Merge branch 'main' into patch-1

autopilot/device-preparation/whats-new.md

@@ -8,7 +8,7 @@ author: frankroj
 ms.author: frankroj
 manager: aaroncz
 ms.reviewer: jubaptis
-ms.date: 10/09/2024
+ms.date: 10/15/2024
 ms.collection:
   - M365-modern-desktop
   - tier2
@@ -37,11 +37,11 @@ Date added: *October 9, 2024*
 
 Admins can now download diagnostics logs for failed Autopilot device preparation deployments directly from the **Windows Autopilot device preparation deployment status** report. Logs are available for download in the **Device deployment details** when you select a failed deployment under the **Device** tab. Logs are automatically collected when an error occurs during deployment.
 
-## Windows Autopilot Device Preparation Support in Azure China 21Vianet
+## Windows Autopilot Device Preparation Support in Intune operated by 21Vianet in China
 
 Date added: *September 18, 2024*
 
-As part of the 2409 Intune release, we're announcing support for Windows Autopilot Device Preparation policy in the [Azure China 21Vianet](/mem/intune/fundamentals/china) cloud. Customers with tenants located in China can now provision devices and manage through Microsoft Intune. For an overview, see [Overview of Windows Autopilot device preparation](overview.md). For a tutorial on how to set up Windows Autopilot device preparation, see [Windows Autopilot device preparation scenarios](tutorial/scenarios.md).
+As part of the 2409 Intune release, we're announcing support for Windows Autopilot Device Preparation policy in [Intune operated by 21Vianet in China](/mem/intune/fundamentals/china) cloud. Customers with tenants located in China can now provision devices and manage through Microsoft Intune. For an overview, see [Overview of Windows Autopilot device preparation](overview.md). For a tutorial on how to set up Windows Autopilot device preparation, see [Windows Autopilot device preparation scenarios](tutorial/scenarios.md).
 
 <!-- MAXADO-9313795 / INADO-28687730 -->
 

memdocs/intune/apps/app-configuration-managed-home-screen-app.md

@@ -167,7 +167,7 @@ The following table lists the Managed Home Screen available configuration keys,
 
 |     Configuration Key    |     Value Type    |     Default Value    |     Description    |     Available in device configuration profile    |
 |-|-|-|-|-|
-|     Enable sign in    |     bool    |     FALSE    |     Turn this setting to True to enable   end-users to sign into Managed Home Screen. When used with   Microsoft Entra shared device mode, users who sign in to Managed Home Screen will   get automatically signed in to all other apps on the device that have participated   with Microsoft Entra shared device mode. By default this setting is off.     |     ✔️ <p>NOTE:  On devices that have a device configuration profile with the [**Enabled System Navigation Features** setting](../configuration/device-restrictions-android-for-work.md#dedicated-devices) set to **Home and Overview buttons**, end users can ignore and skip the sign in screen.         |
+|     Enable sign in    |     bool    |     FALSE    |     Turn this setting to True to enable   end-users to sign into Managed Home Screen. When used with   Microsoft Entra shared device mode, users who sign in to Managed Home Screen will   get automatically signed in to all other apps on the device that have participated   with Microsoft Entra shared device mode. By default this setting is off. <p>NOTE: After rebooting the device, end users must reauthenticate by signing in to Managed Home Screen.     |     ✔️ <p>NOTE:  On devices that have a device configuration profile with the [**Enabled System Navigation Features** setting](../configuration/device-restrictions-android-for-work.md#dedicated-devices) set to **Home and Overview buttons**, end users can ignore and skip the sign in screen.           |
 |     Sign in type    |     string    |     Microsoft Entra ID    |     Set this configuration to "AAD" to sign in   with a Microsoft Entra account. Otherwise, set this configuration to "Other". Users who   sign in with a non-AAD account won't get single sign-on to all apps that   have integrated with Microsoft Entra shared device mode, but will still get signed   in to Managed Home Screen. By default, this setting uses "AAD" user accounts.   This setting can only be used if **Enable sign in** has been set to True.     |     ✔️          |
 |     Domain name    |     string    |         | Set a domain name to be appended to usernames for sign in. If this is not set, users will need to enter the domain name. To allow users to select between multiple domain name options, add semicolon delimited strings. Enable sign in must be set to TRUE to use this configuration. <p>**NOTE**: This setting does not prevent users from inputting alternative domain names.     |     ❌          |
 |     Login hint text    |     string    |          | Set a custom login hint string by entering a string. If no string is set, the default string "Enter email or phone number" will be displayed. Enable sign in must be set to TRUE to use this configuration.   |     ❌          |

