From c60bb0a530e6edb489739002c5db0cef90ad7d34 Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Tue, 5 Nov 2024 14:44:24 -0800 Subject: [PATCH 01/33] Updated to show ICCID in device inventory --- memdocs/intune/remote-actions/device-inventory.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/remote-actions/device-inventory.md b/memdocs/intune/remote-actions/device-inventory.md index 4ae88d5a78b..d2f6d14edb4 100644 --- a/memdocs/intune/remote-actions/device-inventory.md +++ b/memdocs/intune/remote-actions/device-inventory.md @@ -7,7 +7,7 @@ keywords: author: Smritib17 ms.author: smbhardwaj manager: dougeby -ms.date: 10/27/2023 +ms.date: 11/05/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: remote-actions @@ -105,7 +105,7 @@ Depending on the carrier used by the devices, not all details might be collected |Cellular technology|The radio system used by the device.|Windows, iOS/iPadOS, Android| |Wi-Fi MAC|The device's Media Access Control address.|Windows, macOS, iOS/iPadOS, Android

**NOTE**: As of October 2021, Intune doesn't display Wi-Fi MAC addresses for newly enrolled personally owned work profile devices and devices managed with device administrator running Android 9 and later. | |Ethernet MAC|The primary Ethernet MAC address for the device. For macOS devices with no ethernet, the device reports the Wi-Fi MAC address.|macOS| -|ICCID|The Integrated Circuit Card Identifier, which is a SIM card's unique identification number.|Windows, iOS/iPadOS, Android

ICCID isn't inventoried on Android Enterprise Dedicated, Fully Managed, or Corporate-Owned Work Profile devices.| +|ICCID|The Integrated Circuit Card Identifier, which is a SIM card's unique identification number.|Windows, iOS/iPadOS, Android BYOD, Android Enterprise Dedicated, Android Fully Managed

**Note**:Reporting for ICCID isn't supported for Android Enterprise corporate-owned work profile devices. For Android Enterprise fully managed and dedicated devices, reporting for ICCID is supported; however, certain SIM cards won't write the data and therefore the ICCID isn't reported in such cases.| |EID|The eSIM identifier, which is a unique identifier for the embedded SIM (eSIM) for cellular devices that have an eSIM.|iOS/iPadOS| |Wi-Fi IPv4 address|The device's IPv4 address.|Windows, Android Enterprise fully managed, dedicated and corp-owned work profiles.

**NOTE**: Any change to IPv4 or subnet ID may take up to 8 hours to reflect in Intune admin center from the time that network changes on device.| |Wi-Fi subnet ID|The device's subnet ID.|Android Enterprise fully managed, dedicated and corp-owned work profiles.

**NOTE**: Any change to IPv4 or subnet ID may take up to 8 hours to reflect in Intune admin center from the time that network changes on device.| From 7a968dfeff1cda0b2013d2d5c2d5f2d4247a6a35 Mon Sep 17 00:00:00 2001 From: Erik Reitan Date: Tue, 5 Nov 2024 14:49:54 -0800 Subject: [PATCH 02/33] erikre-rel2411-29602331 --- memdocs/intune/apps/apps-supported-intune-apps.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/memdocs/intune/apps/apps-supported-intune-apps.md b/memdocs/intune/apps/apps-supported-intune-apps.md index 551001ff9a1..4c9e7207e0f 100644 --- a/memdocs/intune/apps/apps-supported-intune-apps.md +++ b/memdocs/intune/apps/apps-supported-intune-apps.md @@ -6,7 +6,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 10/31/2024 +ms.date: 11/05/2024 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: apps 
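Review bot: in the ICCID row the note label runs into the sentence (`**Note**:Reporting for ICCID isn't supported...`) and is cased `**Note**` where the neighbouring Wi-Fi MAC, IPv4 and subnet rows use `**NOTE**`; add the space and match the casing. The platform column now says `Android BYOD`, a term the rest of this table doesn't use; the IPv4 and subnet rows name the enrollment types explicitly (`Android Enterprise fully managed, dedicated and corp-owned work profiles`), so do the same here so an admin can map it to an enrollment type. Finally, `certain SIM cards won't write the data and therefore the ICCID isn't reported` gives no way to tell which devices will be affected; if the condition is known, state it, otherwise say plainly that ICCID can be blank for some SIMs on fully managed and dedicated devices.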
@@ -66,6 +66,8 @@ The below apps support the Core Intune App Protection Policy settings and are al |Microsoft Azure|[iOS](https://apps.apple.com/app/microsoft-azure/id1219013620)|✔|No settings|✖|N/A|✖|✖|N/A|✖| |Microsoft Copilot|[Android](https://play.google.com/store/apps/details?id=com.microsoft.copilot)|✔|No settings|✖|N/A|✖|✖|N/A|✖| |Microsoft Copilot|[iOS](https://apps.apple.com/us/app/microsoft-copilot/id6472538445)|✔|No settings|✔ Supported for v28.1.420324001 or later|N/A|✖|✖|N/A|✖| +|Microsoft Designer|[Android](https://play.google.com/store/apps/details?id=com.microsoft.designer&hl=en_IN)|✔|No settings|✔|N/A|✔|✔|✔|✖| +|Microsoft Designer|[iOS](https://apps.apple.com/us/app/microsoft-designer/id6448308247)|✔|No settings|✔|N/A|✔|✔|✔|✖| |Microsoft Edge|[Android](https://play.google.com/store/apps/details?id=com.microsoft.emmx)|✔|✔ see [Edge app config](manage-microsoft-edge.md)|✔|N/A|N/A|N/A|✔|✔ Supported for v125.0.2535.96 or later| |Microsoft Edge|[iOS](https://apps.apple.com/us/app/microsoft-edge/id1288723196)|✔|✔ see [Edge app config](manage-microsoft-edge.md)|✔|N/A|N/A|N/A|✔|✔ Supported for v126.2592.56 or later| |Microsoft Excel|[Android](https://play.google.com/store/apps/details?id=com.microsoft.office.excel)|✔|No settings|✔|N/A|✖|✖|✔|✖| From 0135f93b03ee6373e3ec90124e1ebdde287c12c0 Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Tue, 5 Nov 2024 16:17:05 -0800 Subject: [PATCH 03/33] Added details --- memdocs/analytics/device-query.md | 50 ++++++++++++++++++++++++++----- 1 file changed, 43 insertions(+), 7 deletions(-) diff --git a/memdocs/analytics/device-query.md b/memdocs/analytics/device-query.md index c288c73daef..f69305a9f9a 100644 --- a/memdocs/analytics/device-query.md +++ b/memdocs/analytics/device-query.md 
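Review bot: the Android store link for Microsoft Designer carries a locale query string (`&hl=en_IN`) that none of the other Play Store links in this table have; drop it and use `https://play.google.com/store/apps/details?id=com.microsoft.designer` so the link is locale-neutral like the rows around it. Also worth confirming whether the ✔ entries for Designer apply from a minimum app version, since the adjacent Copilot and Edge rows qualify their support with `Supported for vX or later`.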
@@ -35,19 +35,22 @@ Device query allows you to quickly gain on-demand information about the state of ## Prerequisites -To use Device query in your tenant, you must have a license that includes Microsoft Intune Advanced Analytics. Advanced Analytics features are available with: +- To use Device query in your tenant, you must have a license that includes Microsoft Intune Advanced Analytics. Advanced Analytics features are available with: -- The Intune Advanced Analytics Add-on -- Microsoft Intune Suite + - The Intune Advanced Analytics Add-on + - Microsoft Intune Suite -To use Device query on a device, the device must be enrolled in Endpoint Analytics. Learn [how to enroll a device in Endpoint Analytics](enroll-intune.md). +- To use Device query on a device, the device must be enrolled in Endpoint Analytics. Learn [how to enroll a device in Endpoint Analytics](enroll-intune.md). -You cannot opt out of cloud notifications (WNS) +- You cannot opt out of cloud notifications (WNS) -For a user to use Device query, you must assign the **Managed Devices** - **Query** permission to them. +- For a user to use Device query, you must assign the **Managed Devices** - **Query** permission to them. -To use Device query, devices must be Intune managed and corporate owned. +- To use Device query, devices must be Intune managed and corporate owned. +- To run remote actions, at a minimum, sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) with an account that has the **Help Desk Operator** role. For more information on the different roles, go to [Role-based access control (RBAC) with Microsoft Intune](../intune/fundamentals/role-based-access-control.md). + +- To receive the remote action, the device must be connected to the internet and powered on. ## Supported platforms 
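Review bot: the new bullet `To run remote actions, at a minimum, sign into the Intune admin center` should read `sign in to`, and because the bullet above it already requires the **Managed Devices** - **Query** permission, say that the Help Desk Operator role is needed for the remote actions launched from query results specifically; as written a reader can't tell whether both are required to run a query. The converted bullet `You cannot opt out of cloud notifications (WNS)` still lacks a terminating period and any explanation of why it is a prerequisite; a short clause on what WNS is used for here would make it actionable.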
@@ -64,6 +67,39 @@ For more information on Kusto Query Language, see [Learn more about Kusto Query > [!TIP] > You can now use Copilot in Intune (public preview) to generate KQL queries for device query using natural language requests. To learn more, go to [Query with Copilot in device query](../intune/copilot/copilot-intune-overview.md#query-with-copilot-in-device-query). +## Remote device actions + +Use the Intune remote device actions in Single device query to help you manage your devices remotely. From the device query interface, you can now run device actions based on query results for faster and more efficient troubleshooting. + +### Available remote actions + +The available device actions depend on the device configuration. Not all actions are available for all devices. + +For a complete list of what can be done on your devices, in the Intune admin center, select Devices > All devices, and select a specific device. The available device actions are shown at the top. + +The following list includes supported device actions: + +|Action|Description| +|---|---| +|[Autopilot reset](/windows/deployment/windows-autopilot/windows-autopilot-reset#reset-devices-with-remote-windows-autopilot-reset)|Restores a device to its original settings and removes personal files, apps, and settings.| +|[BitLocker key rotation](../intune/protect/encrypt-devices.md#rotate-bitlocker-recovery-keys)|Changes the BitLocker recovery key for a device and uploads the new key to Intune.| +|[Collect diagnostics](../intune/remote-actions/collect-diagnostics.md)|Collects diagnostic logs from a device and uploads the logs to Intune.| +|[Delete](../intune/remote-actions/devices-wipe.md)|Removes a device from Intune management, any company data is removed, and the device is retired.| +|[Fresh start](../intune/remote-actions/device-fresh-start.md)|Reinstalls the latest version of Windows on a device and removes apps that the manufacturer installed.| +|[Full 
scan](../intune/configuration/device-restrictions-windows-10.md#microsoft-defender-antivirus)|Initiates a full scan of the device by Microsoft Defender Antivirus.| +|[Locate device](../intune/remote-actions/device-locate.md)|Shows the approximate location of a device on a map.| +|[Pause ConfigRefresh](../intune/remote-actions/pause-config-refresh.md)|Pause ConfigRefresh to run remediation on a device for troubleshooting or maintenance or to make changes.| +|[Quick scan](../intune/configuration/device-restrictions-windows-10.md#microsoft-defender-antivirus)|Initiates a quick scan of the device by Microsoft Defender Antivirus.| +|[Remote control with Team Viewer](../intune/remote-actions/teamviewer-support.md)|Allows you to remotely control a device using TeamViewer.| +|[Rename device](../intune/remote-actions/device-rename.md)|Changes the device name in Intune.| +|[Restart](../intune/remote-actions/device-rename.md)|Restarts a device.| +|[Retire](../intune/remote-actions/devices-wipe.md#retire)|Removes company data and settings from a device, and leaves personal data intact.| +|[Rotate Local admin password](../intune/protect/windows-laps-policy.md#manually-rotate-passwords)|Changes the local administrator password for a device and stores the password in Intune.| +|[Synchronize device](../intune/remote-actions/device-sync.md)|Syncs a device with Intune to apply the latest policies and configurations.| +|[Update Windows Defender Security Intelligence](/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus)|Updates the security intelligence files for Microsoft Defender Antivirus.| +|[Windows 10 PIN reset](../intune/remote-actions/device-windows-pin-reset.md)|Resets the PIN of a device that uses Microsoft Entra authentication.| +|[Wipe](../intune/remote-actions/devices-wipe.md#wipe)|This action restores a device to its factory settings and removes all data and settings.| + ## Supported Operators  Device query 
supports only a subset of the operators supported in the Kusto Query Language (KQL). The following operators are currently supported: From 5c9625e7152748a33459c69abf5206eeea56e56e Mon Sep 17 00:00:00 2001 From: "Arnab Biswas [MSFT]" Date: Thu, 7 Nov 2024 13:43:34 -0500 Subject: [PATCH 04/33] Update compliance-policy-create-windows.md 2411 doc changes for Feature 24557103 --- .../protect/compliance-policy-create-windows.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/memdocs/intune/protect/compliance-policy-create-windows.md b/memdocs/intune/protect/compliance-policy-create-windows.md index 341fbb4bf61..f1b96673c52 100644 --- a/memdocs/intune/protect/compliance-policy-create-windows.md +++ b/memdocs/intune/protect/compliance-policy-create-windows.md 
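Review bot: in the remote actions table the **Restart** row links to `../intune/remote-actions/device-rename.md`, the same target as the **Rename device** row above it; that looks like a copy-paste slip and should point at the restart article. Smaller items in the same hunk: `Remote control with Team Viewer` should be `TeamViewer`, `Rotate Local admin password` has stray capitalisation, the lead-in `select Devices > All devices` should bold the UI path (`**Devices** > **All devices**`) as the Prerequisites hunk in this same file does for **Managed Devices**, and `in Single device query` reads better as `in a single-device query`.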
@@ -279,6 +279,20 @@ For additional information on Microsoft Defender for Endpoint integration in con To set up Microsoft Defender for Endpoint as your defense threat service, see [Enable Microsoft Defender for Endpoint with Conditional Access](advanced-threat-protection.md). +## Windows Subsystem for Linux (WSL) + +These settings require the Intune WSL plug-in. For additional information, see [Evaluate compliance for Windows Subsystem for Linux](compliance-wsl.md). + +- **Allowed Linux distributions and versions** - Specify at least one Linux distribution name and optionally, a minimum or maximum OS version. + > [!NOTE] + > The provided distribution names and versions affect the compliance policy as follows: + > - If no distribution is listed, all distributions are allowed (default). + > - If only distribution names are provided, any installed version of that distribution are allowed. + > - If a distribution name and a minimum OS version are provided, installed distributions with the provided name and at least the provided version number or higher are allowed. + > - If a distribution name and a maximum OS version are provided, installed distributions with the provided name and up to the provided version number are allowed. + > - If a distribution name, a minimum OS version and a maximum OS version are provided, installed distributions and OS version numbers within the provided range are allowed. + + ## Windows Holographic for Business Windows Holographic for Business uses the **Windows 10 and later** platform. Windows Holographic for Business supports the following setting: From 9a30ee4403f6aa8790289485f2927e764431f6ca Mon Sep 17 00:00:00 2001 From: "Arnab Biswas [MSFT]" Date: Thu, 7 Nov 2024 15:18:14 -0500 Subject: [PATCH 05/33] Update compliance-wsl.md 2411 doc changes for Feature 24557103 --- memdocs/intune/protect/compliance-wsl.md | 139 +++++++---------------- 1 file changed, 41 insertions(+), 98 deletions(-) 
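Review bot: in the WSL note, `any installed version of that distribution are allowed` needs `is allowed`, and `at least the provided version number or higher` says the same thing twice; `the provided version or higher` is enough. The default described in the first sub-bullet (`If no distribution is listed, all distributions are allowed`) deserves a sentence outside the note as well, because an admin who adds the WSL section and leaves the list empty gets a policy that marks every WSL install compliant, the opposite of what adding the section suggests. It would also help to say how versions are compared (numeric versus string), since distribution versions such as `22.04` and `9` order differently under the two.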
diff --git a/memdocs/intune/protect/compliance-wsl.md b/memdocs/intune/protect/compliance-wsl.md index b6baa5663dc..6e329e9fd47 100644 --- a/memdocs/intune/protect/compliance-wsl.md +++ b/memdocs/intune/protect/compliance-wsl.md 
@@ -41,128 +41,71 @@ Create a Microsoft Intune policy that checks the compliance of devices running W This article describes how to set up compliance checks for WSL. -> [!IMPORTANT] -> This feature is in public preview. For more information, see [Public preview in Microsoft Intune](../fundamentals/public-preview.md). - ## Requirements -These resources are required to create your custom compliance script: +These requirements must be followed to create your compliance policy with WSL settings: + +- [Intune WSL plug-in](https://github.com/microsoft/shell-intune-samples/tree/master/Linux/WSL/WSL%20Management%20Example) must be installed for compliance evaluation. +- The Microsoft Intune management extension (IME) must be installed on the target device. This is automatically installed when any of the following conditions are met: + - A PowerShell script or a proactive remediation is assigned to the user or device. + - A Win32 app or Microsoft Store app is deployed. + - A custom compliance policy is assigned. +- Windows custom compliance and WSL compliance settings must be configured in separate compliance policies. + +## Before you begin + +Ensure that you have unassigned and removed any existing custom compliance policy for WSL. -- [Intune WSL plug-in](https://github.com/microsoft/shell-intune-samples/blob/master/Linux/WSL/IntuneWSLPluginInstaller/IntuneWSLPluginInstaller.msi): Use the example Powershell script to get the installation package file for the Intune WSL plug-in. +## Add Intune WSL plug-in as a win32 app -- [Custom compliance script](https://github.com/microsoft/shell-intune-samples/blob/master/Linux/WSL/WSL%20Management%20Example/WSLDistroVersionCompliance.ps1): The example PowerShell script calculates compliance against WSL distros based on Distro and Distro Version. 
+Create a Win32 app policy for the [Intune WSL plug-in](https://github.com/microsoft/shell-intune-samples/tree/master/Linux/WSL/WSL%20Management%20Example) and assign it to the target Entra group. -- [JSON for validation](https://github.com/microsoft/shell-intune-samples/blob/master/Linux/WSL/WSL%20Management%20Example/WSLDetectionRule.json): Use the example JSON to define WSL detection rules. +1. Use the [Microsoft Win32 Content Prep Tool](https://go.microsoft.com/fwlink/?linkid=2065730) to convert the Intune WSL plug-in into the *.intunewin* format. [Learn more about converting to .intunewin format](https://learn.microsoft.com/en-us/mem/intune/apps/apps-win32-prepare#convert-the-win32-app-content). + +2. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +3. Select **Apps** > **All apps** > **Add**. -## Step 1: Install Intune WSL plug-in +4. On the **Select app type** pane, under the **Other** app types, select **Windows app (Win32)**. -Use the Intune WSL plug-in resource to install the Intune WSL plug-in on the target machine. +5. Click **Select**. The **Add app** steps appear. -## Step 2: Add policy for line-of-business app +6. On the **Add app** pane, click **Select app package file**. -Create an app policy for the Intune WSL plug-in. The Intune WSL plug-in is considered a Windows line-of-business app. +7. On the **App package file** pane, select the browse button. Then, select the converted Intune WSL plugin installation file with the extension _.intunewin_. -1. In the Microsoft Intune admin center, go to **Apps** > **Windows**. +8. When you're finished, select **OK** on the **App package file** pane. -2. Enter app information: +9. Enter app information: - **Select file**: Select this option to upload the installation package file for the Intune WSL plug-in. - **Name**: Enter **Intune WSL Plugin**. - **Description**: Enter a description for the app. This setting is optional but recommended. 
- **Publisher**: Enter **Microsoft Intune**. -3. Select **Next** to go to **Assignments**. - -4. Add Microsoft Entra users under **Required** to assign the policy. - -5. Select **Next** to go to **Review + create**. - -6. Review the summary and then select **Create** to save the policy. - -## Step 3: Set up custom script -In a command line, complete the following steps: - -1. Modify the following properties in lines 23-28 of the custom compliance script to match your organization's requirements: - - - Distros - - - Minimum/maximum version - - - Number of days since last check-in a device can remain compliant - -1. In the JSON for validation resource, modify the following fields with your organization's custom values: - - - **MoreInfoUrl** - Enter the URL where device users can go to learn more about how to meet compliance requirements. - - - **RemediationStrings**: Enter helpful information for the device user about the compliance requirement for WSL. - - - **Language** - Example: `en-us` - - **Title** - Example: `WSL distros not in compliance with company policy` - - **Description** - Example: `Make sure only allowed distros and versions are registered in WSL.` - -## Step 4: Deploy custom compliance policy - Deploy the custom compliance policy to targeted devices. - - 1. In the admin center, go to **Endpoint security** > **Device compliance**. - - 1. Go to **Scripts**. - - 1. Select **Add** > **Windows 10 and later**. - - 1. Enter the basic information for your policy, including name and description. - - 1. Select **Next** to go to **Settings**. - - 1. Copy and paste your custom compliance script into **Detection Script**. - - 1. Leave all other settings as is. - -## Step 5: Create device compliance policy -Create a new device compliance policy for devices running Windows 10 and later. - -1. In the admin center, go to **Endpoint security** > **Device compliance**. - -1. Go to **Policies**. - -1. Select **Create policy**. - -1. 
For platform, choose **Windows 10 and later**. - -1. Select **Create**. - -1. Enter the basic information for your policy, including **Name** and **Description**. - -1. Select **Next** to go to **Compliance settings**. - -1. Expand **Custom Compliance**: - - 1. Select the custom compliance script file as the discovery script. - - 1. Upload your JSON validation file. - -1. Leave all other settings as is. Select **Next**. +10. Select **Next** to go to **Program**. Review the pre-populated settings. These shouldn't be changed. -1. Review the summary of your policy, and then select **Create** to save it. +11. Select **Next** to go to **Requirements**. Specify the requirements that devices must meet before the app is installed. -## Remediation +12. Select **Next** to go to **Detection rules**. Review the pre-populated detection rules. These shouldn't be changed. -A quick way to get a device back to a compliant state is to unregister the noncompliant distro on the device. Use the following command to unregister a distro: +13. Select **Next** to go to **Dependencies**. Leave it as-is. -```PowerShell +14. Select **Next** to go to **Supersedence**. Leave it as-is. -wsl --unregister [DISTRONAME] +15. Select **Next** to go to **Assignments**. -``` -## Troubleshooting +16. Add Microsoft Entra users under **Required** to assign the policy. -**Wsl/Service/CreateInstance/CreateVm/Plugin/ERROR_MOD_NOT_FOUND** +17. Select **Next** to go to **Review + create**. -Restart the WSL service. In an elevated PowerShell window, run the following commands: - -```PowerShell - sc.exe stop wslservice +18. Review the summary and then select **Create** to save the policy. - wsl.exe echo “test” +> [!NOTE] +> Creating a compliance policy with WSL settings will automatically generate a read-only custom script. Editing the compliance policy will edit the associated custom script. 
These scripts appear under **Microsoft Intune admin center** > **Devices** > **Compliance** > **Scripts** and are named as _Built-in WSL Compliance-_. -``` +## Next steps -For WSL troubleshooting help, see [Windows Subsystem for Linux](/windows/wsl/troubleshooting). +- [Create a compliance policy](create-compliance-policy.md#create-the-policy). For **Platform**, select **Windows 10 and later**. To learn about **Compliance settings** applicable to Windows Subsystem for Linux, see Device Compliance settings for [Windows Subsystem for Linux](compliance-policy-create-windows.md#windows-subsystem-for-linux-wsl). +- [Add actions for noncompliant devices](actions-for-noncompliance.md) and [use scope tags to filter policies](../fundamentals/scope-tags.md). +- [Monitor your compliance policies](compliance-policy-monitor.md). +- For WSL troubleshooting help, see [Windows Subsystem for Linux](/windows/wsl/troubleshooting). From b42eb92135a19282621b713b0cacf2901cc4520f Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Mon, 11 Nov 2024 12:04:46 -0500 Subject: [PATCH 06/33] 2411 changes for user keychain feature --- .../configuration/custom-settings-macos.md | 2 +- .../intune/configuration/vpn-settings-macos.md | 14 +++++++++++--- .../intune/configuration/wi-fi-settings-macos.md | 16 ++++++++++++---- .../intune/protect/certificates-pfx-configure.md | 7 +++++-- .../intune/protect/certificates-profile-scep.md | 9 ++++++--- 5 files changed, 35 insertions(+), 13 deletions(-) diff --git a/memdocs/intune/configuration/custom-settings-macos.md b/memdocs/intune/configuration/custom-settings-macos.md index 0d2ccbf9f3d..20816d12c99 100644 --- a/memdocs/intune/configuration/custom-settings-macos.md +++ b/memdocs/intune/configuration/custom-settings-macos.md 
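Review bot: step 1 links to `https://learn.microsoft.com/en-us/mem/intune/apps/apps-win32-prepare#convert-the-win32-app-content` with an absolute, locale-pinned URL while every other link in this file is relative (`compliance-policy-create-windows.md`, `../fundamentals/scope-tags.md`); use `../apps/apps-win32-prepare.md#convert-the-win32-app-content`. The Requirements bullet now links the plug-in to a sample directory instead of an installer, so say which file in that directory is the plug-in to package. `target Entra group` should be `Microsoft Entra group`, `Click **Select**` should use `Select` as the rest of the steps do (`Select **Next**`), and `win32 app` in the heading should be `Win32 app`. The patch also removes the Remediation (`wsl --unregister [DISTRONAME]`) and Troubleshooting (`Wsl/Service/CreateInstance/CreateVm/Plugin/ERROR_MOD_NOT_FOUND`) sections with no replacement; if that guidance still applies with the built-in script, keep it, and if not, say what replaced it. Finally, the generated script name `_Built-in WSL Compliance-_` ends in a hyphen and looks truncated.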
@@ -60,7 +60,7 @@ This feature applies to: When you configure the profile, enter the following settings: - **Configuration profile name**: Enter a name for the policy. This name is shown on the device, and in the Intune status in the Intune admin center. -- **Deployment channel**: Select the channel you want to use to deploy your configuration profile. If you send the profile to the wrong channel, deployment can fail. After you select a channel and save the profile, the channel can't be changed. To select a different channel, create a new profile. +- **Deployment channel**: Select the channel you want to use to deploy your configuration profile. If you send the profile to the wrong channel, deployment can fail. After you select a channel and save the profile, the channel can't be changed. To select a different channel, create a new profile. We don't recommend placing SCEP and PKCS user certificates in the device channel due to increased security risks. User-targeted payloads don't apply to devices enrolled without user affinity. For more information on whether a payload can be used for a device configuration profile or a user configuration profile, go to [Profile-Specific Payload Keys](https://developer.apple.com/documentation/devicemanagement/profile-specific_payload_keys) (opens Apple's developer website). diff --git a/memdocs/intune/configuration/vpn-settings-macos.md b/memdocs/intune/configuration/vpn-settings-macos.md index f2391ab5732..37c7e3ea7f9 100644 --- a/memdocs/intune/configuration/vpn-settings-macos.md +++ b/memdocs/intune/configuration/vpn-settings-macos.md @@ -7,7 +7,7 @@ keywords: author: MandiOhlinger ms.author: mandia manager: dougeby -ms.date: 04/15/2024 +ms.date: 11/11/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: configuration 
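Review bot: `We don't recommend placing SCEP and PKCS user certificates in the device channel due to increased security risks` asserts a risk without naming it; say what it is (items in the device keychain aren't scoped to the signed-in user, so a user certificate placed there is not tied to that user's session). Without that, readers can't weigh it against the very next sentence, which tells them user-targeted payloads don't apply to devices enrolled without user affinity, a case where the device channel may be the only option.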
@@ -35,7 +35,10 @@ Depending on the settings you choose, not all values in the following list are c This feature applies to: -- macOS +- macOS + +## Verify deployment channel +We recommend checking the deployment channel in existing enterprise VPN profiles when they're up for renewal to ensure that any authentication certificates you're using, either SCEP or PKCS, are stored in the proper keychain. Certificates in VPN profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel. ## Before you begin 
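Review bot: the `## Verify deployment channel` heading is immediately followed by its paragraph with no blank line, unlike every other heading in this file. The `- macOS` line is removed and re-added with no visible difference, so it is most likely a trailing-whitespace edit; drop it from the patch unless the whitespace mattered. The paragraph says older profiles keep device-keychain storage `until you create a new profile and select the user deployment channel`; since the Base VPN hunk in this same patch says the channel can't be edited after deployment, state outright that a new profile is required rather than leaving it as one option.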
@@ -47,11 +50,16 @@ This feature applies to: ## Base VPN +- **Deployment channel**: Select how you want to deploy the profile. This setting also determines the keychain where the authentication certificates are stored, so it's important to select the proper channel. It's not possible to edit the deployment channel after you deploy the profile. + + You have two options: + - **User channel**: Always select the user deployment channel in profiles with user certificates. This option stores certificates in the user keychain. + - **Device channel**: Always select the device deployment channel in profiles with device certificates. This option stores certificates in the device keychain. **Connection name**: Enter a name for this connection. End users see this name when they browse their device for the list of available VPN connections. - **VPN server address**: Enter the IP address or fully qualified domain name of the VPN server that devices connect to. For example, enter `192.168.1.1` or `vpn.contoso.com`. - **Authentication method**: Choose how devices authenticate to the VPN server. Your options: - - **Certificates**: Under **Authentication certificate**, select a SCEP or PKCS certificate profile you previously created to authenticate the connection. For more information about certificate profiles, go to [How to configure certificates](../protect/certificates-configure.md). + - **Certificates**: Under **Authentication certificate**, select a SCEP or PKCS certificate profile you previously created to authenticate the connection. For more information about certificate profiles, go to [How to configure certificates](../protect/certificates-configure.md). Choose the certificates that align with your deployment channel selection. If you selected the user channel, your certificate options are limited to user certificate profiles. 
If you selected the device channel, you have both user and device certificate profiles to choose from, but we recommend always selecting the certificate type that aligns with the selected channel. Storing user certificates in the device keychain increases security risks. - **Username and password**: End users must enter a username and password to sign into the VPN server. - **Connection type**: Select the VPN connection type from the following list of vendors: diff --git a/memdocs/intune/configuration/wi-fi-settings-macos.md b/memdocs/intune/configuration/wi-fi-settings-macos.md index 03de0653506..e5f5435265f 100644 --- a/memdocs/intune/configuration/wi-fi-settings-macos.md +++ b/memdocs/intune/configuration/wi-fi-settings-macos.md @@ -8,7 +8,7 @@ keywords: author: MandiOhlinger ms.author: mandia manager: dougeby -ms.date: 06/25/2024 +ms.date: 11/11/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: configuration 
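Review bot: the new **Deployment channel** bullet and the extended **Certificates** sub-bullet are the same text that this patch adds to `wi-fi-settings-macos.md`; consider an include so the two don't drift. The Certificates text also says the device channel still offers user certificate profiles `but we recommend` against them, while the `custom-settings-macos.md` hunk in this patch says user-targeted payloads don't apply to devices enrolled without user affinity at all; the two pages should agree on what actually happens when a user certificate profile is sent through the device channel on a user-less enrollment, and `Storing user certificates in the device keychain increases security risks` should say which risk, as the same wording in the custom-settings hunk should.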
@@ -39,13 +39,16 @@ This feature applies to: These Wi-Fi settings are separated in to two categories: Basic settings and Enterprise settings. -This article describes the settings you can configure. +This article describes the settings you can configure. + +## Verify deployment channel +We recommend checking the deployment channel in existing enterprise Wi-Fi profiles when they're up for renewal to ensure that any authentication certificates you're using, either SCEP or PKCS, are stored in the proper keychain. Certificates in Wi-Fi profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel. ## Before you begin - Create a [macOS Wi-Fi device configuration profile](wi-fi-settings-configure.md). -- These settings are available for all enrollment types. For more information on the enrollment types, go to [macOS enrollment](../enrollment/macos-enroll.md). +- These settings are available for all enrollment types. For more information on the enrollment types, go to [macOS enrollment](../enrollment/macos-enroll.md). ## Basic profiles 
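Review bot: the `This article describes the settings you can configure.` and `These settings are available for all enrollment types.` lines are removed and re-added with no visible change, so they look like trailing-whitespace edits and should come out of the patch. The new `## Verify deployment channel` section has the same missing blank line after the heading as the VPN file.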
@@ -72,6 +75,11 @@ Basic or personal profiles use WPA/WPA2 to secure the Wi-Fi connection on device Enterprise profiles use Extensible Authentication Protocol (EAP) to authenticate Wi-Fi connections. EAP is often used by enterprises, as you can use certificates to authenticate and secure connections, and configure more security options. +- **Deployment channel**: Select how you want to deploy the profile. This setting also determines the keychain where the authentication certificates are stored, so it's important to select the proper channel. It's not possible to edit the deployment channel after you deploy the profile. + + You have two options: + - **User channel**: Always select the user deployment channel in profiles with user certificates. This option stores certificates in the user keychain. + - **Device channel**: Always select the device deployment channel in profiles with device certificates. This option stores certificates in the device keychain. - **Wi-Fi type**: Select **Enterprise**. - **SSID**: Short for **service set identifier**. This property is the real name of the wireless network that devices connect to. However, users only see the network name you configured when they choose the connection. - **Connect automatically**: Select **Enable** to automatically connect to this network when the device is in range. Select **Disable** to prevent devices from automatically connecting. 
@@ -92,7 +100,7 @@ Enterprise profiles use Extensible Authentication Protocol (EAP) to authenticate - **Certificate server names**: **Add** one or more common names used in the certificates issued by your trusted certificate authority (CA). When you enter this information, you can bypass the dynamic trust window displayed on user's devices when they connect to this Wi-Fi network. - **Root certificate for server validation**: Select one or more existing trusted root certificate profiles. When the client connects to the network, these certificates are used to establish a chain of trust with the server. If your authentication server uses a public certificate, then you don't need to include a root certificate. - - **Certificates**: Select the SCEP or PKCS client certificate profile that is also deployed to the device. This certificate is the identity presented by the device to the server to authenticate the connection. + - **Certificates**: Select the SCEP or PKCS client certificate profile that is also deployed to the device. This certificate is the identity presented by the device to the server to authenticate the connection. Choose the certificates that align with your deployment channel selection. If you selected the user channel, your certificate options are limited to user certificate profiles. If you selected the device channel, you have both user and device certificate profiles to choose from, but we recommend always selecting the certificate type that aligns with the selected channel. Storing user certificates in the device keychain increases security risks. - **Identity privacy (outer identity)**: Enter the text sent in the response to an EAP identity request. This text can be any value, such as `anonymous`. During authentication, this anonymous identity is initially sent. Then, the real identification is sent in a secure tunnel. 
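Review bot: the extended **Certificates** sub-bullet repeats the VPN file's text verbatim, including `Storing user certificates in the device keychain increases security risks` without saying which risk; if an include isn't used, at least name the risk once here so the Wi-Fi page stands on its own. It is also worth stating what the **Root certificate for server validation** and **Certificates** selections do when the chosen certificate profile's channel doesn't match the profile's **Deployment channel**, since the text says the device channel lets you pick either type.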
diff --git a/memdocs/intune/protect/certificates-pfx-configure.md b/memdocs/intune/protect/certificates-pfx-configure.md index 06c5940cecb..2f59abc669c 100644 --- a/memdocs/intune/protect/certificates-pfx-configure.md +++ b/memdocs/intune/protect/certificates-pfx-configure.md @@ -5,7 +5,7 @@ keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 10/01/2024 +ms.date: 11/11/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect @@ -16,7 +16,7 @@ ms.localizationpriority: high #ROBOTS: #audience: -ms.reviewer: lacranda +ms.reviewer: sheetg ms.suite: ems search.appverid: MET150 #ms.tgt_pltfrm: 
@@ -73,6 +73,9 @@ To use PKCS certificates with Intune, you need the following infrastructure: - [Prerequisites](certificate-connector-prerequisites.md) - [Installation and configuration](certificate-connector-install.md) +## Verify deployment channel +We recommend checking the deployment channel in existing PKCS profiles, and linked VPN and Wi-Fi profiles when they're up for renewal to ensure that any authentication certificates you're using are stored in the proper keychain. Always select the user channel in profiles when you're deploying user-targeted authentication certificates. And always select the device channel when you're deploying device-targeted authentication certificates. Certificates in profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel. + ## Update certificate connector: Strong mapping requirements for KB5014754 The Key Distribution Center (KDC) requires a strong mapping format in PKCS certificates deployed by Microsoft Intune and used for certificate-based authentication. The mapping must have a security identifier (SID) extension that maps to the user or device SID. If a certificate doesn't meet the new strong mapping criteria set by the full enforcement mode date, authentication will be denied. For more information about the requirements, see [KB5014754: Certificate-based authentication changes on Windows domain controllers ](https://support.microsoft.com/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16). diff --git a/memdocs/intune/protect/certificates-profile-scep.md b/memdocs/intune/protect/certificates-profile-scep.md index c44baf140eb..6f4046ab1c1 100644 --- a/memdocs/intune/protect/certificates-profile-scep.md +++ b/memdocs/intune/protect/certificates-profile-scep.md 
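Review bot: the last sentence of the new **Verify deployment channel** section is wrong for device certificates as written: "Certificates in profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel" reads as if every pre-existing profile must be recreated, but a device-certificate profile already has its certificates in the right store. Scope it to user certificates, e.g. "User certificates in profiles created before the deployment channel setting existed remain in the device keychain until you recreate the profile and select the user channel." Also clarify what "when they're up for renewal" refers to (the certificate or the profile), since the fix described is a new profile, not a renewal.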
@@ -5,7 +5,7 @@ keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 10/15/2024 +ms.date: 11/11/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect @@ -15,7 +15,7 @@ ms.subservice: protect #ROBOTS: #audience: -ms.reviewer: lacranda +ms.reviewer: sheetg ms.suite: ems search.appverid: MET150 #ms.tgt_pltfrm: @@ -138,7 +138,7 @@ For more information about the KDC's requirements and enforcement date for stron > [!NOTE] > Storage of certificates provisioned by SCEP: - > - *macOS* - Certificates you provision with SCEP are always placed in the system keychain (System store) of the device. + > - *macOS* - You can store certificates you provision with SCEP in the system keychain, known as the *system store*, of the device or the user keychain. > > - *Android* - Devices have both a *VPN and apps* certificate store, and a *WIFI* certificate store. Intune always stores SCEP certificates in the VPN and apps store on a device. Use of the VPN and apps store makes the certificate available for use by any other app. 
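Review bot: the rewritten *macOS* bullet in the note, "You can store certificates you provision with SCEP in the system keychain, known as the *system store*, of the device or the user keychain", is hard to parse ("of the device or the user keychain") and doesn't say what decides the location. Suggest: "*macOS* - Certificates you provision with SCEP are stored in the system keychain (system store) or in the user keychain, depending on the profile's deployment channel." That ties the note to the deployment channel setting this same series documents, which is what a reader troubleshooting "the certificate is in the wrong keychain" actually needs.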
> @@ -461,6 +461,9 @@ Consider the following before you continue: > - Certificates delivered by SCEP are each unique. Certificates delivered by PKCS are the same certificate, but appear different as each profile instance is represented by a separate line in the management profile. > - On iOS 13 and macOS 10.15, there are [additional security requirements that are documented by Apple](https://support.apple.com/HT210176) to take into consideration. +## Verify deployment channel +We recommend checking the deployment channel in existing SCEP profiles, and linked VPN and Wi-Fi profiles when they're up for renewal to ensure that any authentication certificates you're using are stored in the proper keychain. Always select the user channel in profiles when you're deploying user-targeted authentication certificates. And always select the device channel when you're deploying device-targeted authentication certificates. Certificates in profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel. + ## Next steps [Assign profiles](../configuration/device-profile-assign.md) From 5659f36a167d8b24fa1653c06cd2ac1bcbb0fa3e Mon Sep 17 00:00:00 2001 From: "Arnab Biswas [MSFT]" Date: Thu, 14 Nov 2024 11:05:13 -0500 Subject: [PATCH 07/33] Update compliance-wsl.md 2411 doc changes for Feature 24557103 --- memdocs/intune/protect/compliance-wsl.md | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/memdocs/intune/protect/compliance-wsl.md b/memdocs/intune/protect/compliance-wsl.md index 6e329e9fd47..b49c8ec5d22 100644 --- a/memdocs/intune/protect/compliance-wsl.md +++ b/memdocs/intune/protect/compliance-wsl.md 
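Review bot: the new **Verify deployment channel** section is a verbatim copy of the one added to certificates-pfx-configure.md in this same series; keep a single copy in an include so the two can't drift, and apply the same scoping fix here (the last sentence should apply only to profiles that deploy user certificates, because device certificates belong in the device keychain). It is also placed at the very end of the article, directly before **Next steps**, after the "Consider the following before you continue" note; a reader following the steps meets the deployment channel setting long before reaching this advice, so consider moving it next to the setting's description or cross-linking from there.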
@@ -45,7 +45,7 @@ This article describes how to set up compliance checks for WSL. These requirements must be followed to create your compliance policy with WSL settings: -- [Intune WSL plug-in](https://github.com/microsoft/shell-intune-samples/tree/master/Linux/WSL/WSL%20Management%20Example) must be installed for compliance evaluation. +- [Intune WSL plug-in](https://go.microsoft.com/fwlink/?linkid=2296896) must be installed for compliance evaluation. - The Microsoft Intune management extension (IME) must be installed on the target device. This is automatically installed when any of the following conditions are met: - A PowerShell script or a proactive remediation is assigned to the user or device. - A Win32 app or Microsoft Store app is deployed. @@ -54,11 +54,12 @@ These requirements must be followed to create your compliance policy with WSL se ## Before you begin -Ensure that you have unassigned and removed any existing custom compliance policy for WSL. +1. Ensure that you have unassigned and removed any existing custom compliance policy for WSL. +2. Review the [Limitations](./#Limitations) of using WSL settings in compliance policies. ## Add Intune WSL plug-in as a win32 app -Create a Win32 app policy for the [Intune WSL plug-in](https://github.com/microsoft/shell-intune-samples/tree/master/Linux/WSL/WSL%20Management%20Example) and assign it to the target Entra group. +Create a Win32 app policy for the [Intune WSL plug-in](https://go.microsoft.com/fwlink/?linkid=2296896) and assign it to the target Entra group. 1. Use the [Microsoft Win32 Content Prep Tool](https://go.microsoft.com/fwlink/?linkid=2065730) to convert the Intune WSL plug-in into the *.intunewin* format. [Learn more about converting to .intunewin format](https://learn.microsoft.com/en-us/mem/intune/apps/apps-win32-prepare#convert-the-win32-app-content). 
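Review bot: the new link `[Limitations](./#Limitations)` in **Before you begin** won't resolve: rendered heading anchors are lowercase and the `./` prefix points at the directory, so use `[Limitations](#limitations)` (a later patch in this series makes exactly that fix, so consider squashing). Also "target Entra group" should be "Microsoft Entra group" to match the product name used elsewhere in these docs, and swapping the GitHub link for `go.microsoft.com/fwlink/?linkid=2296896` is fine only if the redirect is registered before this merges; otherwise the requirement bullet points at a dead link.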
@@ -101,7 +102,15 @@ Create a Win32 app policy for the [Intune WSL plug-in](https://github.com/micros 18. Review the summary and then select **Create** to save the policy. > [!NOTE] -> Creating a compliance policy with WSL settings will automatically generate a read-only custom script. Editing the compliance policy will edit the associated custom script. These scripts appear under **Microsoft Intune admin center** > **Devices** > **Compliance** > **Scripts** and are named as _Built-in WSL Compliance-_. +> Creating a compliance policy with WSL settings will automatically generate a read-only custom script. Editing the compliance policy will edit the associated custom script. These scripts appear under **Microsoft Intune admin center** > **Devices** > **Compliance** > **Scripts** and are named as _Built-in WSL Compliance-< compliance policy id >_. + +## Limitations + +The known limitations of using the Intune WSL plugin for compliance evaluation are as follows: + +- Compliance evaluation requires that the installed Linux distributions in WSL have run at least once. +- Compliance evaluation is not guaranteed to function as expected on custom Linux images or Linux images without `etc/os-release` directory. +- The Intune WSL plugin cannot guarantee that malicious software or user actions have not compromised the compliance evaluation mechanism. ## Next steps From abec51902e05bbb5f50438468ed39e85b08ddf12 Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Thu, 14 Nov 2024 12:29:28 -0800 Subject: [PATCH 08/33] added support for samsung --- autopilot/dfci-management.md | 1 + 1 file changed, 1 insertion(+) diff --git a/autopilot/dfci-management.md b/autopilot/dfci-management.md index 2501ce555d5..ce0e2f4c3aa 100644 --- a/autopilot/dfci-management.md +++ b/autopilot/dfci-management.md 
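Review bot: in the new **Limitations** section, `etc/os-release` is a file, not a directory, and the path is missing its leading slash; write "Linux images that don't include the `/etc/os-release` file". The last bullet ("The Intune WSL plugin cannot guarantee that malicious software or user actions have not compromised the compliance evaluation mechanism") is the most important security caveat on this page, so state the practical consequence for admins rather than leaving it implicit: the WSL compliance result is best-effort and should not be treated as a tamper-proof signal when it gates Conditional Access. In the note, `_Built-in WSL Compliance-< compliance policy id >_` should put the placeholder in code font or escape the brackets, since an unescaped `<...>` in Markdown can be interpreted as an HTML tag and the spaces inside the brackets look like a typo.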
@@ -90,6 +90,7 @@ For more information, see [Intune devices and apps API overview](/graph/intune-c - [Microsoft Surface](/surface/surface-manage-dfci-guide). - Panasonic. - VAIO. +- Samsung. Other OEMs are pending. From 50cb47747d49769bbcf99bf21de84667b477fcbd Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Thu, 14 Nov 2024 21:17:38 +0000 Subject: [PATCH 09/33] Update compliance-wsl.md Style edits --- memdocs/intune/protect/compliance-wsl.md | 48 +++++++++++++----------- 1 file changed, 26 insertions(+), 22 deletions(-) diff --git a/memdocs/intune/protect/compliance-wsl.md b/memdocs/intune/protect/compliance-wsl.md index b49c8ec5d22..19f5605a697 100644 --- a/memdocs/intune/protect/compliance-wsl.md +++ b/memdocs/intune/protect/compliance-wsl.md @@ -7,7 +7,7 @@ keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 5/29/2024 +ms.date: 11/14/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect 
@@ -59,47 +59,51 @@ These requirements must be followed to create your compliance policy with WSL se ## Add Intune WSL plug-in as a win32 app -Create a Win32 app policy for the [Intune WSL plug-in](https://go.microsoft.com/fwlink/?linkid=2296896) and assign it to the target Entra group. +Create a Win32 app policy for the [Intune WSL plug-in](https://github.com/microsoft/shell-intune-samples/blame/master/Linux/WSL/IntuneWSLPluginInstaller/IntuneWSLPluginInstaller.msi) and assign it to the target Entra group. -1. Use the [Microsoft Win32 Content Prep Tool](https://go.microsoft.com/fwlink/?linkid=2065730) to convert the Intune WSL plug-in into the *.intunewin* format. [Learn more about converting to .intunewin format](https://learn.microsoft.com/en-us/mem/intune/apps/apps-win32-prepare#convert-the-win32-app-content). +1. Use the [Microsoft Win32 Content Prep Tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) to convert the Intune WSL plug-in into the *.intunewin* format. For more information, see [Convert the Win32 app content](https://learn.microsoft.com/en-us/mem/intune/apps/apps-win32-prepare#convert-the-win32-app-content). -2. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +2. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) as at least a . -3. Select **Apps** > **All apps** > **Add**. +3. Go to **Apps** > **All apps** > **Add**. -4. On the **Select app type** pane, under the **Other** app types, select **Windows app (Win32)**. +4. For **App type**, scroll down to **Other**, and then select **Windows app (Win32)**. -5. Click **Select**. The **Add app** steps appear. +5. Choose **Select**. The **Add app** steps appear. -6. On the **Add app** pane, click **Select app package file**. +6. Choose **Select app package file**. -7. On the **App package file** pane, select the browse button. 
Then, select the converted Intune WSL plugin installation file with the extension _.intunewin_. +7. Select the **Folder** button to browse your files for the app package file. Then choose the Intune WSL plug-in installation file with the `.intunewin` extension.   -8. When you're finished, select **OK** on the **App package file** pane. +8. Select **OK** to continue to the next step. -9. Enter app information: - - **Select file**: Select this option to upload the installation package file for the Intune WSL plug-in. +9. Enter the following app information: + - **Select file**: The app package file you selected in the previous step appears here. Select the file to upload a different installation package file for the Intune WSL plug-in. - **Name**: Enter **Intune WSL Plugin**. - - **Description**: Enter a description for the app. This setting is optional but recommended. + - **Description**: Select **Edit Description** to enter a description for the app. For example, you can describe its purpose or how your organization plans to use it. This setting is optional but recommended. - **Publisher**: Enter **Microsoft Intune**. -10. Select **Next** to go to **Program**. Review the pre-populated settings. These shouldn't be changed. +10. Select **Next** to continue to **Program**. -11. Select **Next** to go to **Requirements**. Specify the requirements that devices must meet before the app is installed. +11. Review the settings that are prepopulated so that you are familiar with how the app behaves. You shouldn't need to change any of these settings. -12. Select **Next** to go to **Detection rules**. Review the pre-populated detection rules. These shouldn't be changed. +12. Select **Next** to go to **Requirements**. +13. Enter the requirements devices must meet to install the app. -13. Select **Next** to go to **Dependencies**. Leave it as-is. +14. Select **Next** to go to **Detection rules**. +15. Review the detection rules that are prepopulated. 
These rules are app-specific and detect the presence of the app. You shouldn't need to change any of these settings. -14. Select **Next** to go to **Supersedence**. Leave it as-is. +16. Select **Next** to go to **Dependencies**. Leave it as-is. -15. Select **Next** to go to **Assignments**. +17. Select **Next** to go to **Supersedence**. Leave it as-is. -16. Add Microsoft Entra users under **Required** to assign the policy. +18. Select **Next** to go to **Assignments**. -17. Select **Next** to go to **Review + create**. +19. Add Microsoft Entra users under **Required** to assign the policy. -18. Review the summary and then select **Create** to save the policy. +20. Select **Next** to go to **Review + create**. + +21. Review the summary and then select **Create** to save the policy. > [!NOTE] > Creating a compliance policy with WSL settings will automatically generate a read-only custom script. Editing the compliance policy will edit the associated custom script. These scripts appear under **Microsoft Intune admin center** > **Devices** > **Compliance** > **Scripts** and are named as _Built-in WSL Compliance-< compliance policy id >_. From 8f312f33892c1413cc14953ff42df2c823213ffc Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Thu, 14 Nov 2024 22:04:36 +0000 Subject: [PATCH 10/33] Update compliance-wsl.md Acrolinx, more style edits --- memdocs/intune/protect/compliance-wsl.md | 67 +++++++++++++----------- 1 file changed, 35 insertions(+), 32 deletions(-) diff --git a/memdocs/intune/protect/compliance-wsl.md b/memdocs/intune/protect/compliance-wsl.md index 19f5605a697..7816ad9bd25 100644 --- a/memdocs/intune/protect/compliance-wsl.md +++ b/memdocs/intune/protect/compliance-wsl.md @@ -7,7 +7,7 @@ keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 11/14/2024 +ms.date: 11/19/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect 
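Review bot: step 2 is cut off: "Sign in to the Microsoft Intune admin center as at least a ." is missing the role name (it looks like a role include or link was dropped); fill in the minimum required role. In the intro sentence of the same hunk, the `go.microsoft.com/fwlink` link introduced in the previous patch is replaced with a direct `github.com/.../blame/.../IntuneWSLPluginInstaller.msi` URL; the blame view is the wrong target for a download link (link the file or a release asset), and reverting the fwlink undoes the redirect that lets the download move without a docs change. Step 7 also carries trailing whitespace after "extension." that should be stripped.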
@@ -43,27 +43,27 @@ This article describes how to set up compliance checks for WSL. ## Requirements -These requirements must be followed to create your compliance policy with WSL settings: +To create your compliance policy with WSL settings, you must meet these requirements: -- [Intune WSL plug-in](https://go.microsoft.com/fwlink/?linkid=2296896) must be installed for compliance evaluation. -- The Microsoft Intune management extension (IME) must be installed on the target device. This is automatically installed when any of the following conditions are met: - - A PowerShell script or a proactive remediation is assigned to the user or device. - - A Win32 app or Microsoft Store app is deployed. - - A custom compliance policy is assigned. -- Windows custom compliance and WSL compliance settings must be configured in separate compliance policies. +- Install the [Intune WSL plug-in](https://go.microsoft.com/fwlink/?linkid=2296896) for compliance evaluation. + +- Install the Microsoft Intune management extension on the target device. The management extension automatically installs on devices that meet the following conditions: + + - A PowerShell script or a proactive remediation is assigned to the user or device. + - A Win32 app or Microsoft Store app has been deployed to the user or device. + - A custom compliance policy is assigned to the user or device. +- Configure Windows custom compliance settings and WSL compliance settings in separate compliance policies. ## Before you begin +Unassign and remove existing custom compliance policies for WSL. Then review the [limitations](#limitations) with WSL settings in compliance policies so that you know what to expect. -1. Ensure that you have unassigned and removed any existing custom compliance policy for WSL. -2. Review the [Limitations](./#Limitations) of using WSL settings in compliance policies. 
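Review bot: the rewrite changes the meaning of the management-extension requirement. The old text said the extension is installed "when any of the following conditions are met"; the new "devices that meet the following conditions" reads as if all three must hold. Restore the disjunction, e.g. "The management extension is installed automatically when any of the following is true:". The `#limitations` anchor fix in **Before you begin** is correct.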
+## Add Intune WSL plug-in as a Win32 app -## Add Intune WSL plug-in as a win32 app +Create a Win32 app policy for the [Intune WSL plug-in](https://github.com/microsoft/shell-intune-samples/blame/master/Linux/WSL/IntuneWSLPluginInstaller/IntuneWSLPluginInstaller.msi), and assign it to the target Microsoft Entra group. -Create a Win32 app policy for the [Intune WSL plug-in](https://github.com/microsoft/shell-intune-samples/blame/master/Linux/WSL/IntuneWSLPluginInstaller/IntuneWSLPluginInstaller.msi) and assign it to the target Entra group. - -1. Use the [Microsoft Win32 Content Prep Tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) to convert the Intune WSL plug-in into the *.intunewin* format. For more information, see [Convert the Win32 app content](https://learn.microsoft.com/en-us/mem/intune/apps/apps-win32-prepare#convert-the-win32-app-content). +1. Use the [Microsoft Win32 Content Prep Tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) to convert the Intune WSL plug-in to the *.intunewin* format. For more information, see [Convert the Win32 app content](../apps/apps-win32-prepare.md#convert-the-win32-app-content). -2. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) as at least a . +2. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) as at least a . 3. Go to **Apps** > **All apps** > **Add**. 
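Review bot: step 2 still reads "as at least a ."; the missing role name has now survived two edits of this section, so it needs filling in before merge. The intro sentence also still links the plug-in to the GitHub `blame` view of `IntuneWSLPluginInstaller.msi` while the **Requirements** section a few lines above uses the fwlink, so the same download is now linked two different ways in one article; pick one (preferably the fwlink or a release asset) and use it in both places.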
@@ -73,9 +73,9 @@ Create a Win32 app policy for the [Intune WSL plug-in](https://github.com/micros 6. Choose **Select app package file**. -7. Select the **Folder** button to browse your files for the app package file. Then choose the Intune WSL plug-in installation file with the `.intunewin` extension.   +7. Select the **Folder** button and browse your files for the app package file. Upload the Intune WSL plug-in installation file with the `.intunewin` extension. -8. Select **OK** to continue to the next step. +8. Select **OK** to continue. 9. Enter the following app information: - **Select file**: The app package file you selected in the previous step appears here. Select the file to upload a different installation package file for the Intune WSL plug-in. 
@@ -83,42 +83,45 @@ Create a Win32 app policy for the [Intune WSL plug-in](https://github.com/micros - **Description**: Select **Edit Description** to enter a description for the app. For example, you can describe its purpose or how your organization plans to use it. This setting is optional but recommended. - **Publisher**: Enter **Microsoft Intune**. -10. Select **Next** to continue to **Program**. +10. Select **Next** to go to **Program**. 11. Review the settings that are prepopulated so that you are familiar with how the app behaves. You shouldn't need to change any of these settings. -12. Select **Next** to go to **Requirements**. +12. Select **Next** to go to **Requirements**. 13. Enter the requirements devices must meet to install the app. 14. Select **Next** to go to **Detection rules**. 15. Review the detection rules that are prepopulated. These rules are app-specific and detect the presence of the app. You shouldn't need to change any of these settings. -16. Select **Next** to go to **Dependencies**. Leave it as-is. +16. Select **Next** to go to **Dependencies**. Leave the settings as-is. -17. Select **Next** to go to **Supersedence**. Leave it as-is. +17. Select **Next** to go to **Supersedence**. Leave the settings as-is. 18. Select **Next** to go to **Assignments**. -19. Add Microsoft Entra users under **Required** to assign the policy. +19. To asssign the policy, add Microsoft Entra users under **Required**. 20. Select **Next** to go to **Review + create**. -21. Review the summary and then select **Create** to save the policy. +21. Review the summary, and then select **Create** to save the policy. > [!NOTE] -> Creating a compliance policy with WSL settings will automatically generate a read-only custom script. Editing the compliance policy will edit the associated custom script. These scripts appear under **Microsoft Intune admin center** > **Devices** > **Compliance** > **Scripts** and are named as _Built-in WSL Compliance-< compliance policy id >_. 
+> When you create a compliance policy with WSL settings, it automatically generates a read-only custom script. Editing the compliance policy also edits the associated custom script. These scripts appear in the Microsoft Intune admin center in **Devices** > **Compliance** > **Scripts** and are called *Built-in WSL Compliance-< compliance policy id >*. ## Limitations -The known limitations of using the Intune WSL plugin for compliance evaluation are as follows: +This section describes the known limitations with using the Intune WSL plugin for compliance evaluation. -- Compliance evaluation requires that the installed Linux distributions in WSL have run at least once. -- Compliance evaluation is not guaranteed to function as expected on custom Linux images or Linux images without `etc/os-release` directory. -- The Intune WSL plugin cannot guarantee that malicious software or user actions have not compromised the compliance evaluation mechanism. +- Compliance evaluation requires the installed Linux distributions in WSL to have run at least once. +- Compliance evaluation is not guaranteed to function as expected on custom Linux images or Linux images without `etc/os-release` directory. +- Even with the Intune WSL plugin, it's possible for malicious software or user actions to compromise the compliance evaluation mechanism. ## Next steps -- [Create a compliance policy](create-compliance-policy.md#create-the-policy). For **Platform**, select **Windows 10 and later**. To learn about **Compliance settings** applicable to Windows Subsystem for Linux, see Device Compliance settings for [Windows Subsystem for Linux](compliance-policy-create-windows.md#windows-subsystem-for-linux-wsl). -- [Add actions for noncompliant devices](actions-for-noncompliance.md) and [use scope tags to filter policies](../fundamentals/scope-tags.md). -- [Monitor your compliance policies](compliance-policy-monitor.md). 
-- For WSL troubleshooting help, see [Windows Subsystem for Linux](/windows/wsl/troubleshooting). +- [Create a compliance policy](create-compliance-policy.md#create-the-policy), and set the **Platform** to **Windows 10 and later**. For more information about the compliance settings for Windows Subsystem for Linux, see [Windows Subsystem for Linux](compliance-policy-create-windows.md#windows-subsystem-for-linux-wsl). + +- [Add actions for noncompliant devices](actions-for-noncompliance.md) and [use scope tags to filter policies](../fundamentals/scope-tags.md). + +- [Monitor your compliance policies](compliance-policy-monitor.md). + +- For troubleshooting help, see [Troubleshooting Windows Subsystem for Linux](/windows/wsl/troubleshooting). From 8452df2d26e10b7995376c8dc1336a8adebbb288 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Thu, 14 Nov 2024 22:46:13 +0000 Subject: [PATCH 11/33] Update compliance-policy-create-windows.md Style edits --- .../compliance-policy-create-windows.md | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/memdocs/intune/protect/compliance-policy-create-windows.md b/memdocs/intune/protect/compliance-policy-create-windows.md index f1b96673c52..32a36401240 100644 --- a/memdocs/intune/protect/compliance-policy-create-windows.md +++ b/memdocs/intune/protect/compliance-policy-create-windows.md @@ -7,7 +7,7 @@ keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 6/18/2024 +ms.date: 11/19/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: protect 
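Review bot: in **Limitations**, the second bullet still says "`etc/os-release` directory"; it is the `/etc/os-release` file and needs the leading slash, otherwise readers checking a custom image will look for the wrong thing. Step 19 has a typo, "asssign". The section intro now says "Intune WSL plugin" while the headings and the rest of the article say "plug-in"; pick one spelling. The note's `*Built-in WSL Compliance-< compliance policy id >*` still has the spaced angle brackets; put the placeholder in code font or escape it so it renders predictably.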
@@ -279,18 +279,19 @@ For additional information on Microsoft Defender for Endpoint integration in con To set up Microsoft Defender for Endpoint as your defense threat service, see [Enable Microsoft Defender for Endpoint with Conditional Access](advanced-threat-protection.md). -## Windows Subsystem for Linux (WSL) +## Windows Subsystem for Linux -These settings require the Intune WSL plug-in. For additional information, see [Evaluate compliance for Windows Subsystem for Linux](compliance-wsl.md). +The settings in this section require the Windows Subsystem for Linux (WSL) plug-in. For more information, see [Evaluate compliance for Windows Subsystem for Linux](compliance-wsl.md). + +For **Allowed Linux distributions and versions**, enter at least one Linux distribution name. Optionally, enter a minimum or maximum OS version. -- **Allowed Linux distributions and versions** - Specify at least one Linux distribution name and optionally, a minimum or maximum OS version. > [!NOTE] - > The provided distribution names and versions affect the compliance policy as follows: - > - If no distribution is listed, all distributions are allowed (default). - > - If only distribution names are provided, any installed version of that distribution are allowed. - > - If a distribution name and a minimum OS version are provided, installed distributions with the provided name and at least the provided version number or higher are allowed. - > - If a distribution name and a maximum OS version are provided, installed distributions with the provided name and up to the provided version number are allowed. - > - If a distribution name, a minimum OS version and a maximum OS version are provided, installed distributions and OS version numbers within the provided range are allowed. + > The distribution names and versions you enter affect the compliance policy in the following ways: + > - If no distribution is provided, all distributions are allowed. This is the default behavior. 
+ > - If only distribution names are provided, all installed versions of that distribution are allowed. + > - If a distribution name and a minimum OS version are provided, all installed distributions with the provided name and minimum version or later are allowed. + > - If a distribution name and a maximum OS version are provided, all installed distributions with the provided name and maximum version or earlier are allowed. + > - If a distribution name, a minimum OS version, and a maximum OS version are provided, all installed distributions and OS versions within the provided range are allowed. ## Windows Holographic for Business From 1d87a3b1a7ee4e0c7ca920f2315174c445f6c15a Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Thu, 14 Nov 2024 14:52:45 -0800 Subject: [PATCH 12/33] first draft --- memdocs/analytics/data-platform-schema.md | 51 +++++- .../configuration/properties-catalog.md | 156 ++++++++++++++++++ 2 files changed, 203 insertions(+), 4 deletions(-) create mode 100644 memdocs/intune/configuration/properties-catalog.md diff --git a/memdocs/analytics/data-platform-schema.md b/memdocs/analytics/data-platform-schema.md index 86e4d6a2da9..83a0bcc9a00 100644 --- a/memdocs/analytics/data-platform-schema.md +++ b/memdocs/analytics/data-platform-schema.md @@ -7,7 +7,7 @@ keywords: ms.author: smbhardwaj author: smritib17 manager: dougeby -ms.date: 02/01/2024 +ms.date: 11/14/2024 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: fundamentals 
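Review bot: the intro now calls the requirement "the Windows Subsystem for Linux (WSL) plug-in", but the linked article and the rest of this series call it the "Intune WSL plug-in"; keep the name consistent so readers can find the download. More importantly, neither the old nor the new text says how a distribution name is matched: exact or substring, case sensitivity, and which field of `/etc/os-release` it is compared against (the companion article says evaluation depends on that file). A compliance policy keyed on a free-text name needs that rule stated, otherwise an admin cannot predict whether, for example, "Ubuntu" matches a distribution registered as "Ubuntu-22.04".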
@@ -33,9 +33,7 @@ ms.collection: *Applies to: Microsoft Intune* -This article goes over the properties supported in the Intune Data Platform. - -Device query allows you to quickly assess the state of devices in your environment and take action. When you enter a query on a selected device, Device query runs a query in real time. The data returned can then be filtered, grouped, and refined to answer business questions, troubleshoot issues in your environment, or respond to security threats. +This article goes over the properties supported in the Intune Data Platform. The Intune Data Platform can be accessed via Device query for single devices, Inventory, and Device query for Multiple Devices. Each table (entity) in this page lists the types of queries that are supported. 
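Review bot: the replacement intro drops the only sentence that explained what Device query does and leaves a list of access paths with inconsistent capitalization ("Device query for single devices" versus "Device query for Multiple Devices"); use one form and link each feature. Also "Each table (entity) in this page" should be "on this page", and the sentence should define what a table's "Supported Features" value means, since the new entity sections added below depend on that field.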
@@ -418,4 +416,49 @@ possible value:CRITICAL\_ERROR,ERROR,WARNING,INFORMATION,VERBOSE | | ServiceDescription | string (max 256 characters) | Service Description | | WindowsUserAccount | string (max 256 characters) | The name of the account that the service process is logged on as when it runs. This name can be of the form Domain\UserName | +## Battery + +**Description**: Provides details about battery and battery health + +**Supported Features**: Inventory + +**Supported Platforms**: Windows + +| **Property** | **Type** | **Description** | +| --- | --- | --- | +| CycleCount | Long | The number of times a battery has gone through a full charge and discharge. Can be used to assess the battery state| +| DesignCapacity | Long (milliwatt hours) | The theoretical capacity of the battery when new.| +| FullChargedCapacity | Long (milliwatt hours) | Full charge capacity of the battery.| +| InstanceName| String | Name used to identify the battery instance.| +| Manufacturer| String | Manufacturer of the battery.| +| Model| String | Display name of the battery.| +| SerialNumber| String | Battery serial number that is assigned by the manufacturer.| + +#### NetworkAdapter +- **Description**: Provide basic network adapter information +- **Supported Features**: Inventory +- **Supported Platforms**: Windows +- **Property**: Type, Description + - Identifier: String, Unique identifier of the adapter from other devices on the system + - Manufacturer: String, Name of the network adapters manufacturer + - Type: String, Network medium in use + +#### Time +- **Description**: Provides basic time information +- **Supported Features**: Inventory +- **Supported Platforms**: Windows +- **Property**: Type, Description + - TimeZone: String, Describes the time zone the device is in + +#### VideoController +- **Description**: Provides video controller and graphics information +- **Supported Features**: Inventory +- **Supported Platforms**: Windows +- **Property**: Type, Description + - 
AdapterDacType: String, Name or identifier of the digital-to-analog converter (DAC) chip. The character set of this property is alphanumeric. + - AdapterRam: Long, Memory size of the video adapter + - CurrentScanMode: String, Current scan mode + - GraphicsModel: String, Provides manufacturer and model information of graphics card + - Identifier: String, Identifier (unique to the computer system) for this video controller. + - VideoModeDescription: String, Current resolution, color, and scan mode settings of the video controller. diff --git a/memdocs/intune/configuration/properties-catalog.md b/memdocs/intune/configuration/properties-catalog.md new file mode 100644 index 00000000000..15534301346 --- /dev/null +++ b/memdocs/intune/configuration/properties-catalog.md 
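Review bot: the four new entity sections are formatted inconsistently with each other and with the rest of the file. **Battery** uses a `##` heading and a property table like the existing entities (see the `ServiceDescription` and `WindowsUserAccount` rows in the context), while **NetworkAdapter**, **Time** and **VideoController** use `####` headings and a bulleted "Property: Type, Description" list; convert the three to the same `##` heading plus table layout. Also "Provide basic network adapter information" should read "Provides", the NetworkAdapter `Identifier` description "Unique identifier of the adapter from other devices on the system" is unclear (presumably "unique among the adapters on the system"), and the Battery table puts the unit in the type column ("Long (milliwatt hours)"); move the unit into the description so the type column stays a type.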
@@ -0,0 +1,156 @@ +--- +# required metadata + +title: Properties catalog in Microsoft Intune +description: Configure device configuration policy to manage Delivery Optimization settings on Windows devices you manage with Intune. +keywords: +author: smbhardwaj +ms.author: smbhardwaj +manager: dougeby +ms.date: 11/14/2024 +ms.topic: how-to +ms.service: microsoft-intune +ms.subservice: configuration +ms.localizationpriority: high +# optional metadata + +#ROBOTS: +#audience: + +ms.suite: ems +#ms.tgt_pltfrm: +ms.custom: intune-azure +ms.collection: +- tier2 +- M365-identity-device-management +ms.reviewer: abbystarr +--- +# Properties catalog in Microsoft Intune + +## Device inventory + +With Intune, you can use Device inventory to collect and view additional hardware properties from your managed devices to help you better understand the state of your devices and make business decisions. + +This article describes how to configure Device Inventory settings as part of an Intune device configuration profile. After you create a profile, you then assign or deploy that profile to your Windows devices. + +This feature applies to: + +Windows 11 +Windows 10 + +## Prerequisites + +- To use Inventory, devices must be corporate owned, Intune managed (includes co-managed), and Entra joined. +- For a user to configure a policy to start collecting inventory data from devices, they must have the Device Configurations **Create** permission. +- For a user to view collected data about devices, they must have the Managed Devices **Read** permission. + +## Supported platforms + +Inventory is currently only supported on devices running Windows 10 and later. 
Inventory is only supported on the following minimum Windows versions: + +- Windows 11, version 23H2 (22631.2506 or later) with KB5031455 +- Windows 11, version 22H2 (22621.2215 or later) with KB5029351 +- Windows 11, version 21H2 (22000.2713 or later) with KB5034121 +- Windows 10, version 22H2 (19045.3393 or later) with KB5030211 +- Windows 10, version 21H2 (19044.3393 or later) with KB5030211 + +## How to use + +To configure Inventory collection, create a new **Properties Catalog** profile in the Intune admin center. This profile allows you to select which properties you would like to collect from your devices. After the profile is created, you can apply the profile to specific devices in the selected groups. + +### Create the profile + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +2. Select **Devices** > **Manage devices** > **Configuration** > **Create** > **New Policy**. + +3. Enter the following properties: + + - **Platform**: Select **Windows 10 and later**. + - **Profile type**: Select **Properties catalog**. + +4. Select **Create**. + +5. In **Basics**, enter the following properties: + + - **Name**: Enter a descriptive name for the new profile. + - **Description**: Enter a description for the profile. This setting is optional, but recommended. + +6. Select **Next**. + +7. Select **Add properties**.Expand out categories to view individual properties and then select which properties you would like to collect from the Properties Picker. + + When you're done, select **Next**. + +8. On the **Scope (Tags)** page, select **Select scope tags** to open the *Select tags* pane to assign scope tags to the profile. + + Select **Next** to continue. + +9. On the **Assignments** page, select the groups that receive this profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md). + + Select **Next**. + +10. 
On the **Applicability Rules** page, use the **Rule**, **Property**, and **Value** options to define how this profile applies within assigned groups. + +11. On the **Review + create** page, when you're done, choose **Create**. The profile is created and is shown in the list. + +The next time each device checks in, the policy is applied. + +### View collected data + +To view collected inventory information, navigate to **Devices** > **Windows Devices** and select a device. +Under **Monitor** select **Resource Explorer**. Choose a category to view hardware information that was configured to be collected. +After a device syncs with Intune, it can take up to 24 hours for initial harvesting of inventory data. + +### Required Properties + +Certain **required** properties are automatically collected when you collect any properties in that category. +The following properties are required: + +- **Battery**: Instance Name +- **Bios Info**: Bios Name, Software Element ID, Software Element State, Target Operating System +- **Cpu**: Processor Id +- **Disk Drive**: Drive Id +- **Encryptable Volume**: Volume Id +- **Logical Drive**: Drive Identifier +- **Network Adapter**: Identifier +- **System Enclosure**: Serial Number +- **Video Controller**: Identifier +- **Windows Qfe**: Hot Fix Id + +## Known Limitations + +Collection of properties can only be stopped (deleted) at the category level. To stop collecting properties, navigate to the **Properties catalog** profile, and remove collection for every property in a particular category. + +## Supported Properties + +Inventory supports the following entities. To learn more about what properties are supported for each entity, see Intune Data Platform Schema. 
+ +- Battery +- Bios Info +- Cpu +- Disk Drive +- Encryptable Volume +- Logical Drive +- Memory Info +- Network Adapter +- Os Version +- System Enclosure +- Time +- Tpm +- Video Controller +- Windows Qfe + +## Frequently Asked Questions + +### Is this different than the Hardware tab for a device? + +Yes, the Hardware tab data and Resource Explorer data come from different places. We recommend using Inventory and Resource Explorer for the most up-to-date and comprehensive data about your devices. In the future, the Hardware tab will be fed by the same data as Resource Explorer. + +### I am using Co-management with Tenant Attach and I see two Resource Explorer nodes. Which one should I use? + +You will see a **Resource Explorer** tab for Intune collected data and a **Resource Explorer** tab for Configuration Manager collected data. Feel free to use the source that best fits your use case. In the future, we recommend using the Intune-based Resource Explorer. + +### How can I troubleshoot this feature? + +Client logs are available at `C:\Program Files\Microsoft Device Inventory Agent\Logs` and logs can also be collected via Collect MDM Diagnostics. \ No newline at end of file From 37dc5b96625879b77fc023369bbe04bd82b1e5b3 Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Thu, 14 Nov 2024 16:32:06 -0800 Subject: [PATCH 13/33] updated TOC --- memdocs/analytics/data-platform-schema.md | 137 +++++++++++++----- .../configuration/properties-catalog.md | 24 +-- memdocs/intune/toc.yml | 3 + 3 files changed, 113 insertions(+), 51 deletions(-) diff --git a/memdocs/analytics/data-platform-schema.md b/memdocs/analytics/data-platform-schema.md index 83a0bcc9a00..6a3d69e2841 100644 --- a/memdocs/analytics/data-platform-schema.md +++ b/memdocs/analytics/data-platform-schema.md 
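Review bot: The three entities added at the end of data-platform-schema.md (NetworkAdapter, Time, VideoController) use `####` headings and nested bullet lists (`- **Property**: Type, Description`), while the Battery section directly above them and every other entity in this file use `##` headings and a `| **Property** | **Type** | **Description** |` table; convert them to the same table format so the page renders consistently and the property names stay scannable. Also, the Battery CycleCount description ("Can be used to assess the battery state") is missing its trailing period, unlike the other rows.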
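Review bot: The front-matter `description` of the new properties-catalog.md ("Configure device configuration policy to manage Delivery Optimization settings on Windows devices...") looks copied from another article and does not describe this page; it should describe the Properties catalog profile and Device inventory. Two smaller points in the same file: step 7 has `**Add properties**.Expand` with no space after the period, and the Supported Properties section refers to "Intune Data Platform Schema" as plain text where the rest of the article links its references.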
@@ -41,7 +41,9 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Provides basic BIOS Information. -**Supported for**: Device query, single device on-demand. +**Supported platforms**: Windows + +**Supported for**: Device query, single device on-demand, Inventory. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -53,7 +55,10 @@ Each table (entity) in this page lists the types of queries that are supported. ## Certificate **Description**: Certificate Authorities installed in Keychains/ca-bundles. Only certificates for computers are returned. - **Supported for**: Device query, single device on-demand. + +**Supported platforms**: Windows + +**Supported for**: Device query, single device on-demand. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -76,7 +81,9 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Retrieves CPU hardware info on the machine. -**Supported for**: Device query, single device on-demand. +**Supported platforms**: Windows + +**Supported for**: Device query, single device on-demand, Inventory. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -98,7 +105,9 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Retrieves basic information about the physical disks of a system. -**Supported for**: Device query, single device on-demand. +**Supported platforms**: Windows + +**Supported for**: Device query, single device on-demand, Inventory. | **Property** | **Type** | **Description** | | --- | --- | --- | 
@@ -118,7 +127,9 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Retrieves encryptable volume status of the machine. -**Supported for**: Device query, single device on-demand +**Supported platforms**: Windows + +**Supported for**: Device query, single device on-demand, Inventory. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -134,6 +145,8 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Lists all file info of the passed file or files under the passed directory. +**Supported platforms**: Windows + **Supported for**: Device query, single device on-demand. > [!NOTE] @@ -159,6 +172,8 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Lists local user groups. +**Supported platforms**: Windows + **Supported for**: Device query, single device on-demand. | **Property** | **Type** | **Description** | @@ -171,6 +186,8 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Lists local user accounts. +**Supported platforms**: Windows + **Supported for**: Device query, single device on-demand. | **Property** | **Type** | **Description** | @@ -185,7 +202,9 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Details for logical drives on the system. A logical drive generally represents a single partition. -**Supported for**: Device query, single device on-demand. +**Supported platforms**: Windows + +**Supported for**: Device query, single device on-demand, Inventory. | **Property** | **Type** | **Description** | | --- | --- | --- | 
@@ -200,7 +219,10 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Memory Information. -**Supported for**: Device query, single device on-demand. +**Supported platforms**: Windows + +**Supported for**: Device query, single device on-demand, Inventory. +Note that PhysicalMemoryFreeBytes and VirtualMemoryFreeBytes properties are only supported for Device query, single device on-demand. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -213,7 +235,9 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: A single row containing the operating system name and version. -**Supported for**: Device query, single device on-demand, +**Supported platforms**: Windows + +**Supported for**: Device query, single device on-demand, Inventory. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -230,6 +254,8 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: All running processes on the host system. +**Supported platforms**: Windows + **Supported for**: Device query, single device on-demand. | **Property** | **Type** | **Description** | @@ -259,7 +285,9 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Displays information pertaining to the chassis and its security status. -**Supported for**: Device query, single device on-demand. +**Supported platforms**: Windows + +**Supported for**: Device query, single device on-demand, Inventory. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -281,6 +309,8 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: System information of the device. +**Supported platforms**: Windows + **Supported for**: Device query, single device on-demand. | **Property** | **Type** | **Description** | 
@@ -297,7 +327,9 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Provides TPM related information of the device. -**Supported for**: Device query, single device on-demand. +**Supported platforms**: Windows + +**Supported for**: Device query, single device on-demand, Inventory. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -315,6 +347,8 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Provides App Crash info in Windows event log file Application in look back time. +**Supported platforms**: Windows + **Supported for**: Device query, single device on-demand. | ReportId(Key) | string (max 256 characters) | Report ID of the App crash | @@ -329,6 +363,8 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Details for in-use Windows device drivers. This doesn't display installed but unused drivers. +**Supported platforms**: Windows + **Supported for**: Device query, single device on-demand. | **Property** | **Type** | **Description** | @@ -348,6 +384,8 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Get Windows Event logs in the specified log name and look back in time. +**Supported platforms**: Windows + **Supported for**: Device query, single device on-demand. > [!NOTE] @@ -367,7 +405,10 @@ possible value:CRITICAL\_ERROR,ERROR,WARNING,INFORMATION,VERBOSE | ## WindowsQfe **Description**: Information about security patches on the device. -**Supported for**: Device query, single device on-demand. + +**Supported platforms**: Windows + +**Supported for**: Device query, single device on-demand, Inventory. | Property | Type | Description | | --- | --- | --- | 
@@ -383,6 +424,8 @@ possible value:CRITICAL\_ERROR,ERROR,WARNING,INFORMATION,VERBOSE | **Description**: Lists registry under the passed registry key. +**Supported platforms**: Windows + **Supported for**: Device query, single device on-demand. > [!NOTE] @@ -399,6 +442,8 @@ possible value:CRITICAL\_ERROR,ERROR,WARNING,INFORMATION,VERBOSE | **Description**: Lists all installed Windows services and their relevant data. +**Supported platforms**: Windows + **Supported for**: Device query, single device on-demand. | **Property** | **Type** | **Description** | @@ -418,7 +463,7 @@ possible value:CRITICAL\_ERROR,ERROR,WARNING,INFORMATION,VERBOSE | ## Battery -**Description**: Provides details about battery and battery health +**Description**: Provides details about battery and battery health. **Supported Features**: Inventory 
@@ -434,31 +479,45 @@ possible value:CRITICAL\_ERROR,ERROR,WARNING,INFORMATION,VERBOSE | | Model| String | Display name of the battery.| | SerialNumber| String | Battery serial number that is assigned by the manufacturer.| -#### NetworkAdapter -- **Description**: Provide basic network adapter information -- **Supported Features**: Inventory -- **Supported Platforms**: Windows -- **Property**: Type, Description - - Identifier: String, Unique identifier of the adapter from other devices on the system - - Manufacturer: String, Name of the network adapters manufacturer - - Type: String, Network medium in use - -#### Time -- **Description**: Provides basic time information -- **Supported Features**: Inventory -- **Supported Platforms**: Windows -- **Property**: Type, Description - - TimeZone: String, Describes the time zone the device is in - -#### VideoController -- **Description**: Provides video controller and graphics information -- **Supported Features**: Inventory -- **Supported Platforms**: Windows -- **Property**: Type, Description - - AdapterDacType: String, Name or identifier of the digital-to-analog converter (DAC) chip. The character set of this property is alphanumeric. - - AdapterRam: Long, Memory size of the video adapter - - CurrentScanMode: String, Current scan mode - - GraphicsModel: String, Provides manufacturer and model information of graphics card - - Identifier: String, Identifier (unique to the computer system) for this video controller. - - VideoModeDescription: String, Current resolution, color, and scan mode settings of the video controller. +## NetworkAdapter + +**Description**: Provides basic network adapter information. + +**Supported Features**: Inventory + +**Supported Platforms**: Windows + +| **Property** | **Type** | **Description** | +| --- | --- | --- | +| Identifier | String | Unique identifier of the adapter from other devices on the system. | +| Manufacturer | String | Name of the network adapter's manufacturer. 
| +| Type | String | Network medium in use. | + +## Time + +**Description**: Provides basic time information. + +**Supported Features**: Inventory + +**Supported Platforms**: Windows + +| **Property** | **Type** | **Description** | +| --- | --- | --- | +| TimeZone | String | Describes the device's time zone. | + +## VideoController +**Description**: Provides video controller and graphics information. + +**Supported Features**: Inventory + +**Supported Platforms**: Windows + +| **Property** | **Type** | **Description** | +| --- | --- | --- | +| AdapterDacType | String | Name or identifier of the digital-to-analog converter (DAC) chip. The character set of this property is alphanumeric. | +| AdapterRam | Long | Memory size of the video adapter. | +| CurrentScanMode | String | Current scan mode. | +| GraphicsModel | String | Provides manufacturer and model information of graphics card. | +| Identifier | String | Identifier (unique to the computer system) for this video controller. | +| VideoModeDescription | String | Current resolution, color, and scan mode settings of the video controller. | diff --git a/memdocs/intune/configuration/properties-catalog.md b/memdocs/intune/configuration/properties-catalog.md index 15534301346..8aa8b7b0996 100644 --- a/memdocs/intune/configuration/properties-catalog.md +++ b/memdocs/intune/configuration/properties-catalog.md 
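Review bot: In the MemoryInfo hunk (`@@ -200,7 +219,10`) the sentence "Note that PhysicalMemoryFreeBytes and VirtualMemoryFreeBytes properties are only supported for Device query, single device on-demand." is placed directly under the **Supported for** line with no blank line, so it renders as part of that paragraph. This file uses `> [!NOTE]` callouts for caveats of this kind (see the File and WindowsEvent entities in the same diff), so move it into one and separate it with a blank line.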
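Review bot: In the last hunk of data-platform-schema.md, `## VideoController` is missing the blank line before `**Description**` that the NetworkAdapter and Time sections (and the rest of the file) have. The NetworkAdapter Identifier description, "Unique identifier of the adapter from other devices on the system.", reads awkwardly; suggest "Identifier that distinguishes this adapter from other devices on the system."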
@@ -29,7 +29,7 @@ ms.reviewer: abbystarr ## Device inventory -With Intune, you can use Device inventory to collect and view additional hardware properties from your managed devices to help you better understand the state of your devices and make business decisions. +With Intune, you can use Device inventory to collect and view more hardware properties from your managed devices to help you better understand the state of your devices and make business decisions. This article describes how to configure Device Inventory settings as part of an Intune device configuration profile. After you create a profile, you then assign or deploy that profile to your Windows devices. @@ -40,7 +40,7 @@ Windows 10 ## Prerequisites -- To use Inventory, devices must be corporate owned, Intune managed (includes co-managed), and Entra joined. +- To use Inventory, devices must be corporate owned, Intune managed (includes co-managed), and Microsoft Entra joined. - For a user to configure a policy to start collecting inventory data from devices, they must have the Device Configurations **Create** permission. - For a user to view collected data about devices, they must have the Managed Devices **Read** permission. @@ -99,7 +99,7 @@ The next time each device checks in, the policy is applied. ### View collected data To view collected inventory information, navigate to **Devices** > **Windows Devices** and select a device. -Under **Monitor** select **Resource Explorer**. Choose a category to view hardware information that was configured to be collected. +Under **Monitor** select **Resource Explorer**. Choose a category to view hardware information. After a device syncs with Intune, it can take up to 24 hours for initial harvesting of inventory data. ### Required Properties 
@@ -109,14 +109,14 @@ The following properties are required: - **Battery**: Instance Name - **Bios Info**: Bios Name, Software Element ID, Software Element State, Target Operating System -- **Cpu**: Processor Id -- **Disk Drive**: Drive Id -- **Encryptable Volume**: Volume Id +- **Cpu**: Processor ID +- **Disk Drive**: Drive ID +- **Encryptable Volume**: Volume ID - **Logical Drive**: Drive Identifier - **Network Adapter**: Identifier - **System Enclosure**: Serial Number - **Video Controller**: Identifier -- **Windows Qfe**: Hot Fix Id +- **Windows Qfe**: Hot Fix ID ## Known Limitations @@ -124,7 +124,7 @@ Collection of properties can only be stopped (deleted) at the category level. To ## Supported Properties -Inventory supports the following entities. To learn more about what properties are supported for each entity, see Intune Data Platform Schema. +Inventory supports the following entities. To learn more about what properties are supported for each entity, see [Intune Data Platform Schema](../../analytics/data-platform-schema.md). - Battery - Bios Info 
@@ -143,13 +143,13 @@ Inventory supports the following entities. To learn more about what properties a ## Frequently Asked Questions -### Is this different than the Hardware tab for a device? +### Is Resource Explorer different than the Hardware tab for a device? -Yes, the Hardware tab data and Resource Explorer data come from different places. We recommend using Inventory and Resource Explorer for the most up-to-date and comprehensive data about your devices. In the future, the Hardware tab will be fed by the same data as Resource Explorer. +Yes, the **Hardware** tab data and **Resource Explorer** data come from different places. We recommend using Inventory and Resource Explorer for the most up-to-date and comprehensive data about your devices. In the future, the data source for **Hardware** tab and the Resource Explorer will be the same. -### I am using Co-management with Tenant Attach and I see two Resource Explorer nodes. Which one should I use? +### I'm using Co-management with Tenant Attach and I see two Resource Explorer nodes. Which one should I use? -You will see a **Resource Explorer** tab for Intune collected data and a **Resource Explorer** tab for Configuration Manager collected data. Feel free to use the source that best fits your use case. In the future, we recommend using the Intune-based Resource Explorer. +You'll see a **Resource Explorer** tab for Intune collected data and a **Resource Explorer** tab for Configuration Manager collected data. Feel free to use the source that best fits your use case. In the future, we recommend using the Intune-based Resource Explorer. ### How can I troubleshoot this feature? diff --git a/memdocs/intune/toc.yml b/memdocs/intune/toc.yml index 40b23352f01..ed77190cb90 100644 --- a/memdocs/intune/toc.yml +++ b/memdocs/intune/toc.yml 
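Review bot: In the View collected data hunk (`@@ -99,7 +99,7`), trimming "Choose a category to view hardware information that was configured to be collected." to "Choose a category to view hardware information." loses the point that Resource Explorer only shows data for categories selected in the Properties catalog profile; keep a shorter form that preserves it, for example "Choose a category to view the hardware information collected by the profile."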
@@ -1168,6 +1168,9 @@ items: - name: Universal Print policy displayName: printers, gpo, admx, windows href: ./configuration/settings-catalog-printer-provisioning.md + - name: Properties catalog + displayName: windows + href: ./configuration/properties-catalog.md - name: Custom settings & scripts items: - name: Create custom profiles From b6529449359f00ed32d1b0577d3868deeaab9151 Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Thu, 14 Nov 2024 16:39:59 -0800 Subject: [PATCH 14/33] updated description --- memdocs/intune/configuration/properties-catalog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/configuration/properties-catalog.md b/memdocs/intune/configuration/properties-catalog.md index 8aa8b7b0996..57f4742ff41 100644 --- a/memdocs/intune/configuration/properties-catalog.md +++ b/memdocs/intune/configuration/properties-catalog.md @@ -2,7 +2,7 @@ # required metadata title: Properties catalog in Microsoft Intune -description: Configure device configuration policy to manage Delivery Optimization settings on Windows devices you manage with Intune. +description: Configure Properties catalog policy to manage Device Inventory settings on Windows devices you manage with Intune. keywords: author: smbhardwaj ms.author: smbhardwaj From 57bac6d71b91e42338424c75346b7f0728e89893 Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Thu, 14 Nov 2024 16:43:28 -0800 Subject: [PATCH 15/33] Fixed alignment --- memdocs/intune/configuration/properties-catalog.md | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/configuration/properties-catalog.md b/memdocs/intune/configuration/properties-catalog.md index 57f4742ff41..70b0c358afa 100644 --- a/memdocs/intune/configuration/properties-catalog.md +++ b/memdocs/intune/configuration/properties-catalog.md 
@@ -36,12 +36,15 @@ This article describes how to configure Device Inventory settings as part of an This feature applies to: Windows 11 + Windows 10 ## Prerequisites - To use Inventory, devices must be corporate owned, Intune managed (includes co-managed), and Microsoft Entra joined. + - For a user to configure a policy to start collecting inventory data from devices, they must have the Device Configurations **Create** permission. + - For a user to view collected data about devices, they must have the Managed Devices **Read** permission. ## Supported platforms @@ -56,7 +59,9 @@ Inventory is currently only supported on devices running Windows 10 and later. I ## How to use -To configure Inventory collection, create a new **Properties Catalog** profile in the Intune admin center. This profile allows you to select which properties you would like to collect from your devices. After the profile is created, you can apply the profile to specific devices in the selected groups. +To configure Inventory collection, create a new **Properties Catalog** profile in the Intune admin center. This profile allows you to select which properties you would like to collect from your devices. + +After the profile is created, you can apply the profile to specific devices in the selected groups. ### Create the profile @@ -99,12 +104,15 @@ The next time each device checks in, the policy is applied. ### View collected data To view collected inventory information, navigate to **Devices** > **Windows Devices** and select a device. + Under **Monitor** select **Resource Explorer**. Choose a category to view hardware information. + After a device syncs with Intune, it can take up to 24 hours for initial harvesting of inventory data. ### Required Properties Certain **required** properties are automatically collected when you collect any properties in that category. + The following properties are required: - **Battery**: Instance Name 
@@ -120,7 +128,9 @@ The following properties are required: ## Known Limitations -Collection of properties can only be stopped (deleted) at the category level. To stop collecting properties, navigate to the **Properties catalog** profile, and remove collection for every property in a particular category. +Collection of properties can only be stopped (deleted) at the category level. + +To stop collecting properties, navigate to the **Properties catalog** profile, and remove collection for every property in a particular category. ## Supported Properties From 61439618c1757b2972a307ae639bfd77807a0de5 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Fri, 15 Nov 2024 21:22:24 +0000 Subject: [PATCH 16/33] Update compliance-wsl.md PM edits, acrolinx --- memdocs/intune/protect/compliance-wsl.md | 40 +++++++++++++----------- 1 file changed, 22 insertions(+), 18 deletions(-) diff --git a/memdocs/intune/protect/compliance-wsl.md b/memdocs/intune/protect/compliance-wsl.md index 7816ad9bd25..074b55cc699 100644 --- a/memdocs/intune/protect/compliance-wsl.md +++ b/memdocs/intune/protect/compliance-wsl.md 
@@ -45,25 +45,25 @@ This article describes how to set up compliance checks for WSL. To create your compliance policy with WSL settings, you must meet these requirements: -- Install the [Intune WSL plug-in](https://go.microsoft.com/fwlink/?linkid=2296896) for compliance evaluation. +- The [Intune WSL plugin](https://go.microsoft.com/fwlink/?linkid=2296896) must be installed for compliance evaluation. -- Install the Microsoft Intune management extension on the target device. The management extension automatically installs on devices that meet the following conditions: +- The Microsoft Intune management extension must be installed on the target device. Make sure devices meet one of the following conditions so that the management extension can install: - - A PowerShell script or a proactive remediation is assigned to the user or device. - - A Win32 app or Microsoft Store app has been deployed to the user or device. - - A custom compliance policy is assigned to the user or device. -- Configure Windows custom compliance settings and WSL compliance settings in separate compliance policies. + - Assign a PowerShell script or a proactive remediation to the user or device. + - Deploy a Win32 app or Microsoft Store app to the user or device. + - Assign a custom compliance policy to the user or device. + ## Before you begin Unassign and remove existing custom compliance policies for WSL. Then review the [limitations](#limitations) with WSL settings in compliance policies so that you know what to expect. -## Add Intune WSL plug-in as a Win32 app +## Add Intune WSL plugin as a Win32 app -Create a Win32 app policy for the [Intune WSL plug-in](https://github.com/microsoft/shell-intune-samples/blame/master/Linux/WSL/IntuneWSLPluginInstaller/IntuneWSLPluginInstaller.msi), and assign it to the target Microsoft Entra group. 
+Create a Win32 app policy for the [Intune WSL plugin](https://github.com/microsoft/shell-intune-samples/blame/master/Linux/WSL/IntuneWSLPluginInstaller/IntuneWSLPluginInstaller.msi), and assign it to the target Microsoft Entra group. -1. Use the [Microsoft Win32 Content Prep Tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) to convert the Intune WSL plug-in to the *.intunewin* format. For more information, see [Convert the Win32 app content](../apps/apps-win32-prepare.md#convert-the-win32-app-content). +1. Use the [Microsoft Win32 Content Prep Tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) to convert the Intune WSL plugin to the *.intunewin* format. For more information, see [Convert the Win32 app content](../apps/apps-win32-prepare.md#convert-the-win32-app-content). -2. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) as at least a . +2. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) as at least an Intune administrator. 3. Go to **Apps** > **All apps** > **Add**. 
@@ -73,25 +73,27 @@ Create a Win32 app policy for the [Intune WSL plug-in](https://github.com/micros 6. Choose **Select app package file**. -7. Select the **Folder** button and browse your files for the app package file. Upload the Intune WSL plug-in installation file with the `.intunewin` extension. +7. Select the **Folder** button and browse your files for the app package file. Upload the Intune WSL plugin installation file with the *.intunewin* extension. 8. Select **OK** to continue. 9. Enter the following app information: - - **Select file**: The app package file you selected in the previous step appears here. Select the file to upload a different installation package file for the Intune WSL plug-in. + - **Select file**: The app package file you selected in the previous step appears here. Select the file to upload a different installation package file for the Intune WSL plugin. - **Name**: Enter **Intune WSL Plugin**. - **Description**: Select **Edit Description** to enter a description for the app. For example, you can describe its purpose or how your organization plans to use it. This setting is optional but recommended. - **Publisher**: Enter **Microsoft Intune**. 10. Select **Next** to go to **Program**. -11. Review the settings that are prepopulated so that you are familiar with how the app behaves. You shouldn't need to change any of these settings. +11. Review the settings that are prepopulated so that you're familiar with how the app behaves. Leave the settings as-is. 12. Select **Next** to go to **Requirements**. + 13. Enter the requirements devices must meet to install the app. 14. Select **Next** to go to **Detection rules**. -15. Review the detection rules that are prepopulated. These rules are app-specific and detect the presence of the app. You shouldn't need to change any of these settings. + +15. Review the detection rules that are prepopulated. These rules are app-specific and detect the presence of the app. Leave the settings as-is. 16. 
Select **Next** to go to **Dependencies**. Leave the settings as-is. @@ -99,7 +101,7 @@ Create a Win32 app policy for the [Intune WSL plug-in](https://github.com/micros 18. Select **Next** to go to **Assignments**. -19. To asssign the policy, add Microsoft Entra users under **Required**. +19. To assign the policy, add Microsoft Entra users under **Required**. 20. Select **Next** to go to **Review + create**. 
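Review bot: step 19 (`To assign the policy, add Microsoft Entra users under **Required**.`) contradicts the procedure's opening sentence, which says to assign the policy to the target Microsoft Entra group; use the group wording here so the plugin's Required assignment and the compliance policy referenced under Next steps can target the same population, otherwise devices can be evaluated for WSL compliance without the plugin that evaluation depends on ever being installed. The `asssign` typo fix is fine.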
@@ -112,13 +114,15 @@ Create a Win32 app policy for the [Intune WSL plug-in](https://github.com/micros This section describes the known limitations with using the Intune WSL plugin for compliance evaluation. -- Compliance evaluation requires the installed Linux distributions in WSL to have run at least once. -- Compliance evaluation is not guaranteed to function as expected on custom Linux images or Linux images without `etc/os-release` directory. +- Compliance evaluation requires the installed Linux distributions in WSL to run at least once before it works. If you install a Linux distribution with the `--no-launch` [command for WSL](/windows/wsl/basic-commands), the compliance evaluation won't work. + +- Compliance evaluation might not function as expected on custom Linux images or Linux images without the `etc/os-release` directory. + - Even with the Intune WSL plugin, it's possible for malicious software or user actions to compromise the compliance evaluation mechanism. ## Next steps -- [Create a compliance policy](create-compliance-policy.md#create-the-policy), and set the **Platform** to **Windows 10 and later**. For more information about the compliance settings for Windows Subsystem for Linux, see [Windows Subsystem for Linux](compliance-policy-create-windows.md#windows-subsystem-for-linux-wsl). +- [Create a compliance policy](create-compliance-policy.md#create-the-policy), and set the **Platform** to **Windows 10 and later**. For more information about the compliance settings for Windows Subsystem for Linux, see [Windows Subsystem for Linux](compliance-policy-create-windows.md#windows-subsystem-for-linux). - [Add actions for noncompliant devices](actions-for-noncompliance.md) and [use scope tags to filter policies](../fundamentals/scope-tags.md). From 32614c761348d31aa2826e27c8c00a0de33f8e95 Mon Sep 17 00:00:00 2001 
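Review bot: the bullet `Compliance evaluation might not function as expected on custom Linux images or Linux images without the `etc/os-release` directory.` has two defects: `/etc/os-release` is a file, not a directory, and the path is missing its leading slash, so write `the /etc/os-release file`. The new `--no-launch` sentence is a useful detail, but `requires ... to run at least once before it works` should also say what clears the condition (launch the distribution once), since as written it reads as though evaluation eventually starts working on its own. The last bullet, that malicious software or user actions can compromise the evaluation mechanism, is the most important caveat on the page and should be tied to the os-release bullet above it: the evaluation relies on what the distribution reports about itself, so a WSL compliance result should not be the only control an admin relies on. Also confirm that the retargeted link `compliance-policy-create-windows.md#windows-subsystem-for-linux` matches the heading anchor in that file, since the old anchor ended in `-wsl`.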
From: Laura Newsad Date: Fri, 15 Nov 2024 21:33:09 +0000 Subject: [PATCH 17/33] Update compliance-wsl.md Acrolinx --- memdocs/intune/protect/compliance-wsl.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/protect/compliance-wsl.md b/memdocs/intune/protect/compliance-wsl.md index 074b55cc699..7a11980e098 100644 --- a/memdocs/intune/protect/compliance-wsl.md +++ b/memdocs/intune/protect/compliance-wsl.md @@ -114,7 +114,7 @@ Create a Win32 app policy for the [Intune WSL plugin](https://github.com/microso This section describes the known limitations with using the Intune WSL plugin for compliance evaluation. -- Compliance evaluation requires the installed Linux distributions in WSL to run at least once before it works. If you install a Linux distribution with the `--no-launch` [command for WSL](/windows/wsl/basic-commands), the compliance evaluation won't work. +- Compliance evaluation requires the installed Linux distributions in WSL to run at least one time before it works. If you install a Linux distribution with the `--no-launch` [command for WSL](/windows/wsl/basic-commands), the compliance evaluation won't work. - Compliance evaluation might not function as expected on custom Linux images or Linux images without the `etc/os-release` directory. From bab7d1e16ffa87035a9fb06155b5e2099033061e Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Mon, 18 Nov 2024 09:58:37 -0500 Subject: [PATCH 18/33] Update wired-network-settings-macos.md Added deployment channel setting for 2411 --- .../configuration/wired-network-settings-macos.md | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/memdocs/intune/configuration/wired-network-settings-macos.md b/memdocs/intune/configuration/wired-network-settings-macos.md index 5b83fc6d797..4ecac5d9816 100644 --- a/memdocs/intune/configuration/wired-network-settings-macos.md +++ b/memdocs/intune/configuration/wired-network-settings-macos.md 
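Review bot: the Acrolinx rewording (`at least once` to `at least one time`) edits the first limitation bullet but leaves the adjacent context line still calling `etc/os-release` a directory; it is a file at `/etc/os-release`, and since this patch is already in that list, correct it in the same pass.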
@@ -8,7 +8,7 @@ keywords: author: MandiOhlinger ms.author: mandia manager: dougeby -ms.date: 06/25/2024 +ms.date: 11/19/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: configuration @@ -39,13 +39,13 @@ This feature applies to: - macOS -This article describes the settings you can configure. +This article describes the settings you can configure. ## Before you begin - Create a [macOS wired network device configuration profile](wired-networks-configure.md). -- These settings are available for all enrollment types. For more information on the enrollment types, go to [macOS enrollment](../enrollment/macos-enroll.md). +- These settings are available for all enrollment types. For more information on the enrollment types, go to [macOS enrollment](../enrollment/macos-enroll.md). ## Wired Network 
@@ -61,6 +61,12 @@ This article describes the settings you can configure. Options with "active" in the title use interfaces that are actively working on the device. If there are no active interfaces, the next interface in service-order priority is configured. By default, **First active Ethernet** is selected, which is also the default setting configured by macOS. +- **Deployment channel**: Select how you want to deploy the profile. This setting also determines the keychain where the authentication certificates are stored, so it's important to select the proper channel. It's not possible to edit the deployment channel after you deploy the profile. + + You have two options: + - **User channel**: Always select the user deployment channel in profiles with user certificates. This option stores certificates in the user keychain. + - **Device channel**: Always select the device deployment channel in profiles with device certificates. This option stores certificates in the device keychain. + - **EAP type**: To authenticate secured wired connections, select the Extensible Authentication Protocol (EAP) type. Your options: - **EAP-FAST**: Enter the **Protected Access Credential (PAC) Settings**. This option uses protected access credentials to create an authenticated tunnel between the client and the authentication server. Your options: 
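Review bot: the new **Deployment channel** block does not say which channel is selected by default, and because the same paragraph says the channel cannot be edited after the profile is deployed, an admin who accepts the default without reading it is locked into that choice; state the default and say what an admin who chose the wrong channel must do instead of editing. The reason behind the two `Always select ...` rules (which keychain the certificate lands in and therefore who on the Mac can use it) only appears later in the **Certificates** bullet; repeat a one-line version of it here, where the choice is actually made, so the reader does not pick a channel before seeing why it matters.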
@@ -87,7 +93,7 @@ This article describes the settings you can configure. - **Challenge Handshake Authentication Protocol (CHAP)** - **Microsoft CHAP (MS-CHAP)** - **Microsoft CHAP Version 2 (MS-CHAP v2)** - - **Certificates**: Select an existing SCEP client certificate profile that is also deployed to the device. This certificate is the identity presented by the device to the server to authenticate the connection. PKCS certificates aren't supported. + - **Certificates**: Select an existing SCEP client certificate profile that is also deployed to the device. This certificate is the identity presented by the device to the server to authenticate the connection. PKCS certificates aren't supported. Choose the certificate that aligns with your deployment channel selection. If you selected the user channel, your certificate options are limited to user certificate profiles. If you selected the device channel, you have both user and device certificate profiles to choose from, but we recommend always selecting the certificate type that aligns with the selected channel. Storing user certificates in the device keychain increases security risks. - **Identity privacy (outer identity)**: Enter the text sent in the response to an EAP identity request. This text can be any value, such as `anonymous`. During authentication, this anonymous identity is initially sent. Then, the real identification is sent in a secure tunnel. - **LEAP** From 711bdf081cc8c597b8cd6bc0f743b1e73ddaf28a Mon Sep 17 00:00:00 2001 From: Erik Reitan Date: Mon, 18 Nov 2024 14:51:38 -0800 Subject: [PATCH 19/33] erikre-rel2411-27157460a --- memdocs/intune/apps/apps-monitor.md | 56 ++++++++++++++++++++++++++--- 1 file changed, 52 insertions(+), 4 deletions(-) diff --git a/memdocs/intune/apps/apps-monitor.md b/memdocs/intune/apps/apps-monitor.md index 89ea6267ae6..d1d5caf882f 100644 --- a/memdocs/intune/apps/apps-monitor.md +++ b/memdocs/intune/apps/apps-monitor.md 
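Review bot: `Storing user certificates in the device keychain increases security risks.` at the end of the **Certificates** bullet names no risk; spell it out: an identity in the device keychain is device-wide and not tied to a user's login session, so a user certificate placed there can authenticate the wired connection for anyone who can use that Mac, whereas the user keychain is only available to the user it belongs to. Naming the risk also makes it clear why the bullet should steer admins away from the user-certificate-on-device-channel combination that the previous sentence says the picker allows, rather than merely not recommending it. Minor: `we recommend always selecting the certificate type that aligns with the selected channel` repeats `Choose the certificate that aligns with your deployment channel selection` two sentences earlier; one statement is enough.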
@@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 09/17/2024 +ms.date: 11/18/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: apps @@ -60,7 +60,7 @@ The **Essentials** section provides the following information about the app if a | **Operating system** | The app operating system (Windows, iOS/iPadOS, Android, and so on) | | **Version** | If applicable, the version number of the app | | **MAM SDK enabled** | If applicable, whether the app uses the Intune MAM SDK (**Yes** or **No**) | -| **Created** | The date and time when this revision was created **Note**: This date value is updated when an IT admin changes app metadata, such as changing the app category or app description. | +| **Created** | The date and time when this revision was created **Note**: This date value is updated when an admin changes app metadata, such as changing the app category or app description. | | **Assigned** | Whether the app has been assigned (**Yes** or **No**) | **App package file** | If applicable, the app package file name | @@ -74,7 +74,7 @@ The graphs show the number of apps for the following status: | **Not Installed** | The number of apps not installed | | **Failed** | The number of failed installations | | **Install Pending** | The number of apps that are in the process of being installed | -| **Not Applicable** | The number of apps for which status is not applicable | +| **Not Applicable** | The number of apps for which status isn't applicable | > [!NOTE] > Be aware that Android LOB apps (.APK) deployed as **Available with or without enrollment** only report app installation status for enrolled devices. App installation status is not available for devices that are not enrolled in Intune. 
@@ -108,7 +108,55 @@ A user status list is shown when you select **User install status** in the **Mon | **Failures** | The number of failed app installations for the user | | **Not installed** | The number of apps not installed by the user | +## App installation error reporting + +Additional error details are available for Line of Business (LOB) apps on Android Open Source Project (AOSP) devices. You can view installation error codes for LOB apps in Intune. + +### LOB apps on AOSP devices + +The following table provides addition installation error code details for LOB apps on AOSP devices: + +| Error code | Description | Retry automatically | Additional information | +|---|---|---|---| +| 0x87D54FB0 | The app couldn't be installed. The end user didn't allow it or didn't accept permissions. | Yes | Ask the end user to accept any installation request when prompted. | +| 0x87D54FB1 | The operating system couldn't install the app. | No | The Android system failed to install the app. | +| 0x87D54FB2 | The operating system blocked installation. | Yes | A device policy or the Android package verifier may have blocked the operation. | +| 0x87D54FB3 | Either the end user or the system stopped the installation. | Yes | The end user may have declined a permission request or is missing permissions. The OS might also block the APK for security reasons. For example, the APK could have been marked as "dangerous" by Google Play Protect. | +| 0x87D54FB4 | The app couldn't be installed. The app is corrupt or invalid. | No | The Android system detected the APK as being invalid. This error could have occurred for several reasons. For example, the APK isn't signed, or the package manifest is missing or is malformed. Upload a new APK. Check that the APK wasn't corrupted before upload. | +| 0x87D54FB5 | Installation failed. | No | | +| 0x87D54FB6 | Couldn't install the app because it conflicts with the version of the app already on the device. Remove the existing app first. 
| Yes | The conflict could be for a variety of reasons. For example, the package on the device could have a different signature than the one being installed. If the policy is intended to upgrade an existing application, sign the upgraded version with the same certificate used for the original app. If not, uninstall the existing app before deploying the new one. Or, there could be an existing package that defines a permission that the installing app also defines. In that case, the OS rejects the installation because certain permissions can only be owned by one app. Uninstall the existing application for the policy to succeed. | +| 0x87D54FB7 | Install failed. Insufficient storage space on device. | Yes | Free up space on the device. | +| 0x87D54FB8 | Installation failed because this app won't work with the device. | No | Upload a new APK that is compatible with the device architecture and SDK version running on the device, or upgrade the device. | +| 0x87D54FB9 | Installation failed because it took too long. | Yes | | +| 0x87D54FBA | Installation failed because it took too long. | No | | +| 0x87D54FBB | The app couldn't be uninstalled. | No | | +| 0x87D55014 | The app couldn't be downloaded. | Yes | A generic download failure occurred. | +| 0x87D55015 | The app couldn't be downloaded. There's not enough room on the device. | Yes | Free up space on the device. | +| 0x87D55016 | The app couldn't be downloaded. The service gave a bad response. | Yes | | +| 0x87D55017 | The app couldn't be downloaded. It was too large. | No | The admin uploaded an APK that exceeded the allowable download size of 2GB. Upload a smaller APK. | +| 0x87D55018 | The app couldn't be downloaded. There was no network connection. | Yes | The download resumes when the network resumes. | +| 0x87D55019 | The app couldn't be downloaded. There was a network error. | Yes | The download failed due to an unspecified network error. 
The admin may have a firewall restriction, or something else is blocking the network. The admin could temporarily enroll the device using a different Wi-Fi network, which may allow enrollment SCEP certificates to be installed and more secure firewall rules to take effect. | +| 0x87D5501A | The app couldn't be downloaded. | No | Confirm the network connection and sufficient bandwidth. Additionally, confirm nothing is interfering with network traffic. | +| 0x87D5501B | The app couldn't be downloaded. Contact Microsoft Intune support and include the error code. | No | The app couldn't be downloaded. Contact Microsoft Intune support and include the error code. | +| 0x87D5501C | The app couldn't be downloaded. The downloaded file couldn't be found. | No | The downloaded content was corrupted or deleted before it was installed. The downloaded app files were removed before the app could install. Make sure the app is installed immediately after downloading. Ask the end user to accept the installation request when prompted. | +| 0x87D5501D | The app couldn't be downloaded. There was an input/output error. | Yes | | +| 0x87D5501E | The app couldn't be downloaded. It took too long. | Yes | If a download takes more than 8 hours, Intune cancels and retries the download. | +| 0x87D5501F | The downloaded app couldn't be validated. | Yes | The hash code of the downloaded content doesn't equal the hash code of the content from the policy. There are multiple reasons this could occur. The OS may not support encryption/decryption. In this case, you should try updating the OS to latest version. Alternatively, an intermittent issue occurred which may have corrupted the download. Lastly, a less likely scenario where this error occurs is due to a machine in the middle (MITM) attack. | +| 0x87D55078 | The app couldn't be downloaded. Intune had an error. | Yes | | +| 0x87D55079 | The app couldn't be downloaded. There was a network error. | Yes | A generic HTTP failure occurred. 
| +| 0x87D5507A | The app couldn't be downloaded. The app either doesn't exist or it isn't assigned to this device. | No | While the policy was being applied, the policy was removed by the admin. | +| 0x87D5507B | The app couldn't be downloaded. Intune had an error. | Yes | | +| 0x87D5507C | The app couldn't be downloaded. Intune had an error. | Yes | | +| 0x87D5507D | The app couldn't be downloaded. Intune had an error. | Yes | | +| 0x87D550DC | The uploaded app is missing the versionCode property. | No | The versionCode is missing from the uploaded APK. For more information on versionCode, see Android documentation. | +| 0x87D550DD | The uploaded app is missing the minSdkVersion value. | No | Ensure the android:minSdkVersion parameter is specified in the APK manifest. | +| 0x87D550DE | The policy is missing the minSdkVersion value. | No | If the admin creates the policy in the admin portal, there's a requirement that the admin specify what the minimum SDK version the policy supports. If the admin creates the policy by Graph, this property isn't always required. If this parameter is missing, this exception is thrown. | +| 0x87D550DF | The app couldn't be uninstalled. There's another policy to install the same app. | No | If you have two policies that target the same package and version, but one is an install and one is an uninstall, the install is applied and the uninstall is marked as a conflict. | +| 0x87D550E0 | The app couldn't be installed. There's another policy to install a newer version of the same app. | No | If there's more than one install policy for the same package but different versions, the policy with the highest package version takes priority. Remove the conflicting policy. | +| 0x87D550E1 | The app couldn't be found on the device. Intune will try to reinstall it. | Yes | Data indicates that the install policy was previously applied successfully (package was installed), but the package isn't found on the device anymore. 
The end user shouldn't be able to uninstall any required apps, so this scenario is less likely. | +| 0x87D550E2 | Intune will try to uninstall the app. | Yes | This error may happen if the end user manually reinstalled an app that was supposed to be uninstalled. This error is unlikely to persist. | + ## Next steps - To learn more about working with your Intune data, see [Use the Intune Data Warehouse](../developer/reports-nav-create-intune-reports.md). -- To learn about app configuration policies, see [App configuration policies for Intune](app-configuration-policies-overview.md). +- To learn about app configuration policies, see [App configuration policies for Intune](app-configuration-policies-overview.md). \ No newline at end of file From f7b0d01a8235ec65ca72c01729ce5ba92ed366cc Mon Sep 17 00:00:00 2001 From: Erik Reitan Date: Mon, 18 Nov 2024 15:06:11 -0800 Subject: [PATCH 20/33] erikre-rel2411-27157460a 1.2 --- memdocs/intune/apps/apps-monitor.md | 60 ++++++++++++++--------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/memdocs/intune/apps/apps-monitor.md b/memdocs/intune/apps/apps-monitor.md index d1d5caf882f..795cc62d3c9 100644 --- a/memdocs/intune/apps/apps-monitor.md +++ b/memdocs/intune/apps/apps-monitor.md 
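Review bot: the `0x87D5501F` row (`The downloaded app couldn't be validated.`) tells the admin a hash mismatch is usually corruption and only a `less likely` machine-in-the-middle case, but gives no way to tell the two apart and marks the code for automatic retry; add that a mismatch which keeps recurring for the same device or network after retry should be treated as a security event (verify the network path and the hash of the uploaded package) rather than retried indefinitely. The `0x87D55019` advice to `temporarily enroll the device using a different Wi-Fi network` moves an unprovisioned device onto another network to get around a firewall restriction instead of fixing the rule; replace it with a pointer to the Intune network endpoints article so the firewall can be configured deliberately. Smaller points in the same hunk: `addition installation error code details` should read `additional`; `0x87D54FB9` and `0x87D54FBA` carry the same description with opposite retry values, as do `0x87D55078`, `0x87D5507B`, `0x87D5507C` and `0x87D5507D`, so the Additional information column should say what distinguishes them; `0x87D5501B` repeats its description verbatim as additional information; `0x87D550DC` says `see Android documentation` without a link; and `2GB` should be `2 GB`.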
@@ -116,45 +116,45 @@ Additional error details are available for Line of Business (LOB) apps on Androi The following table provides addition installation error code details for LOB apps on AOSP devices: -| Error code | Description | Retry automatically | Additional information | +| Error code | Error string | Retry automatically | Additional information | |---|---|---|---| -| 0x87D54FB0 | The app couldn't be installed. The end user didn't allow it or didn't accept permissions. | Yes | Ask the end user to accept any installation request when prompted. | +| 0x87D54FB0 | Couldn't install the app because the user didn't allow it or accept permissions. | Yes | Ask the end user to accept any installation request when prompted. | | 0x87D54FB1 | The operating system couldn't install the app. | No | The Android system failed to install the app. | | 0x87D54FB2 | The operating system blocked installation. | Yes | A device policy or the Android package verifier may have blocked the operation. | -| 0x87D54FB3 | Either the end user or the system stopped the installation. | Yes | The end user may have declined a permission request or is missing permissions. The OS might also block the APK for security reasons. For example, the APK could have been marked as "dangerous" by Google Play Protect. | -| 0x87D54FB4 | The app couldn't be installed. The app is corrupt or invalid. | No | The Android system detected the APK as being invalid. This error could have occurred for several reasons. For example, the APK isn't signed, or the package manifest is missing or is malformed. Upload a new APK. Check that the APK wasn't corrupted before upload. | -| 0x87D54FB5 | Installation failed. | No | | +| 0x87D54FB3 | Either the user or the system stopped the installation. | Yes | The end user may have declined a permission request or is missing permissions. The OS might also block the APK for security reasons. For example, the APK could have been marked as "dangerous" by Google Play Protect. 
| +| 0x87D54FB4 | Couldn't install the app because it's corrupt or not valid. | No | The Android system detected the APK as being invalid. This error could have occurred for several reasons. For example, the APK isn't signed, or the package manifest is missing or is malformed. Upload a new APK. Check that the APK wasn't corrupted before upload. | +| 0x87D54FB5 | Installation failed. | No | | | 0x87D54FB6 | Couldn't install the app because it conflicts with the version of the app already on the device. Remove the existing app first. | Yes | The conflict could be for a variety of reasons. For example, the package on the device could have a different signature than the one being installed. If the policy is intended to upgrade an existing application, sign the upgraded version with the same certificate used for the original app. If not, uninstall the existing app before deploying the new one. Or, there could be an existing package that defines a permission that the installing app also defines. In that case, the OS rejects the installation because certain permissions can only be owned by one app. Uninstall the existing application for the policy to succeed. | | 0x87D54FB7 | Install failed. Insufficient storage space on device. | Yes | Free up space on the device. | | 0x87D54FB8 | Installation failed because this app won't work with the device. | No | Upload a new APK that is compatible with the device architecture and SDK version running on the device, or upgrade the device. | -| 0x87D54FB9 | Installation failed because it took too long. | Yes | | -| 0x87D54FBA | Installation failed because it took too long. | No | | -| 0x87D54FBB | The app couldn't be uninstalled. | No | | -| 0x87D55014 | The app couldn't be downloaded. | Yes | A generic download failure occurred. | -| 0x87D55015 | The app couldn't be downloaded. There's not enough room on the device. | Yes | Free up space on the device. | -| 0x87D55016 | The app couldn't be downloaded. The service gave a bad response. 
| Yes | | -| 0x87D55017 | The app couldn't be downloaded. It was too large. | No | The admin uploaded an APK that exceeded the allowable download size of 2GB. Upload a smaller APK. | -| 0x87D55018 | The app couldn't be downloaded. There was no network connection. | Yes | The download resumes when the network resumes. | -| 0x87D55019 | The app couldn't be downloaded. There was a network error. | Yes | The download failed due to an unspecified network error. The admin may have a firewall restriction, or something else is blocking the network. The admin could temporarily enroll the device using a different Wi-Fi network, which may allow enrollment SCEP certificates to be installed and more secure firewall rules to take effect. | -| 0x87D5501A | The app couldn't be downloaded. | No | Confirm the network connection and sufficient bandwidth. Additionally, confirm nothing is interfering with network traffic. | -| 0x87D5501B | The app couldn't be downloaded. Contact Microsoft Intune support and include the error code. | No | The app couldn't be downloaded. Contact Microsoft Intune support and include the error code. | -| 0x87D5501C | The app couldn't be downloaded. The downloaded file couldn't be found. | No | The downloaded content was corrupted or deleted before it was installed. The downloaded app files were removed before the app could install. Make sure the app is installed immediately after downloading. Ask the end user to accept the installation request when prompted. | -| 0x87D5501D | The app couldn't be downloaded. There was an input/output error. | Yes | | -| 0x87D5501E | The app couldn't be downloaded. It took too long. | Yes | If a download takes more than 8 hours, Intune cancels and retries the download. | -| 0x87D5501F | The downloaded app couldn't be validated. | Yes | The hash code of the downloaded content doesn't equal the hash code of the content from the policy. There are multiple reasons this could occur. The OS may not support encryption/decryption. 
In this case, you should try updating the OS to latest version. Alternatively, an intermittent issue occurred which may have corrupted the download. Lastly, a less likely scenario where this error occurs is due to a machine in the middle (MITM) attack. | -| 0x87D55078 | The app couldn't be downloaded. Intune had an error. | Yes | | -| 0x87D55079 | The app couldn't be downloaded. There was a network error. | Yes | A generic HTTP failure occurred. | -| 0x87D5507A | The app couldn't be downloaded. The app either doesn't exist or it isn't assigned to this device. | No | While the policy was being applied, the policy was removed by the admin. | -| 0x87D5507B | The app couldn't be downloaded. Intune had an error. | Yes | | -| 0x87D5507C | The app couldn't be downloaded. Intune had an error. | Yes | | -| 0x87D5507D | The app couldn't be downloaded. Intune had an error. | Yes | | +| 0x87D54FB9 | Installation failed because it took too long. | Yes | | +| 0x87D54FBA | Installation failed because it took too long. | No | | +| 0x87D54FBB | Couldn't uninstall the app. | No | | +| 0x87D55014 | Couldn't download the app. | Yes | A generic download failure occurred. | +| 0x87D55015 | Couldn't download the app because there's not enough room on the device. | Yes | Free up space on the device. | +| 0x87D55016 | Couldn't download the app because the service gave a bad response. | Yes | | +| 0x87D55017 | Couldn't download the app because it was too large. | No | The admin uploaded an APK that exceeded the allowable download size of 2GB. Upload a smaller APK. | +| 0x87D55018 | Couldn't download the app because there was no network connection. | Yes | The download resumes when the network resumes. | +| 0x87D55019 | Couldn't download the app because of a network error. | Yes | The download failed due to an unspecified network error. The admin may have a firewall restriction, or something else is blocking the network. 
The admin could temporarily enroll the device using a different Wi-Fi network, which may allow enrollment SCEP certificates to be installed and more secure firewall rules to take effect. | +| 0x87D5501A | Couldn't download the app. | No | Confirm the network connection and sufficient bandwidth. Additionally, confirm nothing is interfering with network traffic. | +| 0x87D5501B | Couldn't download the app. Contact Microsoft Intune support and include the error code. | No | The app couldn't be downloaded. Contact Microsoft Intune support and include the error code. | +| 0x87D5501C | Couldn't download the app because the downloaded file couldn't be found. | No | The downloaded content was corrupted or deleted before it was installed. The downloaded app files were removed before the app could install. Make sure the app is installed immediately after downloading. Ask the end user to accept the installation request when prompted. | +| 0x87D5501D | Couldn't download the app because of an input/output error. | Yes | | +| 0x87D5501E | Couldn't download the app because it took too long. | Yes | If a download takes more than 8 hours, Intune cancels and retries the download. | +| 0x87D5501F | The downloaded app couldn't be validated. | Yes | The hash code of the downloaded content doesn't equal the hash code of the content from the policy. There are multiple reasons this could occur. The OS may not support encryption/decryption. In this case, you should try updating the OS to latest version. Alternatively, an intermittent issue occurred which may have corrupted the download. Lastly, a less likely scenario where this error occurs is due to a machine in the middle (MITM) attack. | +| 0x87D55078 | Couldn't download the app because Intune had an error. | Yes | | +| 0x87D55079 | Couldn't download the app because of a network error. | Yes | A generic HTTP failure occurred. 
| +| 0x87D5507A | Couldn't download the app because it doesn't seem to exist or it isn't assigned to this device. | No | While the policy was being applied, the policy was removed by the admin. | +| 0x87D5507B | Couldn't download the app because Intune had an error. | Yes | | +| 0x87D5507C | Couldn't download the app because Intune had an error. | Yes | | +| 0x87D5507D | Couldn't download the app because Intune had an error. | Yes | | | 0x87D550DC | The uploaded app is missing the versionCode property. | No | The versionCode is missing from the uploaded APK. For more information on versionCode, see Android documentation. | | 0x87D550DD | The uploaded app is missing the minSdkVersion value. | No | Ensure the android:minSdkVersion parameter is specified in the APK manifest. | | 0x87D550DE | The policy is missing the minSdkVersion value. | No | If the admin creates the policy in the admin portal, there's a requirement that the admin specify what the minimum SDK version the policy supports. If the admin creates the policy by Graph, this property isn't always required. If this parameter is missing, this exception is thrown. | -| 0x87D550DF | The app couldn't be uninstalled. There's another policy to install the same app. | No | If you have two policies that target the same package and version, but one is an install and one is an uninstall, the install is applied and the uninstall is marked as a conflict. | -| 0x87D550E0 | The app couldn't be installed. There's another policy to install a newer version of the same app. | No | If there's more than one install policy for the same package but different versions, the policy with the highest package version takes priority. Remove the conflicting policy. | -| 0x87D550E1 | The app couldn't be found on the device. Intune will try to reinstall it. | Yes | Data indicates that the install policy was previously applied successfully (package was installed), but the package isn't found on the device anymore. 
The end user shouldn't be able to uninstall any required apps, so this scenario is less likely. | -| 0x87D550E2 | Intune will try to uninstall the app. | Yes | This error may happen if the end user manually reinstalled an app that was supposed to be uninstalled. This error is unlikely to persist. | +| 0x87D550DF | Couldn't uninstall this app because there's another policy to install the same app. | No | If you have two policies that target the same package and version, but one is an install and one is an uninstall, the install is applied and the uninstall is marked as a conflict. | +| 0x87D550E0 | Couldn't install this app because there's another policy to install a newer version of the same app. | No | If there's more than one install policy for the same package but different versions, the policy with the highest package version takes priority. Remove the conflicting policy. | +| 0x87D550E1 | Couldn't find the app on the device. Intune will try to reinstall it. | Yes | Data indicates that the install policy was previously applied successfully (package was installed), but the package isn't found on the device anymore. The end user shouldn't be able to uninstall any required apps, so this scenario is less likely. | +| 0x87D550E2 | Intune will try to uninstall the app. | Yes | This error may happen if the end user manually reinstalled an app that was supposed to be uninstalled. This error is unlikely to persist. | ## Next steps From 4acca8713475e8c5c7b9c4817951c6df9404661e Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Tue, 19 Nov 2024 05:09:57 +0530 Subject: [PATCH 21/33] Update apps-monitor.md --- memdocs/intune/apps/apps-monitor.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/memdocs/intune/apps/apps-monitor.md b/memdocs/intune/apps/apps-monitor.md index 795cc62d3c9..3e53853364e 100644 --- a/memdocs/intune/apps/apps-monitor.md +++ b/memdocs/intune/apps/apps-monitor.md 
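Review bot: **Error string** is the right header for the second column, but the rewording leaves rows whose strings are now word-for-word identical, `0x87D54FB9` / `0x87D54FBA` (`Installation failed because it took too long.`, retry Yes versus No) and `0x87D55078` / `0x87D5507B` / `0x87D5507C` / `0x87D5507D` (`Couldn't download the app because Intune had an error.`), so an admin reading the message on the device cannot map it to a row without also having the code; either differentiate the strings or fill the empty Additional information cells with what separates each case. The unchanged context line `The following table provides addition installation error code details` still carries the `addition` typo, and two pieces of guidance that deserve a second look were carried over untouched: the `0x87D55019` suggestion to enroll on a different Wi-Fi network to get past a firewall restriction, and the `0x87D5501F` hash-mismatch row that offers no way to tell download corruption from tampering before the automatic retry.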
@@ -150,13 +150,13 @@ The following table provides addition installation error code details for LOB ap | 0x87D5507D | Couldn't download the app because Intune had an error. | Yes | | | 0x87D550DC | The uploaded app is missing the versionCode property. | No | The versionCode is missing from the uploaded APK. For more information on versionCode, see Android documentation. | | 0x87D550DD | The uploaded app is missing the minSdkVersion value. | No | Ensure the android:minSdkVersion parameter is specified in the APK manifest. | -| 0x87D550DE | The policy is missing the minSdkVersion value. | No | If the admin creates the policy in the admin portal, there's a requirement that the admin specify what the minimum SDK version the policy supports. If the admin creates the policy by Graph, this property isn't always required. If this parameter is missing, this exception is thrown. | +| 0x87D550DE | The policy is missing the minSdkVersion value. | No | If the admin creates the policy in the admin portal, there's a requirement that the admin specifies what the minimum SDK version the policy supports. If the admin creates the policy by Graph, this property isn't always required. If this parameter is missing, this exception is thrown. | | 0x87D550DF | Couldn't uninstall this app because there's another policy to install the same app. | No | If you have two policies that target the same package and version, but one is an install and one is an uninstall, the install is applied and the uninstall is marked as a conflict. | -| 0x87D550E0 | Couldn't install this app because there's another policy to install a newer version of the same app. | No | If there's more than one install policy for the same package but different versions, the policy with the highest package version takes priority. Remove the conflicting policy. | +| 0x87D550E0 | Couldn't install this app because there's another policy to install a newer version of the same app. 
| No | If there is more than one install policy for the same package but with different versions, the policy with the highest package version takes priority. Remove the conflicting policy. | | 0x87D550E1 | Couldn't find the app on the device. Intune will try to reinstall it. | Yes | Data indicates that the install policy was previously applied successfully (package was installed), but the package isn't found on the device anymore. The end user shouldn't be able to uninstall any required apps, so this scenario is less likely. | | 0x87D550E2 | Intune will try to uninstall the app. | Yes | This error may happen if the end user manually reinstalled an app that was supposed to be uninstalled. This error is unlikely to persist. | ## Next steps - To learn more about working with your Intune data, see [Use the Intune Data Warehouse](../developer/reports-nav-create-intune-reports.md). -- To learn about app configuration policies, see [App configuration policies for Intune](app-configuration-policies-overview.md). \ No newline at end of file +- To learn about app configuration policies, see [App configuration policies for Intune](app-configuration-policies-overview.md). From 63f0e0a0860698ad15360f7ca7ee50a17ffa5bd0 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Tue, 19 Nov 2024 09:05:45 -0500 Subject: [PATCH 22/33] Update custom-settings-macos.md Reverted changes --- memdocs/intune/configuration/custom-settings-macos.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/configuration/custom-settings-macos.md b/memdocs/intune/configuration/custom-settings-macos.md index 20816d12c99..88968802a8b 100644 --- a/memdocs/intune/configuration/custom-settings-macos.md +++ b/memdocs/intune/configuration/custom-settings-macos.md 
@@ -60,7 +60,7 @@ This feature applies to: When you configure the profile, enter the following settings: - **Configuration profile name**: Enter a name for the policy. This name is shown on the device, and in the Intune status in the Intune admin center. -- **Deployment channel**: Select the channel you want to use to deploy your configuration profile. If you send the profile to the wrong channel, deployment can fail. After you select a channel and save the profile, the channel can't be changed. To select a different channel, create a new profile. We don't recommend placing SCEP and PKCS user certificates in the device channel due to increased security risks. +- **Deployment channel**: Select the channel you want to use to deploy your configuration profile. If you send the profile to the wrong channel, deployment can fail. After you select a channel and save the profile, the channel can't be changed. To select a different channel, create a new profile. User-targeted payloads don't apply to devices enrolled without user affinity. For more information on whether a payload can be used for a device configuration profile or a user configuration profile, go to [Profile-Specific Payload Keys](https://developer.apple.com/documentation/devicemanagement/profile-specific_payload_keys) (opens Apple's developer website). From e957894730c70d01b3f8d998d04a4241bb061d6b Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Tue, 19 Nov 2024 09:19:53 -0500 Subject: [PATCH 23/33] Update vpn-settings-macos.md Added what's new link --- memdocs/intune/configuration/vpn-settings-macos.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/configuration/vpn-settings-macos.md b/memdocs/intune/configuration/vpn-settings-macos.md index 37c7e3ea7f9..c2b5318587f 100644 --- a/memdocs/intune/configuration/vpn-settings-macos.md +++ b/memdocs/intune/configuration/vpn-settings-macos.md 
@@ -7,7 +7,7 @@ keywords: author: MandiOhlinger ms.author: mandia manager: dougeby -ms.date: 11/11/2024 +ms.date: 11/19/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: configuration @@ -38,7 +38,7 @@ This feature applies to: - macOS ## Verify deployment channel -We recommend checking the deployment channel in existing enterprise VPN profiles when they're up for renewal to ensure that any authentication certificates you're using, either SCEP or PKCS, are stored in the proper keychain. Certificates in VPN profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel. +We recommend that you check the deployment channel setting in existing enterprise VPN profiles when your linked authentication certificates are up for renewal. Under the base VPN settings, check the deployment channel value to ensure that the linked certificates, either SCEP or PKCS, are being stored in the proper keychain. Certificates in VPN profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel. For the latest information about the deployment channel setting, see [What's New in Microsoft Intune](../fundamentals/whats-new.md). ## Before you begin From 4dbdd5c458ee19321375c823f495794b9962e482 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Tue, 19 Nov 2024 09:36:20 -0500 Subject: [PATCH 24/33] Update wi-fi-settings-macos.md Added what's new link --- memdocs/intune/configuration/wi-fi-settings-macos.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/configuration/wi-fi-settings-macos.md b/memdocs/intune/configuration/wi-fi-settings-macos.md index e5f5435265f..2069073e052 100644 --- a/memdocs/intune/configuration/wi-fi-settings-macos.md 
+++ b/memdocs/intune/configuration/wi-fi-settings-macos.md @@ -8,7 +8,7 @@ keywords: author: MandiOhlinger ms.author: mandia manager: dougeby -ms.date: 11/11/2024 +ms.date: 11/19/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: configuration @@ -42,7 +42,7 @@ These Wi-Fi settings are separated in to two categories: Basic settings and Ente This article describes the settings you can configure. ## Verify deployment channel -We recommend checking the deployment channel in existing enterprise Wi-Fi profiles when they're up for renewal to ensure that any authentication certificates you're using, either SCEP or PKCS, are stored in the proper keychain. Certificates in Wi-Fi profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel. +We recommend that you check the deployment channel setting in existing enterprise Wi-Fi profiles when your linked authentication certificates are up for renewal. Under the enterprise profiles settings, check the deployment channel value to ensure that the linked certificates, either SCEP or PKCS, are being stored in the proper keychain. Certificates in Wi-Fi profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel. For the latest information about the deployment channel setting, see [What's New in Microsoft Intune](../fundamentals/whats-new.md). ## Before you begin From 64deb220920ccc1ffe934668b539e69d5d399f2d Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Tue, 19 Nov 2024 09:37:39 -0500 Subject: [PATCH 25/33] Update vpn-settings-macos.md Removed inaccurate word --- memdocs/intune/configuration/vpn-settings-macos.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/memdocs/intune/configuration/vpn-settings-macos.md b/memdocs/intune/configuration/vpn-settings-macos.md index c2b5318587f..4f3f7efb9cc 100644 --- a/memdocs/intune/configuration/vpn-settings-macos.md +++ b/memdocs/intune/configuration/vpn-settings-macos.md @@ -38,7 +38,7 @@ This feature applies to: - macOS ## Verify deployment channel -We recommend that you check the deployment channel setting in existing enterprise VPN profiles when your linked authentication certificates are up for renewal. Under the base VPN settings, check the deployment channel value to ensure that the linked certificates, either SCEP or PKCS, are being stored in the proper keychain. Certificates in VPN profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel. For the latest information about the deployment channel setting, see [What's New in Microsoft Intune](../fundamentals/whats-new.md). +We recommend that you check the deployment channel setting in existing VPN profiles when your linked authentication certificates are up for renewal. Under the base VPN settings, check the deployment channel value to ensure that the linked certificates, either SCEP or PKCS, are being stored in the proper keychain. Certificates in VPN profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel. For the latest information about the deployment channel setting, see [What's New in Microsoft Intune](../fundamentals/whats-new.md). ## Before you begin From e1ca7be4f2a2725a6ebd0179145e47b34a4de8a9 Mon Sep 17 00:00:00 2001 
From: Laura Newsad Date: Tue, 19 Nov 2024 09:42:25 -0500 Subject: [PATCH 26/33] Update certificates-pfx-configure.md Added what's new link --- memdocs/intune/protect/certificates-pfx-configure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/protect/certificates-pfx-configure.md b/memdocs/intune/protect/certificates-pfx-configure.md index 2f59abc669c..f74f472edfc 100644 --- a/memdocs/intune/protect/certificates-pfx-configure.md +++ b/memdocs/intune/protect/certificates-pfx-configure.md 
@@ -74,7 +74,7 @@ To use PKCS certificates with Intune, you need the following infrastructure: - [Installation and configuration](certificate-connector-install.md) ## Verify deployment channel -We recommend checking the deployment channel in existing PKCS profiles, and linked VPN and Wi-Fi profiles when they're up for renewal to ensure that any authentication certificates you're using are stored in the proper keychain. Always select the user channel in profiles when you're deploying user-targeted authentication certificates. And always select the device channel when you're deploying device-targeted authentication certificates. Certificates in profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel. +We recommend checking the deployment channel in existing PKCS profiles when they're up for renewal to ensure that any authentication certificates you're using are stored in the proper keychain. Always select the user channel in profiles when you're deploying user-targeted authentication certificates. And always select the device channel when you're deploying device-targeted authentication certificates. Certificates in profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel. For the latest information about the deployment channel setting, see [What's New in Microsoft Intune](../fundamentals/whats-new.md). ## Update certificate connector: Strong mapping requirements for KB5014754 From e3cde2065904e2f3b3c128977945ee50a840e282 Mon Sep 17 00:00:00 2001 
From: Laura Newsad Date: Tue, 19 Nov 2024 09:50:27 -0500 Subject: [PATCH 27/33] Update certificates-profile-scep.md Added what's new link --- memdocs/intune/protect/certificates-profile-scep.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/memdocs/intune/protect/certificates-profile-scep.md b/memdocs/intune/protect/certificates-profile-scep.md index 6f4046ab1c1..b6e4acf123a 100644 --- a/memdocs/intune/protect/certificates-profile-scep.md +++ b/memdocs/intune/protect/certificates-profile-scep.md @@ -5,7 +5,7 @@ keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 11/11/2024 +ms.date: 11/19/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect @@ -138,7 +138,7 @@ For more information about the KDC's requirements and enforcement date for stron > [!NOTE] > Storage of certificates provisioned by SCEP: - > - *macOS* - You can store certificates you provision with SCEP in the system keychain, known as the *system store*, of the device or the user keychain. + > - *macOS* - Certificates you provision with SCEP are always placed in the system keychain (also called *system store* or *device keychain*) of the device. > > - *Android* - Devices have both a *VPN and apps* certificate store, and a *WIFI* certificate store. Intune always stores SCEP certificates in the VPN and apps store on a device. Use of the VPN and apps store makes the certificate available for use by any other app. 
> @@ -462,7 +462,7 @@ Consider the following before you continue: > - On iOS 13 and macOS 10.15, there are [additional security requirements that are documented by Apple](https://support.apple.com/HT210176) to take into consideration. ## Verify deployment channel -We recommend checking the deployment channel in existing SCEP profiles, and linked VPN and Wi-Fi profiles when they're up for renewal to ensure that any authentication certificates you're using are stored in the proper keychain. Always select the user channel in profiles when you're deploying user-targeted authentication certificates. And always select the device channel when you're deploying device-targeted authentication certificates. Certificates in profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel. +We recommend checking the deployment channel in existing SCEP profiles when they're up for renewal to ensure that any authentication certificates you're using are stored in the proper keychain. Always select the user channel in profiles when you're deploying user-targeted authentication certificates. And always select the device channel when you're deploying device-targeted authentication certificates. Certificates in profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel. For the latest information about the deployment channel setting, see [What's New in Microsoft Intune](../fundamentals/whats-new.md). ## Next steps From 95b2a80370edef48c2ed950d362819383d053432 Mon Sep 17 00:00:00 2001 
From: Laura Newsad Date: Tue, 19 Nov 2024 09:54:49 -0500 Subject: [PATCH 28/33] Update wired-network-settings-macos.md Added new deployment channel section --- memdocs/intune/configuration/wired-network-settings-macos.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/memdocs/intune/configuration/wired-network-settings-macos.md b/memdocs/intune/configuration/wired-network-settings-macos.md index 4ecac5d9816..2ec64025a8d 100644 --- a/memdocs/intune/configuration/wired-network-settings-macos.md +++ b/memdocs/intune/configuration/wired-network-settings-macos.md @@ -41,6 +41,9 @@ This feature applies to: This article describes the settings you can configure. +## Verify deployment channel +We recommend that you check the deployment channel setting in existing wired network settings profiles when your linked authentication certificates are up for renewal. Under wired network settings, check the deployment channel value to ensure that the linked certificate is being stored in the proper keychain. Certificates in profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel. For the latest information about the deployment channel setting, see [What's New in Microsoft Intune](../fundamentals/whats-new.md). + ## Before you begin - Create a [macOS wired network device configuration profile](wired-networks-configure.md). From d6e9e1439fe13ca3fe0d592bd30d3203fc8512c7 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Tue, 19 Nov 2024 09:56:10 -0500 Subject: [PATCH 29/33] Update custom-settings-macos.md Reverting changes --- memdocs/intune/configuration/custom-settings-macos.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/configuration/custom-settings-macos.md b/memdocs/intune/configuration/custom-settings-macos.md index 88968802a8b..0d2ccbf9f3d 100644 
--- a/memdocs/intune/configuration/custom-settings-macos.md +++ b/memdocs/intune/configuration/custom-settings-macos.md @@ -60,7 +60,7 @@ This feature applies to: When you configure the profile, enter the following settings: - **Configuration profile name**: Enter a name for the policy. This name is shown on the device, and in the Intune status in the Intune admin center. -- **Deployment channel**: Select the channel you want to use to deploy your configuration profile. If you send the profile to the wrong channel, deployment can fail. After you select a channel and save the profile, the channel can't be changed. To select a different channel, create a new profile. +- **Deployment channel**: Select the channel you want to use to deploy your configuration profile. If you send the profile to the wrong channel, deployment can fail. After you select a channel and save the profile, the channel can't be changed. To select a different channel, create a new profile. User-targeted payloads don't apply to devices enrolled without user affinity. For more information on whether a payload can be used for a device configuration profile or a user configuration profile, go to [Profile-Specific Payload Keys](https://developer.apple.com/documentation/devicemanagement/profile-specific_payload_keys) (opens Apple's developer website). From 3223cfa124e9243c86e58978b7902ffa4925b787 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Tue, 19 Nov 2024 10:08:57 -0500 Subject: [PATCH 30/33] Update certificates-pfx-configure.md shortened deployment channel blurb --- memdocs/intune/protect/certificates-pfx-configure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/protect/certificates-pfx-configure.md b/memdocs/intune/protect/certificates-pfx-configure.md index f74f472edfc..2a155b3a338 100644 --- a/memdocs/intune/protect/certificates-pfx-configure.md +++ b/memdocs/intune/protect/certificates-pfx-configure.md 
@@ -74,7 +74,7 @@ To use PKCS certificates with Intune, you need the following infrastructure: - [Installation and configuration](certificate-connector-install.md) ## Verify deployment channel -We recommend checking the deployment channel in existing PKCS profiles when they're up for renewal to ensure that any authentication certificates you're using are stored in the proper keychain. Always select the user channel in profiles when you're deploying user-targeted authentication certificates. And always select the device channel when you're deploying device-targeted authentication certificates. Certificates in profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel. For the latest information about the deployment channel setting, see [What's New in Microsoft Intune](../fundamentals/whats-new.md). +We recommend that you check the deployment channel in existing PKCS profiles when your linked authentication certificates are up for renewal. Always select the user channel in profiles when you're deploying user-targeted authentication certificates. And always select the device channel when you're deploying device-targeted authentication certificates. Certificates in profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel. For the latest information about the deployment channel setting, see [What's New in Microsoft Intune](../fundamentals/whats-new.md). ## Update certificate connector: Strong mapping requirements for KB5014754 From 00eca95e13ec4b532d31c5698d8d7bb3afa5d676 Mon Sep 17 00:00:00 2001 
From: Laura Newsad Date: Tue, 19 Nov 2024 10:11:38 -0500 Subject: [PATCH 31/33] Update certificates-pfx-configure.md Moved deployment channel blurb --- memdocs/intune/protect/certificates-pfx-configure.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/memdocs/intune/protect/certificates-pfx-configure.md b/memdocs/intune/protect/certificates-pfx-configure.md index 2a155b3a338..96724889dbe 100644 --- a/memdocs/intune/protect/certificates-pfx-configure.md +++ b/memdocs/intune/protect/certificates-pfx-configure.md 
@@ -73,9 +73,6 @@ To use PKCS certificates with Intune, you need the following infrastructure: - [Prerequisites](certificate-connector-prerequisites.md) - [Installation and configuration](certificate-connector-install.md) -## Verify deployment channel -We recommend that you check the deployment channel in existing PKCS profiles when your linked authentication certificates are up for renewal. Always select the user channel in profiles when you're deploying user-targeted authentication certificates. And always select the device channel when you're deploying device-targeted authentication certificates. Certificates in profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel. For the latest information about the deployment channel setting, see [What's New in Microsoft Intune](../fundamentals/whats-new.md). - ## Update certificate connector: Strong mapping requirements for KB5014754 The Key Distribution Center (KDC) requires a strong mapping format in PKCS certificates deployed by Microsoft Intune and used for certificate-based authentication. The mapping must have a security identifier (SID) extension that maps to the user or device SID. If a certificate doesn't meet the new strong mapping criteria set by the full enforcement mode date, authentication will be denied. For more information about the requirements, see [KB5014754: Certificate-based authentication changes on Windows domain controllers ](https://support.microsoft.com/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16). 
@@ -419,7 +416,10 @@ Platforms: > > - When you specify a variable, enclose the variable name in curly brackets { } as seen in the example, to avoid an error. > - Device properties used in the *subject* or *SAN* of a device certificate, like **IMEI**, **SerialNumber**, and **FullyQualifiedDomainName**, are properties that could be spoofed by a person with access to the device. - > - A device must support all variables specified in a certificate profile for that profile to install on that device. For example, if **{{IMEI}}** is used in the subject name of a SCEP profile and is assigned to a device that doesn't have an IMEI number, the profile fails to install. + > - A device must support all variables specified in a certificate profile for that profile to install on that device. For example, if **{{IMEI}}** is used in the subject name of a SCEP profile and is assigned to a device that doesn't have an IMEI number, the profile fails to install. + +## Verify deployment channel +We recommend that you check the deployment channel in existing PKCS profiles when your linked authentication certificates are up for renewal. Always select the user channel in profiles when you're deploying user-targeted authentication certificates. And always select the device channel when you're deploying device-targeted authentication certificates. Certificates in profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel. For the latest information about the deployment channel setting, see [What's New in Microsoft Intune](../fundamentals/whats-new.md). ## Next steps From 7f99079fc1fe5888bccf02873d5356af455d4b20 Mon Sep 17 00:00:00 2001 
From: Laura Newsad Date: Tue, 19 Nov 2024 14:28:45 -0500 Subject: [PATCH 32/33] PM edits --- .../configuration/vpn-settings-macos.md | 11 ++++---- .../configuration/wi-fi-settings-macos.md | 16 +++++------ .../wired-network-settings-macos.md | 12 ++++---- .../protect/certificates-pfx-configure.md | 28 +++++++++---------- .../protect/certificates-profile-scep.md | 14 ++++++---- 5 files changed, 42 insertions(+), 39 deletions(-) diff --git a/memdocs/intune/configuration/vpn-settings-macos.md b/memdocs/intune/configuration/vpn-settings-macos.md index 4f3f7efb9cc..db7c7ce0c15 100644 --- a/memdocs/intune/configuration/vpn-settings-macos.md +++ b/memdocs/intune/configuration/vpn-settings-macos.md @@ -37,8 +37,6 @@ This feature applies to: - macOS -## Verify deployment channel -We recommend that you check the deployment channel setting in existing VPN profiles when your linked authentication certificates are up for renewal. Under the base VPN settings, check the deployment channel value to ensure that the linked certificates, either SCEP or PKCS, are being stored in the proper keychain. Certificates in VPN profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel. For the latest information about the deployment channel setting, see [What's New in Microsoft Intune](../fundamentals/whats-new.md). ## Before you begin 
@@ -50,16 +48,19 @@ We recommend that you check the deployment channel setting in existing VPN profi ## Base VPN -- **Deployment channel**: Select how you want to deploy the profile. This setting also determines the keychain where the authentication certificates are stored, so it's important to select the proper channel. It's not possible to edit the deployment channel after you deploy the profile. +- **Deployment channel**: Select how you want to deploy the profile. This setting also determines the keychain where the authentication certificates are stored, so it's important to select the proper channel. It's not possible to edit the deployment channel after you deploy the profile. To change it, you must create a new profile. + + >[!NOTE] + > We recommend rechecking the deployment channel setting in existing profiles when the linked authentication certificates are up for renewal to ensure the intended channel is selected. If it isn't, create a new profile with the correct deployment channel. You have two options: - **User channel**: Always select the user deployment channel in profiles with user certificates. This option stores certificates in the user keychain. - - **Device channel**: Always select the device deployment channel in profiles with device certificates. This option stores certificates in the device keychain. + - **Device channel**: Always select the device deployment channel in profiles with device certificates. This option stores certificates in the system keychain. **Connection name**: Enter a name for this connection. End users see this name when they browse their device for the list of available VPN connections. - **VPN server address**: Enter the IP address or fully qualified domain name of the VPN server that devices connect to. For example, enter `192.168.1.1` or `vpn.contoso.com`. - **Authentication method**: Choose how devices authenticate to the VPN server. 
Your options: - - **Certificates**: Under **Authentication certificate**, select a SCEP or PKCS certificate profile you previously created to authenticate the connection. For more information about certificate profiles, go to [How to configure certificates](../protect/certificates-configure.md). Choose the certificates that align with your deployment channel selection. If you selected the user channel, your certificate options are limited to user certificate profiles. If you selected the device channel, you have both user and device certificate profiles to choose from, but we recommend always selecting the certificate type that aligns with the selected channel. Storing user certificates in the device keychain increases security risks. + - **Certificates**: Under **Authentication certificate**, select a SCEP or PKCS certificate profile you previously created to authenticate the connection. For more information about certificate profiles, go to [How to configure certificates](../protect/certificates-configure.md). Choose the certificates that align with your deployment channel selection. If you selected the user channel, your certificate options are limited to user certificate profiles. If you selected the device channel, you have both user and device certificate profiles to choose from. However, we recommend always selecting the certificate type that aligns with the selected channel. Storing user certificates in the system keychain increases security risks. - **Username and password**: End users must enter a username and password to sign into the VPN server. - **Connection type**: Select the VPN connection type from the following list of vendors: diff --git a/memdocs/intune/configuration/wi-fi-settings-macos.md b/memdocs/intune/configuration/wi-fi-settings-macos.md index 2069073e052..48bc97cce36 100644 --- a/memdocs/intune/configuration/wi-fi-settings-macos.md +++ b/memdocs/intune/configuration/wi-fi-settings-macos.md 
@@ -39,10 +39,7 @@ This feature applies to: These Wi-Fi settings are separated in to two categories: Basic settings and Enterprise settings. -This article describes the settings you can configure. - -## Verify deployment channel -We recommend that you check the deployment channel setting in existing enterprise Wi-Fi profiles when your linked authentication certificates are up for renewal. Under the enterprise profiles settings, check the deployment channel value to ensure that the linked certificates, either SCEP or PKCS, are being stored in the proper keychain. Certificates in Wi-Fi profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel. For the latest information about the deployment channel setting, see [What's New in Microsoft Intune](../fundamentals/whats-new.md). +This article describes the settings you can configure. ## Before you begin @@ -52,7 +49,7 @@ We recommend that you check the deployment channel setting in existing enterpris ## Basic profiles -Basic or personal profiles use WPA/WPA2 to secure the Wi-Fi connection on devices. Typically, WPA/WPA2 is used on home networks or personal networks. You can also add a pre-shared key to authenticate the connection. +Basic or personal profiles use WPA/WPA2 to secure the Wi-Fi connection on devices. Typically, WPA/WPA2 is used on home networks or personal networks. You can also add a preshared key to authenticate the connection. - **Wi-Fi type**: Select **Basic**. - **SSID**: This **service set identifier** (SSID) property is the real name of the wireless network that devices connect to. However, users only see the network name you configured when they choose the connection. 
@@ -75,11 +72,14 @@ Basic or personal profiles use WPA/WPA2 to secure the Wi-Fi connection on device Enterprise profiles use Extensible Authentication Protocol (EAP) to authenticate Wi-Fi connections. EAP is often used by enterprises, as you can use certificates to authenticate and secure connections, and configure more security options. -- **Deployment channel**: Select how you want to deploy the profile. This setting also determines the keychain where the authentication certificates are stored, so it's important to select the proper channel. It's not possible to edit the deployment channel after you deploy the profile. +- **Deployment channel**: Select how you want to deploy the profile. This setting also determines the keychain where the authentication certificates are stored, so it's important to select the proper channel. It's not possible to edit the deployment channel after you deploy the profile. To do so, you must create a new profile. + + >[!NOTE] + > We recommend rechecking the deployment channel setting in existing profiles when the linked authentication certificates are up for renewal to ensure the intended channel is selected. If it isn't, create a new profile with the correct deployment channel. You have two options: - **User channel**: Always select the user deployment channel in profiles with user certificates. This option stores certificates in the user keychain. - - **Device channel**: Always select the device deployment channel in profiles with device certificates. This option stores certificates in the device keychain. + - **Device channel**: Always select the device deployment channel in profiles with device certificates. This option stores certificates in the system keychain. - **Wi-Fi type**: Select **Enterprise**. - **SSID**: Short for **service set identifier**. This property is the real name of the wireless network that devices connect to. However, users only see the network name you configured when they choose the connection. 
- **Connect automatically**: Select **Enable** to automatically connect to this network when the device is in range. Select **Disable** to prevent devices from automatically connecting. 
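Review bot: In the wi-fi-settings-macos.md @@ -75,11 +72,14 hunk (and the identical wording in the wired-network-settings-macos.md @@ -64,11 +61,14 hunk), the added sentence "To do so, you must create a new profile." follows "It's not possible to edit the deployment channel after you deploy the profile.", so "to do so" refers back to an action the previous sentence has just ruled out. Suggest "To change the channel, create a new profile and redeploy it." In the NOTE, "rechecking" also presumes an earlier check; "verifying" reads better for admins who are looking at the setting for the first time.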
@@ -100,7 +100,7 @@ Enterprise profiles use Extensible Authentication Protocol (EAP) to authenticate - **Certificate server names**: **Add** one or more common names used in the certificates issued by your trusted certificate authority (CA). When you enter this information, you can bypass the dynamic trust window displayed on user's devices when they connect to this Wi-Fi network. - **Root certificate for server validation**: Select one or more existing trusted root certificate profiles. When the client connects to the network, these certificates are used to establish a chain of trust with the server. If your authentication server uses a public certificate, then you don't need to include a root certificate. - - **Certificates**: Select the SCEP or PKCS client certificate profile that is also deployed to the device. This certificate is the identity presented by the device to the server to authenticate the connection. Choose the certificates that align with your deployment channel selection. If you selected the user channel, your certificate options are limited to user certificate profiles. If you selected the device channel, you have both user and device certificate profiles to choose from, but we recommend always selecting the certificate type that aligns with the selected channel. Storing user certificates in the device keychain increases security risks. + - **Certificates**: Select the SCEP or PKCS client certificate profile that is also deployed to the device. This certificate is the identity presented by the device to the server to authenticate the connection. Choose the certificates that align with your deployment channel selection. If you selected the user channel, your certificate options are limited to user certificate profiles. If you selected the device channel, you have both user and device certificate profiles to choose from. However, we recommend always selecting the certificate type that aligns with the selected channel. 
Storing user certificates in the system keychain increases security risks. - **Identity privacy (outer identity)**: Enter the text sent in the response to an EAP identity request. This text can be any value, such as `anonymous`. During authentication, this anonymous identity is initially sent. Then, the real identification is sent in a secure tunnel. diff --git a/memdocs/intune/configuration/wired-network-settings-macos.md b/memdocs/intune/configuration/wired-network-settings-macos.md index 2ec64025a8d..c274edd3cda 100644 --- a/memdocs/intune/configuration/wired-network-settings-macos.md +++ b/memdocs/intune/configuration/wired-network-settings-macos.md @@ -41,9 +41,6 @@ This feature applies to: This article describes the settings you can configure. -## Verify deployment channel -We recommend that you check the deployment channel setting in existing wired network settings profiles when your linked authentication certificates are up for renewal. Under wired network settings, check the deployment channel value to ensure that the linked certificate is being stored in the proper keychain. Certificates in profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel. For the latest information about the deployment channel setting, see [What's New in Microsoft Intune](../fundamentals/whats-new.md). - ## Before you begin - Create a [macOS wired network device configuration profile](wired-networks-configure.md). 
@@ -64,11 +61,14 @@ We recommend that you check the deployment channel setting in existing wired net Options with "active" in the title use interfaces that are actively working on the device. If there are no active interfaces, the next interface in service-order priority is configured. By default, **First active Ethernet** is selected, which is also the default setting configured by macOS. -- **Deployment channel**: Select how you want to deploy the profile. This setting also determines the keychain where the authentication certificates are stored, so it's important to select the proper channel. It's not possible to edit the deployment channel after you deploy the profile. +- **Deployment channel**: Select how you want to deploy the profile. This setting also determines the keychain where the authentication certificates are stored, so it's important to select the proper channel. It's not possible to edit the deployment channel after you deploy the profile. To do so, you must create a new profile. + + >[!NOTE] + > We recommend rechecking the deployment channel setting in existing profiles when the linked authentication certificates are up for renewal to ensure the intended channel is selected. If it isn't, create a new profile with the correct deployment channel. You have two options: - **User channel**: Always select the user deployment channel in profiles with user certificates. This option stores certificates in the user keychain. - - **Device channel**: Always select the device deployment channel in profiles with device certificates. This option stores certificates in the device keychain. + - **Device channel**: Always select the device deployment channel in profiles with device certificates. This option stores certificates in the system keychain. - **EAP type**: To authenticate secured wired connections, select the Extensible Authentication Protocol (EAP) type. Your options: 
@@ -96,7 +96,7 @@ We recommend that you check the deployment channel setting in existing wired net - **Challenge Handshake Authentication Protocol (CHAP)** - **Microsoft CHAP (MS-CHAP)** - **Microsoft CHAP Version 2 (MS-CHAP v2)** - - **Certificates**: Select an existing SCEP client certificate profile that is also deployed to the device. This certificate is the identity presented by the device to the server to authenticate the connection. PKCS certificates aren't supported. Choose the certificate that aligns with your deployment channel selection. If you selected the user channel, your certificate options are limited to user certificate profiles. If you selected the device channel, you have both user and device certificate profiles to choose from, but we recommend always selecting the certificate type that aligns with the selected channel. Storing user certificates in the device keychain increases security risks. + - **Certificates**: Select an existing SCEP client certificate profile that is also deployed to the device. This certificate is the identity presented by the device to the server to authenticate the connection. PKCS certificates aren't supported. Choose the certificate that aligns with your deployment channel selection. If you selected the user channel, your certificate options are limited to user certificate profiles. If you selected the device channel, you have both user and device certificate profiles to choose from. However, we recommend always selecting the certificate type that aligns with the selected channel. Storing user certificates in the system keychain increases security risks. - **Identity privacy (outer identity)**: Enter the text sent in the response to an EAP identity request. This text can be any value, such as `anonymous`. During authentication, this anonymous identity is initially sent. Then, the real identification is sent in a secure tunnel. - **LEAP** 
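Review bot: In this wired-network-settings-macos.md @@ -96,7 +96,7 hunk, and in the matching `Certificates` hunks in vpn-settings-macos.md and wi-fi-settings-macos.md (@@ -100), the closing sentence states that storing user certificates in the system keychain increases security risk but never says why, so the recommendation reads as a rule rather than a trade-off an admin can reason about. One clause would fix that: the system keychain is available to every account and process on the Mac, while the user keychain scopes the identity to the signed-in user. Suggested wording: "Storing user certificates in the system keychain increases security risk, because items in the system keychain are available to all users and processes on the device rather than only to the signed-in user." The rename from *device keychain* to *system keychain* across these hunks is a good consistency fix; keeping one parenthetical "(also called the device keychain)" at the first use in each article would help readers of the older wording.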
diff --git a/memdocs/intune/protect/certificates-pfx-configure.md b/memdocs/intune/protect/certificates-pfx-configure.md index 96724889dbe..dcfb48092df 100644 --- a/memdocs/intune/protect/certificates-pfx-configure.md +++ b/memdocs/intune/protect/certificates-pfx-configure.md @@ -5,7 +5,7 @@ keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 11/11/2024 +ms.date: 11/19/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect @@ -303,17 +303,18 @@ For guidance, see [Install and configure the Certificate Connector for Microsoft |Setting | Platform | Details | |------------|------------|------------| - |**Renewal threshold (%)** |
  • All |Recommended is 20% | - |**Certificate validity period** |
    • All |If you didn't change the certificate template, this option might be set to one year.

      Use a validity period of five days or up to 24 months. When the validity period is less than five days, there's a high likelihood of the certificate entering a near-expiry or expired state, which can cause the MDM agent on devices to reject the certificate before it’s installed. | - |**Key storage provider (KSP)** |
      • Windows 10/11 |For Windows, select where to store the keys on the device. | - |**Certification authority** |
        • All |Displays the internal fully qualified domain name (FQDN) of your Enterprise CA. | - |**Certification authority name** |
          • All |Lists the name of your Enterprise CA, such as "Contoso Certification Authority." | - |**Certificate template name** |
            • All |Lists the name of your certificate template. | - |**Certificate type** |
              • Android Enterprise (*Corporate-Owned and Personally-Owned Work Profile*)
              • iOS
              • macOS
              • Windows 10/11 |Select a type:
                • **User** certificates can contain both user and device attributes in the subject and subject alternative name (SAN) of the certificate.
                • **Device** certificates can only contain device attributes in the subject and SAN of the certificate. Use Device for scenarios such as user-less devices, like kiosks or other shared devices.

                  This selection affects the Subject name format. | - |**Subject name format** |
                  • All |For details on how to configure the subject name format, see [Subject name format](#subject-name-format) later in this article.

                    For the following platforms, the Subject name format is determined by the certificate type:
                    • Android Enterprise (*Work Profile*)
                    • iOS
                    • macOS
                    • Windows 10/11

                    | - |**Subject alternative name** |

                    • All |For *Attribute*, select **User principal name (UPN)** unless otherwise required, configure a corresponding *Value*, and then select **Add**.

                      You can use variables or static text for the SAN of both certificate types. Use of a variable isn't required.

                      For more information, see [Subject name format](#subject-name-format) later in this article.| + |**Deployment channel**|macOS|Select how you want to deploy the profile. This setting also determines the keychain where the linked certificates are stored, so it's important to select the proper channel.

                      Always select the user deployment channel in profiles with user certificates. The user channel stores certificates in the user keychain. Always select the device deployment channel in profiles with device certificates. The device channel stores certificates in the system keychain.

                      It's not possible to edit the deployment channel after you deploy the profile. You must create a new profile to select a different channel. + |**Renewal threshold (%)** |All |Recommended is 20% | + |**Certificate validity period** |All |If you didn't change the certificate template, this option might be set to one year.

                      Use a validity period of five days or up to 24 months. When the validity period is less than five days, there's a high likelihood of the certificate entering a near-expiry or expired state, which can cause the MDM agent on devices to reject the certificate before it’s installed. | + |**Key storage provider (KSP)** |Windows 10/11 |For Windows, select where to store the keys on the device. | + |**Certification authority** |All |Displays the internal fully qualified domain name (FQDN) of your Enterprise CA. | + |**Certification authority name** |All |Lists the name of your Enterprise CA, such as "Contoso Certification Authority." | + |**Certificate template name** |All |Lists the name of your certificate template. | + |**Certificate type** |
                      • Android Enterprise (*Corporate-Owned and Personally-Owned Work Profile*)
                      • iOS
                      • macOS
                      • Windows 10/11 |Select a type:
                        • **User** certificates can contain both user and device attributes in the subject and subject alternative name (SAN) of the certificate.
                        • **Device** certificates can only contain device attributes in the subject and SAN of the certificate. Use Device for scenarios such as user-less devices, like kiosks or other shared devices.

                          This selection affects the Subject name format.

                          For macOS, if this profile is configured to use the device deployment channel, you can select **User** or **Device**. If the profile is configured to use the user deployment channel, you can select only **User**. | + |**Subject name format** |All |For details on how to configure the subject name format, see [Subject name format](#subject-name-format) later in this article.

                          For the following platforms, the Subject name format is determined by the certificate type:
                          • Android Enterprise (*Work Profile*)
                          • iOS
                          • macOS
                          • Windows 10/11

                          | + |**Subject alternative name** |All |For *Attribute*, select **User principal name (UPN)** unless otherwise required, configure a corresponding *Value*, and then select **Add**.

                          You can use variables or static text for the SAN of both certificate types. Use of a variable isn't required.

                          For more information, see [Subject name format](#subject-name-format) later in this article.| |**Extended key usage** |

                          • Android device administrator
                          • Android Enterprise (*Device Owner*, *Corporate-Owned and Personally-Owned Work Profile*)
                          • Windows 10/11 |Certificates usually require *Client Authentication* so that the user or device can authenticate to a server. | - |**Allow all apps access to private key** |
                            • macOS |Set to **Enable** to give apps that are configured for the associated mac device access to the PKCS certificate's private key.

                              For more information on this setting, see *AllowAllAppsAccess* the Certificate Payload section of [Configuration Profile Reference](https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf) in the Apple developer documentation. | + |**Allow all apps access to private key** |macOS |Set to **Enable** to give apps that are configured for the associated mac device access to the PKCS certificate's private key.

                              For more information on this setting, see *AllowAllAppsAccess* the Certificate Payload section of [Configuration Profile Reference](https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf) in the Apple developer documentation. | |**Root Certificate** |
                              • Android device administrator
                              • Android Enterprise (*Device Owner*, *Corporate-Owned and Personally-Owned Work Profile*) |Select a root CA certificate profile that was previously assigned. | 8. This step applies only to **Android Enterprise** devices profiles for **Fully Managed, Dedicated, and Corporate-Owned work Profile**. 
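Review bot: In the certificates-pfx-configure.md @@ -303,17 +303,18 hunk, the new `Deployment channel` row states the keychain rule and the cannot-edit constraint but not the renewal-time check that the Wi-Fi and wired pages gain in this same PR; because this page also loses its own `Verify deployment channel` section in the @@ -416 hunk, the advice is now absent from the PKCS article entirely. Suggest adding one sentence to the row's Details cell, for example: "Check this setting on existing profiles when the linked certificates are up for renewal, and create a new profile if the wrong channel is selected." Dropping the bullet markers from single-item Platform cells (`All`, `Windows 10/11`, `macOS`) while keeping them for the multi-item `Certificate type`, `Extended key usage` and `Root Certificate` rows is consistent and reads well.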
@@ -416,10 +417,7 @@ Platforms: > > - When you specify a variable, enclose the variable name in curly brackets { } as seen in the example, to avoid an error. > - Device properties used in the *subject* or *SAN* of a device certificate, like **IMEI**, **SerialNumber**, and **FullyQualifiedDomainName**, are properties that could be spoofed by a person with access to the device. - > - A device must support all variables specified in a certificate profile for that profile to install on that device. For example, if **{{IMEI}}** is used in the subject name of a SCEP profile and is assigned to a device that doesn't have an IMEI number, the profile fails to install. - -## Verify deployment channel -We recommend that you check the deployment channel in existing PKCS profiles when your linked authentication certificates are up for renewal. Always select the user channel in profiles when you're deploying user-targeted authentication certificates. And always select the device channel when you're deploying device-targeted authentication certificates. Certificates in profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel. For the latest information about the deployment channel setting, see [What's New in Microsoft Intune](../fundamentals/whats-new.md). + > - A device must support all variables specified in a certificate profile for that profile to install on that device. For example, if **{{IMEI}}** is used in the subject name of a SCEP profile and is assigned to a device that doesn't have an IMEI number, the profile fails to install. ## Next steps diff --git a/memdocs/intune/protect/certificates-profile-scep.md b/memdocs/intune/protect/certificates-profile-scep.md index b6e4acf123a..21ed1993773 100644 --- a/memdocs/intune/protect/certificates-profile-scep.md +++ b/memdocs/intune/protect/certificates-profile-scep.md 
@@ -124,6 +124,11 @@ For more information about the KDC's requirements and enforcement date for stron 7. In **Configuration settings**, complete the following configurations: + - **Deployment channel**: Select how you want to deploy the profile. This setting also determines the keychain where the linked certificates are stored, so it's important to select the proper channel. + + Always select the user deployment channel in profiles with user certificates. The user channel stores certificates in the user keychain. Always select the device deployment channel in profiles with device certificates. The device channel stores certificates in the system keychain. + + It's not possible to edit the deployment channel after you deploy the profile. You must create a new profile to select a different channel. - **Certificate type**: *(Applies to: Android, Android Enterprise, Android (AOSP), iOS/iPadOS, macOS, Windows 8.1, and Windows 10/11)* 
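Review bot: In the certificates-profile-scep.md @@ -124,6 +124,11 hunk, the new `Deployment channel` bullet carries no platform annotation, while the neighbouring `Certificate type` bullet uses the "*(Applies to: ...)*" convention and the PKCS table row for the same setting lists only macOS. Add "*(Applies to: macOS)*" after the bullet title so admins building iOS/iPadOS, Android or Windows SCEP profiles do not go looking for a setting they will not see.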
@@ -134,11 +139,13 @@ For more information about the KDC's requirements and enforcement date for stron - **Device**: *Device* certificates can only contain device attributes in the subject and SAN of the certificate. - Use **Device** for scenarios such as user-less devices, like kiosks, or for Windows devices. On Windows devices, the certificate is placed in the Local Computer certificate store. + Use **Device** for scenarios such as user-less devices, like kiosks, or for Windows devices. On Windows devices, the certificate is placed in the Local Computer certificate store. + + For macOS, if this profile is configured to use the device deployment channel, you can select **User** or **Device**. If the profile is configured to use the user deployment channel, you can select only **User**. > [!NOTE] > Storage of certificates provisioned by SCEP: - > - *macOS* - Certificates you provision with SCEP are always placed in the system keychain (also called *system store* or *device keychain*) of the device. + > - *macOS* - Certificates you provision with SCEP are always placed in the system keychain (also called *system store* or *device keychain*) of the device, unless you select the user deployment channel. > > - *Android* - Devices have both a *VPN and apps* certificate store, and a *WIFI* certificate store. Intune always stores SCEP certificates in the VPN and apps store on a device. Use of the VPN and apps store makes the certificate available for use by any other app. 
> @@ -461,9 +468,6 @@ Consider the following before you continue: > - Certificates delivered by SCEP are each unique. Certificates delivered by PKCS are the same certificate, but appear different as each profile instance is represented by a separate line in the management profile. > - On iOS 13 and macOS 10.15, there are [additional security requirements that are documented by Apple](https://support.apple.com/HT210176) to take into consideration. -## Verify deployment channel -We recommend checking the deployment channel in existing SCEP profiles when they're up for renewal to ensure that any authentication certificates you're using are stored in the proper keychain. Always select the user channel in profiles when you're deploying user-targeted authentication certificates. And always select the device channel when you're deploying device-targeted authentication certificates. Certificates in profiles you created prior to the introduction of the deployment channel setting will continue to be stored in the device keychain until you create a new profile and select the user deployment channel. For the latest information about the deployment channel setting, see [What's New in Microsoft Intune](../fundamentals/whats-new.md). - ## Next steps [Assign profiles](../configuration/device-profile-assign.md) From 7793f4b60669952ed90baac277c41e3748b3f288 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Tue, 19 Nov 2024 14:36:29 -0500 Subject: [PATCH 33/33] Format fix --- memdocs/intune/configuration/vpn-settings-macos.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/memdocs/intune/configuration/vpn-settings-macos.md b/memdocs/intune/configuration/vpn-settings-macos.md index db7c7ce0c15..1a3f03b3dbc 100644 --- a/memdocs/intune/configuration/vpn-settings-macos.md +++ b/memdocs/intune/configuration/vpn-settings-macos.md 
@@ -56,7 +56,8 @@ This feature applies to: You have two options: - **User channel**: Always select the user deployment channel in profiles with user certificates. This option stores certificates in the user keychain. - **Device channel**: Always select the device deployment channel in profiles with device certificates. This option stores certificates in the system keychain. -**Connection name**: Enter a name for this connection. End users see this name when they browse their device for the list of available VPN connections. + +- **Connection name**: Enter a name for this connection. End users see this name when they browse their device for the list of available VPN connections. - **VPN server address**: Enter the IP address or fully qualified domain name of the VPN server that devices connect to. For example, enter `192.168.1.1` or `vpn.contoso.com`. - **Authentication method**: Choose how devices authenticate to the VPN server. Your options:
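Review bot: In the certificates-profile-scep.md @@ -134,11 +139,13 hunk, the modified NOTE now reads "Certificates you provision with SCEP are always placed in the system keychain (...), unless you select the user deployment channel", which asserts "always" and then names an exception in the same sentence. Suggest stating both cases plainly: "Certificates you provision with SCEP are placed in the system keychain (also called *system store* or *device keychain*) when the profile uses the device deployment channel, and in the user keychain when it uses the user deployment channel." Keeping the parenthetical is worthwhile, since the rest of this PR renames *device keychain* to *system keychain* and readers of the older articles will know the old term.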