Commit

Merge branch 'main' into patch-1
hikarumurai authored Oct 1, 2024
2 parents 1c554ce + af67a4c commit 69b8fc0
Showing 65 changed files with 747 additions and 689 deletions.
19 changes: 19 additions & 0 deletions .github/workflows/Stale.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
name: (Scheduled) Mark stale pull requests

permissions:
issues: write
pull-requests: write

on:
schedule:
- cron: "0 */6 * * *"
workflow_dispatch:

jobs:
stale:
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-Stale.yml@workflows-prod
with:
RunDebug: false
RepoVisibility: ${{ github.repository_visibility }}
secrets:
AccessToken: ${{ secrets.GITHUB_TOKEN }}
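Review bot: the `uses:` line in the `stale` job calls a reusable workflow from another repository at the branch ref `@workflows-prod` while handing it `secrets.GITHUB_TOKEN` under `issues: write` and `pull-requests: write`. A branch ref is mutable, so whatever lands on `workflows-prod` runs here with those write scopes on every scheduled run (`0 */6 * * *`) and on manual dispatch. Pin the reference to a full commit SHA, with the branch name in a trailing comment, and update it deliberately. The top-level `permissions` block is limited to two scopes; keep it that narrow if the shared workflow later asks for more.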
33 changes: 30 additions & 3 deletions autopilot/device-preparation/known-issues.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ author: frankroj
ms.author: frankroj
ms.reviewer: jubaptis
manager: aaroncz
ms.date: 08/07/2024
ms.date: 09/27/2024
ms.collection:
- M365-modern-desktop
- highpri
Expand Down Expand Up @@ -40,6 +40,35 @@ This article describes known issues that can often be resolved with:
## Known issues
## Security group membership update failures might lead to non-compliant devices
Date added: *September 27, 2024*
If security groups aren't properly configured in Microsoft Intune, devices might lose compliance and be left in an unsecured state. The following are potential reasons for security group membership failures:
- **Retry failures**: Security group membership updates might not succeed during retry windows, leading to delays in group updates.
- **Static to dynamic group changes**: After the Windows Autopilot device preparation profiles are configured, changing a security group from static to dynamic could cause failures.
- **Owner removal**: If the **Intune Provisioning Client** service principal is removed as an owner of a configured security group, updates might fail.
- **Group deletion**: If a configured security group is deleted and devices are deployed before Microsoft Intune detects the deletion, security configurations might fail to apply.
To mitigate the issue, follow these steps:
1. **Validate security group configuration before provisioning**:
- Ensure the correct security group is selected within the Microsoft Intune admin center or the Microsoft Entra admin center.
- The security group should be configured within the Windows Autopilot device preparation profile.
- The group shouldn't be assignable to other groups.
- The **Intune Provisioning Client** service principal should be an owner of the group.
1. **Manually fix the provisioned devices**:
- If devices are already deployed or the security group isn't applicable, manually add the affected devices to the correct security group.
By following these steps, you can prevent security group membership failures and ensure devices remain compliant and secure.
## Deployment fails for devices not in the Coordinated Universal Time (UTC) time zone
Date added: *July 8, 2024* <br>
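Review bot: step 2 of the mitigation, "manually add the affected devices to the correct security group", gives no way to tell which devices are affected, even though the section opens by saying such devices can be "left in an unsecured state". Add how an admin identifies devices that were provisioned without landing in the configured group, or link to where that is documented. In step 1, "The group shouldn't be assignable to other groups" does not name the setting being checked, and "the security group isn't applicable" in step 2 is unclear; state the exact setting and the condition meant. The closing sentence says the steps "prevent" failures, but none of the steps addresses the "Retry failures" cause listed above, so "reduce" would be more accurate.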
Expand Down Expand Up @@ -92,9 +121,7 @@ The issue is being investigated. As a workaround, add the following additional r
For more information, see [Required RBAC permissions](requirements.md?tabs=rbac#required-rbac-permissions).

> [!NOTE]
>
> The [Required RBAC permissions](requirements.md?tabs=rbac#required-rbac-permissions) article doesn't list the **Device configurations** - **Assign** permission. This permission requirement is only temporary until the issue is resolved. However, the article can be used as a guide on how to properly add this permission.
**This issue was resolved in July 2024.**

### Device is stuck at 100% during the out-of-box experience (OOBE)
2 changes: 1 addition & 1 deletion autopilot/device-preparation/requirements.md
Original file line number Diff line number Diff line change
Expand Up @@ -200,7 +200,7 @@ To provide needed Microsoft Entra ID and MDM functionality, including automatic
> [!NOTE]
>
> When a Microsoft 365 subscription is used, licenses still need to be assigned to users so they can enroll device in Intune. For more information, see [assign licenses to users so they can enroll devices in Intune](/intune/fundamentals/licenses-assign).
> When a Microsoft 365 subscription is used, licenses still need to be assigned to users so they can enroll device in Intune. For more information, see [assign licenses to users so they can enroll devices in Intune](/mem/intune/fundamentals/licenses-assign).
Additionally, the following are also recommended, but not required:
8 changes: 4 additions & 4 deletions autopilot/dfci-management.md
Original file line number Diff line number Diff line change
Expand Up @@ -55,12 +55,12 @@ See the following figure:

- A currently supported version of Windows and a supported UEFI is required.
- The device manufacturer must have DFCI added to their UEFI firmware in the manufacturing process, or as a firmware update that can be installed. Work with the device vendors to determine the [manufacturers that support DFCI](#oems-that-support-dfci), or the firmware version needed to use DFCI.
- The device must be managed with Microsoft Intune. For more information, see [Enroll Windows devices in Intune using Windows Autopilot](/intune/enrollment/enrollment-autopilot).
- The device must be managed with Microsoft Intune. For more information, see [Enroll Windows devices in Intune using Windows Autopilot](/mem/intune/enrollment/enrollment-autopilot).
- The device must be registered for Windows Autopilot by a [Microsoft Cloud Solution Provider (CSP) partner](https://partner.microsoft.com/membership/cloud-solution-provider), or registered directly by the OEM. For Surface devices, Microsoft registration support is available at [Microsoft Devices Autopilot Support](https://prod.support.services.microsoft.com/supportrequestform/0d8bf192-cab7-6d39-143d-5a17840b9f5f).

> [!IMPORTANT]
>
> Devices manually registered for Autopilot (such as by [importing from a CSV file](/intune/enrollment/enrollment-autopilot#add-devices)) aren't allowed to use DFCI. By design, DFCI management requires external attestation of the device's commercial acquisition through an OEM or a Microsoft CSP partner registration to Windows Autopilot. When the device is registered, its serial number is displayed in the list of Windows Autopilot devices.
> Devices manually registered for Autopilot (such as by [importing from a CSV file](/mem/intune/enrollment/enrollment-autopilot#add-devices)) aren't allowed to use DFCI. By design, DFCI management requires external attestation of the device's commercial acquisition through an OEM or a Microsoft CSP partner registration to Windows Autopilot. When the device is registered, its serial number is displayed in the list of Windows Autopilot devices.
## Managing DFCI profile with Windows Autopilot

Expand All @@ -71,9 +71,9 @@ There are four basic steps in managing DFCI profile with Windows Autopilot:
1. Create a DFCI profile
1. Assign the profiles

See [Create the profiles](/intune/configuration/device-firmware-configuration-interface-windows#create-the-profiles) and [Assign the profiles, and reboot](/intune/configuration/device-firmware-configuration-interface-windows#assign-the-profiles-and-reboot) for details.
See [Create the profiles](/mem/intune/configuration/device-firmware-configuration-interface-windows#create-the-profiles) and [Assign the profiles, and reboot](/mem/intune/configuration/device-firmware-configuration-interface-windows#assign-the-profiles-and-reboot) for details.

The existing [DFCI settings](/intune/configuration/device-firmware-configuration-interface-windows#update-existing-dfci-settings) can also be changed on devices that are in use. In the existing DFCI profile, change the settings and save the changes. Since the profile is already assigned, the new DFCI settings take effect when next time the device syncs or the device reboots.
The existing [DFCI settings](/mem/intune/configuration/device-firmware-configuration-interface-windows#update-existing-dfci-settings) can also be changed on devices that are in use. In the existing DFCI profile, change the settings and save the changes. Since the profile is already assigned, the new DFCI settings take effect when next time the device syncs or the device reboots.

To identify whether a device is DFCI ready, the following Intune Graph API call can be used:
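Review bot: the DFCI settings line still reads "take effect when next time the device syncs or the device reboots"; since the line is being touched anyway, change it to "take effect the next time the device syncs or reboots". The three links moved from `/intune/...` to `/mem/intune/...` keep their anchors (`#create-the-profiles`, `#assign-the-profiles-and-reboot`, `#update-existing-dfci-settings`), so confirm those anchors resolve at the new path.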

2 changes: 1 addition & 1 deletion autopilot/enrollment-status.md
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ An administrator can deploy ESP profiles to a licensed Intune user and configure
- Allow users to collect troubleshooting logs.
- Specify what a user can do if device setup fails.

For more information, see [Set up the Enrollment Status Page](/intune/windows-enrollment-status).
For more information, see [Set up the Enrollment Status Page](/mem/intune/enrollment/windows-enrollment-status).

:::image type="content" source="images/enrollment-status-page.png" alt-text="Screenshot that shows Enrollment Status Page":::

2 changes: 1 addition & 1 deletion autopilot/overview.md
Original file line number Diff line number Diff line change
Expand Up @@ -84,5 +84,5 @@ For a tutorial with detailed instructions on configuring Windows Autopilot, see

## Related content

- [Enroll Windows devices in Intune by using Windows Autopilot](/intune/enrollment-autopilot).
- [Enroll Windows devices in Intune by using Windows Autopilot](enrollment-autopilot.md).
- [Windows Autopilot scenarios and capabilities](windows-autopilot-scenarios.md).
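Review bot: the replacement link `enrollment-autopilot.md` is a relative path that resolves inside `autopilot/`, but what appears to be the same article is linked elsewhere in this commit as `/mem/intune/enrollment/enrollment-autopilot` (autopilot/dfci-management.md) and as `/autopilot/enrollment-autopilot` (the Autopilot entry in the Microsoft management solutions list). Confirm that `autopilot/enrollment-autopilot.md` exists, otherwise this change swaps a redirected link for a broken one. If the article lives under the Intune docs, use the `/mem/intune/enrollment/enrollment-autopilot` form here and in the list entry as well.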
2 changes: 1 addition & 1 deletion autopilot/requirements.md
Original file line number Diff line number Diff line change
Expand Up @@ -239,7 +239,7 @@ To provide needed Microsoft Entra ID and MDM functionality, including automatic
> [!NOTE]
>
> When a Microsoft 365 subscription is used, licenses still need to be assigned to users so they can enroll device in Intune. For more information, see [assign licenses to users so they can enroll devices in Intune](/intune/fundamentals/licenses-assign).
> When a Microsoft 365 subscription is used, licenses still need to be assigned to users so they can enroll device in Intune. For more information, see [assign licenses to users so they can enroll devices in Intune](/mem/intune/fundamentals/licenses-assign).
Additionally, the following are also recommended (but not required):
2 changes: 1 addition & 1 deletion autopilot/windows-autopilot-reset.md
Original file line number Diff line number Diff line change
Expand Up @@ -123,7 +123,7 @@ On the device where the local Windows Autopilot reset is being performed:

An MDM service such a Microsoft Intune can be used to start the remote Windows Autopilot reset process. Resetting in this way avoids the need for IT staff to visit each machine to start the process.

To enable a device for a remote Windows Autopilot Reset, the device must be MDM managed and joined to Microsoft Entra ID. Additionally, for Intune, the Intune Service Administrator role is required for remote Windows Autopilot Reset. For more information, see [Add users and grant administrative permission to Intune](/intune/users-add).
To enable a device for a remote Windows Autopilot Reset, the device must be MDM managed and joined to Microsoft Entra ID. Additionally, for Intune, the Intune Service Administrator role is required for remote Windows Autopilot Reset. For more information, see [Add users and grant administrative permission to Intune](/mem/intune/fundamentals/users-add).

### Triggering a remote Windows Autopilot Reset

2 changes: 1 addition & 1 deletion memdocs/analytics/overview.md
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ You can enroll devices via Configuration Manager or Microsoft Intune.
- Pro, Pro Education, Enterprise, or Education. Home and long-term servicing channel (LTSC) aren't supported.
- Windows devices must be Microsoft Entra joined or Microsoft Entra hybrid joined. Workplace joined or Microsoft Entra registered devices aren't supported.
- Network connectivity from devices to the Microsoft public cloud. For more information, see [endpoints](troubleshoot.md#bkmk_endpoints).
- The [Intune Service Administrator role](/intune/fundamentals/role-based-access-control) is required to [start gathering data](enroll-intune.md#bkmk_onboard).
- The [Intune Service Administrator role](/mem/intune/fundamentals/role-based-access-control) is required to [start gathering data](enroll-intune.md#bkmk_onboard).
- After the administrator selects **Start** for gathering data, other read-only roles can view the data.

### <a name="bkmk_cm_prereq"></a> How to enroll devices via Configuration Manager
Original file line number Diff line number Diff line change
Expand Up @@ -140,4 +140,4 @@ When you disable the client setting to **Automatically configure user device aff

## Next steps

You can also use Microsoft Intune to find the primary use of an enrolled device. For more information, see [Find the primary user of an Intune device](/intune/find-primary-user) in the Intune documentation.
You can also use Microsoft Intune to find the primary use of an enrolled device. For more information, see [Find the primary user of an Intune device](/mem/intune/remote-actions/find-primary-user) in the Intune documentation.
4 changes: 2 additions & 2 deletions memdocs/configmgr/comanage/how-to-monitor.md
Original file line number Diff line number Diff line change
Expand Up @@ -93,8 +93,8 @@ There are hundreds of possible errors. The following table lists the most common

| Error | Description |
|---------|---------|
| 2147549183 (0x8000FFFF) | MDM enrollment hasn't been configured yet on Microsoft Entra ID, or the enrollment URL isn't expected.<br><br>[Enable automatic enrollment](/intune/windows-enroll#enable-windows-automatic-enrollment) |
| 2149056536 (0x80180018)<br>MENROLL_E_USERLICENSE | License of user is in bad state blocking enrollment<br><br>[Assign licenses to users](/intune/licenses-assign) |
| 2147549183 (0x8000FFFF) | MDM enrollment hasn't been configured yet on Microsoft Entra ID, or the enrollment URL isn't expected.<br><br>[Enable automatic enrollment](/mem/intune/enrollment/windows-enroll#enable-windows-automatic-enrollment) |
| 2149056536 (0x80180018)<br>MENROLL_E_USERLICENSE | License of user is in bad state blocking enrollment<br><br>[Assign licenses to users](/mem/intune/fundamentals/licenses-assign) |
| 2149056555 (0x8018002B)<br>MENROLL_E_MDM_NOT_CONFIGURED | When trying to automatically enroll to Intune, but the Microsoft Entra configuration isn't fully applied. This issue should be transient, as the device retries after a short time. |
| 2149056554 (0x‭8018002A‬)<br>&nbsp; | The user canceled the operation<br><br>If MDM enrollment requires multi-factor authentication, and the user hasn't signed in with a supported second factor, Windows displays a toast notification to the user to enroll. If the user doesn't respond to toast notification, this error occurs. This issue should be transient, as Configuration Manager will retry and prompt the user. Users should use multi-factor authentication when they sign in to Windows. Also educate them to expect this behavior, and if prompted, take action. |
| 2149056532 (0x80180014)<br>MENROLL_E_DEVICENOTSUPPORTED | Mobile device management isn't supported. Check device restrictions. |
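Review bot: in the unchanged row for 2149056554, the hex value is written with invisible Unicode directional-formatting characters wrapped around `8018002A`, so searching the page or a log export for `0x8018002A` will not match that row. It sits outside the two changed lines, but the table is being edited in this pass, so retype the value as plain ASCII. The same row has `&nbsp;` where the other rows carry the `MENROLL_E_...` constant name; fill it in if the name is known.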
Original file line number Diff line number Diff line change
Expand Up @@ -102,4 +102,4 @@ If the following error appears in **DcmWmiProvider.log** on the client, check th

- [Windows 10 edition upgrade](/windows/deployment/upgrade/windows-10-edition-upgrades)

- [Upgrade Windows 10 editions or switch out of S mode on devices using Microsoft Intune](/intune/edition-upgrade-configure-windows-10)
- [Upgrade Windows 10 editions or switch out of S mode on devices using Microsoft Intune](/mem/intune/configuration/edition-upgrade-configure-windows-10)
2 changes: 1 addition & 1 deletion memdocs/configmgr/core/clients/manage/upgrade-readiness.md
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ If you don't want your devices to continue sending diagnostic data:
Set these values using one of the following methods:

- Group policy, in **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**
- Mobile device management (MDM), such as [Microsoft Intune](/intune/device-restrictions-windows-10#reporting-and-telemetry)
- Mobile device management (MDM), such as [Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10#reporting-and-telemetry)

For more information, see [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization).

Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ Try to complete the tasks. Then send [Feedback](../../../../understand/product-f
#### Prerequisites when the devices are co-managed

- Make sure the [Compliance policies workload](../../../../../comanage/workloads.md#compliance-policies) is moved to either Pilot or Intune.
- From Intune's Windows 10 compliance policy, make sure that **Require** is set for [**Configuration Manager Compliance**](/intune/protect/compliance-policy-create-windows#configuration-manager-compliance).
- From Intune's Windows 10 compliance policy, make sure that **Require** is set for [**Configuration Manager Compliance**](/mem/intune/protect/compliance-policy-create-windows#configuration-manager-compliance).

#### Create and deploy a compliance policy with a rule for baseline compliance policy assessment

Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ The following Microsoft management solutions are all now part of the **Microsoft
- [Configuration Manager](/configmgr)
- [Intune](/mem/intune/fundamentals/account-sign-up)
- [Desktop Analytics](../../../../../desktop-analytics/overview.md)
- [Autopilot](/intune/enrollment/enrollment-autopilot)
- [Autopilot](/autopilot/enrollment-autopilot)
- Other features in the [Device Management Admin Console](https://techcommunity.microsoft.com/t5/enterprise-mobility-security/microsoft-intune-rolls-out-an-improved-streamlined-endpoint/ba-p/937760)

For more information, see the following posts from Brad Anderson, Microsoft corporate vice president for Microsoft 365:
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ When you enable Microsoft Connected Cache on your Configuration Manager distribu

- This feature only supports the Intune Win32 app type.

- Create and assign (deploy) a new app in Intune for this purpose. (Apps created before Intune version 1811 don't work.) For more information, see [Intune Win32 app management](/intune/apps/apps-win32-app-management).
- Create and assign (deploy) a new app in Intune for this purpose. (Apps created before Intune version 1811 don't work.) For more information, see [Intune Win32 app management](/mem/intune/apps/apps-win32-app-management).

- The app needs to be at least 100 MB in size.