memdocs/intune/apps/app-configuration-policies-use-android.md

@@ -8,7 +8,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 08/08/2024
+ms.date: 10/09/2024
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: apps
@@ -76,6 +76,7 @@ Android Enterprise has several enrollment methods. The enrollment type depends o
     > * Camera
     > * Record audio
     > * Allow body sensor data
+    > * Background location
 
 11. If the managed app supports configuration settings, the **Configuration settings format** dropdown box is visible. Select one of the following methods to add configuration information:
     - **Use configuration designer**

memdocs/intune/apps/apps-supported-intune-apps.md

@@ -90,7 +90,7 @@ The below apps support the Core Intune App Protection Policy settings and are al
 |Microsoft PowerPoint|[Android](https://play.google.com/store/apps/details?id=com.microsoft.office.powerpoint)|✔|No settings|✔|N/A|✖|✖|✔|✖|
 |Microsoft PowerPoint|[iOS](https://apps.apple.com/us/app/microsoft-powerpoint/id586449534)|✔|No settings|✔|N/A|✖|✖|✔|✖|
 |Microsoft Remote Desktop|[Android](https://play.google.com/store/apps/details?id=com.microsoft.rdc.androidx)|✔|✔|✖|N/A|N/A|N/A|N/A|✖|
-|Microsoft Remote Desktop|[iOS](https://apps.apple.com/us/app/remote-desktop-mobile/id714464092)|✔|✔|✖|N/A|N/A|N/A|N/A|✖|
+|Microsoft Windows App|[iOS](https://apps.apple.com/us/app/remote-desktop-mobile/id714464092)|✔|✔ see [Configure device redirection](/azure/virtual-desktop/client-device-redirection-intune).|✖|N/A|N/A|N/A|N/A|✖|
 |Microsoft SharePoint|[Android](https://play.google.com/store/apps/details?id=com.microsoft.sharepoint)|✔|No settings|✖|N/A|✖|✖|N/A|✖|
 |Microsoft SharePoint|[iOS](https://apps.apple.com/us/app/microsoft-sharepoint/id1091505266)|✔|No settings|✖|N/A|✖|✖|N/A|✖|
 |Microsoft Teams|[Android](https://play.google.com/store/apps/details?id=com.microsoft.teams)|✔|No settings|✔|N/A|✔|✔|✔|✔ Supported for v1416/1.0.0.2023226005 (2023226050) or later|

memdocs/intune/configuration/bundle-ids-built-in-ios-apps.md

@@ -78,6 +78,7 @@ This feature applies to:
 | com.apple.mobilenotes       | Notes        | Apple     |
 | com.apple.Numbers           | Numbers      | Apple     |
 | com.apple.Pages             | Pages        | Apple     |
+| com.apple.Passwords         | Passwords    | Apple     |
 | com.apple.mobilephone       | Phone        | Apple     |
 | com.apple.Photo-Booth       | Photo Booth  | Apple     |
 | com.apple.mobileslideshow   | Photos       | Apple     |

memdocs/intune/configuration/device-restrictions-ios.md

@@ -801,6 +801,9 @@ You can also:
   - When set to **Yes**, be sure the device has a Wi-Fi profile. If you don't assign a Wi-Fi profile, then this setting can prevent devices from connecting to the internet. For example, if this device restrictions profile is assigned before a Wi-Fi profile, then the device might be blocked from connecting to the internet.
 
   - If the device can't connect, then unenroll the device, and re-enroll with a Wi-Fi profile. Then, set this setting to **Yes** in a device restrictions profile, and assign the profile to the device.
+
+  > [!NOTE]
+  > **Require devices to use Wi-Fi networks set up via configuration profiles** does not support Wi-Fi profiles deployed using [custom profiles](custom-settings-ios.md).
 
