Merge pull request #16811 from MicrosoftDocs/main
Publish main to live, 12/02/24, 3:30 PM PT
Ruchika-mittal01 authored Dec 2, 2024
2 parents 988f312 + b5ecf00 commit 5fc6d41
Showing 13 changed files with 38 additions and 20 deletions.
4 changes: 2 additions & 2 deletions memdocs/analytics/device-scopes.md
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,7 @@ To create custom device scopes:
The new custom device scope appears in your list of saved device scopes. By default, custom devices scopes are in the *Off* state. To activate custom device scopes, toggle the **State** setting to *On*. Data processing starts for the selected device scope.

> [!NOTE]
> Once activated, custom device scopes can take up to 24 hours to process. During this period, custom device scopes that are still processing will not be usable.
> Once activated, custom device scopes can take up to 24 hours to process. During this period, custom device scopes that are still processing will not be usable. Additionally, custom device scopes require 10 devices at minimum to populate supported reports, otherwise **Insufficient Data** may show when trying to select a custom scope.
Only the user who created the custom device scopes or a Global administrator can delete the custom device scopes.
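Review bot: The sentence added to the NOTE, "custom device scopes require 10 devices at minimum to populate supported reports, otherwise **Insufficient Data** may show", is a comma splice and reads more clearly as two sentences, for example "Custom device scopes also need at least 10 devices to populate supported reports. With fewer devices, **Insufficient Data** might appear when you select the custom scope." While this paragraph is open, the context line above it still reads "custom devices scopes", and the closing line writes "Global administrator" where scope-tags.md in this same commit writes "Global Administrator".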

Expand Down Expand Up @@ -103,4 +103,4 @@ For more information, go to:
- [Anomaly detection](anomaly-detection.md)
- [What is Intune Advanced Analytics](advanced-endpoint-analytics.md)
- [Battery health](battery-health.md)
- [Resource Performance report](resource-performance-report.md)
- [Resource Performance report](resource-performance-report.md)
16 changes: 13 additions & 3 deletions memdocs/intune/fundamentals/role-based-access-control.md
Expand Up @@ -7,7 +7,7 @@ keywords:
author: Smritib17
ms.author: smbhardwaj
manager: dougeby
ms.date: 06/20/2024
ms.date: 12/02/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: fundamentals
Expand All @@ -18,7 +18,7 @@ ms.localizationpriority: high
#ROBOTS:
#audience:

ms.reviewer:
ms.reviewer: davidra
ms.suite: ems
search.appverid: MET150
#ms.tgt_pltfrm:
Expand Down Expand Up @@ -77,7 +77,7 @@ You can create your own roles with custom permissions. For more information abou

### Microsoft Entra roles with Intune access

Microsoft recommends following the principle of least-permissions by only assigning the minimum required permissions for an administrator to perform their duties. Global Administrator and Intune Service Administrator
Microsoft recommends following the principle of least-permissions by only assigning the minimum required permissions for an administrator to perform their duties. Global Administrator and Intune Service Administrator
are [privileged roles](/entra/identity/role-based-access-control/privileged-roles-permissions) and assignment should be limited.

| Microsoft Entra role | All Intune data | Intune audit data |
Expand All @@ -97,6 +97,16 @@ are [privileged roles](/entra/identity/role-based-access-control/privileged-role
> [!TIP]
> Intune also shows three Microsoft Entra extensions: **Users**, **Groups**, and **Conditional Access**, which are controlled using Microsoft Entra RBAC. Additionally, the **User Account Administrator** only performs Microsoft Entra user/group activities and does not have full permissions to perform all activities in Intune. For more information, see [RBAC with Microsoft Entra ID](/azure/active-directory/active-directory-assign-admin-roles).
## Privileged Identity Management for Intune

Intune supports two methods of role elevation. There are performance and least privilege differences between the two methods.

- **Method 1**: Create a just-in-time (JIT) policy with [Microsoft Entra Privileged Identity Management (PIM)](/entra/id-governance/privileged-identity-management/pim-configure) for the Microsoft Entra built-in **Intune Administrator** role and assign it an administrator account.

- **Method 2**: Utilize [Privileged Identity Management (PIM) for Groups](/entra/id-governance/privileged-identity-management/concept-pim-for-groups) with an Intune RBAC role assignment. For more information about using PIM for Groups with Intune RBAC roles, see: [Configuring Microsoft Intune just-in-time admin access with Microsoft Entra PIM for Groups | Microsoft Community Hub](https://techcommunity.microsoft.com/blog/intunecustomersuccess/configuring-microsoft-intune-just-in-time-admin-access-with-azure-ad-pim-for-gro/3843972)

When using PIM elevation for Microsoft Entra ID built-in Intune Administrator role, elevation typically happens within 10 seconds. PIM Groups based elevation for Intune Custom Roles can take up to 15 minutes to be applied.

## Role assignments

A role assignment defines:
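Review bot: The opening of the new "Privileged Identity Management for Intune" section promises "performance and least privilege differences between the two methods", but the body only gives the timing difference (10 seconds versus up to 15 minutes) and never says how the two methods differ in privilege. Since the paragraph earlier in this file already calls the Entra roles privileged and says assignment should be limited, spell out that Method 1 elevates into the built-in Entra role while Method 2 elevates into an Intune RBAC role assignment, so readers can pick the narrower option. Smaller points in the same hunk: "assign it an administrator account" should read "assign it to an administrator account"; the role is called **Intune Administrator** here but "Intune Service Administrator" a few paragraphs up; the Method 2 bullet ends without a period and its link text carries the "| Microsoft Community Hub" page-title suffix; and "PIM Groups based elevation" should match the "PIM for Groups" name used in the bullet.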
2 changes: 1 addition & 1 deletion memdocs/intune/fundamentals/scope-tags.md
Expand Up @@ -55,7 +55,7 @@ The default scope tag feature is similar to the security scopes feature in Micro
## To create a scope tag

Creating, updating or deleting scope tags requires an administrator assigned the Global Administrator or Intune Adminstrator Entra ID role.
Creating, updating or deleting scope tags requires an administrator assigned the Global Administrator or Intune Adminstrator Entra ID role. Administrators with a scope tag in their role assignment cannot update or delete the scope tag from the master list of scope tags.

1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Tenant administration** > **Roles** > **Scope (Tags)** > **Create**.
2. On the **Basics** page, provide a **Name** and optional **Description**. Choose **Next**.
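Review bot: The changed line under "To create a scope tag" carries the misspelling "Intune Adminstrator" into the new version; fix it to "Intune Administrator" while the line is being touched. The added sentence is also ambiguous about which tag it means: "Administrators with a scope tag in their role assignment cannot update or delete the scope tag" could refer to any scope tag or only to the tag they are scoped to. Consider "cannot update or delete that scope tag", and say how this restriction relates to the Entra roles named in the first sentence, since a reader cannot tell whether it narrows that requirement or describes a separate case.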
7 changes: 1 addition & 6 deletions memdocs/intune/protect/microsoft-tunnel-prerequisites.md
Expand Up @@ -61,20 +61,15 @@ Set up a Linux based virtual machine or a physical server on which to install th

|Distribution version | Container requirements | Considerations |
|-----------------------|--------------------------|--------------------|
| CentOS 7.4+ | Docker CE | Support ends June 2024. CentOS 8+ isn't supported |
| Red Hat (RHEL) 7.4+ | Docker CE | Support ends June 2024 |
| Red Hat (RHEL) 8.6 | Support ends June 2024 Podman 4.0 *(default)* </br> Podman 3.0 | This version of RHEL doesn't automatically load the *ip_tables* module into the Linux kernel. When you use this version, plan to [manually load the ip_tables](#manually-load-ip_tables) before Tunnel is installed. </br></br> [Containers created by Podman v3 and earlier](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/8.6_release_notes/index#enhancement_containers) aren't usable with Podman v4.0. If upgrading and changing containers from v3 to v4.0, plan to create new containers and to uninstall and then reinstall Microsoft Tunnel.|
| Red Hat (RHEL) 8.7 <!-- This entry is pending podman version details from PM --> | Podman 4.2 *(default)* | This version of RHEL doesn't automatically load the *ip_tables* module into the Linux kernel. When you use this version, plan to [manually load the ip_tables](#manually-load-ip_tables) before Tunnel is installed. </br></br> [Containers created by Podman v3 and earlier](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/8.7_release_notes/index#enhancement_containers) aren't usable with Podman v4.2 and later. If upgrading and changing containers, plan to create new containers and to uninstall and then reinstall Microsoft Tunnel.|
| Red Hat (RHEL) 8.8 <!-- This entry is pending podman version details from PM --> | Podman 4.4.1 | This version of RHEL doesn't automatically load the *ip_tables* module into the Linux kernel. When you use this version, plan to [manually load the ip_tables](#manually-load-ip_tables) before Tunnel is installed. </br></br> [Containers created by Podman v3 and earlier](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/8.7_release_notes/index#enhancement_containers) aren't usable with Podman v4.2 and later. If upgrading and changing containers, plan to create new containers and to uninstall and then reinstall Microsoft Tunnel.|
| Red Hat (RHEL) 8.9 <!-- This entry is pending podman version details from PM --> | Podman 4.4.1 | This version of RHEL doesn't automatically load the *ip_tables* module into the Linux kernel. When you use this version, plan to [manually load the ip_tables](#manually-load-ip_tables) before Tunnel is installed. </br></br> [Containers created by Podman v3 and earlier](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/8.7_release_notes/index#enhancement_containers) aren't usable with Podman v4.2 and later. If upgrading and changing containers, plan to create new containers and to uninstall and then reinstall Microsoft Tunnel.|
| Red Hat (RHEL) 8.10 <!-- This entry is pending podman version details from PM --> | Podman 4.9.4-rhel *(default)* | This version of RHEL doesn't automatically load the *ip_tables* module into the Linux kernel. When you use this version, plan to [manually load the ip_tables](#manually-load-ip_tables) before Tunnel is installed. </br></br> [Containers created by Podman v3 and earlier](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/8.7_release_notes/index#enhancement_containers) aren't usable with Podman v4.2 and later. If upgrading and changing containers, plan to create new containers and to uninstall and then reinstall Microsoft Tunnel.|
| Red Hat (RHEL) 9.0 <!-- This entry is pending podman version details from PM --> | Support ends June 2024 Podman 4.4.1 *(default)* | This version of RHEL doesn't automatically load the *ip_tables* module into the Linux kernel. When you use this version, plan to [manually load the ip_tables](#manually-load-ip_tables) before Tunnel is installed. </br></br> [Containers created by Podman v3 and earlier](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/8.7_release_notes/index#enhancement_containers) aren't usable with Podman v4.2 and later. If upgrading and changing containers, plan to create new containers and to uninstall and then reinstall Microsoft Tunnel. </br></br> Support ends Feb 2024. |
| Red Hat (RHEL) 9.1 <!-- This entry is pending podman version details from PM --> | Podman 4.4.1 *(default)* | This version of RHEL doesn't automatically load the *ip_tables* module into the Linux kernel. When you use this version, plan to [manually load the ip_tables](#manually-load-ip_tables) before Tunnel is installed. </br></br> [Containers created by Podman v3 and earlier](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/8.7_release_notes/index#enhancement_containers) aren't usable with Podman v4.2 and later. If upgrading and changing containers, plan to create new containers and to uninstall and then reinstall Microsoft Tunnel.|
| Red Hat (RHEL) 9.2 <!-- This entry is pending podman version details from PM --> | Podman 4.4.1 *(default)* | This version of RHEL doesn't automatically load the *ip_tables* module into the Linux kernel. When you use this version, plan to [manually load the ip_tables](#manually-load-ip_tables) before Tunnel is installed. </br></br> [Containers created by Podman v3 and earlier](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/8.7_release_notes/index#enhancement_containers) aren't usable with Podman v4.2 and later. If upgrading and changing containers, plan to create new containers and to uninstall and then reinstall Microsoft Tunnel.|
| Red Hat (RHEL) 9.3 | Podman 4.6.1. *(default)* | This version of RHEL doesn't automatically load the *ip_tables* module into the Linux kernel. When you use this version, plan to [manually load the ip_tables](#manually-load-ip_tables) before Tunnel is installed. </br></br> [Containers created by Podman v3 and earlier](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/8.7_release_notes/index#enhancement_containers) aren't usable with Podman v4.2 and later. If upgrading and changing containers, plan to create new containers and to uninstall and then reinstall Microsoft Tunnel.|
| Red Hat (RHEL) 9.4 | Podman 4.9.4-rhel *(default)* | This version of RHEL doesn't automatically load the *ip_tables* module into the Linux kernel. When you use this version, plan to [manually load the ip_tables](#manually-load-ip_tables) before Tunnel is installed. </br></br> [Containers created by Podman v3 and earlier](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/8.7_release_notes/index#enhancement_containers) aren't usable with Podman v4.2 and later. If upgrading and changing containers, plan to create new containers and to uninstall and then reinstall Microsoft Tunnel.|
| Ubuntu 20.04 | Docker CE | |
| Ubuntu 22.04 | Docker CE | |
| Ubuntu 24.04 | Docker CE | |

> [!IMPORTANT]
> In April of 2023, Ubuntu will end support for Ubuntu 18.04. With the end of support by Ubuntu, Intune will also end support for Ubuntu 18.04 for use with Microsoft Tunnel. For more information, see [https://wiki.ubuntu.com/Releases](https://wiki.ubuntu.com/Releases).
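Review bot: The IMPORTANT note that closes this hunk still says "In April of 2023, Ubuntu will end support for Ubuntu 18.04" in the future tense, which is stale next to a table that is being pruned of entries whose support ended in 2024; update or drop it in the same change. In the table itself, the RHEL 9.0 row shows both "Support ends June 2024" and "Support ends Feb 2024", the RHEL 8.8 through 9.4 rows all link to the 8.7 release notes for the Podman container caveat, the RHEL 9.3 row has a stray period in "Podman 4.6.1.", and several rows still carry the HTML comment "This entry is pending podman version details from PM" even though a Podman version is listed. Any of these rows that this change keeps should be cleaned up so the support matrix is unambiguous.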
10 changes: 10 additions & 0 deletions memdocs/intune/protect/microsoft-tunnel-upgrade.md
Expand Up @@ -129,6 +129,16 @@ The Microsoft Tunnel version for a server isn’t available in the Intune UI at
>
> Container releases take place in stages. If you notice that your container images are not the most recent, please be assured that they will be updated and delivered within the following week.
### December 2, 2024

Image hash values:

- **agentImageDigest**: sha256:bf93470b1a4b74b5d4aa8144c09f05fa59a9647d1aeefcdffef29697a172aa6a

- **serverImageDigest**: sha256:9886240ee473583753daf10929921f7c7c54bbf6f68095395aa2089688090fb3

Changes in this release:
-Diagnostic tool improvements

### October 2, 2024
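Review bot: In the new "December 2, 2024" entry, the line "-Diagnostic tool improvements" has no space after the hyphen and follows "Changes in this release:" with no blank line, so Markdown renders it as part of that paragraph rather than as a list item. Write it as "- Diagnostic tool improvements" on its own line after a blank line, matching the bullet style used for the two image digests just above.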

5 changes: 4 additions & 1 deletion memdocs/intune/remote-actions/remove-apps-config.md
Expand Up @@ -102,7 +102,10 @@ This action aims to resolve the issues that customers face outside of Intune and

## Permissions for Remove apps and configurations

**Permissions**: To use the **Remove apps and configuration** device action, you require a role based permission known as **Remote tasks: Change assignments**. Set the Permission to **yes** to enable the action. With the permission set to **Yes**, IT admins can initiate a **Change Assignments** action.
**Permissions**: To use the **Remove apps and configuration** device action, you require the following permissions:

- **Organization: Read** premission is needed.
- **Remote tasks: Change assignments**. Set the Permission to **yes** to enable the action. With the permission set to **Yes**, IT admins can initiate a **Change Assignments** action.

The administrator can:
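Review bot: The first new bullet under "Permissions for Remove apps and configurations" misspells "permission" as "premission", and its shape does not match the second bullet: one is a full sentence ("**Organization: Read** premission is needed.") and the other is a bare permission name followed by instructions. Listing both as "- **Organization: Read**" and "- **Remote tasks: Change assignments**" and moving the "Set the Permission to ..." guidance below the list would read more cleanly. The existing text also mixes "**yes**" and "**Yes**" for the same setting; pick the casing shown in the admin center.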

2 changes: 1 addition & 1 deletion windows-365/link/overview.md
Expand Up @@ -9,7 +9,7 @@ ms.author: erikje
manager: dougeby
ms.date: 11/19/2024
ms.topic: overview
ms.service: windows-365
ms.service: windows-365-link
ms.subservice:
ms.localizationpriority: high
ms.assetid:
2 changes: 1 addition & 1 deletion windows-365/link/quick-settings.md
Expand Up @@ -9,7 +9,7 @@ ms.author: erikje
manager: dougeby
ms.date: 11/19/2024
ms.topic: overview
ms.service: windows-365
ms.service: windows-365-link
ms.subservice:
ms.localizationpriority: high
ms.assetid:
2 changes: 1 addition & 1 deletion windows-365/link/requirements.md
Expand Up @@ -9,7 +9,7 @@ ms.author: erikje
manager: dougeby
ms.date: 11/19/2024
ms.topic: overview
ms.service: windows-365
ms.service: windows-365-link
ms.subservice:
ms.localizationpriority: high
ms.assetid:
2 changes: 1 addition & 1 deletion windows-365/link/setup.md
Expand Up @@ -9,7 +9,7 @@ ms.author: erikje
manager: dougeby
ms.date: 11/19/2024
ms.topic: overview
ms.service: windows-365
ms.service: windows-365-link
ms.subservice:
ms.localizationpriority: high
ms.assetid:
2 changes: 1 addition & 1 deletion windows-365/link/sign-in.md
Expand Up @@ -9,7 +9,7 @@ ms.author: erikje
manager: dougeby
ms.date: 11/19/2024
ms.topic: overview
ms.service: windows-365
ms.service: windows-365-link
ms.subservice:
ms.localizationpriority: high
ms.assetid:
2 changes: 1 addition & 1 deletion windows-365/link/single-sign-on-suppress.md
Expand Up @@ -9,7 +9,7 @@ ms.author: erikje
manager: dougeby
ms.date: 11/19/2024
ms.topic: overview
ms.service: windows-365
ms.service: windows-365-link
ms.subservice:
ms.localizationpriority: high
ms.assetid:
2 changes: 1 addition & 1 deletion windows-365/link/whats-in-the-box.md
Expand Up @@ -9,7 +9,7 @@ ms.author: erikje
manager: dougeby
ms.date: 11/19/2024
ms.topic: overview
ms.service: windows-365
ms.service: windows-365-link
ms.subservice:
ms.localizationpriority: high
ms.assetid:
