diff --git a/memdocs/configmgr/comanage/autopilot-enrollment.md b/memdocs/configmgr/comanage/autopilot-enrollment.md index 37bcd03bce7..c66b33772e5 100644 --- a/memdocs/configmgr/comanage/autopilot-enrollment.md +++ b/memdocs/configmgr/comanage/autopilot-enrollment.md @@ -9,7 +9,7 @@ ms.topic: how-to ms.localizationpriority: medium author: gowdhamankarthikeyan ms.author: gokarthi -ms.reviewer: mstewart,aaroncz +ms.reviewer: mstewart,aaroncz,frankroj manager: apoorvseth ms.collection: tier3 --- @@ -83,12 +83,16 @@ The following components are required to support Autopilot into co-management: - Windows devices running one of the following versions: - - Windows 11 + - Windows 11 -> [!NOTE] - > For Windows 11 devices, if a device has not been targeted with a co-management settings policy, the management authority will be set to Intune, during the Autopilot process. Installing Configuration Manager client as Win32 app does not change management authority to Configuration Manager and thus Intune will continue to manage all the co-management workloads. To mitigate this, you must create a co-management settings policy and set **automatically install the Configuration Manager client** to **No** and in Advanced settings, keep default settings for **Override co-management policy and use Intune for all workloads.** + For Windows 11 devices, if a device has not been targeted with a co-management settings policy, the management authority will be set to Microsoft Intune during the Autopilot process. Installing the Configuration Manager client as Win32 app doesn't change management authority to Configuration Manager and Microsoft Intune will continue to manage all the co-management workloads. To set the management authority to Configuration Manager, create a co-management settings policy with the following Advanced settings:
+
+ - **Automatically install the Configuration Manager client.**: **No** + - **Override co-management policy and use Intune for all workloads.**: **No** + + For additional information, see [Co-management settings: Windows Autopilot with co-management](https://techcommunity.microsoft.com/t5/microsoft-intune-blog/co-management-settings-windows-autopilot-with-co-management/ba-p/3638500). - - At least Windows 10, version 20H2, with the latest cumulative update + - A [currently supported](/windows/release-health/supported-versions-windows-client#windows-10-supported-versions-by-servicing-option) version of Windows 10. - Register the device for Autopilot. For more information, see [Windows Autopilot registration overview](/autopilot/registration-overview). @@ -127,19 +131,25 @@ Use these recommendations for a more successful deployment: ## Limitations -Autopilot into co-management currently doesn't support the following functionality: + - For Windows 11 devices in Microsoft Entra hybrid joined scenario, the management authority will be set to Microsoft Intune during the Windows Autopilot process. Installing Configuration Manager client as Win32 app does not change management authority to Configuration Manager and Microsoft Intune will continue to manage all the co-management workloads. -- Microsoft Entra hybrid joined devices - If the device is targeted with co-management settings policy, in Microsoft Entra hybrid join scenario, the autopilot provisioning times out during ESP phase. + To change the management authority to Configuration Manager, set the following registry key value:
+
+ - Path: **HKLM\SOFTWARE\Microsoft\DeviceManageabilityCSP\Provider\MS DM Server** + - Value: **ConfigInfo** + - REG_SZ: **2** + + For more information, see [Co-management settings: Windows Autopilot with co-management](https://techcommunity.microsoft.com/t5/microsoft-intune-blog/co-management-settings-windows-autopilot-with-co-management/ba-p/3638500). -> [!NOTE] -> -> For Windows 11 devices in Microsoft Entra hybrid joined scenario, the management authority will be set to Intune, during the Autopilot process. Installing Configuration Manager client as Win32 app does not change management authority to Configuration Manager and thus Intune will continue to manage all the co-management workloads. To mitigate this, along with Configuration Manager client installation, registry value **ConfigInfo** in registry path **HKLM\SOFTWARE\Microsoft\DeviceManageabilityCSP\Provider\MS DM Server** must be set to **2** which will set the management authority as Configuration Manager. +- Autopilot into co-management currently doesn't support the following functionality: + + - Microsoft Entra hybrid joined devices - If the device is targeted with co-management settings policy, in Microsoft Entra hybrid join scenario, the autopilot provisioning times out during ESP phase. -- Autopilot pre-provisioning. + - Autopilot pre-provisioning. -- Workloads switched to **Pilot Intune** with pilot collections. This functionality is dependent upon collection evaluation, which doesn't happen until after the client is installed and registered. Since the client won't get the correct policy until later in the Autopilot process, it can cause indeterminate behaviors. + - Workloads switched to **Pilot Intune** with pilot collections. This functionality is dependent upon collection evaluation, which doesn't happen until after the client is installed and registered. Since the client won't get the correct policy until later in the Autopilot process, it can cause indeterminate behaviors. 
-- Clients that authenticate with PKI certificates. You can't provision the certificate on the device before the Configuration Manager client installs and needs to authenticate to the CMG. Microsoft Entra ID is recommended for client authentication. For more information, see [Plan for CMG client authentication: Microsoft Entra ID](../core/clients/manage/cmg/plan-client-authentication.md#azure-ad). + - Clients that authenticate with PKI certificates. You can't provision the certificate on the device before the Configuration Manager client installs and needs to authenticate to the CMG. Microsoft Entra ID is recommended for client authentication. For more information, see [Plan for CMG client authentication: Microsoft Entra ID](../core/clients/manage/cmg/plan-client-authentication.md#azure-ad). ## Configure diff --git a/memdocs/intune/developer/app-sdk-android-phase1.md b/memdocs/intune/developer/app-sdk-android-phase1.md index 2b90fbda21d..0204f285ba7 100644 --- a/memdocs/intune/developer/app-sdk-android-phase1.md +++ b/memdocs/intune/developer/app-sdk-android-phase1.md @@ -166,8 +166,8 @@ The user is ***not*** required to sign into or even launch the Company Portal ap > [!NOTE] > Ensure that your app is compatible with the [Google Play requirements](https://developer.android.com/google/play/requirements/target-sdk). -The SDK fully supports Android API 28 (Android 9.0) through Android API 34 (Android 14). -In order to target Android API 34 (Android 14), you must use Intune App SDK `v10.0.0` or later. +The SDK fully supports Android API 28 (Android 9.0) through Android API 35 (Android 15). +In order to target Android API 35 (Android 15), you must use Intune App SDK `v11.0.0` or later. APIs 26 through 27 (Android 8.0 - 8.1) are in limited support. The Company Portal app isn't supported below Android API 26 (Android 8.0). 
diff --git a/memdocs/intune/fundamentals/intune-govt-service-description.md b/memdocs/intune/fundamentals/intune-govt-service-description.md index 0093e500d02..1db705490c7 100644 --- a/memdocs/intune/fundamentals/intune-govt-service-description.md +++ b/memdocs/intune/fundamentals/intune-govt-service-description.md @@ -7,7 +7,7 @@ keywords: author: MandiOhlinger ms.author: mandia manager: dougeby -ms.date: 08/01/2024 +ms.date: 09/19/2024 ms.topic: article ms.service: microsoft-intune ms.suite: ems @@ -73,6 +73,7 @@ The following features are available and supported in Microsoft GCC High and/or | --- | --- | | Standard MDM features | ✅

You can use app policies, device configuration profiles, compliance policies, and more. | | Mobile Threat Defense (MTD) | ✅

Mobile Threat Defense (MTD) connectors for Android and iOS/iPadOS devices with MTD vendors that **also support** the GCC High environment can be used. When you sign in to a GCC High tenant, you see the connectors that are available in these environments. | +| Microsoft Defender for Endpoint security settings management (public preview)| ✅

On devices onboarded to Defender but not enrolled in Intune, you can use Intune endpoint security policies to manage Defender security settings. For more information on this feature, go to [Defender for Endpoint security settings management](../protect/mde-security-integration.md). | | Platform support | ✅

You can use the same operating systems - Android, AOSP, iOS/iPadOS, Linux, macOS, and Windows.

- **Android (AOSP)**: There are some device restrictions. For more information, go to [Supported operating systems and browsers in Intune - AOSP](supported-devices-browsers.md#android).
- **Linux**: Generally available (GA) in February 2024.| | Remote Help | ✅

Remote Help is supported in GCC on Android, macOS, and Windows devices. It's not supported in GCC High or DoD.

For more information on this feature, go to [Remote Help in Microsoft Intune](../fundamentals/remote-help.md). | | Windows Autopilot device preparation | ✅

Some features are available now, such as user-driven deployments, and some are still [in the planning phase](#in-the-planning-phase). For more information on the recent changes to Windows Autopilot device preparation, go to [Blog: Windows deployment with the next generation of Windows Autopilot](https://techcommunity.microsoft.com/t5/microsoft-intune-blog/windows-deployment-with-the-next-generation-of-windows-autopilot/ba-p/4148169).

To get started with Windows Autopilot device preparation, go to [Windows Autopilot Device Preparation overview](/autopilot/device-preparation/overview). | diff --git a/memdocs/intune/protect/certificates-configure.md b/memdocs/intune/protect/certificates-configure.md index 2b3a24ce2ad..cda2beba9d0 100644 --- a/memdocs/intune/protect/certificates-configure.md +++ b/memdocs/intune/protect/certificates-configure.md @@ -1,13 +1,13 @@ --- # required metadata -title: Learn about the types of certificate that are supported by Microsoft Intune +title: Types of certificate that are supported by Microsoft Intune description: Learn about Microsoft Intune's support for Simple Certificate Enrollment Protocol (SCEP), Public Key Cryptography Standards (PKCS) certificates. keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 08/21/2023 +ms.date: 10/04/2024 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: protect @@ -58,7 +58,8 @@ To provision a user or device with a specific type of certificate, Intune uses a In addition to the three certificate types and provisioning methods, you need a trusted root certificate from a trusted Certification Authority (CA). The CA can be an on-premises Microsoft Certification Authority, or a [third-party Certification Authority](certificate-authority-add-scep-overview.md). The trusted root certificate establishes a trust from the device to your root or intermediate (issuing) CA from which the other certificates are issued. To deploy this certificate, you use the *trusted certificate* profile, and deploy it to the same devices and users that receive the certificate profiles for SCEP, PKCS, and imported PKCS. -> [!TIP] +> [!TIP] +> > Intune also supports use of [Derived credentials](derived-credentials.md) for environments that require use of smartcards. ### What’s required to use certificates 
@@ -120,11 +121,13 @@ When you use a Microsoft Certification Authority (CA): When you use a third-party (non-Microsoft) Certification Authority (CA): -- To use SCEP certificate profiles: +- SCEP certificate profiles don't require use of the Microsoft Intune Certificate Connector. Instead, the third-party CA handles the certificate issuance and management directly. To use SCEP certificate profiles without the Intune Certificate Connector: - Configure integration with a third-party CA from [one of our supported partners](certificate-authority-add-scep-overview.md#third-party-certification-authority-partners). Setup includes following the instructions from the third-party CA to complete integration of their CA with Intune. - [Create an application in Microsoft Entra ID](certificate-authority-add-scep-overview.md#set-up-third-party-ca-integration) that delegates rights to Intune to do SCEP certificate challenge validation. + + For more information, see [Set up third-party CA integration](../protect/certificate-authority-add-scep-overview.md#set-up-third-party-ca-integration) -- PKCS imported certificates require you to [Install the Certificate Connector for Microsoft Intune](certificate-connector-install.md). +- PKCS imported certificates require use of the Microsoft Intune Certificate Connector. See [Install the Certificate Connector for Microsoft Intune](certificate-connector-install.md). - Deploy certificates by using the following mechanisms: - [Trusted certificate profiles](certificates-trusted-root.md#create-trusted-certificate-profiles) to deploy the Trusted Root CA certificate from your root or intermediate (issuing) CA to devices 
@@ -152,10 +155,9 @@ When you use a third-party (non-Microsoft) Certification Authority (CA): [!INCLUDE [windows-phone-81-windows-10-mobile-support](../includes/windows-phone-81-windows-10-mobile-support.md)] +[!INCLUDE [android-device-administrator-support](../includes/android-device-administrator-support.md)] - [!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)] - -## Next steps +## Related content More resources: diff --git a/memdocs/intune/protect/mde-security-integration.md b/memdocs/intune/protect/mde-security-integration.md index 8a4e58c24db..88fbbb2ef04 100644 --- a/memdocs/intune/protect/mde-security-integration.md +++ b/memdocs/intune/protect/mde-security-integration.md @@ -70,6 +70,18 @@ When a supported device onboards to Microsoft Defender for Endpoint: Security settings management isn't yet supported with Government clouds. For more information, see [Feature parity with commercial](/microsoft-365/security/defender-endpoint/gov#feature-parity-with-commercial) in *Microsoft Defender for Endpoint for US Government customers*. +### Government cloud support + +As a public preview, the Defender for Endpoint security settings management scenario is supported in the following tenants: + +- US Government Community (GCC) High +- Department of Defense (DoD) + +For more information, see: + +- [Intune US Government service description](../fundamentals/intune-govt-service-description.md) +- [Microsoft Defender for Endpoint for US Government customers](/microsoft-365/security/defender-endpoint/gov) + ### Connectivity requirements Devices must have access to the following endpoint: diff --git a/windows-365/business-continuity-disaster-recovery.md b/windows-365/business-continuity-disaster-recovery.md index 0dea3973f92..029605ee5dd 100644 --- a/windows-365/business-continuity-disaster-recovery.md +++ b/windows-365/business-continuity-disaster-recovery.md 
@@ -19,7 +19,7 @@ ms.assetid: #ROBOTS: #audience: -ms.reviewer: docoombs +ms.reviewer: docoombs, olivchen, rkiran ms.suite: ems search.appverid: MET150 #ms.tgt_pltfrm: @@ -29,6 +29,8 @@ ms.collection: - tier1 --- + + # Business continuity and disaster recovery overview Windows 365 provides highly resilient user cloud pcs, including: diff --git a/windows-365/enterprise/architecture.md b/windows-365/enterprise/architecture.md index 03d9b335a38..924fde7b5e0 100644 --- a/windows-365/enterprise/architecture.md +++ b/windows-365/enterprise/architecture.md @@ -19,7 +19,7 @@ ms.assetid: #ROBOTS: #audience: -ms.reviewer: thhickli +ms.reviewer: thhickli, mattsha, rikiran ms.suite: ems search.appverid: MET150 #ms.tgt_pltfrm: @@ -29,6 +29,8 @@ ms.collection: - tier2 --- + + # Windows 365 architecture Windows 365 provides a per-user per-month license model by hosting Cloud PCs on behalf of customers in Microsoft Azure. In this model, there’s no need to consider storage, compute infrastructure architecture, or costs. The Windows 365 architecture also lets you use your existing investments in Azure networking and security. Each Cloud PC is provisioned according to the configuration you define in the Windows 365 section of the Microsoft Intune admin center. diff --git a/windows-365/enterprise/encryption.md b/windows-365/enterprise/encryption.md index ddb9d695c68..c83fa6ff1ba 100644 --- a/windows-365/enterprise/encryption.md +++ b/windows-365/enterprise/encryption.md @@ -19,7 +19,7 @@ ms.assetid: #ROBOTS: #audience: -ms.reviewer: anbiswas +ms.reviewer: ryclar, pratikshah, saudm, jonshi ms.suite: ems search.appverid: MET150 #ms.tgt_pltfrm: @@ -29,6 +29,8 @@ ms.collection: - tier2 --- + + # Data encryption in Windows 365 Windows 365 encrypts data at rest and in transit as explained in this article. diff --git a/windows-365/enterprise/identity-authentication.md b/windows-365/enterprise/identity-authentication.md index e3b0756907f..bd36d73aa95 100644 
--- a/windows-365/enterprise/identity-authentication.md +++ b/windows-365/enterprise/identity-authentication.md @@ -19,7 +19,7 @@ ms.assetid: #ROBOTS: #audience: -ms.reviewer: davidbel +ms.reviewer: davidbel, pratikshah ms.suite: ems search.appverid: MET150 #ms.tgt_pltfrm: @@ -29,6 +29,8 @@ ms.collection: - tier2 --- + + # Windows 365 identity and authentication A Cloud PC user's identity defines which access management services manage that user and Cloud PC. This identity defines: diff --git a/windows-365/enterprise/privacy-personal-data.md b/windows-365/enterprise/privacy-personal-data.md index 3ddd714e171..2e3185bfc3f 100644 --- a/windows-365/enterprise/privacy-personal-data.md +++ b/windows-365/enterprise/privacy-personal-data.md @@ -19,7 +19,7 @@ ms.assetid: #ROBOTS: #audience: -ms.reviewer: anbiswas +ms.reviewer: tnevins1, pratikshah ms.suite: ems search.appverid: MET150 #ms.tgt_pltfrm: @@ -30,6 +30,8 @@ ms.collection: - essentials-privacy --- + + # Privacy, customer data, and customer content in Windows 365 Windows 365 is a cloud-based service that lets you provision and manage Cloud PC for your users. You manage the Cloud PCs with the rest of your devices by using Microsoft Intune (Windows 365 Enterprise) or a self-serviced experience (Windows 365 Business). This documentation provides details on data platform and privacy compliance for Windows 365. Unless otherwise specified, the term Windows 365 in this document refers to both Windows 365 Enterprise and the Windows 365 Business. Where the details below differ, each product is called out individually. diff --git a/windows-365/enterprise/resilience.md b/windows-365/enterprise/resilience.md index ef7b894a036..256891b7655 100644 --- a/windows-365/enterprise/resilience.md +++ b/windows-365/enterprise/resilience.md @@ -19,7 +19,7 @@ ms.assetid: #ROBOTS: #audience: -ms.reviewer: thhickli +ms.reviewer: thhickli, rkiran ms.suite: ems search.appverid: MET150 #ms.tgt_pltfrm: 
@@ -29,6 +29,8 @@ ms.collection: - tier2 --- + + # Windows 365 service resilience Windows 365 is designed to provide a resilient and reliable service for organizations and end users, connecting to, and using their Cloud PCs. diff --git a/windows-365/enterprise/security.md b/windows-365/enterprise/security.md index 5e6fc627a48..3bfc4398950 100644 --- a/windows-365/enterprise/security.md +++ b/windows-365/enterprise/security.md @@ -19,7 +19,7 @@ ms.assetid: #ROBOTS: #audience: -ms.reviewer: chrimo +ms.reviewer: lakasa, pratikshah, saudm, jonshi ms.suite: ems search.appverid: #ms.tgt_pltfrm: @@ -30,6 +30,8 @@ ms.collection: - essentials-security --- + + # Windows 365 security Windows 365 provides an end-to-end connection flow for users to do their work effectively and securely. Windows 365 is built with [Zero Trust](/security/zero-trust/zero-trust-overview) in mind, providing the foundation for you to implement controls to better secure your environment across the 6 pillars of Zero Trust. You can implement Zero Trust controls for the following categories:
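Review bot: in the autopilot-enrollment.md hunk at `@@ -83,12 +83,16 @@`, the new Advanced settings list changes the guidance for **Override co-management policy and use Intune for all workloads** from the removed note's "keep default settings" to an explicit **No**; confirm that this is the intended value, since a reader following the old note and one following the new list would configure the policy differently. Also, the period belongs outside the bold setting names, for example `- **Automatically install the Configuration Manager client**: **No**`, and the two list items plus the "For additional information" line should be indented to the same level as the paragraph they follow so they render under the Windows 11 bullet.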
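Review bot: in the autopilot-enrollment.md hunk at `@@ -127,19 +131,25 @@`, the registry instructions drop the timing condition the removed note carried: the old text said **ConfigInfo** must be set to **2** "along with Configuration Manager client installation", while the new bullets only say to set the value, so a reader may set it after provisioning and still expect the authority to change. Suggest restoring that condition in the lead sentence ("To change the management authority to Configuration Manager, set the following registry value along with the client installation:"). The third bullet `REG_SZ: **2**` reads as though REG_SZ were the value name; label the items as Path, Value name, Type (REG_SZ) and Data (2). Separately, the first new bullet describes behaviour rather than an unsupported feature, so placing it under **Limitations** ahead of "Autopilot into co-management currently doesn't support the following functionality" makes the management-authority behaviour read as a limitation; a short lead paragraph before the unsupported list would be clearer. There's also a trailing space at the end of the **Pilot Intune** line.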
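Review bot: in the intune-govt-service-description.md hunk at `@@ -73,6 +73,7 @@`, the new table row is missing the space before the column separator after `(public preview)`; the other rows use `| ✅` after the feature name. Since the table covers GCC High and/or DoD, state in the cell which of the two clouds the preview applies to, as the Remote Help row does, rather than leaving readers to follow the link.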
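Review bot: in the certificates-configure.md hunk at `@@ -120,11 +121,13 @@`, the added line "For more information, see [Set up third-party CA integration](../protect/certificate-authority-add-scep-overview.md#set-up-third-party-ca-integration)" has no terminal period, uses a `../protect/` path where the two links just above it use the bare `certificate-authority-add-scep-overview.md`, and points at the same anchor as the preceding bullet; either drop it or use the same relative form with a period. Also, "the third-party CA handles the certificate issuance and management directly" sits awkwardly next to the unchanged bullet that has Entra ID delegate SCEP challenge validation to Intune; consider "issues the certificates directly, while Intune validates the SCEP challenge" so the two bullets don't appear to disagree.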
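Review bot: in the mde-security-integration.md hunk at `@@ -70,6 +70,18 @@`, the new **Government cloud support** section contradicts the unchanged sentence immediately above it, "Security settings management isn't yet supported with Government clouds." Remove or rewrite that sentence (for example, to say the scenario is in public preview for GCC High and DoD) so the page doesn't state both, and say in the new section whether GCC (non-High) is covered, since the list names only GCC High and DoD.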
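Review bot: across the seven windows-365 files, each `@@ -29,6 +29,8 @@` (or `-30,6 +30,8`) hunk adds two blank lines after the front-matter `---`, leaving more than one consecutive blank line before the H1; markdownlint's multiple-blank-lines rule (MD012) will flag these, and the files rendered fine without them, so the added lines should be dropped. In the `ms.reviewer` hunks, architecture.md lists `rikiran` while business-continuity-disaster-recovery.md and resilience.md list `rkiran`; confirm which alias is correct and use it consistently.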