     This feature applies to:  
     - iOS/iPadOS 14.5 and newer

memdocs/intune/configuration/device-restrictions-windows-10.md

@@ -1187,6 +1187,8 @@ You can exclude certain files from Microsoft Defender Antivirus scans by modifyi
 - **File extensions to exclude from scans and real-time protection**: Add one or more file extensions like **jpg** or **txt** to the exclusions list. Any files with these extensions aren't included in any real-time or scheduled scans.
 - **Processes to exclude from scans and real-time protection**: Add one or more processes of the type **.exe**, **.com**, or **.scr** to the exclusions list. These processes aren't included in any real-time, or scheduled scans.
 
+For more information, see [Exclusions overview](/defender-endpoint/navigate-defender-endpoint-antivirus-exclusions) in the Microsoft Defender documentation.
+
 ## Power settings
 
 These settings use the [power policy CSP](/windows/client-management/mdm/policy-csp-power), which also lists the supported Windows editions.

memdocs/intune/copilot/copilot-devices.md

@@ -4,8 +4,8 @@
 title: Copilot in Intune shows device information and errors
 description: Microsoft Copilot in Intune can help you get information about your devices, compare devices, and get error information. Use this information to help you manage and troubleshoot device issues.
 keywords: security copilot, intune, microsoft intune, copilot, device information, device errors, device troubleshooting, analyze error code, compare devices, AI, generative-AI
-author: MandiOhlinger
-ms.author: mandia
+author: Erikre
+ms.author: erikre
 manager: dougeby
 ms.date: 04/01/2024
 ms.topic: how-to

memdocs/intune/copilot/copilot-intune-faq.md

@@ -4,8 +4,8 @@
 title: Copilot in Intune FAQ
 description: Get answers to common questions when using Copilot in Microsoft Intune.
 keywords: security copilot, intune, microsoft intune, copilot, faq
-author: MandiOhlinger
-ms.author: mandia
+author: Erikre
+ms.author: erikre
 manager: dougeby
 ms.date: 04/01/2024
 ms.topic: how-to

memdocs/intune/copilot/copilot-intune-overview.md

@@ -4,8 +4,8 @@
 title: Microsoft Copilot in Intune features overview
 description: Microsoft Copilot in Intune is an AI platform. It can help you create policies, get information about existing policies, and show more details on specific settings, including their impacts on users and devices. You can also use Copilot to troubleshoot device issues.
 keywords: Security Copilot, Intune, Microsoft Intune, AI, Copilot, settings catalog, policies, device details, troubleshooting
-author: MandiOhlinger
-ms.author: mandia
+author: Erikre
+ms.author: erikre
 manager: dougeby
 ms.date: 04/01/2024
 ms.topic: get-started

memdocs/intune/copilot/security-copilot.md

@@ -4,8 +4,8 @@
 title: Use Copilot for Security to get device and policy information
 description: You can use Copilot for Security to get information about your Intune data, including devices, apps, policies, and groups managed in Intune. You can also compare policies, get device specific details, and get target info for policies.
 keywords:
-author: MandiOhlinger
-ms.author: mandia
+author: Erikre
+ms.author: erikre
 manager: dougeby
 ms.date: 04/01/2024
 ms.topic: concept-article

memdocs/intune/developer/app-sdk-android-phase4.md

@@ -95,7 +95,7 @@ MAMStrictMode.global().setHandler(handler);
 If a check fails in a situation where your app is doing nothing
 incorrect, report it as mentioned above.
 In the meantime, it may be necessary to disable the check encountering a false positive, at least while waiting for an updated SDK.
-The check, which failed will be shown in the error raised by the default handler, or will be passed to a custom handler if set.
+The check that failed will be shown in the error raised by the default handler or it will be passed to a custom handler, if set.
 
 Although suppressions can be done globally, temporarily disabling per-thread at the specific call site is preferred.
 The following examples show various ways to disable [MAMStrictCheck.IDENTITY_NO_SUCH_FILE][MAMStrictCheck] (raised if an
@@ -389,7 +389,7 @@ If the enrollment attempt fails, the account's status may change over time as th
 | `UNENROLLMENT_SUCCEEDED` | Unenrollment was successful.|
 | `UNENROLLMENT_FAILED` | The unenrollment request failed.  Further details can be found in the device logs. In general, this won't occur as long as the app passes a valid (neither null nor empty) UPN. There's no direct, reliable remediation the app can take. If this value is received when unregistering a valid UPN, report as a bug to the Intune MAM team.|
 | `PENDING` | The initial enrollment attempt for the account is in progress.  The app can block access to corporate data until the enrollment result is known, but isn't required to do so. |
-| `COMPANY_PORTAL_REQUIRED` | The account is licensed for Intune, but the app can't be enrolled until the Company Portal app is installed on the device. The Intune App SDK attempts to block access to the app for the given account and direct them to install the Company Portal app. When sending this notification to the app, the Intune App SDK will show a nonblocking UI on top of the current Activity if the Activity is currently visible to the user or the next time `onResume` is called. If the user cancels out this nonblocking UI, the Intune App SDK will show a blocking UI the next time `onCreate` is called for an Activity and the current identity is managed (see below for details on troubleshooting). |
+| `COMPANY_PORTAL_REQUIRED` | The account is licensed for Intune, but the app can't be enrolled until the Company Portal app is installed on the device. The Intune App SDK attempts to block access to the app for the given account and directs the user to install the Company Portal app. When sending this notification to the app, the Intune App SDK will show a nonblocking UI on top of the current Activity if the Activity is currently visible to the user or the next time `onResume` is called. If the user cancels out this nonblocking UI, the Intune App SDK will show a blocking UI the next time `onCreate` is called for an Activity and the current identity is managed (see below for details on troubleshooting). |
 
 ## (Recommended) Logging
 
@@ -678,7 +678,7 @@ If you're unsure if any of these sections apply to your app, revisit [Key Decisi
 [First Policy Application Test]:#first-policy-application-test
 [Data Protection Tests]:#data-protection-tests
 [Diagnostics Information]:#recommended-diagnostics-information
-[My app is not receiving or enforcing any policies]:#my-app-is-not-receiving-or-enforcing-any-policies
+[My app isn't receiving or enforcing any policies]:#my-app-isnt-receiving-or-enforcing-any-policies
 
 <!-- Other SDK Guide Markdown documentation -->
 [Stage 1: Plan the Integration]:app-sdk-android-phase1.md

memdocs/intune/fundamentals/android-os-project-supported-devices.md

@@ -7,7 +7,7 @@ keywords:
 author: Smritib17
 ms.author: smbhardwaj
 manager: dougeby
-ms.date: 09/23/2024
+ms.date: 10/15/2024
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: fundamentals
@@ -56,3 +56,5 @@ Before setting up Microsoft Intune for Android Open Source Project devices, ensu
 | Realwear| Navigator 500      | 1.1                | AR/VR Headset  |                    |
 | Lenovo| ThinkReality VRX     | VRX_user_S766001_2310192349_kona   | AR/VR Headset  |                   |
 | DigiLens Inc.| DigiLens ARGO    | DigiOS 2068 (B1.0001.2068)            | AR/VR Headset  |                    |
+| Vuzix     | M400   | M-Series Version 3.0.2    | AR/VR Headset  |                    |
+| Vuzix     | M4000   | M-Series Version 3.0.2   | AR/VR Headset  |                    |

memdocs/intune/fundamentals/supported-devices-browsers.md

@@ -7,7 +7,7 @@ keywords:
 author: Smritib17
 ms.author: smbhardwaj
 manager: dougeby
-ms.date: 09/09/2024
+ms.date: 10/10/2024
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: fundamentals

memdocs/intune/fundamentals/whats-new-archive.md

@@ -4557,7 +4557,7 @@ As of October 12, 2022, the name Microsoft Endpoint Manager will no longer be us
 For more information, see [Intune documentation]( ../../index.yml).
 
 #### Grace period status visible in Windows Company Portal<!-- 14746606 -->  
-Windows Company Portal now displays a grace period status to account for devices that don't meet compliance requirements but are still within their given grace period. Users are shown the date by which they need to become compliant and the instructions for how to become compliant. If users don't update their device by the given date, their device status changes to noncompliant. For more information about setting grace periods, see [Configure compliance policies with actions for noncompliance](../protect/actions-for-noncompliance.md#available-actions-for-noncompliance) and [Check access from Device details page](../user-help/check-device-access-windows-cpapp.md#check-access-from-device-details-page).
+Windows Company Portal now displays a grace period status to account for devices that don't meet compliance requirements but are still within their given grace period. Users are shown the date by which they need to become compliant and the instructions for how to become compliant. If users don't update their device by the given date, their device status changes to noncompliant. For more information about setting grace periods, see [Configure compliance policies with actions for noncompliance](../protect/actions-for-noncompliance.md#available-actions-for-noncompliance) and [Check access from Device details page](../user-help/check-device-access-windows-cpapp.md).
 
 #### Linux device management available in Microsoft Intune<!-- 14616038 -->  
 Microsoft Intune now supports Linux device management for devices running Ubuntu Desktop 22.04 or 20.04 LTS. Intune admins don't need to do anything to enable Linux enrollment in the Microsoft Intune admin center.  Linux users can [enroll supported Linux devices](../user-help/enroll-device-linux.md) on their own and use the Microsoft Edge browser to access corporate resources online.

memdocs/intune/fundamentals/whats-new.md

@@ -105,7 +105,7 @@ For more information, see:
 
 - [What's new for the certificate connector](../protect/certificate-connector-overview.md#september-19-2024)
 
-- [Apply PFX changes to certificate](../protect/certificates-pfx-configure.md#update-certificate-connector-for-kb5014754-requirements)
+- [Apply PFX changes to certificate](../protect/certificates-pfx-configure.md)  
 
 ## Week of September 23, 2024 (Service release 2409)
 

memdocs/intune/includes/android-supported-os.md

@@ -4,11 +4,11 @@ ms.author: erikje
 ms.service: microsoft-intune
 ms.subservice: fundamentals
 ms.topic: include
-ms.date: 02/01/2022
+ms.date: 10/10/2024
 ms.localizationpriority: high
 ---
 
 > [!NOTE]
-> Intune requires Android 8.x or higher for device enrollment scenarios and app configuration delivered through Managed devices app configuration policies. This requirement does not apply to [Microsoft Teams Android devices](https://www.microsoft.com/microsoft-teams/across-devices/devices?rtc=2) as these devices will continue to be supported.
+> This requirement does not apply to [Microsoft Teams Android devices](https://www.microsoft.com/microsoft-teams/across-devices/devices?rtc=2) as these devices will continue to be supported.
 >
 > For Intune app protection policies and app configuration delivered through Managed apps app configuration policies, Intune requires Android 9.0 or higher.

memdocs/intune/includes/mdm-supported-devices.md

@@ -4,7 +4,7 @@ ms.author: erikje
 ms.service: microsoft-intune
 ms.subservice: fundamentals
 ms.topic: include
-ms.date: 09/06/2024
+ms.date: 10/10/2024
 ms.localizationpriority: high
 ---
 
@@ -30,8 +30,9 @@ ms.localizationpriority: high
 
 ### Android
 
-- Android 8.0 and later (including Samsung KNOX Standard 3.0 and higher: [requirements](https://www.samsungknox.com/en/knox-platform/supported-devices/2.4+))
-- Android enterprise: [requirements](https://support.google.com/work/android/topic/9428066)
+- For user-based management methods: Android 10.0 and later
+- For userless management methods: Android 8.0 and later (including Samsung KNOX Standard 3.0 and higher: [requirements](https://www.samsungknox.com/en/knox-platform/supported-devices/2.4+))
+- Android enterprise
 - Android open source project device: [See here for the list of supported devices](../fundamentals/android-os-project-supported-devices.md)
 [!INCLUDE [android-supported-os](android-supported-os.md)]