diff --git a/.github/workflows/AutoLabelAssign.yml b/.github/workflows/AutoLabelAssign.yml
new file mode 100644
index 00000000000..bd1887dd446
--- /dev/null
+++ b/.github/workflows/AutoLabelAssign.yml
@@ -0,0 +1,35 @@
+name: Assign and label PR
+ pull-requests: write
+ contents: read
+ actions: read
+ workflow_run:
+ workflows: [Background tasks]
+ types:
+ - completed
+ download-payload:
+ name: Download and extract payload artifact
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-ExtractPayload.yml@workflows-prod
+ with:
+ WorkflowId: ${{ github.event.workflow_run.id }}
+ OrgRepo: ${{ github.repository }}
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
+ label-assign:
+ name: Run assign and label
+ needs: [download-payload]
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoLabelAssign.yml@workflows-prod
+ with:
+ PayloadJson: ${{ needs.download-payload.outputs.WorkflowPayload }}
+ AutoAssignUsers: 0
+ AutoLabel: 0
+ ExcludedUserList: '["user1", "user2"]'
+ ExcludedBranchList: '["branch1", "branch2"]'
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/AutoLabelMsftContributor.yml b/.github/workflows/AutoLabelMsftContributor.yml
new file mode 100644
index 00000000000..7058a420cf0
--- /dev/null
+++ b/.github/workflows/AutoLabelMsftContributor.yml
@@ -0,0 +1,34 @@
+name: Auto label Microsoft contributors
+ pull-requests: write
+ contents: read
+ actions: read
+ workflow_run:
+ workflows: [Background tasks]
+ types:
+ - completed
+ download-payload:
+ if: github.repository_visibility == 'public'
+ name: Download and extract payload artifact
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-ExtractPayload.yml@workflows-prod
+ with:
+ WorkflowId: ${{ github.event.workflow_run.id }}
+ OrgRepo: ${{ github.repository }}
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
+ label-msft:
+ name: Label Microsoft contributors
+ if: github.repository_visibility == 'public'
+ needs: [download-payload]
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoLabelMsftContributor.yml@workflows-prod
+ with:
+ PayloadJson: ${{ needs.download-payload.outputs.WorkflowPayload }}
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
+ TeamReadAccessToken: ${{ secrets.ORG_READTEAMS_TOKEN }}
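Review bot: Neither job checks how the triggering run ended, and `label-msft` receives `ORG_READTEAMS_TOKEN` together with a payload that originates from a `pull_request_target` run that any fork PR can start. Extending the existing condition to `if: github.repository_visibility == 'public' && github.event.workflow_run.conclusion == 'success'` keeps the jobs from acting on a failed or cancelled upstream run. The payload carries PR-author-controlled strings (title, body, branch name), so a comment above `PayloadJson:` such as `# untrusted: PR-author-controlled content, must only be parsed as data` would record the assumption the shared workflow has to honour; how it handles the payload is not visible in this diff. AutoLabelAssign.yml has the same shape without the org token.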
diff --git a/.github/workflows/BackgroundTasks.yml b/.github/workflows/BackgroundTasks.yml
new file mode 100644
index 00000000000..c0389bb252f
--- /dev/null
+++ b/.github/workflows/BackgroundTasks.yml
@@ -0,0 +1,26 @@
+name: Background tasks
+ pull-requests: write
+ contents: read
+ pull_request_target:
+ upload:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Save payload data
+ env:
+ PayloadJson: ${{ toJSON(github) }}
+ AccessToken: ${{ github.token }}
+ run: |
+ mkdir -p ./pr
+ echo $PayloadJson > ./pr/PayloadJson.json
+ sed -i -e "s/$AccessToken/XYZ/g" ./pr/PayloadJson.json
+ - uses: actions/upload-artifact@v4
+ with:
+ name: PayloadJson
+ path: pr/
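Review bot: `echo $PayloadJson` is unquoted, so the shell word-splits and glob-expands the JSON before writing it: runs of whitespace inside PR titles or bodies collapse, and a bare `*` is replaced by file names from the working directory. The token scrub on the next line depends on the token text being free of sed metacharacters and on that literal string being the only sensitive value in the dump. Writing the file with `jq 'del(.token)' <<<"$PayloadJson" > ./pr/PayloadJson.json` (jq ships on the hosted Ubuntu images) removes the field structurally and keeps string values intact. The job only uploads an artifact, so the `pull-requests: write` permission at the top of the file looks unnecessary here; `contents: read` alone should do if nothing else in the workflow needs more.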
diff --git a/.github/workflows/LiveMergeCheck.yml b/.github/workflows/LiveMergeCheck.yml
new file mode 100644
index 00000000000..56b79b48139
--- /dev/null
+++ b/.github/workflows/LiveMergeCheck.yml
@@ -0,0 +1,19 @@
+name: PR can merge into branch
+ pull-requests: write
+ statuses: write
+ contents: read
+ pull_request_target:
+ types: [opened, reopened, synchronize, edited]
+ live-merge:
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-LiveMergeCheck.yml@workflows-prod
+ with:
+ PayloadJson: ${{ toJSON(github) }}
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
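Review bot: `PayloadJson: ${{ toJSON(github) }}` hands the whole `github` context, `token` field included, to the shared workflow as an ordinary input, while BackgroundTasks.yml in this same commit strips the token before storing the same dump. The token already travels as the `AccessToken` secret, so the copy inside the input adds nothing and relies on log masking alone if the callee prints or persists the payload. If the shared workflow only reads event data, `PayloadJson: ${{ toJSON(github.event) }}` would be a narrower input; what the callee actually reads is not visible in this diff, so confirm before changing. PrFileCount.yml and ProtectedFiles.yml pass the same value under `pull_request_target`.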
diff --git a/.github/workflows/PrFileCount.yml b/.github/workflows/PrFileCount.yml
new file mode 100644
index 00000000000..95fcf5e1ede
--- /dev/null
+++ b/.github/workflows/PrFileCount.yml
@@ -0,0 +1,19 @@
+name: PR file count less than limit
+ pull-requests: write
+ statuses: write
+ contents: read
+ pull_request_target:
+ types: [opened, reopened, synchronize, labeled, unlabeled, edited]
+ file-count:
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-PrFileCount.yml@workflows-prod
+ with:
+ PayloadJson: ${{ toJSON(github) }}
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/ProtectedFiles.yml b/.github/workflows/ProtectedFiles.yml
new file mode 100644
index 00000000000..769cd0aa146
--- /dev/null
+++ b/.github/workflows/ProtectedFiles.yml
@@ -0,0 +1,17 @@
+name: PR has no protected files
+ pull-requests: write
+ statuses: write
+ contents: read
+on: [pull_request_target]
+ protected-files:
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-ProtectedFiles.yml@workflows-prod
+ with:
+ PayloadJson: ${{ toJSON(github) }}
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 9a0facd629a..5ceee9a62a5 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1,5 +1,30 @@
"redirections": [
+ {
+ "source_path": "memdocs/intune/remote-actions/organizational-messages-reporting.md",
+ "redirect_url": "/microsoft-365/admin/misc/organizational-messages-microsoft-365",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "memdocs/intune/remote-actions/organizational-messages-prerequisites.md",
+ "redirect_url": "/microsoft-365/admin/misc/organizational-messages-microsoft-365",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "memdocs/intune/remote-actions/organizational-messages-overview.md",
+ "redirect_url": "/microsoft-365/admin/misc/organizational-messages-microsoft-365",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "memdocs/intune/remote-actions/organizational-messages-create.md",
+ "redirect_url": "/microsoft-365/admin/misc/organizational-messages-microsoft-365",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "memdocs/intune/remote-actions/organizational-messages-cancel.md",
+ "redirect_url": "/microsoft-365/admin/misc/organizational-messages-microsoft-365",
+ "redirect_document_id": false
+ },
"source_path": "memdocs/intune/user-help/you-need-to-enable-uac-windows.md",
"redirect_url": "/mem/intune/user-help/update-device-settings-windows",
@@ -2689,6 +2714,11 @@
"source_path": "autopilot/autopilot-faq.yml",
"redirect_url": "/autopilot/faq",
"redirect_document_id": false
+ },
+ {
+ "source_path": "memdocs/intune/protect/endpoint-security-firewall-rule-tool.md",
+ "redirect_url": "/mem/intune/protect/endpoint-security-firewall-policy",
+ "redirect_document_id": false
\ No newline at end of file
diff --git a/autopilot/add-devices.md b/autopilot/add-devices.md
index 6179845d4ec..6f5fbdb68cd 100644
--- a/autopilot/add-devices.md
+++ b/autopilot/add-devices.md
@@ -2,7 +2,7 @@
title: Manually register devices with Windows Autopilot
description: Learn how to manually add devices to Windows Autopilot.
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/autopilot/automatic-registration.md b/autopilot/automatic-registration.md
index bc6ccee44d6..90027c2463d 100644
--- a/autopilot/automatic-registration.md
+++ b/autopilot/automatic-registration.md
@@ -2,7 +2,7 @@
title: Automatic registration of existing devices
description: Automatically add devices to Windows Autopilot.
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/autopilot/autopilot-device-guidelines.md b/autopilot/autopilot-device-guidelines.md
index 59caae3011a..92d06b40cdc 100644
--- a/autopilot/autopilot-device-guidelines.md
+++ b/autopilot/autopilot-device-guidelines.md
@@ -2,7 +2,7 @@
title: Windows Autopilot device guidelines
description: Learn all about hardware, firmware, and software best practices for Windows Autopilot deployment.
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/autopilot/autopilot-motherboard-replacement.md b/autopilot/autopilot-motherboard-replacement.md
index d7b28e613aa..8995779f4f9 100644
--- a/autopilot/autopilot-motherboard-replacement.md
+++ b/autopilot/autopilot-motherboard-replacement.md
@@ -2,7 +2,7 @@
title: Windows Autopilot motherboard replacement
description: Understand how Windows Autopilot deployments function when the motherboard is replaced on a device.
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/autopilot/autopilot-support.md b/autopilot/autopilot-support.md
index b0bc21ab726..2c5d85558eb 100644
--- a/autopilot/autopilot-support.md
+++ b/autopilot/autopilot-support.md
@@ -2,7 +2,7 @@
title: Windows Autopilot support
description: Find out who to contact for help with Windows Autopilot installation.
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/autopilot/bitlocker.md b/autopilot/bitlocker.md
index 6f8bdb639ca..4fd13bd310f 100644
--- a/autopilot/bitlocker.md
+++ b/autopilot/bitlocker.md
@@ -2,7 +2,7 @@
title: Setting the BitLocker encryption algorithm for Autopilot devices
description: Microsoft Intune provides a comprehensive set of configuration options to manage BitLocker on Windows devices.
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/autopilot/deployment-process.md b/autopilot/deployment-process.md
index c842b7e8923..989c9c373a0 100644
--- a/autopilot/deployment-process.md
+++ b/autopilot/deployment-process.md
@@ -2,7 +2,7 @@
title: Windows deployment process posters
description: View and download Windows deployment process flows for Microsoft Configuration Manager and Windows Autopilot.
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/autopilot/device-preparation/compare.md b/autopilot/device-preparation/compare.md
index 732636949d3..0286395fab6 100644
--- a/autopilot/device-preparation/compare.md
+++ b/autopilot/device-preparation/compare.md
@@ -2,7 +2,7 @@
title: Compare Windows Autopilot device preparation and Windows Autopilot
description: Compare Windows Autopilot device preparation and Windows Autopilot features and when to use each.
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/autopilot/device-preparation/faq.yml b/autopilot/device-preparation/faq.yml
index 6f3b2642602..2fa2b7d4887 100644
--- a/autopilot/device-preparation/faq.yml
+++ b/autopilot/device-preparation/faq.yml
@@ -3,7 +3,7 @@ metadata:
title: Windows Autopilot device preparation FAQ
description: This article provides OEMs, partners, administrators, and users with answers to some frequently asked questions about deploying Windows with Windows Autopilot device preparation.
ms.service: windows-client
- ms.subservice: itpro-deploy
+ ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/autopilot/device-preparation/known-issues.md b/autopilot/device-preparation/known-issues.md
index 0f515a960fc..d34731b0cce 100644
--- a/autopilot/device-preparation/known-issues.md
+++ b/autopilot/device-preparation/known-issues.md
@@ -2,7 +2,7 @@
title: Windows Autopilot device preparation known issues
description: Information regarding known issues that might occur during a Windows Autopilot device preparation deployment. # RSS subscription is based on this description so don't change. If the description needs to change, update RSS URL in the Tip in the article.
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/autopilot/device-preparation/overview.md b/autopilot/device-preparation/overview.md
index 99a86d08846..387220a75ff 100644
--- a/autopilot/device-preparation/overview.md
+++ b/autopilot/device-preparation/overview.md
@@ -2,7 +2,7 @@
title: Overview of Windows Autopilot device preparation
description: Windows Autopilot device preparation is used to set up and configure new devices, getting them ready for productive use.
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/autopilot/device-preparation/reporting-monitoring.md b/autopilot/device-preparation/reporting-monitoring.md
index 8d51f0fb497..0fbe68d4005 100644
--- a/autopilot/device-preparation/reporting-monitoring.md
+++ b/autopilot/device-preparation/reporting-monitoring.md
@@ -2,7 +2,7 @@
title: Windows Autopilot device preparation reporting and monitoring
description: Reporting and monitoring in Windows Autopilot device preparation.
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/autopilot/device-preparation/requirements.md b/autopilot/device-preparation/requirements.md
index 50493515c25..fdcf9c0277b 100644
--- a/autopilot/device-preparation/requirements.md
+++ b/autopilot/device-preparation/requirements.md
@@ -2,7 +2,7 @@
title: Windows Autopilot device preparation requirements
description: Software, Networking, Licensing, Configuration, and RBAC requirements for Windows Autopilot device preparation. # RSS subscription is based on this description so don't change. If the description needs to change, update RSS URL in the Tip in the article.
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/autopilot/device-preparation/troubleshooting-faq.yml b/autopilot/device-preparation/troubleshooting-faq.yml
index aa293f70eda..44f3f4e87ce 100644
--- a/autopilot/device-preparation/troubleshooting-faq.yml
+++ b/autopilot/device-preparation/troubleshooting-faq.yml
@@ -3,7 +3,7 @@ metadata:
title: Windows Autopilot device preparation troubleshooting FAQ
description: Troubleshooting of common Windows Autopilot device preparation issues
ms.service: windows-client
- ms.subservice: itpro-deploy
+ ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/autopilot/device-preparation/tutorial/scenarios.md b/autopilot/device-preparation/tutorial/scenarios.md
index 908572b7f23..d499cb2d86f 100644
--- a/autopilot/device-preparation/tutorial/scenarios.md
+++ b/autopilot/device-preparation/tutorial/scenarios.md
@@ -13,7 +13,7 @@ ms.collection:
- tier1
- highpri
- essentials-get-started
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
diff --git a/autopilot/device-preparation/tutorial/user-driven/entra-join-allow-users-to-join.md b/autopilot/device-preparation/tutorial/user-driven/entra-join-allow-users-to-join.md
index ea4a0a609e4..05b23e1c343 100644
--- a/autopilot/device-preparation/tutorial/user-driven/entra-join-allow-users-to-join.md
+++ b/autopilot/device-preparation/tutorial/user-driven/entra-join-allow-users-to-join.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
diff --git a/autopilot/device-preparation/tutorial/user-driven/entra-join-assign-apps-scripts.md b/autopilot/device-preparation/tutorial/user-driven/entra-join-assign-apps-scripts.md
index f5d14eebaee..311d3de1724 100644
--- a/autopilot/device-preparation/tutorial/user-driven/entra-join-assign-apps-scripts.md
+++ b/autopilot/device-preparation/tutorial/user-driven/entra-join-assign-apps-scripts.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
diff --git a/autopilot/device-preparation/tutorial/user-driven/entra-join-automatic-enrollment.md b/autopilot/device-preparation/tutorial/user-driven/entra-join-automatic-enrollment.md
index f29a39485ff..25c5aaa1004 100644
--- a/autopilot/device-preparation/tutorial/user-driven/entra-join-automatic-enrollment.md
+++ b/autopilot/device-preparation/tutorial/user-driven/entra-join-automatic-enrollment.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
diff --git a/autopilot/device-preparation/tutorial/user-driven/entra-join-autopilot-policy.md b/autopilot/device-preparation/tutorial/user-driven/entra-join-autopilot-policy.md
index 4ee1a059037..8f6d1e4393f 100644
--- a/autopilot/device-preparation/tutorial/user-driven/entra-join-autopilot-policy.md
+++ b/autopilot/device-preparation/tutorial/user-driven/entra-join-autopilot-policy.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
diff --git a/autopilot/device-preparation/tutorial/user-driven/entra-join-corporate-identifier.md b/autopilot/device-preparation/tutorial/user-driven/entra-join-corporate-identifier.md
index 542056ae5f3..de805257695 100644
--- a/autopilot/device-preparation/tutorial/user-driven/entra-join-corporate-identifier.md
+++ b/autopilot/device-preparation/tutorial/user-driven/entra-join-corporate-identifier.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
diff --git a/autopilot/device-preparation/tutorial/user-driven/entra-join-device-group.md b/autopilot/device-preparation/tutorial/user-driven/entra-join-device-group.md
index 46472776a2d..11a8c61fa98 100644
--- a/autopilot/device-preparation/tutorial/user-driven/entra-join-device-group.md
+++ b/autopilot/device-preparation/tutorial/user-driven/entra-join-device-group.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
diff --git a/autopilot/device-preparation/tutorial/user-driven/entra-join-user-group.md b/autopilot/device-preparation/tutorial/user-driven/entra-join-user-group.md
index 02af86b522a..8471217c2d7 100644
--- a/autopilot/device-preparation/tutorial/user-driven/entra-join-user-group.md
+++ b/autopilot/device-preparation/tutorial/user-driven/entra-join-user-group.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
diff --git a/autopilot/device-preparation/tutorial/user-driven/entra-join-workflow.md b/autopilot/device-preparation/tutorial/user-driven/entra-join-workflow.md
index b479118df64..101329db4d6 100644
--- a/autopilot/device-preparation/tutorial/user-driven/entra-join-workflow.md
+++ b/autopilot/device-preparation/tutorial/user-driven/entra-join-workflow.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
diff --git a/autopilot/device-preparation/whats-new.md b/autopilot/device-preparation/whats-new.md
index e45983e3794..ba8714bec7d 100644
--- a/autopilot/device-preparation/whats-new.md
+++ b/autopilot/device-preparation/whats-new.md
@@ -2,13 +2,13 @@
title: What's new in Windows Autopilot device preparation
description: News and resources about the latest updates of Windows Autopilot device preparation. # RSS subscription is based on this description so don't change. If the description needs to change, update RSS URL in the Tip in the article.
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.reviewer: jubaptis
-ms.date: 06/26/2024
+ms.date: 08/21/2024
- M365-modern-desktop
- tier2
@@ -31,6 +31,18 @@ appliesto:
> For more information on using RSS for notifications, see [How to use the docs](/mem/use-docs#notifications) in the Intune documentation.
+## Windows Autopilot device preparation deployment status report available in the Monitor tab under Enrollment
+Date added: *August 21, 2024*
+In addition to the [Devices | Monitor](reporting-monitoring.md#accessing-reports-and-near-real-time-monitoring) page, admins can now easily access the **Windows Autopilot device preparation deployment status** report from the **Monitor** tab in the **Devices | Enrollment** page. The report can be found using the following steps:
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Home** > **Devices** > **Device onboarding | Enrollment**.
+1. Select the **Monitor** tab in the **Devices | Enrollment** page.
## Corporate identifiers can now be used with Windows Autopilot device preparation
Date added: *July 8, 2024*
diff --git a/autopilot/dfci-management.md b/autopilot/dfci-management.md
index 3029fb06767..7df516a9369 100644
--- a/autopilot/dfci-management.md
+++ b/autopilot/dfci-management.md
@@ -1,7 +1,7 @@
title: DFCI Management
description: With Windows Autopilot Deployment and Intune, Unified Extensible Firmware Interface (UEFI) settings can be managed after the device is enrolled. UEFI settings can be managed by using the Device Firmware Configuration Interface (DFCI).
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
diff --git a/autopilot/enrollment-autopilot.md b/autopilot/enrollment-autopilot.md
index b8cbbb7bbbf..fb809bf38ad 100644
--- a/autopilot/enrollment-autopilot.md
+++ b/autopilot/enrollment-autopilot.md
@@ -9,7 +9,7 @@ ms.date: 06/28/2024
ms.topic: how-to
ms.localizationpriority: high
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.suite: ems
search.appverid: MET150
diff --git a/autopilot/enrollment-status.md b/autopilot/enrollment-status.md
index 611c5252a37..15012e20f0b 100644
--- a/autopilot/enrollment-status.md
+++ b/autopilot/enrollment-status.md
@@ -1,7 +1,7 @@
title: Windows Autopilot Enrollment Status Page
description: Gives an overview of the Enrollment Status Page capabilities, configuration.
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
diff --git a/autopilot/existing-devices.md b/autopilot/existing-devices.md
index 3cc9aaae6e1..681d63e2d80 100644
--- a/autopilot/existing-devices.md
+++ b/autopilot/existing-devices.md
@@ -2,7 +2,7 @@
title: Windows Autopilot for existing devices
description: Modern desktop deployment with Windows Autopilot enables easily deploying the latest version of Windows to existing devices.
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/autopilot/faq.yml b/autopilot/faq.yml
index b5506775517..d7b36e5e8dd 100644
--- a/autopilot/faq.yml
+++ b/autopilot/faq.yml
@@ -3,7 +3,7 @@ metadata:
title: Windows Autopilot FAQ
description: This article provides OEMs, partners, administrators, and end users with answers to some frequently asked questions about deploying Windows with Autopilot.
ms.service: windows-client
- ms.subservice: itpro-deploy
+ ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/autopilot/images/aad-lic1.png b/autopilot/images/aad-lic1.png
deleted file mode 100644
index 569d601066d..00000000000
Binary files a/autopilot/images/aad-lic1.png and /dev/null differ
diff --git a/autopilot/images/all-groups.png b/autopilot/images/all-groups.png
deleted file mode 100644
index 6ae904ed620..00000000000
Binary files a/autopilot/images/all-groups.png and /dev/null differ
diff --git a/autopilot/images/allow-white-glove-oobe.png b/autopilot/images/allow-white-glove-oobe.png
deleted file mode 100644
index fe22aa3afd8..00000000000
Binary files a/autopilot/images/allow-white-glove-oobe.png and /dev/null differ
diff --git a/autopilot/images/ap-devices.png b/autopilot/images/ap-devices.png
deleted file mode 100644
index 97737fbcf87..00000000000
Binary files a/autopilot/images/ap-devices.png and /dev/null differ
diff --git a/autopilot/images/ap-ts-1.png b/autopilot/images/ap-ts-1.png
deleted file mode 100644
index 5f4c33fd51f..00000000000
Binary files a/autopilot/images/ap-ts-1.png and /dev/null differ
diff --git a/autopilot/images/ap-ts.png b/autopilot/images/ap-ts.png
deleted file mode 100644
index 7c343176d01..00000000000
Binary files a/autopilot/images/ap-ts.png and /dev/null differ
diff --git a/autopilot/images/app01.png b/autopilot/images/app01.png
deleted file mode 100644
index f551c5ca68a..00000000000
Binary files a/autopilot/images/app01.png and /dev/null differ
diff --git a/autopilot/images/app02.png b/autopilot/images/app02.png
deleted file mode 100644
index e5036043cc7..00000000000
Binary files a/autopilot/images/app02.png and /dev/null differ
diff --git a/autopilot/images/app03.png b/autopilot/images/app03.png
deleted file mode 100644
index 63ef76b3f8a..00000000000
Binary files a/autopilot/images/app03.png and /dev/null differ
diff --git a/autopilot/images/app04.png b/autopilot/images/app04.png
deleted file mode 100644
index bd307c4a464..00000000000
Binary files a/autopilot/images/app04.png and /dev/null differ
diff --git a/autopilot/images/app05.png b/autopilot/images/app05.png
deleted file mode 100644
index 83861dcd51d..00000000000
Binary files a/autopilot/images/app05.png and /dev/null differ
diff --git a/autopilot/images/app06.png b/autopilot/images/app06.png
deleted file mode 100644
index 9563e0514c7..00000000000
Binary files a/autopilot/images/app06.png and /dev/null differ
diff --git a/autopilot/images/app07.png b/autopilot/images/app07.png
deleted file mode 100644
index 59025e69fa7..00000000000
Binary files a/autopilot/images/app07.png and /dev/null differ
diff --git a/autopilot/images/app08.png b/autopilot/images/app08.png
deleted file mode 100644
index cea5edfc57a..00000000000
Binary files a/autopilot/images/app08.png and /dev/null differ
diff --git a/autopilot/images/app09.png b/autopilot/images/app09.png
deleted file mode 100644
index 250c85dd8ac..00000000000
Binary files a/autopilot/images/app09.png and /dev/null differ
diff --git a/autopilot/images/app10.png b/autopilot/images/app10.png
deleted file mode 100644
index 8d5af2ece12..00000000000
Binary files a/autopilot/images/app10.png and /dev/null differ
diff --git a/autopilot/images/app11.png b/autopilot/images/app11.png
deleted file mode 100644
index 9ca5bc10eb3..00000000000
Binary files a/autopilot/images/app11.png and /dev/null differ
diff --git a/autopilot/images/app12.png b/autopilot/images/app12.png
deleted file mode 100644
index 3f82bf78a96..00000000000
Binary files a/autopilot/images/app12.png and /dev/null differ
diff --git a/autopilot/images/app13.png b/autopilot/images/app13.png
deleted file mode 100644
index 2b499f4ec20..00000000000
Binary files a/autopilot/images/app13.png and /dev/null differ
diff --git a/autopilot/images/app14.png b/autopilot/images/app14.png
deleted file mode 100644
index e809db61347..00000000000
Binary files a/autopilot/images/app14.png and /dev/null differ
diff --git a/autopilot/images/app15.png b/autopilot/images/app15.png
deleted file mode 100644
index b85a96bf9eb..00000000000
Binary files a/autopilot/images/app15.png and /dev/null differ
diff --git a/autopilot/images/app16.png b/autopilot/images/app16.png
deleted file mode 100644
index f22f74a091d..00000000000
Binary files a/autopilot/images/app16.png and /dev/null differ
diff --git a/autopilot/images/app17.png b/autopilot/images/app17.png
deleted file mode 100644
index 5adfc9218f6..00000000000
Binary files a/autopilot/images/app17.png and /dev/null differ
diff --git a/autopilot/images/app18.png b/autopilot/images/app18.png
deleted file mode 100644
index 24c4b9f3316..00000000000
Binary files a/autopilot/images/app18.png and /dev/null differ
diff --git a/autopilot/images/app19.png b/autopilot/images/app19.png
deleted file mode 100644
index 281ba9fb404..00000000000
Binary files a/autopilot/images/app19.png and /dev/null differ
diff --git a/autopilot/images/app20.png b/autopilot/images/app20.png
deleted file mode 100644
index a5a066b45e7..00000000000
Binary files a/autopilot/images/app20.png and /dev/null differ
diff --git a/autopilot/images/app21.png b/autopilot/images/app21.png
deleted file mode 100644
index d2e23f2db43..00000000000
Binary files a/autopilot/images/app21.png and /dev/null differ
diff --git a/autopilot/images/app22.png b/autopilot/images/app22.png
deleted file mode 100644
index 4541a692045..00000000000
Binary files a/autopilot/images/app22.png and /dev/null differ
diff --git a/autopilot/images/app23.png b/autopilot/images/app23.png
deleted file mode 100644
index 19b951c653f..00000000000
Binary files a/autopilot/images/app23.png and /dev/null differ
diff --git a/autopilot/images/app24.png b/autopilot/images/app24.png
deleted file mode 100644
index aa77e4083f8..00000000000
Binary files a/autopilot/images/app24.png and /dev/null differ
diff --git a/autopilot/images/app25.png b/autopilot/images/app25.png
deleted file mode 100644
index 544d1ae37a5..00000000000
Binary files a/autopilot/images/app25.png and /dev/null differ
diff --git a/autopilot/images/app26.png b/autopilot/images/app26.png
deleted file mode 100644
index e210faa31ba..00000000000
Binary files a/autopilot/images/app26.png and /dev/null differ
diff --git a/autopilot/images/autopilot-aad-configure.jpg b/autopilot/images/autopilot-aad-configure.jpg
deleted file mode 100644
index 3a16c0f219c..00000000000
Binary files a/autopilot/images/autopilot-aad-configure.jpg and /dev/null differ
diff --git a/autopilot/images/autopilot-aad-mdm.jpg b/autopilot/images/autopilot-aad-mdm.jpg
deleted file mode 100644
index 3a8f1578cbf..00000000000
Binary files a/autopilot/images/autopilot-aad-mdm.jpg and /dev/null differ
diff --git a/autopilot/images/autopilot-aad-mdm.png b/autopilot/images/autopilot-aad-mdm.png
deleted file mode 100644
index 1533f68c7c3..00000000000
Binary files a/autopilot/images/autopilot-aad-mdm.png and /dev/null differ
diff --git a/autopilot/images/autopilot-devices-add.jpg b/autopilot/images/autopilot-devices-add.jpg
deleted file mode 100644
index 137b6ca431f..00000000000
Binary files a/autopilot/images/autopilot-devices-add.jpg and /dev/null differ
diff --git a/autopilot/images/autopilot-intune-profile-add.jpg b/autopilot/images/autopilot-intune-profile-add.jpg
deleted file mode 100644
index bc4bed89201..00000000000
Binary files a/autopilot/images/autopilot-intune-profile-add.jpg and /dev/null differ
diff --git a/autopilot/images/autopilot-intune-profile-assign.jpg b/autopilot/images/autopilot-intune-profile-assign.jpg
deleted file mode 100644
index 76043821137..00000000000
Binary files a/autopilot/images/autopilot-intune-profile-assign.jpg and /dev/null differ
diff --git a/autopilot/images/autopilot-intune-profile-configure.jpg b/autopilot/images/autopilot-intune-profile-configure.jpg
deleted file mode 100644
index c3c5307ce45..00000000000
Binary files a/autopilot/images/autopilot-intune-profile-configure.jpg and /dev/null differ
diff --git a/autopilot/images/autopilot-intune-sync.jpg b/autopilot/images/autopilot-intune-sync.jpg
deleted file mode 100644
index a2717c68bee..00000000000
Binary files a/autopilot/images/autopilot-intune-sync.jpg and /dev/null differ
diff --git a/autopilot/images/autopilot-oobe.jpg b/autopilot/images/autopilot-oobe.jpg
deleted file mode 100644
index bb2d641155b..00000000000
Binary files a/autopilot/images/autopilot-oobe.jpg and /dev/null differ
diff --git a/autopilot/images/autopilot-reset-customlogin.png b/autopilot/images/autopilot-reset-customlogin.png
deleted file mode 100644
index d86cb578950..00000000000
Binary files a/autopilot/images/autopilot-reset-customlogin.png and /dev/null differ
diff --git a/autopilot/images/autopilot-reset-lockscreen.png b/autopilot/images/autopilot-reset-lockscreen.png
deleted file mode 100644
index f6fa6d34676..00000000000
Binary files a/autopilot/images/autopilot-reset-lockscreen.png and /dev/null differ
diff --git a/autopilot/images/autopilot-reset-progress.jpg b/autopilot/images/autopilot-reset-progress.jpg
deleted file mode 100644
index dbf0e3b3ae0..00000000000
Binary files a/autopilot/images/autopilot-reset-progress.jpg and /dev/null differ
diff --git a/autopilot/images/autopilot-reset-prompt.jpg b/autopilot/images/autopilot-reset-prompt.jpg
deleted file mode 100644
index 9ed75a9db99..00000000000
Binary files a/autopilot/images/autopilot-reset-prompt.jpg and /dev/null differ
diff --git a/autopilot/images/bitlocker-encryption.png b/autopilot/images/bitlocker-encryption.png
deleted file mode 100644
index 96e2d94fb39..00000000000
Binary files a/autopilot/images/bitlocker-encryption.png and /dev/null differ
diff --git a/autopilot/images/branding.png b/autopilot/images/branding.png
deleted file mode 100644
index 46dd37bc4a9..00000000000
Binary files a/autopilot/images/branding.png and /dev/null differ
diff --git a/autopilot/images/choice.png b/autopilot/images/choice.png
deleted file mode 100644
index 881744eec5d..00000000000
Binary files a/autopilot/images/choice.png and /dev/null differ
diff --git a/autopilot/images/connector-fail.png b/autopilot/images/connector-fail.png
deleted file mode 100644
index 2d8abb57853..00000000000
Binary files a/autopilot/images/connector-fail.png and /dev/null differ
diff --git a/autopilot/images/csp3.png b/autopilot/images/csp3.png
deleted file mode 100644
index 8b0647e4b40..00000000000
Binary files a/autopilot/images/csp3.png and /dev/null differ
diff --git a/autopilot/images/delete-device1.png b/autopilot/images/delete-device1.png
deleted file mode 100644
index e73f929fbd9..00000000000
Binary files a/autopilot/images/delete-device1.png and /dev/null differ
diff --git a/autopilot/images/delete-device2.png b/autopilot/images/delete-device2.png
deleted file mode 100644
index ed764ac1ede..00000000000
Binary files a/autopilot/images/delete-device2.png and /dev/null differ
diff --git a/autopilot/images/delete-device3.png b/autopilot/images/delete-device3.png
deleted file mode 100644
index a2daa1c39aa..00000000000
Binary files a/autopilot/images/delete-device3.png and /dev/null differ
diff --git a/autopilot/images/delete-device4.png b/autopilot/images/delete-device4.png
deleted file mode 100644
index c0119fbc39e..00000000000
Binary files a/autopilot/images/delete-device4.png and /dev/null differ
diff --git a/autopilot/images/delete-device5.png b/autopilot/images/delete-device5.png
deleted file mode 100644
index 33b539d33c0..00000000000
Binary files a/autopilot/images/delete-device5.png and /dev/null differ
diff --git a/autopilot/images/delete-device6.png b/autopilot/images/delete-device6.png
deleted file mode 100644
index 23cbcb7c441..00000000000
Binary files a/autopilot/images/delete-device6.png and /dev/null differ
diff --git a/autopilot/images/delete-device7.png b/autopilot/images/delete-device7.png
deleted file mode 100644
index dcdeee52051..00000000000
Binary files a/autopilot/images/delete-device7.png and /dev/null differ
diff --git a/autopilot/images/deployment-profiles.png b/autopilot/images/deployment-profiles.png
deleted file mode 100644
index 7888da55d1e..00000000000
Binary files a/autopilot/images/deployment-profiles.png and /dev/null differ
diff --git a/autopilot/images/deployment-profiles2.png b/autopilot/images/deployment-profiles2.png
deleted file mode 100644
index 6ff9fbb89e9..00000000000
Binary files a/autopilot/images/deployment-profiles2.png and /dev/null differ
diff --git a/autopilot/images/device-import.png b/autopilot/images/device-import.png
deleted file mode 100644
index 3be4cff9968..00000000000
Binary files a/autopilot/images/device-import.png and /dev/null differ
diff --git a/autopilot/images/device2.png b/autopilot/images/device2.png
deleted file mode 100644
index 6f7d1a5df0c..00000000000
Binary files a/autopilot/images/device2.png and /dev/null differ
diff --git a/autopilot/images/device3.png b/autopilot/images/device3.png
deleted file mode 100644
index adf9c7a875a..00000000000
Binary files a/autopilot/images/device3.png and /dev/null differ
diff --git a/autopilot/images/enabled-device.png b/autopilot/images/enabled-device.png
deleted file mode 100644
index 96dc9353094..00000000000
Binary files a/autopilot/images/enabled-device.png and /dev/null differ
diff --git a/autopilot/images/esp-config.png b/autopilot/images/esp-config.png
deleted file mode 100644
index 61e11d6e613..00000000000
Binary files a/autopilot/images/esp-config.png and /dev/null differ
diff --git a/autopilot/images/esp-settings.png b/autopilot/images/esp-settings.png
deleted file mode 100644
index df0fe655e96..00000000000
Binary files a/autopilot/images/esp-settings.png and /dev/null differ
diff --git a/autopilot/images/hwid-csv.png b/autopilot/images/hwid-csv.png
deleted file mode 100644
index ac177e0b5ac..00000000000
Binary files a/autopilot/images/hwid-csv.png and /dev/null differ
diff --git a/autopilot/images/hwid.png b/autopilot/images/hwid.png
deleted file mode 100644
index fcc73fa0b07..00000000000
Binary files a/autopilot/images/hwid.png and /dev/null differ
diff --git a/autopilot/images/hyper-v-feature.png b/autopilot/images/hyper-v-feature.png
deleted file mode 100644
index d7293d808e9..00000000000
Binary files a/autopilot/images/hyper-v-feature.png and /dev/null differ
diff --git a/autopilot/images/icons/ethernet-18.svg b/autopilot/images/icons/ethernet-18.svg
deleted file mode 100644
index 8224d2e857f..00000000000
--- a/autopilot/images/icons/ethernet-18.svg
+++ /dev/null
@@ -1,3 +0,0 @@
\ No newline at end of file
diff --git a/autopilot/images/import-vm.png b/autopilot/images/import-vm.png
deleted file mode 100644
index 5fb97cda5d1..00000000000
Binary files a/autopilot/images/import-vm.png and /dev/null differ
diff --git a/autopilot/images/include-group.png b/autopilot/images/include-group.png
deleted file mode 100644
index fb7bca7efad..00000000000
Binary files a/autopilot/images/include-group.png and /dev/null differ
diff --git a/autopilot/images/include-group2.png b/autopilot/images/include-group2.png
deleted file mode 100644
index 585d006bac4..00000000000
Binary files a/autopilot/images/include-group2.png and /dev/null differ
diff --git a/autopilot/images/intune-devices.png b/autopilot/images/intune-devices.png
deleted file mode 100644
index bc29c765119..00000000000
Binary files a/autopilot/images/intune-devices.png and /dev/null differ
diff --git a/autopilot/images/landing.png b/autopilot/images/landing.png
deleted file mode 100644
index 13dea20b075..00000000000
Binary files a/autopilot/images/landing.png and /dev/null differ
diff --git a/autopilot/images/mdm-config.png b/autopilot/images/mdm-config.png
deleted file mode 100644
index 9a794e74dce..00000000000
Binary files a/autopilot/images/mdm-config.png and /dev/null differ
diff --git a/autopilot/images/mdm-intune.png b/autopilot/images/mdm-intune.png
deleted file mode 100644
index db9b144fad3..00000000000
Binary files a/autopilot/images/mdm-intune.png and /dev/null differ
diff --git a/autopilot/images/mdm-intune2.png b/autopilot/images/mdm-intune2.png
deleted file mode 100644
index d464863f379..00000000000
Binary files a/autopilot/images/mdm-intune2.png and /dev/null differ
diff --git a/autopilot/images/msfb-assign1.png b/autopilot/images/msfb-assign1.png
deleted file mode 100644
index c1e8e27e210..00000000000
Binary files a/autopilot/images/msfb-assign1.png and /dev/null differ
diff --git a/autopilot/images/msfb-assign2.png b/autopilot/images/msfb-assign2.png
deleted file mode 100644
index fd3be16853e..00000000000
Binary files a/autopilot/images/msfb-assign2.png and /dev/null differ
diff --git a/autopilot/images/msfb-create1.png b/autopilot/images/msfb-create1.png
deleted file mode 100644
index f76aa829916..00000000000
Binary files a/autopilot/images/msfb-create1.png and /dev/null differ
diff --git a/autopilot/images/msfb-create2.png b/autopilot/images/msfb-create2.png
deleted file mode 100644
index ec6c260fcdc..00000000000
Binary files a/autopilot/images/msfb-create2.png and /dev/null differ
diff --git a/autopilot/images/msfb-create3.png b/autopilot/images/msfb-create3.png
deleted file mode 100644
index a6241fb5ea6..00000000000
Binary files a/autopilot/images/msfb-create3.png and /dev/null differ
diff --git a/autopilot/images/msfb-device.png b/autopilot/images/msfb-device.png
deleted file mode 100644
index d338056013a..00000000000
Binary files a/autopilot/images/msfb-device.png and /dev/null differ
diff --git a/autopilot/images/msfb-manage.png b/autopilot/images/msfb-manage.png
deleted file mode 100644
index 9bf684d8443..00000000000
Binary files a/autopilot/images/msfb-manage.png and /dev/null differ
diff --git a/autopilot/images/msfb-manage2.png b/autopilot/images/msfb-manage2.png
deleted file mode 100644
index 406aaf59486..00000000000
Binary files a/autopilot/images/msfb-manage2.png and /dev/null differ
diff --git a/autopilot/images/msfb-manage3.png b/autopilot/images/msfb-manage3.png
deleted file mode 100644
index bf5fb1ccf9a..00000000000
Binary files a/autopilot/images/msfb-manage3.png and /dev/null differ
diff --git a/autopilot/images/msfb.png b/autopilot/images/msfb.png
deleted file mode 100644
index af937c2c5f0..00000000000
Binary files a/autopilot/images/msfb.png and /dev/null differ
diff --git a/autopilot/images/new-group.png b/autopilot/images/new-group.png
deleted file mode 100644
index c18c1865f6f..00000000000
Binary files a/autopilot/images/new-group.png and /dev/null differ
diff --git a/autopilot/images/pc-01a.png b/autopilot/images/pc-01a.png
deleted file mode 100644
index a3d0f4cdeae..00000000000
Binary files a/autopilot/images/pc-01a.png and /dev/null differ
diff --git a/autopilot/images/pc-01b.png b/autopilot/images/pc-01b.png
deleted file mode 100644
index 07eda6e4bb1..00000000000
Binary files a/autopilot/images/pc-01b.png and /dev/null differ
diff --git a/autopilot/images/profile.png b/autopilot/images/profile.png
deleted file mode 100644
index 40cf26bee20..00000000000
Binary files a/autopilot/images/profile.png and /dev/null differ
diff --git a/autopilot/images/reset.png b/autopilot/images/reset.png
deleted file mode 100644
index 0619b7fa03b..00000000000
Binary files a/autopilot/images/reset.png and /dev/null differ
diff --git a/autopilot/images/sc.png b/autopilot/images/sc.png
deleted file mode 100644
index bb326e64063..00000000000
Binary files a/autopilot/images/sc.png and /dev/null differ
diff --git a/autopilot/images/sc1.png b/autopilot/images/sc1.png
deleted file mode 100644
index 380887a45c1..00000000000
Binary files a/autopilot/images/sc1.png and /dev/null differ
diff --git a/autopilot/images/self-deploy-welcome.png b/autopilot/images/self-deploy-welcome.png
deleted file mode 100644
index 3ab1e4b3049..00000000000
Binary files a/autopilot/images/self-deploy-welcome.png and /dev/null differ
diff --git a/autopilot/images/svr_mgr2.png b/autopilot/images/svr_mgr2.png
deleted file mode 100644
index dd2e6737c65..00000000000
Binary files a/autopilot/images/svr_mgr2.png and /dev/null differ
diff --git a/autopilot/images/troubleshoot-device-enrollment/0x80180014-error-code-enrollment-status-page.png b/autopilot/images/troubleshoot-device-enrollment/0x80180014-error-code-enrollment-status-page.png
deleted file mode 100644
index 2061a39f299..00000000000
Binary files a/autopilot/images/troubleshoot-device-enrollment/0x80180014-error-code-enrollment-status-page.png and /dev/null differ
diff --git a/autopilot/images/troubleshoot-device-enrollment/0x80180014-error-code-pre-provisioning-page.png b/autopilot/images/troubleshoot-device-enrollment/0x80180014-error-code-pre-provisioning-page.png
deleted file mode 100644
index 13de9295cbf..00000000000
Binary files a/autopilot/images/troubleshoot-device-enrollment/0x80180014-error-code-pre-provisioning-page.png and /dev/null differ
diff --git a/autopilot/images/update-flow.png b/autopilot/images/update-flow.png
deleted file mode 100644
index c90f54e96c3..00000000000
Binary files a/autopilot/images/update-flow.png and /dev/null differ
diff --git a/autopilot/images/update1.png b/autopilot/images/update1.png
deleted file mode 100644
index 83d98a29b5b..00000000000
Binary files a/autopilot/images/update1.png and /dev/null differ
diff --git a/autopilot/images/update2.png b/autopilot/images/update2.png
deleted file mode 100644
index 04dbcaddc18..00000000000
Binary files a/autopilot/images/update2.png and /dev/null differ
diff --git a/autopilot/images/update3.png b/autopilot/images/update3.png
deleted file mode 100644
index 851adb58ec2..00000000000
Binary files a/autopilot/images/update3.png and /dev/null differ
diff --git a/autopilot/images/wg03.png b/autopilot/images/wg03.png
deleted file mode 100644
index 89ac12747c8..00000000000
Binary files a/autopilot/images/wg03.png and /dev/null differ
diff --git a/autopilot/images/wg04.png b/autopilot/images/wg04.png
deleted file mode 100644
index a59ea766b78..00000000000
Binary files a/autopilot/images/wg04.png and /dev/null differ
diff --git a/autopilot/images/wg05.png b/autopilot/images/wg05.png
deleted file mode 100644
index cea36fb6bd9..00000000000
Binary files a/autopilot/images/wg05.png and /dev/null differ
diff --git a/autopilot/images/wg06.png b/autopilot/images/wg06.png
deleted file mode 100644
index 68cd29c24dd..00000000000
Binary files a/autopilot/images/wg06.png and /dev/null differ
diff --git a/autopilot/images/wg07.png b/autopilot/images/wg07.png
deleted file mode 100644
index bc5a81bb3fb..00000000000
Binary files a/autopilot/images/wg07.png and /dev/null differ
diff --git a/autopilot/images/white-glove-result.png b/autopilot/images/white-glove-result.png
deleted file mode 100644
index de3701e76de..00000000000
Binary files a/autopilot/images/white-glove-result.png and /dev/null differ
diff --git a/autopilot/images/windows_glyph.png b/autopilot/images/windows_glyph.png
deleted file mode 100644
index 3a41d4dfb15..00000000000
Binary files a/autopilot/images/windows_glyph.png and /dev/null differ
diff --git a/autopilot/images/winsetup1.png b/autopilot/images/winsetup1.png
deleted file mode 100644
index c8048256c4f..00000000000
Binary files a/autopilot/images/winsetup1.png and /dev/null differ
diff --git a/autopilot/images/winsetup2.png b/autopilot/images/winsetup2.png
deleted file mode 100644
index 43db8443345..00000000000
Binary files a/autopilot/images/winsetup2.png and /dev/null differ
diff --git a/autopilot/images/winsetup3.png b/autopilot/images/winsetup3.png
deleted file mode 100644
index dbea3969def..00000000000
Binary files a/autopilot/images/winsetup3.png and /dev/null differ
diff --git a/autopilot/images/winsetup4.png b/autopilot/images/winsetup4.png
deleted file mode 100644
index 1121b1dff50..00000000000
Binary files a/autopilot/images/winsetup4.png and /dev/null differ
diff --git a/autopilot/images/winsetup5.png b/autopilot/images/winsetup5.png
deleted file mode 100644
index 2757253097b..00000000000
Binary files a/autopilot/images/winsetup5.png and /dev/null differ
diff --git a/autopilot/images/winsetup6.png b/autopilot/images/winsetup6.png
deleted file mode 100644
index e91843e1ff0..00000000000
Binary files a/autopilot/images/winsetup6.png and /dev/null differ
diff --git a/autopilot/images/winsetup7.png b/autopilot/images/winsetup7.png
deleted file mode 100644
index dadf85485e4..00000000000
Binary files a/autopilot/images/winsetup7.png and /dev/null differ
diff --git a/autopilot/images/winsetup8.png b/autopilot/images/winsetup8.png
deleted file mode 100644
index 9d7a499db07..00000000000
Binary files a/autopilot/images/winsetup8.png and /dev/null differ
diff --git a/autopilot/includes/allow-users-to-join.md b/autopilot/includes/allow-users-to-join.md
index b6d04467e5c..b0f079c4345 100644
--- a/autopilot/includes/allow-users-to-join.md
+++ b/autopilot/includes/allow-users-to-join.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/19/2024
diff --git a/autopilot/includes/automatic-intune-enrollment.md b/autopilot/includes/automatic-intune-enrollment.md
index b7cfd1ab669..bd24c22ba01 100644
--- a/autopilot/includes/automatic-intune-enrollment.md
+++ b/autopilot/includes/automatic-intune-enrollment.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/19/2024
diff --git a/autopilot/includes/create-assigned-device-group.md b/autopilot/includes/create-assigned-device-group.md
index 9c48c1c8e4c..2b4edc32041 100644
--- a/autopilot/includes/create-assigned-device-group.md
+++ b/autopilot/includes/create-assigned-device-group.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/27/2024
diff --git a/autopilot/includes/create-dynamic-device-group.md b/autopilot/includes/create-dynamic-device-group.md
index 301d2eb5232..936dbaa235b 100644
--- a/autopilot/includes/create-dynamic-device-group.md
+++ b/autopilot/includes/create-dynamic-device-group.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/19/2024
diff --git a/autopilot/includes/create-user-group.md b/autopilot/includes/create-user-group.md
index 54ae9a42d41..04955fadd18 100644
--- a/autopilot/includes/create-user-group.md
+++ b/autopilot/includes/create-user-group.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/03/2024
diff --git a/autopilot/includes/deregister-autopilot-device.md b/autopilot/includes/deregister-autopilot-device.md
index 12e56de47b6..08b16043753 100644
--- a/autopilot/includes/deregister-autopilot-device.md
+++ b/autopilot/includes/deregister-autopilot-device.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/28/2024
diff --git a/autopilot/includes/more-info-allow-users-to-join.md b/autopilot/includes/more-info-allow-users-to-join.md
index 932c20c8e7f..01b09b75642 100644
--- a/autopilot/includes/more-info-allow-users-to-join.md
+++ b/autopilot/includes/more-info-allow-users-to-join.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/03/2024
diff --git a/autopilot/includes/more-info-automatic-enrollment.md b/autopilot/includes/more-info-automatic-enrollment.md
index ce8eb5cb030..ea5dd570f8f 100644
--- a/autopilot/includes/more-info-automatic-enrollment.md
+++ b/autopilot/includes/more-info-automatic-enrollment.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/03/2024
diff --git a/autopilot/includes/more-info-groups.md b/autopilot/includes/more-info-groups.md
index a62645c8b71..bcba396dbdd 100644
--- a/autopilot/includes/more-info-groups.md
+++ b/autopilot/includes/more-info-groups.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/11/2024
diff --git a/autopilot/includes/registered-vs-joined.md b/autopilot/includes/registered-vs-joined.md
index d36a8c63cd5..fd750712ac4 100644
--- a/autopilot/includes/registered-vs-joined.md
+++ b/autopilot/includes/registered-vs-joined.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/19/2024
diff --git a/autopilot/index.yml b/autopilot/index.yml
index 6802e2060e2..bd70f300a18 100644
--- a/autopilot/index.yml
+++ b/autopilot/index.yml
@@ -6,7 +6,7 @@ metadata:
title: Windows Autopilot and Windows Autopilot device preparation documentation
description: Windows Autopilot and Windows Autopilot device preparation is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use.
ms.service: windows-client
- ms.subservice: itpro-deploy
+ ms.subservice: autopilot
ms.topic: landing-page
- tier1
diff --git a/autopilot/known-issues.md b/autopilot/known-issues.md
index 230819d408a..96ad2954807 100644
--- a/autopilot/known-issues.md
+++ b/autopilot/known-issues.md
@@ -2,13 +2,13 @@
title: Windows Autopilot known issues
description: Be informed about known issues that might occur during Windows Autopilot deployment. # RSS subscription is based on this description so don't change. If the description needs to change, update RSS URL in the Tip in the article.
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
ms.reviewer: jubaptis
manager: aaroncz
-ms.date: 08/08/2024
+ms.date: 08/21/2024
- M365-modern-desktop
- highpri
@@ -41,6 +41,34 @@ This article describes known issues that can often be resolved with configuratio
## Known issues
+### Auto logon for Kiosk device profile only partially fixed
+Date added: *August 21, 2024*
+The know issue of [Kiosk device profiles not auto logging in when auto logon was enabled](#kiosk-device-profile-not-auto-logging-in) was previously reported as fixed. However, there are scenarios where the issue might still occur when using autologon with Kiosks and [Assigned Access](/windows/configuration/assigned-access/overview). If multiple reboots or unexpected reboots occur during the Windows out-of-box experience (OOBE) when initially configuring the Kiosk, the autologon entries in the registry might be deleted. The issue is being investigated.
+The following workarounds are available until the issue is resolved:
+1. Apply or reapply the kiosk profile after Windows Autopilot completes.
+1. Apply the autologon registry entries either manually or via a script. For example:
+ ```cmd
+ reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AutoAdminLogon" /t REG_DWORD /d 1 /f
+ reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "DefaultDomainName" /t REG_SZ /d "." /f
+ reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "DefaultUserName" /t REG_SZ /d "kioskUser0" /f
+ ```
+1. Exclude items the required reboots during OOBE from Windows Autopilot.
+1. Manually enter the kiosk user credentials.
+For more information, see [Assigned Access recommendations - Automatic sign-in](/windows/configuration/assigned-access/recommendations#automatic-sign-in). For additional assistance, contact support.
## BitLocker encryption defaults to 128-bit when 256-bit encryption is configured
Date added: *July 8, 2024*
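Review bot: The autologon workaround added under "Auto logon for Kiosk device profile only partially fixed" gives the `reg.exe` commands without saying which devices they are meant for. `AutoAdminLogon` with `DefaultUserName` set to `kioskUser0` is automatic sign-in to an account that the existing "Kiosk device profile not auto logging in" section describes as having no password. A scoping sentence after the code block would help, for example `Apply these entries only on devices that have the kiosk profile assigned, and confirm that Assigned Access is in effect after the next restart.` Two wording defects sit in the same hunk: "The know issue" should read "The known issue", and the third workaround, `1. Exclude items the required reboots during OOBE from Windows Autopilot.`, is ungrammatical and presumably means `1. Exclude items that require reboots during OOBE from Windows Autopilot.`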
@@ -81,7 +109,8 @@ Platforms with the Infineon SLB9672 TPM with firmware release 15.22 with EK cert
### Kiosk device profile not auto logging in
-Date added: *January 30, 2023*
+Date added: *January 30, 2023*
+Date updated: *August 21, 2024*
There's currently a known issue in the following Windows Updates released in January 2023:
@@ -89,12 +118,16 @@ There's currently a known issue in the following Windows Updates released in Jan
- Windows 11, version 21H2: [KB5022287](https://support.microsoft.com/topic/january-10-2023-kb5022287-os-build-22000-1455-951898ec-2628-4d25-850e-9a44207bc139)
- Windows 10, version 22H2: [KB5022282](https://support.microsoft.com/topic/january-10-2023-kb5022282-os-builds-19042-2486-19044-2486-and-19045-2486-9587e4e3-c2d7-48a6-86e2-8cd9146b47fd)
-If these updates are installed on a device, Kiosk device profiles that have auto sign-in enabled won't auto sign in. After Autopilot completes provisioning, the device stays on the sign-in screen prompting for credentials. To work around this known issue, manually enter the kiosk user credentials with the username `kioskUser0` and no password. After the username is entered with no password, it should go to the desktop. This issue should be resolved in cumulative updates released for Windows 11 in April 2023 and Windows 10 in March 2023:
+If these updates are installed on a device, Kiosk device profiles that have auto logon enabled won't auto log on. After Autopilot completes provisioning, the device stays on the sign-in screen prompting for credentials. To work around this known issue, manually enter the kiosk user credentials with the username `kioskUser0` and no password. After the username is entered with no password, it should go to the desktop. This issue should be resolved in cumulative updates released for Windows 11 in April 2023 and Windows 10 in March 2023:
- Windows 11, version 22H2: [KB5025239](https://support.microsoft.com/topic/april-11-2023-kb5025239-os-build-22621-1555-5eaaaf42-bc4d-4881-8d38-97e0082a6982) or later.
- Windows 11, version 21H2: [KB5025224](https://support.microsoft.com/topic/april-11-2023-kb5025224-os-build-22000-1817-ebc75372-608d-4a77-a6e0-cb1e15f117fc) or later.
- Windows 10, version 22H2: [KB5023773](https://support.microsoft.com/topic/march-21-2023-kb5023773-os-builds-19042-2788-19044-2788-and-19045-2788-preview-5850ac11-dd43-4550-89ec-9e63353fef23) or later.
+> [!NOTE]
+> This issue was only partially fixed and can still occur under certain conditions. For more information, see [Auto logon for Kiosk device profile only partially fixed](#auto-logon-for-kiosk-device-profile-only-partially-fixed).
### TPM attestation isn't working on AMD platforms with ASP fTPM
Date added: *December 1, 2022*
diff --git a/autopilot/manual-registration.md b/autopilot/manual-registration.md
index 101ad806931..f9548ad43db 100644
--- a/autopilot/manual-registration.md
+++ b/autopilot/manual-registration.md
@@ -2,7 +2,7 @@
title: Manual registration of devices for Windows Autopilot
description: Manual registration overview.
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/autopilot/media/bitlocker/endpoint-security-disk-encryption-policy.png b/autopilot/media/bitlocker/endpoint-security-disk-encryption-policy.png
deleted file mode 100644
index c12bb7e68da..00000000000
Binary files a/autopilot/media/bitlocker/endpoint-security-disk-encryption-policy.png and /dev/null differ
diff --git a/autopilot/media/bitlocker/settings-catalog-drive-type.png b/autopilot/media/bitlocker/settings-catalog-drive-type.png
deleted file mode 100644
index f4aca2987cc..00000000000
Binary files a/autopilot/media/bitlocker/settings-catalog-drive-type.png and /dev/null differ
diff --git a/autopilot/media/enrollment-autopilot/assign-user.png b/autopilot/media/enrollment-autopilot/assign-user.png
deleted file mode 100644
index 0af8572b57d..00000000000
Binary files a/autopilot/media/enrollment-autopilot/assign-user.png and /dev/null differ
diff --git a/autopilot/media/enrollment-autopilot/autopilot-import-device-2.png b/autopilot/media/enrollment-autopilot/autopilot-import-device-2.png
deleted file mode 100644
index e6f9600bc6d..00000000000
Binary files a/autopilot/media/enrollment-autopilot/autopilot-import-device-2.png and /dev/null differ
diff --git a/autopilot/media/enrollment-autopilot/create-profile-basics.png b/autopilot/media/enrollment-autopilot/create-profile-basics.png
deleted file mode 100644
index 5fe045a663b..00000000000
Binary files a/autopilot/media/enrollment-autopilot/create-profile-basics.png and /dev/null differ
diff --git a/autopilot/media/enrollment-autopilot/friendly-name.png b/autopilot/media/enrollment-autopilot/friendly-name.png
deleted file mode 100644
index 5c4e2a6ae55..00000000000
Binary files a/autopilot/media/enrollment-autopilot/friendly-name.png and /dev/null differ
diff --git a/autopilot/media/enrollment-autopilot/select-user.png b/autopilot/media/enrollment-autopilot/select-user.png
deleted file mode 100644
index 79e2d457ea2..00000000000
Binary files a/autopilot/media/enrollment-autopilot/select-user.png and /dev/null differ
diff --git a/autopilot/media/windows-autopilot-hybrid/auto-enroll-azure-main.png b/autopilot/media/windows-autopilot-hybrid/auto-enroll-azure-main.png
deleted file mode 100644
index 39e850c55ed..00000000000
Binary files a/autopilot/media/windows-autopilot-hybrid/auto-enroll-azure-main.png and /dev/null differ
diff --git a/autopilot/media/windows-autopilot-hybrid/auto-enroll-mdm.png b/autopilot/media/windows-autopilot-hybrid/auto-enroll-mdm.png
deleted file mode 100644
index 33f9f208804..00000000000
Binary files a/autopilot/media/windows-autopilot-hybrid/auto-enroll-mdm.png and /dev/null differ
diff --git a/autopilot/media/windows10-autopilot-flowchart.png b/autopilot/media/windows10-autopilot-flowchart.png
deleted file mode 100644
index 878c9d483d4..00000000000
Binary files a/autopilot/media/windows10-autopilot-flowchart.png and /dev/null differ
diff --git a/autopilot/media/windows10-deployment-config-manager.png b/autopilot/media/windows10-deployment-config-manager.png
deleted file mode 100644
index 509e0417411..00000000000
Binary files a/autopilot/media/windows10-deployment-config-manager.png and /dev/null differ
diff --git a/autopilot/oem-registration.md b/autopilot/oem-registration.md
index ccf3fa55156..8f0f92b8b3e 100644
--- a/autopilot/oem-registration.md
+++ b/autopilot/oem-registration.md
@@ -2,7 +2,7 @@
title: Windows Autopilot OEM registration process
description: How OEMs add devices to Windows Autopilot.
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/autopilot/overview.md b/autopilot/overview.md
index b40ae2ef3c8..d32eecce349 100644
--- a/autopilot/overview.md
+++ b/autopilot/overview.md
@@ -2,7 +2,7 @@
title: Overview of Windows Autopilot
description: Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use.
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/autopilot/partner-registration.md b/autopilot/partner-registration.md
index 39519890168..7ac754a7251 100644
--- a/autopilot/partner-registration.md
+++ b/autopilot/partner-registration.md
@@ -2,7 +2,7 @@
title: Reseller, distributor, or partner registration of Windows Autopilot devices
description: How partners add devices to Windows Autopilot.
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/autopilot/pre-provision.md b/autopilot/pre-provision.md
index 3755f3df748..67958993f67 100644
--- a/autopilot/pre-provision.md
+++ b/autopilot/pre-provision.md
@@ -2,7 +2,7 @@
title: Windows Autopilot for pre-provisioned deployment
description: Windows Autopilot for pre-provisioned deployment.
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.localizationpriority: medium
ms.reviewer: jubaptis
manager: aaroncz
diff --git a/autopilot/profiles.md b/autopilot/profiles.md
index 2477654964c..944fbc34c41 100644
--- a/autopilot/profiles.md
+++ b/autopilot/profiles.md
@@ -1,7 +1,7 @@
title: Configure Autopilot profiles
description: Learn how to configure device profiles for Windows Autopilot deployment.
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
diff --git a/autopilot/registration-auth.md b/autopilot/registration-auth.md
index b3a04bedcf0..6c8e1c61263 100644
--- a/autopilot/registration-auth.md
+++ b/autopilot/registration-auth.md
@@ -1,7 +1,7 @@
title: Windows Autopilot customer consent
description: Learn how a cloud service provider (CSP) partner or an OEM can get customer authorization to register Windows Autopilot devices on the customer's behalf.
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
diff --git a/autopilot/registration-overview.md b/autopilot/registration-overview.md
index 15722176c7e..382a55ce285 100644
--- a/autopilot/registration-overview.md
+++ b/autopilot/registration-overview.md
@@ -2,7 +2,7 @@
title: Windows Autopilot registration overview
description: Overview of Windows Autopilot device registration.
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/autopilot/requirements.md b/autopilot/requirements.md
index 019899b45e2..7fbe6cdec2d 100644
--- a/autopilot/requirements.md
+++ b/autopilot/requirements.md
@@ -2,7 +2,7 @@
title: Windows Autopilot requirements
description: Software, Networking, Licensing, and Configuration requirements for Windows Autopilot.
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/autopilot/self-deploying.md b/autopilot/self-deploying.md
index affa15222e1..a3cc171e358 100644
--- a/autopilot/self-deploying.md
+++ b/autopilot/self-deploying.md
@@ -1,7 +1,7 @@
title: Windows Autopilot self-deploying mode
description: Self-deploying mode allows a device to be deployed with little to no user interaction. This mode is designed to deploy Windows as a kiosk, digital signage device, or a shared device.
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
diff --git a/autopilot/troubleshooting-faq.yml b/autopilot/troubleshooting-faq.yml
index 763b30ba8cd..4498640d149 100644
--- a/autopilot/troubleshooting-faq.yml
+++ b/autopilot/troubleshooting-faq.yml
@@ -3,7 +3,7 @@ metadata:
title: Windows Autopilot troubleshooting FAQ
description: Troubleshooting of common Windows Autopilot issues
ms.service: windows-client
- ms.subservice: itpro-deploy
+ ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/autopilot/tutorial/autopilot-scenarios.md b/autopilot/tutorial/autopilot-scenarios.md
index c1d9bd273b1..da3f50674ff 100644
--- a/autopilot/tutorial/autopilot-scenarios.md
+++ b/autopilot/tutorial/autopilot-scenarios.md
@@ -13,7 +13,7 @@ ms.collection:
- tier1
- highpri
- essentials-get-started
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/existing-devices/create-autopilot-task-sequence.md b/autopilot/tutorial/existing-devices/create-autopilot-task-sequence.md
index 76502d96d77..d8f0c625fa6 100644
--- a/autopilot/tutorial/existing-devices/create-autopilot-task-sequence.md
+++ b/autopilot/tutorial/existing-devices/create-autopilot-task-sequence.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/existing-devices/create-collection.md b/autopilot/tutorial/existing-devices/create-collection.md
index 0e54bd6dbd2..f7189bff124 100644
--- a/autopilot/tutorial/existing-devices/create-collection.md
+++ b/autopilot/tutorial/existing-devices/create-collection.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/existing-devices/create-json-file.md b/autopilot/tutorial/existing-devices/create-json-file.md
index 5ee57b1ab99..f96ebae258c 100644
--- a/autopilot/tutorial/existing-devices/create-json-file.md
+++ b/autopilot/tutorial/existing-devices/create-json-file.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/existing-devices/create-json-package.md b/autopilot/tutorial/existing-devices/create-json-package.md
index cf6e134bf04..a6d7703f263 100644
--- a/autopilot/tutorial/existing-devices/create-json-package.md
+++ b/autopilot/tutorial/existing-devices/create-json-package.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/existing-devices/deploy-autopilot-task-sequence.md b/autopilot/tutorial/existing-devices/deploy-autopilot-task-sequence.md
index 0f73c3fc894..f2c0ef008d9 100644
--- a/autopilot/tutorial/existing-devices/deploy-autopilot-task-sequence.md
+++ b/autopilot/tutorial/existing-devices/deploy-autopilot-task-sequence.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/existing-devices/existing-devices-workflow.md b/autopilot/tutorial/existing-devices/existing-devices-workflow.md
index fd80be62cf6..327d2dd0f83 100644
--- a/autopilot/tutorial/existing-devices/existing-devices-workflow.md
+++ b/autopilot/tutorial/existing-devices/existing-devices-workflow.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/existing-devices/install-modules.md b/autopilot/tutorial/existing-devices/install-modules.md
index c2f3b9372ab..620bb88447f 100644
--- a/autopilot/tutorial/existing-devices/install-modules.md
+++ b/autopilot/tutorial/existing-devices/install-modules.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/existing-devices/register-device.md b/autopilot/tutorial/existing-devices/register-device.md
index d143ff69129..b19f9e64262 100644
--- a/autopilot/tutorial/existing-devices/register-device.md
+++ b/autopilot/tutorial/existing-devices/register-device.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/existing-devices/run-autopilot-task-sequence.md b/autopilot/tutorial/existing-devices/run-autopilot-task-sequence.md
index b78b0203c09..00b8dc49434 100644
--- a/autopilot/tutorial/existing-devices/run-autopilot-task-sequence.md
+++ b/autopilot/tutorial/existing-devices/run-autopilot-task-sequence.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/existing-devices/setup-autopilot-profile.md b/autopilot/tutorial/existing-devices/setup-autopilot-profile.md
index 9b595f13d51..72965295914 100644
--- a/autopilot/tutorial/existing-devices/setup-autopilot-profile.md
+++ b/autopilot/tutorial/existing-devices/setup-autopilot-profile.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/existing-devices/speed-up-deployment.md b/autopilot/tutorial/existing-devices/speed-up-deployment.md
index f931978af3f..b5e7cfbc33b 100644
--- a/autopilot/tutorial/existing-devices/speed-up-deployment.md
+++ b/autopilot/tutorial/existing-devices/speed-up-deployment.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/includes/assign-autopilot-device-to-user-via-csv.md b/autopilot/tutorial/includes/assign-autopilot-device-to-user-via-csv.md
index e5fef781e43..353d71b85c7 100644
--- a/autopilot/tutorial/includes/assign-autopilot-device-to-user-via-csv.md
+++ b/autopilot/tutorial/includes/assign-autopilot-device-to-user-via-csv.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/19/2024
diff --git a/autopilot/tutorial/includes/assign-autopilot-device-to-user.md b/autopilot/tutorial/includes/assign-autopilot-device-to-user.md
index 3ed580eb432..846a5a18ec6 100644
--- a/autopilot/tutorial/includes/assign-autopilot-device-to-user.md
+++ b/autopilot/tutorial/includes/assign-autopilot-device-to-user.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/28/2024
diff --git a/autopilot/tutorial/includes/autopilot-profile-steps-after.md b/autopilot/tutorial/includes/autopilot-profile-steps-after.md
index b2617d22bba..18e9a914dd0 100644
--- a/autopilot/tutorial/includes/autopilot-profile-steps-after.md
+++ b/autopilot/tutorial/includes/autopilot-profile-steps-after.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/19/2024
diff --git a/autopilot/tutorial/includes/autopilot-profile-steps-before.md b/autopilot/tutorial/includes/autopilot-profile-steps-before.md
index f4725e771fd..2fc9ac44429 100644
--- a/autopilot/tutorial/includes/autopilot-profile-steps-before.md
+++ b/autopilot/tutorial/includes/autopilot-profile-steps-before.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/28/2024
diff --git a/autopilot/tutorial/includes/computer-account-limit.md b/autopilot/tutorial/includes/computer-account-limit.md
index ce89e9f9ab1..1a38e4ce74a 100644
--- a/autopilot/tutorial/includes/computer-account-limit.md
+++ b/autopilot/tutorial/includes/computer-account-limit.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/19/2024
diff --git a/autopilot/tutorial/includes/configure-and-assign-esp.md b/autopilot/tutorial/includes/configure-and-assign-esp.md
index a43bf9ba760..a3d827fb0d8 100644
--- a/autopilot/tutorial/includes/configure-and-assign-esp.md
+++ b/autopilot/tutorial/includes/configure-and-assign-esp.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/28/2024
diff --git a/autopilot/tutorial/includes/device-group-description.md b/autopilot/tutorial/includes/device-group-description.md
index 0e9a4dd89dc..790472c1996 100644
--- a/autopilot/tutorial/includes/device-group-description.md
+++ b/autopilot/tutorial/includes/device-group-description.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/19/2024
diff --git a/autopilot/tutorial/includes/domain-join-profile.md b/autopilot/tutorial/includes/domain-join-profile.md
index 70452a2e05a..67d21b3a657 100644
--- a/autopilot/tutorial/includes/domain-join-profile.md
+++ b/autopilot/tutorial/includes/domain-join-profile.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/19/2024
diff --git a/autopilot/tutorial/includes/import-hardware-hash.md b/autopilot/tutorial/includes/import-hardware-hash.md
index f791769d2e8..06d6707a23b 100644
--- a/autopilot/tutorial/includes/import-hardware-hash.md
+++ b/autopilot/tutorial/includes/import-hardware-hash.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/28/2024
diff --git a/autopilot/tutorial/includes/intune-connector.md b/autopilot/tutorial/includes/intune-connector.md
index a0acba2c5d3..c6c5e04f3e2 100644
--- a/autopilot/tutorial/includes/intune-connector.md
+++ b/autopilot/tutorial/includes/intune-connector.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/28/2024
diff --git a/autopilot/tutorial/includes/more-info-autopilot-profile.md b/autopilot/tutorial/includes/more-info-autopilot-profile.md
index 7f027c20cb6..558b969523d 100644
--- a/autopilot/tutorial/includes/more-info-autopilot-profile.md
+++ b/autopilot/tutorial/includes/more-info-autopilot-profile.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/19/2024
diff --git a/autopilot/tutorial/includes/more-info-computer-account-limit.md b/autopilot/tutorial/includes/more-info-computer-account-limit.md
index d60aec8ee09..b0016a1f17a 100644
--- a/autopilot/tutorial/includes/more-info-computer-account-limit.md
+++ b/autopilot/tutorial/includes/more-info-computer-account-limit.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/19/2024
diff --git a/autopilot/tutorial/includes/more-info-esp.md b/autopilot/tutorial/includes/more-info-esp.md
index 68686d52c42..48fcae2f1a8 100644
--- a/autopilot/tutorial/includes/more-info-esp.md
+++ b/autopilot/tutorial/includes/more-info-esp.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/19/2024
diff --git a/autopilot/tutorial/includes/more-info-register-device.md b/autopilot/tutorial/includes/more-info-register-device.md
index 41ff6dabde7..2eabbff384d 100644
--- a/autopilot/tutorial/includes/more-info-register-device.md
+++ b/autopilot/tutorial/includes/more-info-register-device.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/19/2024
diff --git a/autopilot/tutorial/includes/more-info-technician-flow.md b/autopilot/tutorial/includes/more-info-technician-flow.md
index 6f87c17fa31..5a9efc39447 100644
--- a/autopilot/tutorial/includes/more-info-technician-flow.md
+++ b/autopilot/tutorial/includes/more-info-technician-flow.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/19/2024
diff --git a/autopilot/tutorial/includes/more-info-user-flow.md b/autopilot/tutorial/includes/more-info-user-flow.md
index 3d6bb3c87e0..487e970d1db 100644
--- a/autopilot/tutorial/includes/more-info-user-flow.md
+++ b/autopilot/tutorial/includes/more-info-user-flow.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/19/2024
diff --git a/autopilot/tutorial/includes/network-connectivity.md b/autopilot/tutorial/includes/network-connectivity.md
index 38cb833299e..cd222bcf815 100644
--- a/autopilot/tutorial/includes/network-connectivity.md
+++ b/autopilot/tutorial/includes/network-connectivity.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/19/2024
diff --git a/autopilot/tutorial/includes/register-autopilot-device.md b/autopilot/tutorial/includes/register-autopilot-device.md
index 273dbc15c57..98e3b5312ee 100644
--- a/autopilot/tutorial/includes/register-autopilot-device.md
+++ b/autopilot/tutorial/includes/register-autopilot-device.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/28/2024
diff --git a/autopilot/tutorial/includes/technician-flow.md b/autopilot/tutorial/includes/technician-flow.md
index 8b7501cd9b6..8202c707c5e 100644
--- a/autopilot/tutorial/includes/technician-flow.md
+++ b/autopilot/tutorial/includes/technician-flow.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/19/2024
diff --git a/autopilot/tutorial/includes/tips-aadj-screens.md b/autopilot/tutorial/includes/tips-aadj-screens.md
index 3704a72a0f7..7ff86f503cf 100644
--- a/autopilot/tutorial/includes/tips-aadj-screens.md
+++ b/autopilot/tutorial/includes/tips-aadj-screens.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/19/2024
diff --git a/autopilot/tutorial/includes/tips-assignments.md b/autopilot/tutorial/includes/tips-assignments.md
index f60444bd65b..e2b0dfb10f6 100644
--- a/autopilot/tutorial/includes/tips-assignments.md
+++ b/autopilot/tutorial/includes/tips-assignments.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/19/2024
diff --git a/autopilot/tutorial/includes/tips-esp-progress.md b/autopilot/tutorial/includes/tips-esp-progress.md
index abd1ad1e2f5..4229e2e0c61 100644
--- a/autopilot/tutorial/includes/tips-esp-progress.md
+++ b/autopilot/tutorial/includes/tips-esp-progress.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/19/2024
diff --git a/autopilot/tutorial/includes/tips-haadj-lock.md b/autopilot/tutorial/includes/tips-haadj-lock.md
index 872a0f423fb..a9295c6af9d 100644
--- a/autopilot/tutorial/includes/tips-haadj-lock.md
+++ b/autopilot/tutorial/includes/tips-haadj-lock.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/19/2024
diff --git a/autopilot/tutorial/includes/tips-haadj-screens.md b/autopilot/tutorial/includes/tips-haadj-screens.md
index 4e4452226d8..7ed03f5d6b2 100644
--- a/autopilot/tutorial/includes/tips-haadj-screens.md
+++ b/autopilot/tutorial/includes/tips-haadj-screens.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/19/2024
diff --git a/autopilot/tutorial/includes/tips-pre-provision-compliance-user-flow.md b/autopilot/tutorial/includes/tips-pre-provision-compliance-user-flow.md
index 5509bac0568..e9e56ebca23 100644
--- a/autopilot/tutorial/includes/tips-pre-provision-compliance-user-flow.md
+++ b/autopilot/tutorial/includes/tips-pre-provision-compliance-user-flow.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/19/2024
diff --git a/autopilot/tutorial/includes/tips-pre-provision-wait-user-flow.md b/autopilot/tutorial/includes/tips-pre-provision-wait-user-flow.md
index 522bd32fb6e..9eccefa932a 100644
--- a/autopilot/tutorial/includes/tips-pre-provision-wait-user-flow.md
+++ b/autopilot/tutorial/includes/tips-pre-provision-wait-user-flow.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 07/23/2024
diff --git a/autopilot/tutorial/includes/tips-qr-codes.md b/autopilot/tutorial/includes/tips-qr-codes.md
index a421ca4e046..6f8b5db58d3 100644
--- a/autopilot/tutorial/includes/tips-qr-codes.md
+++ b/autopilot/tutorial/includes/tips-qr-codes.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/19/2024
diff --git a/autopilot/tutorial/includes/tips-technician-flow-inherit.md b/autopilot/tutorial/includes/tips-technician-flow-inherit.md
index 77089c338d8..b0939eab5ab 100644
--- a/autopilot/tutorial/includes/tips-technician-flow-inherit.md
+++ b/autopilot/tutorial/includes/tips-technician-flow-inherit.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/19/2024
diff --git a/autopilot/tutorial/includes/tips-technician-flow-screens.md b/autopilot/tutorial/includes/tips-technician-flow-screens.md
index f664ea1df16..1edec497528 100644
--- a/autopilot/tutorial/includes/tips-technician-flow-screens.md
+++ b/autopilot/tutorial/includes/tips-technician-flow-screens.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/19/2024
diff --git a/autopilot/tutorial/includes/verify-autopilot-profile-assignment.md b/autopilot/tutorial/includes/verify-autopilot-profile-assignment.md
index ba5366d92c2..234f294c110 100644
--- a/autopilot/tutorial/includes/verify-autopilot-profile-assignment.md
+++ b/autopilot/tutorial/includes/verify-autopilot-profile-assignment.md
@@ -2,7 +2,7 @@
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.topic: include
ms.date: 06/28/2024
diff --git a/autopilot/tutorial/pre-provisioning/azure-ad-join-allow-users-to-join.md b/autopilot/tutorial/pre-provisioning/azure-ad-join-allow-users-to-join.md
index 50351eec132..914ad4d33a7 100644
--- a/autopilot/tutorial/pre-provisioning/azure-ad-join-allow-users-to-join.md
+++ b/autopilot/tutorial/pre-provisioning/azure-ad-join-allow-users-to-join.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/pre-provisioning/azure-ad-join-assign-device-to-user.md b/autopilot/tutorial/pre-provisioning/azure-ad-join-assign-device-to-user.md
index 9dec27ad867..cb791d8abd5 100644
--- a/autopilot/tutorial/pre-provisioning/azure-ad-join-assign-device-to-user.md
+++ b/autopilot/tutorial/pre-provisioning/azure-ad-join-assign-device-to-user.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/pre-provisioning/azure-ad-join-automatic-enrollment.md b/autopilot/tutorial/pre-provisioning/azure-ad-join-automatic-enrollment.md
index 547d63c28e3..98040abf649 100644
--- a/autopilot/tutorial/pre-provisioning/azure-ad-join-automatic-enrollment.md
+++ b/autopilot/tutorial/pre-provisioning/azure-ad-join-automatic-enrollment.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/pre-provisioning/azure-ad-join-autopilot-profile.md b/autopilot/tutorial/pre-provisioning/azure-ad-join-autopilot-profile.md
index 6bc8a209233..c7ac55d8f6d 100644
--- a/autopilot/tutorial/pre-provisioning/azure-ad-join-autopilot-profile.md
+++ b/autopilot/tutorial/pre-provisioning/azure-ad-join-autopilot-profile.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/pre-provisioning/azure-ad-join-device-group.md b/autopilot/tutorial/pre-provisioning/azure-ad-join-device-group.md
index dabd1e08a78..033931c5409 100644
--- a/autopilot/tutorial/pre-provisioning/azure-ad-join-device-group.md
+++ b/autopilot/tutorial/pre-provisioning/azure-ad-join-device-group.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/pre-provisioning/azure-ad-join-esp.md b/autopilot/tutorial/pre-provisioning/azure-ad-join-esp.md
index 9b893e6f4be..fd121b9cf1d 100644
--- a/autopilot/tutorial/pre-provisioning/azure-ad-join-esp.md
+++ b/autopilot/tutorial/pre-provisioning/azure-ad-join-esp.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/pre-provisioning/azure-ad-join-register-device.md b/autopilot/tutorial/pre-provisioning/azure-ad-join-register-device.md
index 28005a24780..073272d3573 100644
--- a/autopilot/tutorial/pre-provisioning/azure-ad-join-register-device.md
+++ b/autopilot/tutorial/pre-provisioning/azure-ad-join-register-device.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/pre-provisioning/azure-ad-join-technician-flow.md b/autopilot/tutorial/pre-provisioning/azure-ad-join-technician-flow.md
index 8ec1098fa0c..d28b74f7f0f 100644
--- a/autopilot/tutorial/pre-provisioning/azure-ad-join-technician-flow.md
+++ b/autopilot/tutorial/pre-provisioning/azure-ad-join-technician-flow.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
@@ -57,7 +57,7 @@ For an overview of the Windows Autopilot for pre-provisioned deployment Microsof
## Next step: User flow
> [!div class="nextstepaction"]
-> [Step 8: User flow](azure-ad-join-user-flow.md)
+> [Step 9: User flow](azure-ad-join-user-flow.md)
## Related content
diff --git a/autopilot/tutorial/pre-provisioning/azure-ad-join-user-flow.md b/autopilot/tutorial/pre-provisioning/azure-ad-join-user-flow.md
index 762ff80a68c..8ee5af36cee 100644
--- a/autopilot/tutorial/pre-provisioning/azure-ad-join-user-flow.md
+++ b/autopilot/tutorial/pre-provisioning/azure-ad-join-user-flow.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/pre-provisioning/azure-ad-join-workflow.md b/autopilot/tutorial/pre-provisioning/azure-ad-join-workflow.md
index e480ef3b8d4..f7c88ea8768 100644
--- a/autopilot/tutorial/pre-provisioning/azure-ad-join-workflow.md
+++ b/autopilot/tutorial/pre-provisioning/azure-ad-join-workflow.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-assign-device-to-user.md b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-assign-device-to-user.md
index 1565c2501e7..e1ca668aac6 100644
--- a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-assign-device-to-user.md
+++ b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-assign-device-to-user.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-automatic-enrollment.md b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-automatic-enrollment.md
index 2afe5eee7a5..6b8bd3d8d29 100644
--- a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-automatic-enrollment.md
+++ b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-automatic-enrollment.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-autopilot-profile.md b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-autopilot-profile.md
index 9ef8cd9e01b..27bdc807fed 100644
--- a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-autopilot-profile.md
+++ b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-autopilot-profile.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-computer-account-limit.md b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-computer-account-limit.md
index 3caeee7356f..43581884b84 100644
--- a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-computer-account-limit.md
+++ b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-computer-account-limit.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-device-group.md b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-device-group.md
index 715b8426da0..4c43a0e0dca 100644
--- a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-device-group.md
+++ b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-device-group.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-domain-join-profile.md b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-domain-join-profile.md
index c7d934a9999..a1be397537e 100644
--- a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-domain-join-profile.md
+++ b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-domain-join-profile.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-esp.md b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-esp.md
index d289ed93382..b3a434baf9a 100644
--- a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-esp.md
+++ b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-esp.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-intune-connector.md b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-intune-connector.md
index 47e217f7eac..67e4a27c904 100644
--- a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-intune-connector.md
+++ b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-intune-connector.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-register-device.md b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-register-device.md
index 5c326d9341b..b5da52db97c 100644
--- a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-register-device.md
+++ b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-register-device.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-technician-flow.md b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-technician-flow.md
index c71060cf31a..8320e82e9d1 100644
--- a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-technician-flow.md
+++ b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-technician-flow.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-user-flow.md b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-user-flow.md
index 8b59922948f..97a1695b593 100644
--- a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-user-flow.md
+++ b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-user-flow.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-workflow.md b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-workflow.md
index c92da5ee749..6d9b1140576 100644
--- a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-workflow.md
+++ b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-workflow.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/reset/autopilot-reset-overview.md b/autopilot/tutorial/reset/autopilot-reset-overview.md
index c226ccb39d5..6fdd9904fe6 100644
--- a/autopilot/tutorial/reset/autopilot-reset-overview.md
+++ b/autopilot/tutorial/reset/autopilot-reset-overview.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/reset/local-autopilot-reset.md b/autopilot/tutorial/reset/local-autopilot-reset.md
index 1d79f109399..037396dae36 100644
--- a/autopilot/tutorial/reset/local-autopilot-reset.md
+++ b/autopilot/tutorial/reset/local-autopilot-reset.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/reset/remote-autopilot-reset.md b/autopilot/tutorial/reset/remote-autopilot-reset.md
index 662a642f7dc..48cc5240107 100644
--- a/autopilot/tutorial/reset/remote-autopilot-reset.md
+++ b/autopilot/tutorial/reset/remote-autopilot-reset.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/self-deploying/self-deploying-automatic-enrollment.md b/autopilot/tutorial/self-deploying/self-deploying-automatic-enrollment.md
index 704b1bcda2c..6fdb1085fb1 100644
--- a/autopilot/tutorial/self-deploying/self-deploying-automatic-enrollment.md
+++ b/autopilot/tutorial/self-deploying/self-deploying-automatic-enrollment.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/self-deploying/self-deploying-autopilot-profile.md b/autopilot/tutorial/self-deploying/self-deploying-autopilot-profile.md
index 8c3150563c7..b036e3f6905 100644
--- a/autopilot/tutorial/self-deploying/self-deploying-autopilot-profile.md
+++ b/autopilot/tutorial/self-deploying/self-deploying-autopilot-profile.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/self-deploying/self-deploying-deploy-device.md b/autopilot/tutorial/self-deploying/self-deploying-deploy-device.md
index 120ab0d9524..eeea52bf88d 100644
--- a/autopilot/tutorial/self-deploying/self-deploying-deploy-device.md
+++ b/autopilot/tutorial/self-deploying/self-deploying-deploy-device.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/self-deploying/self-deploying-device-group.md b/autopilot/tutorial/self-deploying/self-deploying-device-group.md
index 49daf27b367..cc27c806558 100644
--- a/autopilot/tutorial/self-deploying/self-deploying-device-group.md
+++ b/autopilot/tutorial/self-deploying/self-deploying-device-group.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/self-deploying/self-deploying-esp.md b/autopilot/tutorial/self-deploying/self-deploying-esp.md
index 0bc8d3d9206..2eee8d4e2f8 100644
--- a/autopilot/tutorial/self-deploying/self-deploying-esp.md
+++ b/autopilot/tutorial/self-deploying/self-deploying-esp.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/self-deploying/self-deploying-register-device.md b/autopilot/tutorial/self-deploying/self-deploying-register-device.md
index 6f99db720e3..8e6b4e59b63 100644
--- a/autopilot/tutorial/self-deploying/self-deploying-register-device.md
+++ b/autopilot/tutorial/self-deploying/self-deploying-register-device.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/self-deploying/self-deploying-workflow.md b/autopilot/tutorial/self-deploying/self-deploying-workflow.md
index 3efe4e12a9e..bc658e23b6c 100644
--- a/autopilot/tutorial/self-deploying/self-deploying-workflow.md
+++ b/autopilot/tutorial/self-deploying/self-deploying-workflow.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/user-driven/azure-ad-join-allow-users-to-join.md b/autopilot/tutorial/user-driven/azure-ad-join-allow-users-to-join.md
index de2e5c2b693..81b8312809f 100644
--- a/autopilot/tutorial/user-driven/azure-ad-join-allow-users-to-join.md
+++ b/autopilot/tutorial/user-driven/azure-ad-join-allow-users-to-join.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/user-driven/azure-ad-join-assign-device-to-user.md b/autopilot/tutorial/user-driven/azure-ad-join-assign-device-to-user.md
index 48055e2ff4f..607e2ddd533 100644
--- a/autopilot/tutorial/user-driven/azure-ad-join-assign-device-to-user.md
+++ b/autopilot/tutorial/user-driven/azure-ad-join-assign-device-to-user.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/user-driven/azure-ad-join-automatic-enrollment.md b/autopilot/tutorial/user-driven/azure-ad-join-automatic-enrollment.md
index 88ee263759b..5c6c0cdceab 100644
--- a/autopilot/tutorial/user-driven/azure-ad-join-automatic-enrollment.md
+++ b/autopilot/tutorial/user-driven/azure-ad-join-automatic-enrollment.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/user-driven/azure-ad-join-autopilot-profile.md b/autopilot/tutorial/user-driven/azure-ad-join-autopilot-profile.md
index 01553712f5d..416c6bc3c13 100644
--- a/autopilot/tutorial/user-driven/azure-ad-join-autopilot-profile.md
+++ b/autopilot/tutorial/user-driven/azure-ad-join-autopilot-profile.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/user-driven/azure-ad-join-deploy-device.md b/autopilot/tutorial/user-driven/azure-ad-join-deploy-device.md
index ae10af97155..ea26a9706bf 100644
--- a/autopilot/tutorial/user-driven/azure-ad-join-deploy-device.md
+++ b/autopilot/tutorial/user-driven/azure-ad-join-deploy-device.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/user-driven/azure-ad-join-device-group.md b/autopilot/tutorial/user-driven/azure-ad-join-device-group.md
index 6ea0130c8ce..f14db15b644 100644
--- a/autopilot/tutorial/user-driven/azure-ad-join-device-group.md
+++ b/autopilot/tutorial/user-driven/azure-ad-join-device-group.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/user-driven/azure-ad-join-esp.md b/autopilot/tutorial/user-driven/azure-ad-join-esp.md
index 026bbbacfa1..9fc9ebe144e 100644
--- a/autopilot/tutorial/user-driven/azure-ad-join-esp.md
+++ b/autopilot/tutorial/user-driven/azure-ad-join-esp.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/user-driven/azure-ad-join-register-device.md b/autopilot/tutorial/user-driven/azure-ad-join-register-device.md
index f49cef7b84f..f86017e6af8 100644
--- a/autopilot/tutorial/user-driven/azure-ad-join-register-device.md
+++ b/autopilot/tutorial/user-driven/azure-ad-join-register-device.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/user-driven/azure-ad-join-workflow.md b/autopilot/tutorial/user-driven/azure-ad-join-workflow.md
index b506eabdd71..68731176313 100644
--- a/autopilot/tutorial/user-driven/azure-ad-join-workflow.md
+++ b/autopilot/tutorial/user-driven/azure-ad-join-workflow.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/user-driven/hybrid-azure-ad-join-assign-device-to-user.md b/autopilot/tutorial/user-driven/hybrid-azure-ad-join-assign-device-to-user.md
index 6701bfe9b51..80e8026852e 100644
--- a/autopilot/tutorial/user-driven/hybrid-azure-ad-join-assign-device-to-user.md
+++ b/autopilot/tutorial/user-driven/hybrid-azure-ad-join-assign-device-to-user.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/user-driven/hybrid-azure-ad-join-automatic-enrollment.md b/autopilot/tutorial/user-driven/hybrid-azure-ad-join-automatic-enrollment.md
index 003b3ebf2cc..e540987de83 100644
--- a/autopilot/tutorial/user-driven/hybrid-azure-ad-join-automatic-enrollment.md
+++ b/autopilot/tutorial/user-driven/hybrid-azure-ad-join-automatic-enrollment.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/user-driven/hybrid-azure-ad-join-autopilot-profile.md b/autopilot/tutorial/user-driven/hybrid-azure-ad-join-autopilot-profile.md
index 297df952a7f..f13778c7514 100644
--- a/autopilot/tutorial/user-driven/hybrid-azure-ad-join-autopilot-profile.md
+++ b/autopilot/tutorial/user-driven/hybrid-azure-ad-join-autopilot-profile.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/user-driven/hybrid-azure-ad-join-computer-account-limit.md b/autopilot/tutorial/user-driven/hybrid-azure-ad-join-computer-account-limit.md
index c1384ef2de9..440f49fa5cb 100644
--- a/autopilot/tutorial/user-driven/hybrid-azure-ad-join-computer-account-limit.md
+++ b/autopilot/tutorial/user-driven/hybrid-azure-ad-join-computer-account-limit.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/user-driven/hybrid-azure-ad-join-deploy-device.md b/autopilot/tutorial/user-driven/hybrid-azure-ad-join-deploy-device.md
index 341335f9484..d094b88c0c1 100644
--- a/autopilot/tutorial/user-driven/hybrid-azure-ad-join-deploy-device.md
+++ b/autopilot/tutorial/user-driven/hybrid-azure-ad-join-deploy-device.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/user-driven/hybrid-azure-ad-join-device-group.md b/autopilot/tutorial/user-driven/hybrid-azure-ad-join-device-group.md
index 9a27ec76ad9..824be5a3d94 100644
--- a/autopilot/tutorial/user-driven/hybrid-azure-ad-join-device-group.md
+++ b/autopilot/tutorial/user-driven/hybrid-azure-ad-join-device-group.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/user-driven/hybrid-azure-ad-join-domain-join-profile.md b/autopilot/tutorial/user-driven/hybrid-azure-ad-join-domain-join-profile.md
index d443dbfa1ce..5be10d3e76a 100644
--- a/autopilot/tutorial/user-driven/hybrid-azure-ad-join-domain-join-profile.md
+++ b/autopilot/tutorial/user-driven/hybrid-azure-ad-join-domain-join-profile.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/user-driven/hybrid-azure-ad-join-esp.md b/autopilot/tutorial/user-driven/hybrid-azure-ad-join-esp.md
index daf6dd6b1bd..e65593d2ea1 100644
--- a/autopilot/tutorial/user-driven/hybrid-azure-ad-join-esp.md
+++ b/autopilot/tutorial/user-driven/hybrid-azure-ad-join-esp.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/user-driven/hybrid-azure-ad-join-intune-connector.md b/autopilot/tutorial/user-driven/hybrid-azure-ad-join-intune-connector.md
index fbab12c98a8..007a097530c 100644
--- a/autopilot/tutorial/user-driven/hybrid-azure-ad-join-intune-connector.md
+++ b/autopilot/tutorial/user-driven/hybrid-azure-ad-join-intune-connector.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/user-driven/hybrid-azure-ad-join-register-device.md b/autopilot/tutorial/user-driven/hybrid-azure-ad-join-register-device.md
index c545fea91fc..3a38510987f 100644
--- a/autopilot/tutorial/user-driven/hybrid-azure-ad-join-register-device.md
+++ b/autopilot/tutorial/user-driven/hybrid-azure-ad-join-register-device.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/tutorial/user-driven/hybrid-azure-ad-join-workflow.md b/autopilot/tutorial/user-driven/hybrid-azure-ad-join-workflow.md
index 54754a54a6e..62dbc18b1bd 100644
--- a/autopilot/tutorial/user-driven/hybrid-azure-ad-join-workflow.md
+++ b/autopilot/tutorial/user-driven/hybrid-azure-ad-join-workflow.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
- tier1
- highpri
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
- ✅ Windows 11
- ✅ Windows 10
diff --git a/autopilot/user-driven.md b/autopilot/user-driven.md
index a0d7751407d..3c96ea6a7d5 100644
--- a/autopilot/user-driven.md
+++ b/autopilot/user-driven.md
@@ -2,7 +2,7 @@
title: Windows Autopilot User-Driven Mode
description: With Windows Autopilot user-driven mode, devices can be configured to deploy to a ready-to-use state without requiring help from IT personnel.
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/autopilot/whats-new.md b/autopilot/whats-new.md
index f67f1099ee7..ca690e1231a 100644
--- a/autopilot/whats-new.md
+++ b/autopilot/whats-new.md
@@ -2,7 +2,7 @@
title: What's new in Windows Autopilot
description: News and resources about the latest updates and past versions of Windows Autopilot. # RSS subscription is based on this description so don't change. If the description needs to change, update RSS URL in the Tip in the article.
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/autopilot/windows-autopilot-hybrid.md b/autopilot/windows-autopilot-hybrid.md
index 5f8579f5747..73ada90527f 100644
--- a/autopilot/windows-autopilot-hybrid.md
+++ b/autopilot/windows-autopilot-hybrid.md
@@ -6,10 +6,10 @@ author: frankroj
ms.author: frankroj
manager: aaroncz
ms.reviewer: jubaptis
-ms.date: 06/28/2024
+ms.date: 08/22/2024
ms.topic: how-to
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.localizationpriority: medium
- M365-identity-device-management
@@ -140,7 +140,7 @@ Before beginning the installation, make sure that all of the [Intune connector s
### Install steps
-1. By default Windows Server has Internet Explorer Enhanced Security Configuration turned on. Internet Explorer Enhanced Security Configuration might cause problems singing into the Intune Connector for Active Directory. Since Internet Explorer is deprecated and in most instances, not even installed on Windows Server, Microsoft recommends to turn off Internet Explorer Enhanced Security Configuration. To turn off Internet Explorer Enhanced Security Configuration:
+1. By default Windows Server has Internet Explorer Enhanced Security Configuration turned on. Internet Explorer Enhanced Security Configuration might cause problems signing into the Intune Connector for Active Directory. Since Internet Explorer is deprecated and in most instances, not even installed on Windows Server, Microsoft recommends to turn off Internet Explorer Enhanced Security Configuration. To turn off Internet Explorer Enhanced Security Configuration:
1. On the server where the Intune Connector is being installed, open **Server Manager**.
diff --git a/autopilot/windows-autopilot-reset.md b/autopilot/windows-autopilot-reset.md
index 86c52cbe3aa..a4c332f4405 100644
--- a/autopilot/windows-autopilot-reset.md
+++ b/autopilot/windows-autopilot-reset.md
@@ -1,14 +1,14 @@
title: Windows Autopilot Reset
description: Windows Autopilot Reset takes the device back to a business-ready state, allowing the next user to sign in and get productive quickly and easily.
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
ms.reviewer: jubaptis
manager: aaroncz
-ms.date: 06/11/2024
+ms.date: 08/22/2024
- M365-modern-desktop
- highpri
@@ -36,7 +36,7 @@ The Windows Autopilot Reset process automatically keeps information from the exi
- Provisioning packages previously applied to the device.
- A provisioning package present on a USB drive when the reset process is started.
- Microsoft Entra device membership and mobile device management (MDM) enrollment information.
-- System Center Endpoint Protection (SCEP) certificates.
+- Simple Certificate Enrollment Protocol (SCEP) certificates.
Windows Autopilot Reset blocks the user from accessing the desktop until this information is restored, including reapplying any provisioning packages. For devices enrolled in an MDM service, Windows Autopilot Reset also blocks until an MDM sync is completed. When Autopilot reset is used on a device, the device's primary user is removed. The next user who signs in after the reset will be set as the primary user.
diff --git a/autopilot/windows-autopilot-scenarios.md b/autopilot/windows-autopilot-scenarios.md
index bc6700e0deb..6846ae50ec3 100644
--- a/autopilot/windows-autopilot-scenarios.md
+++ b/autopilot/windows-autopilot-scenarios.md
@@ -2,7 +2,7 @@
title: Windows Autopilot scenarios and capabilities
description: Follow along with several typical Windows Autopilot deployment scenarios, such as redeploying a device in a business-ready state.
ms.service: windows-client
-ms.subservice: itpro-deploy
+ms.subservice: autopilot
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/memdocs/analytics/advanced-endpoint-analytics.md b/memdocs/analytics/advanced-endpoint-analytics.md
index 1e1ebbb4848..9f308a406b1 100644
--- a/memdocs/analytics/advanced-endpoint-analytics.md
+++ b/memdocs/analytics/advanced-endpoint-analytics.md
@@ -80,4 +80,5 @@ For more information, go to:
- [Device scopes](device-scopes.md)
- [Enhanced device timeline](enhanced-device-timeline.md)
- [Battery health](battery-health.md)
-- [Device query](device-query.md)
\ No newline at end of file
+- [Device query](device-query.md)
+- [Resource Performance report](resource-performance-report.md)
\ No newline at end of file
diff --git a/memdocs/analytics/device-scopes.md b/memdocs/analytics/device-scopes.md
index f77f6f0ca07..ceb0b8b2029 100644
--- a/memdocs/analytics/device-scopes.md
+++ b/memdocs/analytics/device-scopes.md
@@ -102,4 +102,5 @@ For more information, go to:
- [Enhanced device timeline](enhanced-device-timeline.md)
- [Anomaly detection](anomaly-detection.md)
- [What is Intune Advanced Analytics](advanced-endpoint-analytics.md)
-- [Battery health](battery-health.md)
\ No newline at end of file
+- [Battery health](battery-health.md)
+- [Resource Performance report](resource-performance-report.md)
\ No newline at end of file
diff --git a/memdocs/analytics/media/anomaly-detection/device-timeline.png b/memdocs/analytics/media/anomaly-detection/device-timeline.png
deleted file mode 100644
index 9711f845267..00000000000
Binary files a/memdocs/analytics/media/anomaly-detection/device-timeline.png and /dev/null differ
diff --git a/memdocs/analytics/media/resource-perf-report/report-home.png b/memdocs/analytics/media/resource-perf-report/report-home.png
new file mode 100644
index 00000000000..79000958952
Binary files /dev/null and b/memdocs/analytics/media/resource-perf-report/report-home.png differ
diff --git a/memdocs/analytics/media/resource-perf-report/rp-report.png b/memdocs/analytics/media/resource-perf-report/rp-report.png
new file mode 100644
index 00000000000..74f035b20ba
Binary files /dev/null and b/memdocs/analytics/media/resource-perf-report/rp-report.png differ
diff --git a/memdocs/analytics/media/resource-perf-report/select-device.png b/memdocs/analytics/media/resource-perf-report/select-device.png
new file mode 100644
index 00000000000..545415a2b51
Binary files /dev/null and b/memdocs/analytics/media/resource-perf-report/select-device.png differ
diff --git a/memdocs/analytics/resource-performance-report.md b/memdocs/analytics/resource-performance-report.md
new file mode 100644
index 00000000000..d6b4af225b1
--- /dev/null
+++ b/memdocs/analytics/resource-performance-report.md
@@ -0,0 +1,171 @@
+title: Resource Performance report in Microsoft Intune Advanced Analytics
+titleSuffix: Microsoft Intune
+description: This article provides an overview of the resource performance report for cloud-managed Windows devices
+ms.date: 08/19/2024
+ms.service: microsoft-intune
+ms.subservice: endpoint-analytics
+ms.topic: conceptual
+author: Smritib17
+ms.author: smbhardwaj
+manager: dougeby
+ms.localizationpriority: high
+# Resource Performance report in Microsoft Intune Advanced Analytics
+The resource performance report provides visibility into the performance of processors and RAM in cloud-managed Windows devices and its influence on user experience.
+The score helps you identify emerging hardware issues that might be impacting user productivity so you can proactively make improvements before users generate support tickets.
+The insights show not only how much your score can improve by upgrading the CPU or RAM in affected devices, but also help you identify resources for replacement before warranties expire.
+## License requirements
+With a Windows 365 license, you get access to this report for the Cloud PCs in your organization.
+However, the report for physical devices is part of Intune Advanced Analytics and is included as an Intune-add on under [Microsoft Intune Suite](../intune/fundamentals/intune-add-ons.md) and requires an extra cost to the licensing options that include Microsoft Intune.
+## Prerequisites
+For Advanced Analytics capabilities, including resource performance, devices should be cloud-managed; either Intune-only managed or Co-managed.
+After [enrollment](enroll-intune.md), client devices require a restart to fully enable all analytics.
+> [!NOTE]
+> It may take up to 48 hours after you buy licenses or start a trial to see Resource performance data in your tenant.
+> [!NOTE]
+> Resource performance report is currently not supported in US Government Community Cloud (GCC) High or U.S. Department of Defense (DoD) environments.
+## Resource performance report
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+2. Select **Report** > **Endpoint analytics** > **Resource performance**.
+3. The Resource performance report page shows a **Resource performance score** tab, **Device performance** tab, and a **Model performance** tab. For more information on each of the tabs, see [Reporting Tabs](#reporting-tabs).
+:::image type="content" source="media/resource-perf-report/report-home.png" lightbox="media/resource-perf-report/report-home.png" alt-text="This is a screenshot of the Resource performance report page":::
+## Resource performance score
+The Resource performance score provides an overall performance rating (from 0 to 100) of CPU and RAM for your organization’s Windows physical devices and Cloud PCs.
+This score is a weighted average of CPU spike time score and RAM Spike time score.
+This score helps identify device resources that need to be replaced to improve user experience and boost productivity.
+#### CPU spike time score
+The CPU spike time score (from 0 to 100) is assigned based on the device’s usage duration and the CPU spike time %, which is the percentage of the usage duration in which the device experiences CPU spikes. High usage and spikes indicate a poor experience with the device and result in low scores. Conversely, low spikes indicate a good experience with the device and result in high scores.
+**CPU spike time %**: The daily metric trends graph plots the ratio of CPU spike times to total usage time. This CPU spike % data is averaged over a 14-day period ending on the date at the bottom of the graph.
+Usage over 50% is considered a spike.
+- To improve the performance of CPU in Windows physical devices, you could upgrade the processors by increasing the number of cores or the clock speed, optimize the operating system or adjust power settings.
+- To improve the performance of CPU in Cloud PCs, you could upgrade to a higher configuration of Cloud PCs.
+#### RAM spike time score
+The RAM spike time score (from 0 to 100) is assigned based on the device’s usage duration and the RAM spike time %, which is the percentage of the usage duration in which the device experiences RAM spikes. High usage and spikes indicate a poor experience with the device and result in low scores. Conversely, low spikes indicate a good experience with the device and result in high scores.
+**RAM spike time %**: The daily metric trends graph plots the ratio of RAM spike times to total usage time. This RAM spike % data is averaged over a 14-day period ending on the date at the bottom of the graph. Usage over 50% is considered a spike.
+ - To improve the performance of RAM in Windows physical devices, you could add more RAM, upgrade to higher-speed RAM, or modify UEFI/BIOS settings to optimize utilization.
+ - To improve the performance of RAM in Cloud PCs, you could upgrade to a higher configuration of Cloud PCs.
+**Baseline** helps you see if you're meeting goals. You can set the baseline to the organizational median or a custom value.
+**Insights and recommendations** suggest actions that you can take to improve your scores.
+## Insights and recommendations
+The Resource performance page provides a prioritized list of insights and recommendations, described in this section:
+#### High CPU usage in physical devices
+These Windows physical devices experience higher CPU spike % than the rest of the devices in your organization, resulting in poor user experience and lower productivity.
+This category has two sub-categories:
+1. Physical devices that experience high CPU spike %.
+2. Physical device models that experience high CPU spike %.
+Besides giving visibility into devices that aren’t supporting your user’s goals, these insights also allow you to identify devices with underperforming CPUs that are within warranty and eligible for replacement.
+#### High RAM usage in physical devices
+These Windows physical devices experience higher RAM spike % than the rest of the devices in your organization, resulting in poor user experience and lower productivity.
+This category has two sub-categories: (1) physical devices that experience high RAM spike % and (2) physical device models that experience high RAM spike %.
+Besides giving visibility into devices that aren’t supporting your user’s goals, these insights also allow you to identify devices with underperforming RAM that are within warranty and eligible for replacement.
+#### Cloud PCs
+These Windows 365 Cloud PCs experience higher CPU or RAM spike % than the rest of the devices in your organization, resulting in poor user experience and lower productivity.
+These insights provide visibility into Cloud PCs that aren’t supporting your user’s goals. Upgrading these devices to a higher configuration of Cloud PCs will improve the user experience.
+## Reporting tabs
+The Resource performance page has reporting tabs that provide support for insights.
+The tabs are:
+- Device performance
+- Model performance
+#### Device performance tab
+This tab provides CPU and RAM performance metrics and scores for all your Windows physical and Cloud PC devices. You can sort by a particular metric (for example, CPU spike time %) to see which devices have the worst scores for that metric to help with troubleshooting. You can filter the list of devices based on a range of a particular metric (for example, devices with RAM spike time score between 0 and 40). You can also search for a device by name.
+#### Model performance tab
+This tab lets you see the CPU and RAM performance metrics and scores by device model, which can help you identify whether problems are isolated to particular models.
+## Device-level details
+To get details on a specific Windows device in your organization, you can select a device’s name in the **Device performance** tab. You can also use the filters or search for a device to view the row corresponding to the device you're interested in learning more about.
+:::image type="content" source="media/resource-perf-report/select-device.png" lightbox="media/resource-perf-report/select-device.png" alt-text="In the Device Performance tab, use filters or search for a device to view the device details":::
+The device-level details page includes the CPU and RAM spike-time history over the last 14 days for which this data is available. The page also includes device details such as model, manufacturer, processor name, number of processor cores, the processor base speed, RAM, and disk type.
+:::image type="content" source="media/resource-perf-report/rp-report.png" lightbox="media/resource-perf-report/rp-report.png" alt-text="This is a screenshot of device levels details":::
+## Limitations
+- Some data points in the report might show **--** when not available. When you export the report, data points that aren't available appear as **-1** in the generated .csv file.
+- Health status appears differently in the report and the exported .csv
+ - **HealthStatus .csv value**:
+ - `0`: Unknown
+ - `1`: Insufficient data
+ - `2`: Needs attention
+ - `3`: Meeting goals
+- Some columns such as ResourcePerfScore and TotalRamInMB in the generated .csv file have data type double whereas the corresponding columns Resource performance score and RAM in the report have data type int.
+- Column MachineType in the generated .csv file can take values Physical, CPC, and Others whereas the corresponding column Device Type in the report takes values physical, virtual, and unknown respectively.
+## Next steps
+For more information, go to:
+- [What is Intune Advanced Analytics](advanced-endpoint-analytics.md)
+- [Use Intune Suite add-on capabilities](../intune/fundamentals/intune-add-ons.md)
+- [Device scopes](device-scopes.md)
+- [Device query](device-query.md)
+- [Battery health](battery-health.md)
diff --git a/memdocs/analytics/toc.yml b/memdocs/analytics/toc.yml
index 2260f9341b1..682e35732ed 100644
--- a/memdocs/analytics/toc.yml
+++ b/memdocs/analytics/toc.yml
@@ -22,7 +22,9 @@ items:
- name: Data platform schema
href: data-platform-schema.md
- name: Battery health
- href: battery-health.md
+ href: battery-health.md
+ - name: Resource Performance
+ href: resource-performance-report.md
- name: Quickstarts
- name: Enroll Intune devices
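Review bot: The added `- name: Resource Performance` entry uses title case, while the sibling entries visible in this hunk (`Data platform schema`, `Battery health`) use sentence case; `- name: Resource performance` would match them. The `href: battery-health.md` line is removed and re-added with no visible text change, so it is presumably a whitespace-only edit; it is worth confirming that it strips trailing whitespace rather than introducing it. The `items:` list this entry belongs to starts and continues outside the hunk, so the nesting level of the new entry cannot be checked from here.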
diff --git a/memdocs/configmgr/comanage/media/properties-workloads.png b/memdocs/configmgr/comanage/media/properties-workloads.png
deleted file mode 100644
index 23f6e5b85d2..00000000000
Binary files a/memdocs/configmgr/comanage/media/properties-workloads.png and /dev/null differ
diff --git a/memdocs/configmgr/core/get-started/2019/includes/1911/4960084.md b/memdocs/configmgr/core/get-started/2019/includes/1911/4960084.md
index aafa83b0843..0c266983e01 100644
--- a/memdocs/configmgr/core/get-started/2019/includes/1911/4960084.md
+++ b/memdocs/configmgr/core/get-started/2019/includes/1911/4960084.md
@@ -22,7 +22,7 @@ Microsoft Intune family of products is an integrated solution for managing all o
The following Microsoft management solutions are all now part of the **Microsoft Intune** brand:
- [Configuration Manager](/configmgr)
-- [Intune](/intune)
+- [Intune](/mem/intune/fundamentals/account-sign-up)
- [Desktop Analytics](../../../../../desktop-analytics/overview.md)
- [Autopilot](/intune/enrollment/enrollment-autopilot)
- Other features in the [Device Management Admin Console](https://techcommunity.microsoft.com/t5/enterprise-mobility-security/microsoft-intune-rolls-out-an-improved-streamlined-endpoint/ba-p/937760)
diff --git a/memdocs/configmgr/core/misc/media/overview-page.png b/memdocs/configmgr/core/misc/media/overview-page.png
deleted file mode 100644
index 0243e8c6f53..00000000000
Binary files a/memdocs/configmgr/core/misc/media/overview-page.png and /dev/null differ
diff --git a/memdocs/configmgr/core/misc/media/proactive-remediations-create.png b/memdocs/configmgr/core/misc/media/proactive-remediations-create.png
deleted file mode 100644
index e181cfe36c8..00000000000
Binary files a/memdocs/configmgr/core/misc/media/proactive-remediations-create.png and /dev/null differ
diff --git a/memdocs/configmgr/core/misc/media/proactive-remediations-device-status.png b/memdocs/configmgr/core/misc/media/proactive-remediations-device-status.png
deleted file mode 100644
index 4ffe66a3986..00000000000
Binary files a/memdocs/configmgr/core/misc/media/proactive-remediations-device-status.png and /dev/null differ
diff --git a/memdocs/configmgr/core/misc/media/proactive-remediations-report-overview.png b/memdocs/configmgr/core/misc/media/proactive-remediations-report-overview.png
deleted file mode 100644
index 38e02a8faba..00000000000
Binary files a/memdocs/configmgr/core/misc/media/proactive-remediations-report-overview.png and /dev/null differ
diff --git a/memdocs/configmgr/core/misc/media/proactive-remediations-script-settings.png b/memdocs/configmgr/core/misc/media/proactive-remediations-script-settings.png
deleted file mode 100644
index 0dc7612ae9a..00000000000
Binary files a/memdocs/configmgr/core/misc/media/proactive-remediations-script-settings.png and /dev/null differ
diff --git a/memdocs/configmgr/core/misc/media/recommended-software.png b/memdocs/configmgr/core/misc/media/recommended-software.png
deleted file mode 100644
index dea56fd79f5..00000000000
Binary files a/memdocs/configmgr/core/misc/media/recommended-software.png and /dev/null differ
diff --git a/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1910.md b/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1910.md
index 3d9cec79770..a19c65d8522 100644
--- a/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1910.md
+++ b/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1910.md
@@ -38,7 +38,7 @@ The Microsoft Intune family of products is an integrated solution for managing a
The following Microsoft management solutions are all now part of the Microsoft Intune family of products:
- [Configuration Manager](/configmgr)
-- [Intune](/intune)
+- [Intune](/mem/intune/fundamentals/account-sign-up)
- [Desktop Analytics](../../../desktop-analytics/overview.md)
- [Autopilot](/intune/enrollment/enrollment-autopilot)
- Other features in the [Device Management Admin Console](https://techcommunity.microsoft.com/t5/enterprise-mobility-security/microsoft-intune-rolls-out-an-improved-streamlined-endpoint/ba-p/937760)
diff --git a/memdocs/configmgr/core/plan-design/hierarchy/media/ports.png b/memdocs/configmgr/core/plan-design/hierarchy/media/ports.png
deleted file mode 100644
index a842720c901..00000000000
Binary files a/memdocs/configmgr/core/plan-design/hierarchy/media/ports.png and /dev/null differ
diff --git a/memdocs/configmgr/core/servers/manage/powerbi-report-server.md b/memdocs/configmgr/core/servers/manage/powerbi-report-server.md
index df5f1b0acbb..4b562ad8ae9 100644
--- a/memdocs/configmgr/core/servers/manage/powerbi-report-server.md
+++ b/memdocs/configmgr/core/servers/manage/powerbi-report-server.md
@@ -42,7 +42,7 @@ Save Power BI Desktop report files (.PBIX) and deploy them to the Power BI Repor
> When using Configuration Manager version 2111 or earlier with Power BI Desktop (Optimized for Power BI Report Server - May 2021) or later, you may notice the following behavior:
> - You might experience delays updating the data source on newly updated reports.
> - You may receive `The remote server returned an error; (400) Bad Request.` errors in the **SRSRP.log**.
- > For more information about the relevant change to Power BI Desktop (optimized for Power BI Report Server) May 2021, see [Change data source connection strings in Power BI reports](/power-bi/report-server/connect-data-source-apis). The version before the connection change ocurred is [January 2021](https://www.microsoft.com/download/details.aspx?id=55330).
+ > For more information about the relevant change to Power BI Desktop (optimized for Power BI Report Server) May 2021, see [Change data source connection strings in Power BI reports](/power-bi/report-server/connect-data-source-apis). The version before the connection change ocurred is January 2021.
- Power BI integration uses the same role-based administration for reporting.
- Power BI Report Server doesn't support reports that are enabled for role-based access. All report viewers will see the same results, whatever their assigned scope.
diff --git a/memdocs/configmgr/core/servers/manage/powerbi-sample-reports.md b/memdocs/configmgr/core/servers/manage/powerbi-sample-reports.md
index bb266095bb3..6e6afaad898 100644
--- a/memdocs/configmgr/core/servers/manage/powerbi-sample-reports.md
+++ b/memdocs/configmgr/core/servers/manage/powerbi-sample-reports.md
@@ -24,13 +24,13 @@ You can integrate [Power BI Report Server](/power-bi/report-server/get-started)
- Configuration Manager reporting services point with [Power BI Report Server integrated](powerbi-report-server.md)
-- Microsoft Power BI Desktop (Optimized for Power BI Report Server). Use a version released between September 2019 and [January 2021](https://www.microsoft.com/download/details.aspx?id=55330). For versioning information, see the [Change log for Power BI Report Server](/power-bi/report-server/changelog).
+- Microsoft Power BI Desktop (Optimized for Power BI Report Server). Use a version released between September 2019 and January 2021. For versioning information, see the [Change log for Power BI Report Server](/power-bi/report-server/changelog).
> Use versions of Power BI Desktop:
> - That are from the [Microsoft Download Center](https://www.microsoft.com/download/). Don't use a version from the Microsoft Store
> - [That states they're **Optimized for Power BI Report Server**](/power-bi/report-server/install-powerbi-desktop). Don't use versions that aren't **Optimized for Power BI Report Server**.
- > - That were released no earlier than September 2019 and no later than January 2021. [Microsoft Power BI Desktop (Optimized for Power BI Report Server - January 2021)](https://www.microsoft.com/download/details.aspx?id=55330) is recommended.
+ > - That were released no earlier than September 2019 and no later than January 2021. Microsoft Power BI Desktop (Optimized for Power BI Report Server - January 2021) is recommended.
## Download the sample reports
diff --git a/memdocs/configmgr/develop/core/understand/media/powershellv5window.png b/memdocs/configmgr/develop/core/understand/media/powershellv5window.png
deleted file mode 100644
index f6edfd4c628..00000000000
Binary files a/memdocs/configmgr/develop/core/understand/media/powershellv5window.png and /dev/null differ
diff --git a/memdocs/configmgr/mdt/media/TroubleshootingReference1.jpg b/memdocs/configmgr/mdt/media/TroubleshootingReference1.jpg
deleted file mode 100644
index 73afb00c1c0..00000000000
Binary files a/memdocs/configmgr/mdt/media/TroubleshootingReference1.jpg and /dev/null differ
diff --git a/memdocs/configmgr/mdt/media/TroubleshootingReference10.jpg b/memdocs/configmgr/mdt/media/TroubleshootingReference10.jpg
deleted file mode 100644
index 8d208386f8b..00000000000
Binary files a/memdocs/configmgr/mdt/media/TroubleshootingReference10.jpg and /dev/null differ
diff --git a/memdocs/configmgr/mdt/media/TroubleshootingReference11.jpg b/memdocs/configmgr/mdt/media/TroubleshootingReference11.jpg
deleted file mode 100644
index 66b0ac08090..00000000000
Binary files a/memdocs/configmgr/mdt/media/TroubleshootingReference11.jpg and /dev/null differ
diff --git a/memdocs/configmgr/mdt/media/TroubleshootingReference12.jpg b/memdocs/configmgr/mdt/media/TroubleshootingReference12.jpg
deleted file mode 100644
index 53487a8ec11..00000000000
Binary files a/memdocs/configmgr/mdt/media/TroubleshootingReference12.jpg and /dev/null differ
diff --git a/memdocs/configmgr/mdt/media/TroubleshootingReference13.jpg b/memdocs/configmgr/mdt/media/TroubleshootingReference13.jpg
deleted file mode 100644
index 79a470bffe1..00000000000
Binary files a/memdocs/configmgr/mdt/media/TroubleshootingReference13.jpg and /dev/null differ
diff --git a/memdocs/configmgr/mdt/media/TroubleshootingReference14.jpg b/memdocs/configmgr/mdt/media/TroubleshootingReference14.jpg
deleted file mode 100644
index 5d66e26cca7..00000000000
Binary files a/memdocs/configmgr/mdt/media/TroubleshootingReference14.jpg and /dev/null differ
diff --git a/memdocs/configmgr/mdt/media/TroubleshootingReference15.jpg b/memdocs/configmgr/mdt/media/TroubleshootingReference15.jpg
deleted file mode 100644
index 5ed4b06fcbf..00000000000
Binary files a/memdocs/configmgr/mdt/media/TroubleshootingReference15.jpg and /dev/null differ
diff --git a/memdocs/configmgr/mdt/media/TroubleshootingReference16.jpg b/memdocs/configmgr/mdt/media/TroubleshootingReference16.jpg
deleted file mode 100644
index 03eaad77813..00000000000
Binary files a/memdocs/configmgr/mdt/media/TroubleshootingReference16.jpg and /dev/null differ
diff --git a/memdocs/configmgr/mdt/media/TroubleshootingReference17.jpg b/memdocs/configmgr/mdt/media/TroubleshootingReference17.jpg
deleted file mode 100644
index fb81c768d51..00000000000
Binary files a/memdocs/configmgr/mdt/media/TroubleshootingReference17.jpg and /dev/null differ
diff --git a/memdocs/configmgr/mdt/media/TroubleshootingReference18.jpg b/memdocs/configmgr/mdt/media/TroubleshootingReference18.jpg
deleted file mode 100644
index 58191fe5058..00000000000
Binary files a/memdocs/configmgr/mdt/media/TroubleshootingReference18.jpg and /dev/null differ
diff --git a/memdocs/configmgr/mdt/media/TroubleshootingReference19.jpg b/memdocs/configmgr/mdt/media/TroubleshootingReference19.jpg
deleted file mode 100644
index 32ba99add2b..00000000000
Binary files a/memdocs/configmgr/mdt/media/TroubleshootingReference19.jpg and /dev/null differ
diff --git a/memdocs/configmgr/mdt/media/TroubleshootingReference2.jpg b/memdocs/configmgr/mdt/media/TroubleshootingReference2.jpg
deleted file mode 100644
index aeee0aff5da..00000000000
Binary files a/memdocs/configmgr/mdt/media/TroubleshootingReference2.jpg and /dev/null differ
diff --git a/memdocs/configmgr/mdt/media/TroubleshootingReference20.jpg b/memdocs/configmgr/mdt/media/TroubleshootingReference20.jpg
deleted file mode 100644
index c39493a659f..00000000000
Binary files a/memdocs/configmgr/mdt/media/TroubleshootingReference20.jpg and /dev/null differ
diff --git a/memdocs/configmgr/mdt/media/TroubleshootingReference21.jpg b/memdocs/configmgr/mdt/media/TroubleshootingReference21.jpg
deleted file mode 100644
index f6cd08e16f7..00000000000
Binary files a/memdocs/configmgr/mdt/media/TroubleshootingReference21.jpg and /dev/null differ
diff --git a/memdocs/configmgr/mdt/media/TroubleshootingReference22.jpg b/memdocs/configmgr/mdt/media/TroubleshootingReference22.jpg
deleted file mode 100644
index 7b4d2bd0584..00000000000
Binary files a/memdocs/configmgr/mdt/media/TroubleshootingReference22.jpg and /dev/null differ
diff --git a/memdocs/configmgr/mdt/media/TroubleshootingReference23.jpg b/memdocs/configmgr/mdt/media/TroubleshootingReference23.jpg
deleted file mode 100644
index 0f26b641832..00000000000
Binary files a/memdocs/configmgr/mdt/media/TroubleshootingReference23.jpg and /dev/null differ
diff --git a/memdocs/configmgr/mdt/media/TroubleshootingReference24.jpg b/memdocs/configmgr/mdt/media/TroubleshootingReference24.jpg
deleted file mode 100644
index a922b783786..00000000000
Binary files a/memdocs/configmgr/mdt/media/TroubleshootingReference24.jpg and /dev/null differ
diff --git a/memdocs/configmgr/mdt/media/TroubleshootingReference25.jpg b/memdocs/configmgr/mdt/media/TroubleshootingReference25.jpg
deleted file mode 100644
index 22a359c0489..00000000000
Binary files a/memdocs/configmgr/mdt/media/TroubleshootingReference25.jpg and /dev/null differ
diff --git a/memdocs/configmgr/mdt/media/TroubleshootingReference3.jpg b/memdocs/configmgr/mdt/media/TroubleshootingReference3.jpg
deleted file mode 100644
index 0b525090c5c..00000000000
Binary files a/memdocs/configmgr/mdt/media/TroubleshootingReference3.jpg and /dev/null differ
diff --git a/memdocs/configmgr/mdt/media/TroubleshootingReference4.jpg b/memdocs/configmgr/mdt/media/TroubleshootingReference4.jpg
deleted file mode 100644
index 77c0af7ebd5..00000000000
Binary files a/memdocs/configmgr/mdt/media/TroubleshootingReference4.jpg and /dev/null differ
diff --git a/memdocs/configmgr/mdt/media/TroubleshootingReference5.jpg b/memdocs/configmgr/mdt/media/TroubleshootingReference5.jpg
deleted file mode 100644
index 71b695e8b05..00000000000
Binary files a/memdocs/configmgr/mdt/media/TroubleshootingReference5.jpg and /dev/null differ
diff --git a/memdocs/configmgr/mdt/media/TroubleshootingReference6.jpg b/memdocs/configmgr/mdt/media/TroubleshootingReference6.jpg
deleted file mode 100644
index 4e33ea1ece2..00000000000
Binary files a/memdocs/configmgr/mdt/media/TroubleshootingReference6.jpg and /dev/null differ
diff --git a/memdocs/configmgr/mdt/media/TroubleshootingReference7.jpg b/memdocs/configmgr/mdt/media/TroubleshootingReference7.jpg
deleted file mode 100644
index ccbf7a3324c..00000000000
Binary files a/memdocs/configmgr/mdt/media/TroubleshootingReference7.jpg and /dev/null differ
diff --git a/memdocs/configmgr/mdt/media/TroubleshootingReference8.jpg b/memdocs/configmgr/mdt/media/TroubleshootingReference8.jpg
deleted file mode 100644
index 657aed3a2c7..00000000000
Binary files a/memdocs/configmgr/mdt/media/TroubleshootingReference8.jpg and /dev/null differ
diff --git a/memdocs/configmgr/mdt/media/TroubleshootingReference9.jpg b/memdocs/configmgr/mdt/media/TroubleshootingReference9.jpg
deleted file mode 100644
index 0ddf5bb91b4..00000000000
Binary files a/memdocs/configmgr/mdt/media/TroubleshootingReference9.jpg and /dev/null differ
diff --git a/memdocs/configmgr/sum/deploy-use/media/13507410-sum-adrfolder.png b/memdocs/configmgr/sum/deploy-use/media/13507410-sum-adrfolder.png
deleted file mode 100644
index 4d5b07163ab..00000000000
Binary files a/memdocs/configmgr/sum/deploy-use/media/13507410-sum-adrfolder.png and /dev/null differ
diff --git a/memdocs/configmgr/sum/get-started/media/import-catalog-update-into-wsus.png b/memdocs/configmgr/sum/get-started/media/import-catalog-update-into-wsus.png
deleted file mode 100644
index b1c19c30900..00000000000
Binary files a/memdocs/configmgr/sum/get-started/media/import-catalog-update-into-wsus.png and /dev/null differ
diff --git a/memdocs/configmgr/sum/get-started/media/wsus-console-import-updates.png b/memdocs/configmgr/sum/get-started/media/wsus-console-import-updates.png
deleted file mode 100644
index 436348f9fed..00000000000
Binary files a/memdocs/configmgr/sum/get-started/media/wsus-console-import-updates.png and /dev/null differ
diff --git a/memdocs/endpoint-manager-overview.md b/memdocs/endpoint-manager-overview.md
index ef76cb7a34c..2d6686dd13f 100644
--- a/memdocs/endpoint-manager-overview.md
+++ b/memdocs/endpoint-manager-overview.md
@@ -7,7 +7,7 @@ keywords:
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 11/03/2023
+ms.date: 08/20/2024
ms.topic: overview
ms.service: microsoft-intune
@@ -34,7 +34,7 @@ ms.collection:
This article provides an overview of endpoint management solutions at Microsoft.
-:::image type="content" source="./media/endpoint-management-microsoft.png" alt-text="Endpoint management for Microsoft includes Microsoft Intune, Windows Autopilot and Endpoint analytics. It also integrates with Microsoft Entra ID, on-premises Configuration Manager, mobile threat defense partners, Security Copilot, Microsoft 365 apps and more." lightbox="./media/endpoint-management-microsoft.png":::
+:::image type="content" source="./media/endpoint-management-microsoft.png" alt-text="Endpoint management for Microsoft includes Microsoft Intune, Windows Autopilot, and Endpoint analytics. It integrates with Microsoft Entra ID, on-premises Configuration Manager, mobile threat defense partners, Security Copilot, and Microsoft 365 apps." lightbox="./media/endpoint-management-microsoft.png":::
## Microsoft Intune
@@ -48,13 +48,14 @@ Microsoft Intune is a family of products and services. The Intune family include
These products and services offer a **cloud-based unified endpoint management** solution. It simplifies management across multiple operating systems, cloud, on-premises, mobile, desktop, and virtualized endpoints. It also:
-- **Supports data protection on company-owned and bring your own devices** through non-intrusive mobile application management.
+- Uses the Intune service for **cloud-native mobile device management (MDM) and mobile application management (MAM)**. End users and devices only need internet access; no need for on-premises infrastructure.
+- **Supports data protection on company-owned and bring your own devices** through nonintrusive mobile application management.
- Empowers organizations to **provide data protection and endpoint compliance** that support a Zero Trust security model.
- Brings together **device visibility, endpoint security, and data-driven insights** to increase IT efficiency. In hybrid work environments, admin tasks and end user experiences are improved.
-Intune integrates with other services, including Azure Active Directory (AD), on-premises Configuration Manager, mobile threat defense (MTD) apps & services, Win32 & custom LOB apps, and more.
+Intune integrates with other services, including Microsoft Entra, on-premises Configuration Manager, mobile threat defense (MTD) apps & services, Win32 & custom LOB apps, and more.
-If you're moving to the cloud or are adopting more cloud-based services, Intune is a great place to start.
+If you're moving to the cloud or are adopting more cloud-based services, then use Intune.
For more information, go to:
@@ -63,11 +64,11 @@ For more information, go to:
## Configuration Manager and co-management
-Configuration Manager is an on-premises management solution that can **manage desktops, Windows servers, and laptops** that are on your network or are internet-based. You can use Configuration Manager to manage data centers, apps, software updates, and operating systems.
+Configuration Manager is an on-premises management solution that uses Active Directory and Group Policy Objects (GPOs). It can **manage desktops, Windows servers, and laptops** that are on your network or are internet-based. You can use Configuration Manager to manage data centers, apps, software updates, and operating systems.
-To benefit from all that's happening in Microsoft Intune, connect to the cloud with co-management. Co-management combines your existing on-premises Configuration Manager investment with some of the cloud-based features in Intune, including using the web-based Microsoft Intune admin center.
+To benefit from everything that's happening in Microsoft Intune, connect your Configuration Manager to the cloud with co-management. Co-management combines your existing on-premises Configuration Manager investment with some of the cloud-based features in Intune, including using the web-based Microsoft Intune admin center.
-Co-management is a great way to get started with Intune and to start moving some workloads to the cloud.
+Co-management is a great way to get started with cloud-based device management, and to start moving some workloads to the cloud.
For more information, go to:
@@ -81,9 +82,8 @@ The Intune Suite is a collection of add-on features that are available in Intune
- Remote help for secure help desk connections
- Microsoft Tunnel VPN for mobile application management of devices that aren't enrolled in Intune
-- Endpoint Privilege Management (EPM) so standard non-admin users can complete tasks that require elevated privileges
-- Manage specialty devices, like AR/VR headsets, large smart-screen devices, and select conference room meeting devices
-- And more
+- Endpoint Privilege Management (EPM) so standard nonadmin users can complete tasks that require elevated privileges
+- Support for specialty devices, like AR/VR headsets, large smart-screen devices, and select conference room meeting devices
The suite and its individual features are available as add-ons to your existing licenses and are also licensed individually.
@@ -99,7 +99,7 @@ The [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) is a
The admin center also plugs-in other key device management services, including:
-- [**Azure AD Privileged Identity Management** to monitor access to important resources](/azure/active-directory/privileged-identity-management/pim-configure)
+- [**Microsoft Entra Privileged Identity Management** to monitor access to important resources](/azure/active-directory/privileged-identity-management/pim-configure)
- [**Microsoft Tunnel** VPN gateway solution that runs on Linux](./intune/protect/microsoft-tunnel-overview.md)
- [**Mobile threat defense** partners](./intune/protect/mobile-threat-defense.md)
- [**Remote Help** for remote assistance](/mem/intune/fundamentals/remote-help)
@@ -109,29 +109,40 @@ The admin center also plugs-in other key device management services, including:
## Microsoft Entra ID
-Microsoft Entra ID, previously known as Azure Active Directory (Azure AD), is a cloud-native service that's used by Intune to **manage the identities of users, devices, and groups**. The Intune policies you create are assigned to these users, devices, and groups. When devices are enrolled in Intune, your users sign in to their devices with their Azure AD accounts (`user@contoso.com`).
+Microsoft Entra ID, previously known as Azure Active Directory (Azure AD), is a cloud-native service that's used by Intune to **manage the identities of users, devices, and groups**. The Intune policies you create are assigned to these users, devices, and groups. When devices are enrolled in Intune, your users sign in to their devices with their Microsoft Entra accounts (`user@contoso.com`).
-**Azure AD Premium**, which may be an extra cost, has [more features](https://azure.microsoft.com/pricing/details/active-directory/) to help protect devices, apps, and data, including dynamic groups, automatic enrollment in Intune, and conditional access.
+**Microsoft Entra** has [different license plans that include more features](https://www.microsoft.com/security/business/microsoft-entra-pricing) to help protect devices, apps, and data, including dynamic groups, automatic enrollment in Intune, and Conditional Access.
For more information, go to:
- [Add users](./intune/fundamentals/users-add.md)
- [Set up auto enrollment](./intune/enrollment/windows-enroll.md)
-- [Learn about conditional access and Intune](./intune/protect/conditional-access.md)
+- [Learn about Conditional Access and Intune](./intune/protect/conditional-access.md)
## Windows Autopilot
-Windows Autopilot is a cloud-native service that **sets up and preconfigures devices**, getting them ready for use. It can also reset and repurpose existing devices. It's designed to simplify the lifecycle of Windows devices from initial deployment through end of life, benefitting IT and end users.
+Windows Autopilot is a cloud-native service that **sets up and preconfigures devices**, getting them ready for use. It can also reset and repurpose existing devices. Windows Autopilot is designed to simplify the lifecycle of Windows devices from initial deployment through end of life, which benefits IT and end users.
-Use Windows Autopilot to preconfigure devices, automatically join devices to Azure AD, automatically enroll the devices in Intune, customize the out of box experience (OOBE), and more. You can also integrate Windows Autopilot with Configuration Manager and co-management for more device configurations.
+Use Windows Autopilot to preconfigure devices, automatically join devices to Microsoft Entra, automatically enroll the devices in Intune, customize the out of box experience (OOBE), and more. You can also integrate Windows Autopilot with Configuration Manager and co-management for more device configurations.
If you constantly provision new devices or repurpose existing devices, then use Windows Autopilot.
For more information, go to:
-- [Windows Autopilot overview](/autopilot/overview)
+- [Get an overview of Windows Autopilot](/autopilot/overview)
- [Enroll Windows devices in Intune](/autopilot/enrollment-autopilot)
+## Microsoft Copilot in Intune
+[Microsoft Copilot in Intune](./intune/copilot/copilot-intune-overview.md) is a **cloud-native service that uses AI to get information quickly**. Intune has capabilities that are powered by [Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot). These capabilities access your Intune data, and can:
+- Help you manage your policies and settings.
+- Understand your security posture.
+- Troubleshoot device issues.
+- Create Kusto Query Language (KQL) queries.
+For more information, go to [Microsoft Copilot in Intune](./intune/copilot/copilot-intune-overview.md).
## Windows 365
Windows 365 Cloud PCs are **virtual machines that are hosted in the cloud-native Windows 365 service**. They're accessible from anywhere and from any device that has internet access. Cloud PCs include a Windows desktop experience and are associated with a user.
@@ -164,7 +175,7 @@ Endpoint analytics is a cloud-native service that provides **metrics and recomme
You can get data on:
- Startup performance
-- How frequently devices restart
+- Device restart frequencies
- A list of apps that affect end-user productivity
- Recommendations on how to improve performance
@@ -182,6 +193,6 @@ For more information, go to:
## Learn more
- [Learn more about cloud-native endpoints](./solutions/cloud-native-endpoints/cloud-native-endpoints-overview.md)
-- [Microsoft 365 Feature comparison and licensing](https://www.microsoft.com/licensing/product-licensing/microsoft-365-enterprise)
-- [Microsoft Intune licensing](./intune/fundamentals/licenses.md)
+- [Compare Microsoft 365 features and licensing](https://www.microsoft.com/licensing/product-licensing/microsoft-365-enterprise)
+- [Learn more about Microsoft Intune licensing](./intune/fundamentals/licenses.md)
- [Get started with Microsoft Intune](./intune/fundamentals/get-started-with-intune.md)
diff --git a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md
index a5d2cf28c6e..d60d1c4389c 100644
--- a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md
+++ b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md
@@ -8,7 +8,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 07/08/2024
+ms.date: 08/12/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: apps
@@ -33,13 +33,13 @@ ms.custom: intune-azure
# Configure the Microsoft Managed Home Screen app for Android Enterprise
-The Managed Home Screen is the application used for corporate-owned Android Enterprise dedicated devices enrolled via Intune and running in multi-app kiosk mode. For these devices, the Managed Home Screen acts as the launcher for other approved apps to run on top of it. The Managed Home Screen provides IT admins the ability to customize their devices and to restrict the capabilities that the end user can access. For even more details, see [How to setup Microsoft Managed Home Screen on Dedicated devices in multi-app kiosk mode](https://techcommunity.microsoft.com/t5/intune-customer-success/how-to-setup-microsoft-managed-home-screen-on-dedicated-devices/ba-p/1388060).
+The Managed Home Screen is the application used for corporate-owned Android Enterprise dedicated devices and fully managed user affiliated devices enrolled via Intune and running in multi-app kiosk mode. For these devices, the Managed Home Screen acts as the launcher for other approved apps to run on top of it. The Managed Home Screen provides IT admins the ability to customize their devices and to restrict the capabilities that the end user can access. For even more details, see [How to setup Microsoft Managed Home Screen on Dedicated devices in multi-app kiosk mode](https://techcommunity.microsoft.com/t5/intune-customer-success/how-to-setup-microsoft-managed-home-screen-on-dedicated-devices/ba-p/1388060).
## When to configure the Microsoft Managed Home Screen app
-First, ensure that your devices are supported. Intune supports the enrollment of Android Enterprise dedicated devices for Android devices running OS version 8.0 and above that reliably connect to Google Mobile Services. Similarly, Managed Home Screen supports Android devices running OS version 8.0 and above.
+First, ensure that your devices are supported. Intune supports the enrollment of Android Enterprise dedicated devices and fully managed devices running OS version 8.0 and above that reliably connect to Google Mobile Services. Similarly, Managed Home Screen supports Android devices running OS version 8.0 and above.
-Typically, if settings are available to you through device configuration profiles (**Devices** > **Manage devices** > **Configuration**), configure the settings there. Doing so will save you time, minimize errors, and will give you a better Intune-support experience. However, some of the Managed Home Screen settings are currently only available via the **App configuration policies** pane in the Intune admin center. Use this document to learn how to configure the different settings either using the configuration designer or a JSON script. Additionally, use this document to learn what Managed Home Screen settings are available using device configuration profiles. You may also see [Dedicated device settings](../configuration/device-restrictions-android-for-work.md#device-experience) for a full list of settings available in **Devices** > **Manage devices** > **Configuration** that impact the Managed Home Screen.
+Typically, if settings are available to you through device configuration profiles (**Devices** > **Manage devices** > **Configuration**), configure the settings there. Doing so will save you time, minimize errors, and will give you a better Intune-support experience. However, some of the Managed Home Screen settings are currently only available via the **App configuration policies** pane in the Intune admin center. Use this document to learn how to configure the different settings either using the configuration designer or a JSON script. Additionally, use this document to learn what Managed Home Screen settings are available using device configuration profiles. You may also see [Device settings](../configuration/device-restrictions-android-for-work.md#device-experience) for a full list of settings available in **Devices** > **Manage devices** > **Configuration** that impact the Managed Home Screen.
If using App configuration, navigate to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Apps** > **App configuration policies**. Add a configuration policy for **Managed devices** running **Android** and choose **Managed Home Screen** as the associated app. Select **Configuration settings** to configure the different available Managed Home Screen settings.
@@ -116,7 +116,7 @@ The following table lists the Managed Home Screen available configuration keys,
> On Android devices running OS 11, when an end-user tries to connect to a network via the Managed Home Screen app, they will get prompted with a consent pop-up. This pop-up comes from the Android platform, and is not specific to the Managed Home Screen app. Additionally, when an end-user tries to connect to a password protected network via the Managed Home Screen app, they will be asked to input the password. Even if the password is correct, the network will only change if the device is not connected to a network. Devices that are already connected to a stable network will not be able connect to a password protected network via the Managed Home Screen app.
-> On Android devices running OS 10, when an end-user tries to connect to a network via the Managed Home Screen app, they will get prompted with a consent via notifications. Because of this prompt, users on OS 10 will need to have access to the status bar and notifications in order to complete the consent step. Use the [General settings for dedicated devices](../configuration/device-restrictions-android-for-work.md#dedicated-devices) to make status bar and notifications available to your end-users, if appropriate. Additionally, when an end-user tries to connect to a password protected network via the Managed Home Screen app, they will be asked to input the password. Even if the password is correct, the network will only change if the device is not already connected to a stable network.
+> On Android devices running OS 10, when an end-user tries to connect to a network via the Managed Home Screen app, they will get prompted with a consent via notifications. Because of this prompt, users on OS 10 will need to have access to the status bar and notifications in order to complete the consent step. Use the [General settings for fully managed and dedicated devices](../configuration/device-restrictions-android-for-work.md#dedicated-devices) to make status bar and notifications available to your end-users, if appropriate. Additionally, when an end-user tries to connect to a password protected network via the Managed Home Screen app, they will be asked to input the password. Even if the password is correct, the network will only change if the device is not already connected to a stable network.
> For devices running on Android 10+ and using Managed Home Screen, for Bluetooth pairing to successfully work on devices that require a pairing key, admins must enable the following Android system apps:
@@ -706,8 +706,8 @@ The following syntax is an example JSON script with all the available configurat
## Managed Home Screen debug screen
-You can access the Managed Home Screen's debug screen by selecting the **back** button until the debug screen is displayed (select the **back** button 15 times or more). From this debug screen, you can launch the Android Device Policy application, view and upload logs, or temporarily pause kiosk mode to update the device. For more information about pausing kiosk mode, see the **Leave kiosk mode** item in the Android Enterprise [dedicated device settings](../configuration/device-restrictions-android-for-work.md#device-experience). If you would like an easier way to access Managed Home Screen's debug screen, you can enable the **Quick access to debug menu** setting using device configuration policies or you can set the **Enable easy access debug menu** to `True` using application configuration policies.
+You can access the Managed Home Screen's debug screen by selecting the **back** button until the debug screen is displayed (select the **back** button 15 times or more). From this debug screen, you can launch the Android Device Policy application, view and upload logs, or temporarily pause kiosk mode to update the device. For more information about pausing kiosk mode, see the **Leave kiosk mode** item in the Android Enterprise [fully managed and dedicated devices settings](../configuration/device-restrictions-android-for-work.md#device-experience). If you would like an easier way to access Managed Home Screen's debug screen, you can enable the **Quick access to debug menu** setting using device configuration policies or you can set the **Enable easy access debug menu** to `True` using application configuration policies.
## Next steps
-- For more information about Android Enterprise dedicated devices, see [Set up Intune enrollment of Android Enterprise dedicated devices](../enrollment/android-kiosk-enroll.md).
+- For more information about Android Enterprise dedicated devices, see [Set up Intune enrollment of Android Enterprise dedicated devices](../enrollment/android-kiosk-enroll.md). For more information about Android Enterprise fully managed devices, see [Set up enrollment for Android Enterprise fully managed devices](../enrollment/android-fully-managed-enroll.md).
diff --git a/memdocs/intune/apps/app-discovered-apps.md b/memdocs/intune/apps/app-discovered-apps.md
index 6757625ec60..86474c2e248 100644
--- a/memdocs/intune/apps/app-discovered-apps.md
+++ b/memdocs/intune/apps/app-discovered-apps.md
@@ -8,7 +8,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 05/20/2024
+ms.date: 08/08/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: apps
@@ -42,9 +42,15 @@ Intune provides an aggregated list of detected apps on the Intune enrolled devic
2. Select **Apps** > **Monitor** > **Discovered apps**.
->You can export the list of discovered apps to a .csv file by selecting **Export** from the **Discovered apps** pane.
->For discovered Win32 apps, there currently is no aggregate count. This type of data can only be viewed on a per-device basis.
+>You can export the list of discovered apps to a *.csv* file by selecting **Export** from the **Discovered apps** pane.
+The **Discovered apps** report provides the following details:
+- Application name
+- Platform
+- Application version
+- Device count
+- Application publisher
Intune also provides the list of discovered apps for the individual device in your tenant.
diff --git a/memdocs/intune/apps/app-lifecycle.md b/memdocs/intune/apps/app-lifecycle.md
index 215f0834e4e..7bfa42f10c1 100644
--- a/memdocs/intune/apps/app-lifecycle.md
+++ b/memdocs/intune/apps/app-lifecycle.md
@@ -41,7 +41,7 @@ The first step in app deployment is to add the apps, which you want to manage an
## Deploy
-After you've added the app to Intune, you can then [assign it to users and devices that you manage](apps-deploy.md). Intune makes this process easy, and after the app is deployed, you can [monitor the success](apps-monitor.md) of the deployment from the Intune within the portal. Additionally, in some app stores, such as the [Apple](vpp-apps-ios.md) and [Windows](windows-store-for-business.md) app stores, you can purchase app licenses in bulk for your company. Intune can synchronize data with these stores so that you can deploy and track license usage for these types of apps right from the Intune administration console.
+After you've added the app to Intune, you can then [assign it to users and devices that you manage](apps-deploy.md). Intune makes this process easy, and after the app is deployed, you can [monitor the success](apps-monitor.md) of the deployment from the Intune within the portal. Additionally, in some app stores, such as the [Apple](vpp-apps-ios.md) app store, you can purchase app licenses in bulk for your company. Intune can synchronize data with these stores so that you can deploy and track license usage for these types of apps right from the Intune administration console.
## Configure
diff --git a/memdocs/intune/apps/app-management.md b/memdocs/intune/apps/app-management.md
index e8a680db8c2..1131da1b39e 100644
--- a/memdocs/intune/apps/app-management.md
+++ b/memdocs/intune/apps/app-management.md
@@ -105,7 +105,7 @@ The top of the App workload navigation menu provides commonly used app details:
- **Overview**: Select this option to view the tenant name, the MDM authority, the tenant location, the account status, app installation status, and app protection policy status.
- **All apps**: Select this option to display a list of all available apps. You can add additional apps from this page. Additionally, you can see the status of each app, as well as whether each app is assigned. For more information, see [Add apps](apps-add.md) and [Assign apps](apps-deploy.md).
- **Monitor**
- - **App licenses**: View, assign, and monitor volume-purchased apps from the app stores. For more information, see [iOS volume-purchased program (VPP) apps](vpp-apps-ios.md) and [Microsoft Store for Business volume-purchased apps](windows-store-for-business.md).
+ - **App licenses**: View, assign, and monitor volume-purchased apps from the app stores. For more information, see [iOS volume-purchased program (VPP) apps](vpp-apps-ios.md).
- **Discovered apps**: View apps that were assigned by Intune or installed on a device. For more information, see [Intune discovered apps](app-discovered-apps.md).
- **App install status**: View the status of an app assignment that you created. For more information, see [Monitor app information and assignments with Microsoft Intune](apps-monitor.md#device-and-user-status-graphs).
- **App Protection status**: View the status of an app protection policy for a user that you select.
@@ -133,7 +133,6 @@ The top of the App workload navigation menu provides commonly used app details:
## Additional information
The following items within the console provide app related functionality:
-- **Microsoft Store for Business**: Set up integration to the Microsoft Store for Business. Afterward, you can synchronize purchased applications to Intune, assign them, and track your license usage. For more information, see [Microsoft Store for Business volume-purchased apps](windows-store-for-business.md).
- **Windows enterprise certificate**: Apply or view the status of a code-signing certificate that's used to distribute line-of-business apps to your managed Windows devices.
- **Windows Symantec certificate**: Apply or view the status of a Symantec code-signing certificate.
- **Windows side loading keys**: Add a Windows side-loading key that can be used to install an app directly to devices rather than publishing and downloading the app from the Windows store. For more information, see [Side-load a Windows app](app-sideload-windows.md).
diff --git a/memdocs/intune/apps/app-protection-policy.md b/memdocs/intune/apps/app-protection-policy.md
index 1dac27fd19f..523604b534d 100644
--- a/memdocs/intune/apps/app-protection-policy.md
+++ b/memdocs/intune/apps/app-protection-policy.md
@@ -84,7 +84,7 @@ The important benefits of using App protection policies are the following:
There are additional benefits to using MDM with App protection policies, and companies can use App protection policies with and without MDM at the same time. For example, consider an employee that uses both a phone issued by the company, and their own personal tablet. The company phone is enrolled in MDM and protected by App protection policies while the personal device is protected by App protection policies only.
-If you apply a MAM policy to the user without setting the device state, the user will get the MAM policy on both the BYOD device and the Intune-managed device. You can also apply a MAM policy based on the managed state. So when you create an app protection policy, next to **Target to all app types**, you'd select **No**. Then do any of the following:
+If you apply a MAM policy to the user without setting the device state, the user will get the MAM policy on both the BYOD device and the Intune-managed device. You can also apply MAM policies based on the device management state. For more information see, [Target app protection policies based on device management state](../apps/app-protection-policies.md#target-app-protection-policies-based-on-device-management-state). When you create an app protection policy, select **No** next to **Target to all app types**. Then, do any of the following:
- Apply a less strict MAM policy to Intune managed devices, and apply a more restrictive MAM policy to non MDM-enrolled devices.
- Apply a MAM policy to unenrolled devices only.
diff --git a/memdocs/intune/apps/apps-add.md b/memdocs/intune/apps/apps-add.md
index c57dfe8b9b5..93aabf04b49 100644
--- a/memdocs/intune/apps/apps-add.md
+++ b/memdocs/intune/apps/apps-add.md
@@ -159,7 +159,6 @@ In addition to understanding web apps, store apps, and LOB apps, you should also
- **Apple Volume Purchasing Program for Business (iOS)**: The iOS/iPadOS App Store lets you purchase multiple licenses for an app that you want to run in your company. Purchasing multiple copies helps you to efficiently manage apps in your company. For more information, see [Manage iOS/iPadOS volume-purchased apps](vpp-apps-ios.md).
- **Android Enterprise fully managed work profile**: How you assign apps to Android Enterprise fully managed work profile devices differs from how you assign them to standard Android devices. All apps you install for Android Enterprise fully managed work profiles come from the Managed Google Play store. You use Intune to browse for the apps you want and approve them. The app then appears in the **Licensed apps** node of the portal, and you can manage assignment of the app as you would any other app.
-- **Microsoft Store for Business (Windows 10)**: Microsoft Store for Business gives you a place to find and purchase apps for your organization, individually or in volume. By connecting the store to Microsoft Intune, you can manage volume-purchased apps in the portal. For more information, see [Manage apps from Microsoft Store for Business](windows-store-for-business.md).
> [!NOTE]
> The file extensions for Windows apps include **.msi**, **.appx**, **.appxbundle**, **.msix** and **.msixbundle**.
@@ -208,7 +207,7 @@ When you add an app to Intune, you're given the option to select the category yo
Previously, Intune contained a number of built-in apps that you could quickly assign. Based on Intune customer feedback, we removed this list, and the built-in apps are no longer displayed. However, if you have already assigned any built-in apps, the apps remain visible in the list of apps. You can continue to assign the apps as required.
> [!NOTE]
-> For the installation of a required non-Line-of-Business app, Intune will attempt to install the app by sending an install command whenever the device checks-in, given that the app is not detected and the app's install state is not *Install Pending*.
+> For the installation of a required non-Line-of-Business app, Intune will attempt to install the app by sending an install command whenever the device checks in, given that the app is not detected and the app's install state is not *Install Pending*.
## Installing, updating, or removing required apps
diff --git a/memdocs/intune/apps/apps-deploy-gcc-dod.md b/memdocs/intune/apps/apps-deploy-gcc-dod.md
index 30a6f0dc30b..c244cc4e2e1 100644
--- a/memdocs/intune/apps/apps-deploy-gcc-dod.md
+++ b/memdocs/intune/apps/apps-deploy-gcc-dod.md
@@ -24,24 +24,11 @@ ms.collection:
# Deploying apps using Intune on the GCC High and DoD Environments
-Microsoft Intune can be used by tenant administrators to distribute apps to their workforce. The workforce is the company employee, the users of the apps. There are many types of apps that can be deployed from Intune on GCC High or DoD environments. If an administrator needs to upload and distribute a Windows app intended for a GCC High or DoD audience that is custom-made, created by third-party vendors, or as an offline app downloaded from the [Microsoft Store for Business](https://businessstore.microsoft.com/store), the admin can choose to distribute it as a [line-of-business app](apps-add.md#app-types-in-microsoft-intune).
+Microsoft Intune can be used by tenant administrators to distribute apps to their workforce. The workforce is the company employee, the users of the apps. There are many types of apps that can be deployed from Intune on GCC High or DoD environments. If an administrator needs to upload and distribute a Windows app intended for a GCC High or DoD audience that is custom-made, created by third-party vendors, the admin can choose to distribute it as a [line-of-business app](apps-add.md#app-types-in-microsoft-intune).
## Add Windows apps using Intune
-To add a Windows line-of-business app or a Win32 app intended for a GCC High or DoD environment using Intune, you can follow the [Windows LOB app](lob-apps-windows.md) or [Win32 app management](apps-win32-app-management.md) instructions. You may choose to deploy the Company Portal first from the Microsoft Store for Business. If you choose to use the Company Portal, you can manually install and deploy the Company Portal. For more information, see [How to configure the Microsoft Intune Company Portal app](company-portal-app.md).
-## Distribute Offline Apps from the Store for Business using Intune
-> [!NOTE]
-> Syncronizing the Microsoft Store for Business (MSFB) with Intune is no longer possible. Admins must deploy Windows apps by uploading them directly to Intune. To get an offline version of a desired Microsoft Store app, an actual commercial account must be used to log in to MSFB to download the package.
-If you need to [download an offline-licensed app](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) from the Microsoft Store for Business, follow these steps to download the application:
-1. Sign in to the [Store for Business](https://businessstore.microsoft.com/).
-2. Select **Manage** > **Settings**.
-3. Under **Shopping Experience**, set **Show offline apps** to **On**.
-When shopping for apps, if an offline version is available, you can choose to change the license type to offline. After getting the app, you can then manage it by selecting **Manage** > **Products & Services** in the [Store for Business](https://businessstore.microsoft.com/). Additionally, you can download the app and its dependencies. Then, you can deploy this downloaded app (and its dependencies) to users using Intune.
+To add a Windows line-of-business app or a Win32 app intended for a GCC High or DoD environment using Intune, you can follow the [Windows LOB app](lob-apps-windows.md) or [Win32 app management](apps-win32-app-management.md) instructions. If you choose to use the Company Portal, you can manually install and deploy the Company Portal. For more information, see [How to configure the Microsoft Intune Company Portal app](company-portal-app.md).
## Compliance
diff --git a/memdocs/intune/apps/apps-monitor.md b/memdocs/intune/apps/apps-monitor.md
index 4da5d293552..6025ed0a3f7 100644
--- a/memdocs/intune/apps/apps-monitor.md
+++ b/memdocs/intune/apps/apps-monitor.md
@@ -84,7 +84,7 @@ A device status list is shown when you select **Device install status** in the *
| **Device name** | The name of the device on platforms that allow naming a device **Note**: On other platforms, Intune creates a name from other properties. This attribute isn't available to any other device. |
| **User name** | The name of the user |
| **Platform** | The operating system of the device (Windows, iOS/iPadOS, Android, and so on) |
-| **Version** | The version number of the app **Note**: For line-of-business (LOB) apps and Microsoft Store for Business apps, the full version number of the app is shown. The full version number identifies a specific release of the app. The number appears as _Version_(_Build_). For example, 2.2(2.2.17560800). For standard Store apps, no versions are shown. |
+| **Version** | The version number of the app **Note**: For line-of-business (LOB) apps, the full version number of the app is shown. The full version number identifies a specific release of the app. The number appears as _Version_(_Build_). For example, 2.2(2.2.17560800). For standard Store apps, no versions are shown. |
| **Status** | The status of the app |
| **Status details** | The details of the status |
| **Last check-in** | The date of the device's last sync with Intune |
diff --git a/memdocs/intune/apps/apps-supported-intune-apps.md b/memdocs/intune/apps/apps-supported-intune-apps.md
index aa1bd74cd87..bda7aa933b8 100644
--- a/memdocs/intune/apps/apps-supported-intune-apps.md
+++ b/memdocs/intune/apps/apps-supported-intune-apps.md
@@ -1,7 +1,7 @@
title: Supported Microsoft Intune apps
-description: This topic provides lists of support partner and Microsoft apps that are commonly used with Microsoft Intune.
+description: This article provides lists of support partner and Microsoft apps that are commonly used with Microsoft Intune.
author: Erikre
ms.author: erikre
@@ -23,7 +23,7 @@ ms.collection:
# Microsoft Intune protected apps
-The apps listed in this topic are supported partner and Microsoft apps that are commonly used with Microsoft Intune. Intune protected apps are enabled with a rich set of mobile application protection policies.
+The apps listed in this article are supported partner and Microsoft apps that are commonly used with Microsoft Intune. Intune protected apps are enabled with a rich set of mobile application protection policies.
> [!NOTE]
> For your client line-of-business apps, you can incorporate mobile app management using the [Intune App Software Development Kit](../developer/app-sdk.md) (SDK), or the [App Wrapping Tool for iOS](../developer/app-wrapper-prepare-ios.md) and the [App Wrapping Tool for Android](../developer/app-wrapper-prepare-android.md).
@@ -47,7 +47,7 @@ The following tables provide details of supported partner and Microsoft apps tha
In addition to supporting the core App Protection Policy settings, apps are also capable of supporting **advanced App Protection Policy and App Configuration Policy** settings. These settings require app investment:
- App Configuration Policies can be used by apps to customize app behavior and/or App Protection Policy settings.
-- On enrolled devices, managed apps can leverage *org allowed accounts mode* to require sign-in with a specific identity and disable multi-identity functionality.
+- On enrolled devices, managed apps can use *org allowed accounts mode* to require sign-in with a specific identity and disable multi-identity functionality.
- The *Sync policy managed app data with native apps* App Protection Policy setting can be utilized by apps to restrict the synchronization of contact or calendar data to the native apps.
- The *Org data notifications* App Protection Policy setting can be utilized by apps to limit the exposure of sensitive data in notifications.
- The *Open data into Org documents* App Protection Policy setting can be utilized by apps to restrict importing data from unmanaged locations.
@@ -144,6 +144,7 @@ The following apps support the core Intune App Protection Policy settings. Apps
| App title | App description | App store links for supported platform(s) |
+| :::no-loc text="365Pay":::
| The 365Pay app provides a quick way to buy products across various experiences offered in your workplace. Use your unique QR code to touchlessly checkout at any 365 self-checkout experiences. You can earn loyalty points while ordering ahead from the cafeteria and scan and pay for products using the app itself. The 365Pay app also helps you stay up to date on new and exciting products and promotions being offered at your location! | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.avinside&hl=en_US),
[App Store link (iOS)](https://apps.apple.com/us/app/365pay/id1087422156) |
| :::no-loc text="Achievers":::
| The Achievers app puts the power of recognition in your hands. Achieving great things is a challenge. Recognizing someone for great achievements is easy. Engage, align, and recognize colleagues with the touch of a screen at any time and anywhere. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.achievers.client),
[App Store link (iOS)](https://apps.apple.com/app/achievers/id945779451) |
| :::no-loc text="Acronis Access":::
| Safely access your business files from anywhere and any device with Acronis Access. Easily share documents with colleagues, customers, and vendors while keeping files and data secure and private, where only you and your organization can touch them. The app is designed for extreme ease of use with unparalleled security, privacy, and management capabilities. | [App Store link (iOS)](https://apps.apple.com/us/app/acronis-access/id429704844?mt=8) |
| :::no-loc text="Adobe Acrobat Reader":::
| Open, view, and work with PDFs in a Microsoft Intune managed environment with Adobe Acrobat Reader. Available for iOS/iPadOS and Android. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.adobe.reader),
[App Store link (iOS)](https://apps.apple.com/app/adobe-acrobat-reader-for-pdf/id469337564) |
@@ -151,12 +152,12 @@ The following apps support the core Intune App Protection Policy settings. Apps
| :::no-loc text="Align for Intune":::
| Align for Intune allows you to review your legal documents, highlight documents with a touch of your finger, and markup documents with the Apple Pencil. Additionally, you can easily sync documents, making them instantly available on your laptop and to your teammates across the firm.
Align for Intune requires an Intune license. This app has been specially developed to operate with Microsoft Intune mobile application management (MAM). | [App Store link (iOS)](https://apps.apple.com/us/app/align-for-intune/id6468679454) | | :::no-loc text="Appian for Intune":::
| Appian empowers business users to monitor, collaborate, and take action on the go, enabling your mobile workforce to stay connected to key business processes and enterprise data.
Appian’s Business Process Management and Case Management Suite delivers mobile access to event notifications, forms, tasks, information, reports, content, and ad-hoc collaboration.
Appian provides the following:
| ArcGIS Indoors for Intune provides an indoor mapping experience for understanding the location of things and activities happening within your organization’s indoor environment. Use the wayfinding, location sharing, and workspace reservation capabilities to feel more connected to your workplace or campus, see increased levels of productivity and collaboration, and less time feeling the stress of being lost. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.esri.indoors.intune),
[App Store link (iOS)](https://apps.apple.com/app/arcgis-indoors-for-intune/id1613222675) |
-| :::no-loc text="ArchXtract (MDM)":::
| ArchXtract is used to decompress zip files between Microsoft Intune managed applications. The ArchXtract app is the upgraded version of the Intune managed decompression app known as ZipExtractor. ArchXtract supports a wide variety of compression methods.
Supported file types: bmp, jpeg, png, gif, PDF, txt, csv, html, xml
Supported compression methods include Deflate64, BZip2, LZMA (no password), PPMd.
Important: To use the full functionality of this application, you need a connect to a company work account and a valid subscription for Microsoft Intune. Some functions may not be available in some countries or regions. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=jp.co.cegb.archxtractforstore&hl=en_US&gl=US),
[App Store link (iOS)](https://apps.apple.com/app/archxtract-mdm-support/id1488048735) |
+| :::no-loc text="ArchXtract (MDM)":::
| ArchXtract is used to decompress zip files between Microsoft Intune managed applications. The ArchXtract app is the upgraded version of the Intune managed decompression app known as ZipExtractor. ArchXtract supports a wide variety of compression methods.
Supported file types: bmp, jpeg, png, gif, PDF, txt, csv, html, xml
Supported compression methods include Deflate64, BZip2, LZMA (no password), PPMd.
Important: To use the full functionality of this application, you need a connect to a company work account and a valid subscription for Microsoft Intune. Some functions may not be available in some countries or regions. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=jp.co.cegb.archxtractforstore&hl=en_US&gl=US),
[App Store link (iOS)](https://apps.apple.com/app/archxtract-mdm-support/id1488048735) |
| :::no-loc text="Asana: Work in one place":::
| Asana allows you to manage team projects and your individual tasks. Asana organizes work so you and your teams are clear on what to do, when to do it, and how to get it done. By using Asana, you can do the following:
| AssetScan is a proprietary application linked to the Asset Point tool suite. AssetScan supports technology inventory gathering and verification for both data centers and desktop locations. | [App Store link (iOS)](https://apps.apple.com/app/assetscan-for-intune/id1582325082) |
| :::no-loc text="Atom Edge":::
| Atom Edge provides corporate security through an integrated suite of services, designed to elevate the operational capabilities of businesses. The Atom Edge application offers a comprehensive approach to security management, blending automation, real-time analytics, and strategic planning to ensure a safe and efficient working environment. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.arlanto.atomedge),
[App Store link (iOS)](https://apps.apple.com/app/atom-edge/id6472163711) |
| :::no-loc text="AventX Mobile Work Orders":::
| AventX Mobile Work Orders allows maintenance users of Oracle eAM to view work order packets on the go with an iPhone or iPad – even offline. As with paper, users can mark-up electronic work orders with the added benefit of attaching rich media, like pictures and audio files, as context to the completed work. Adding to the efficiency of mobile, AventX allows technicians to route, close and upload completed work orders from anywhere, increasing time in the field and decreasing time spent manually entering the same information after the work is done. | [App Store link (iOS)](https://apps.apple.com/app/mobile-work-orders/id1144125126) |
-| :::no-loc text="Beakon Mobile App":::
| The Beakon Mobile App helps you reduce workplace incidents and risk, while managing compliance. Beakon’s system enables employees and contractors to report audits, incidents, hazards, and near misses. You are then able to classify and manage incidents across your entire business and apply cost-efficient strategies to manage and minimize workplace risk. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=io.beakon&pli=1),
[App Store link (iOS)](https://apps.apple.com/app/beakon-mobile-app/id1365533931) |
+| :::no-loc text="Beakon Mobile App":::
| The Beakon Mobile App helps you reduce workplace incidents and risk, while managing compliance. Beakon’s system enables employees and contractors to report audits, incidents, hazards, and near misses. You're then able to classify and manage incidents across your entire business and apply cost-efficient strategies to manage and minimize workplace risk. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=io.beakon&pli=1),
[App Store link (iOS)](https://apps.apple.com/app/beakon-mobile-app/id1365533931) |
| :::no-loc text="Board Papers":::
| Board Papers is a board portal solution that combines an iPad application with Microsoft SharePoint® integration. | [App Store link (iOS)](https://apps.apple.com/app/board-papers/id458518678) |
| :::no-loc text="Bob HR":::
| Bob HR provides a seamless HR experience on the go.
An employee can:
A manager can receive push notification and take action anytime, anywhere:
| Box helps you get work done on the go. It's fast, secure and simple to use, so you can be productive from anywhere, which is the reason 97,000 businesses, including Eli Lilly and Company, General Electric, KKR & Co., P&G and The GAP securely access and manage their critical information with Box. The Box app integrates with Intune SDK and supports a number of Intune Mobile Application Management policies without using Mobile Device Management. | [App Store link (iOS)](https://apps.apple.com/app/box-cloud-content-management/id290853822) |
@@ -202,7 +203,7 @@ The following apps support the core Intune App Protection Policy settings. Apps
| :::no-loc text="iAnnotate for Intune/O365":::
| Designed for Microsoft Intune enterprise users, iAnnotate for Intune/O365 allows you to read, annotate, and share PDFs, Microsoft 365 (Office) files, images and web pages. Seamlessly integrate with OneDrive and Outlook, while easily converting all MS documents to PDFs for quick markup. IT administrators must visit https://enterprise.iannotate.com/ to activate a 30-day free trial and to view the iAnnotate for Intune deployment guide. | [App Store link (iOS)](https://apps.apple.com/app/iannotate-for-intune-o365/id1567388828) |
| :::no-loc text="iBabs for Intune":::
| iBabs enables users to reduce the time needed to prepare for meetings and facilitates cooperation between colleagues.
This version of iBabs is intended for Enterprise users and government agencies, and it also requires a Microsoft Intune environment. | [App Store link (iOS)](https://apps.apple.com/us/app/ibabs-for-intune/id1130847428?mt=8) | | :::no-loc text="Idenprotect Go":::
| Idenprotect Go is an Identity Driven internet browser designed specifically for enterprise mobile users to access both Intranet and Internet web pages. Idenprotect Go’s unique use of PKI technology allows biometric-based password-less authentication to Mutual TLS and Kerberos secured websites and services. Integration with Microsoft’s Intune SDK provides full app protection policy control via the Microsoft Intune platform providing MAM control of the application giving the ultimate balance of usability and security. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=uk.co.applymobile.idenprotectgo),
[App Store link (iOS)](https://apps.apple.com/app/idenprotect-go/id1544060692) |
-| :::no-loc text="Island Enterprise Browser":::
| Island is the browser designed for the enterprise that makes work fluid, while keeping it fundamentally secure. With core security controls naturally embedded in the browser itself, Island enables organizations to control, see, and govern how users, apps, and underlying data interact. This is done all while delivering the same smooth Chromium-based experience users expect. | [App Store link (iOS)](https://apps.apple.com/il/app/island-enterprise-browser/id1661957370) |
+| :::no-loc text="Island Browser for Intune":::
| Island is the browser designed for the enterprise that makes work fluid, while keeping it fundamentally secure. With core security controls naturally embedded in the browser itself, Island enables organizations to control, see, and govern how users, apps, and underlying data interact. This is done all while delivering the same smooth Chromium-based experience users expect. This app version has been designed to work with Microsoft Intune MAM. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=io.island.island.intune),
[App Store link (iOS)](https://apps.apple.com/il/app/island-enterprise-browser/id1661957370) |
| :::no-loc text="iManage Work 10 For Intune":::
| Confidently and securely access content from iManage Work with Work Mobility for Intune. Empower users to find, edit, collaborate, and share documents and emails from their iOS device. iManage Mobility enables users to be productive from anywhere, with a consistent user experience and the same security protections as iManage Work 10. | [App Store link (iOS)](https://apps.apple.com/app/imanage-work-10-for-intune/id1337285529?ls=1) |
| :::no-loc text="Incorta (BestBuy)":::
| With on-the-go business intelligence using your iOS device and Incorta Mobile App, dive deep into your operational analytics and favorite dashboards anytime, anywhere.
Fuel your curiosity, explore insights, and stay current with near real-time trends that impact business success.
The Incorta Mobile App includes the following features:
| The Intapp 2.0 application provides secure mobile access to Intapp CRM (DealCloud) and Risk and Compliance (Intake and Conflicts). Intapp 2.0 iOS app provides Intune protection by integrating the Intune SDK. The CRM product helps users stay on top of their day-to-day tasks while out of office, providing access to information beyond just what's available at your desk, with dashboards, views, and template reports optimized for on-the-go consumption. The Intapp Risk and Compliance solution makes it easy to manage client requests and related workflows, review and resolve conflicts reports, initiate conflicts quick search, and access client and matter data. This app requires access to an existing cloud environment of Intapp CRM or Risk & Compliance. | [App Store link (iOS)](https://apps.apple.com/us/app/intapp-2-0/id1666527728?uo=2) |
@@ -216,7 +217,7 @@ The following apps support the core Intune App Protection Policy settings. Apps
| :::no-loc text="LiquidText":::
| LiquidText offers a fast, natural way to review, gather, and organize information across all your documents and webpages—then apply the results to writing reports, meeting prep, or simply studying. Pull out key facts and connect them together, squeeze a document to compare sections, draw a line to connect ideas in different documents, comment on multiple pages at once, build upon your thoughts, and much more.
**NOTE**: To use LiquidText with Intune, you need a LiquidText Enterprise account. Visit [LiquidText](https://liquidtext.net/enterprise) to learn more. | [App Store link (iOS)](https://apps.apple.com/us/app/liquidtext/id922765270) | | :::no-loc text="LumApps for Intune":::
| LumApps for Intune allows Intune admins to organize and protect Bring Your Own Device (BYOD) environments. From Microsoft Intune admin center, admins can create policies to protect corporate data while keeping employees connected. The LumApps platform provides corporate news, business tools, essential documents, and social communities.
LumApps for Intune includes several features:
To use LumApps for Intune, your company’s active subscription plan to LumApps must include the mobile option, with valid login credentials. Additionally, LumApps for Intune requires a Microsoft managed environment. Please contact your company’s IT administrator if you have issues or questions about using LumApps for Intune. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.lumapps.android.intune),
[App Store link (iOS)](https://apps.apple.com/gb/app/lumapps-for-intune/id1542216268) |
| :::no-loc text="M-Files for Intune":::
| M-Files® is content management (ECM) and document management solution that helps to manages, find, track, and secure information for companies of all sizes.
The M-Files mobile application lets you access your M-Files documents anytime and anywhere – even when you’re on the go or not connected to your office network. The application enables you to find documents from your M-Files Vaults via search functions and various customizable views, as well as view and approve documents and workflows.
To be able to utilize the mobile application, you need to have an M-Files system set up and to possess the required access rights. To get started, you need an M-Files server address and login credentials. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.mfiles.mfms),
[App Store link (iOS)](https://apps.apple.com/app/m-files-for-intune/id1551120145) |
-| :::no-loc text="MangoApps - Work from Anywhere":::
| MangoApps - Work from Anywhere makes teamwork, file sharing, and collaboration easy. It is a comprehensive business collaboration tool for Mobile and offers advanced team and company communication, project management, and information sharing features that help companies and their employees stay organized while working together and sharing information. Collaboration features such as chat, company intranet, and wikis, among other convenient task management tools, can all be used from your phone while you're on the go or from your desktop computer while you're in the office. It's a cross-platform social collaboration app, so no matter where you are and which device you are using, you can use MangoApps - Work from Anywhere to access work-related information and stay in touch with colleagues and clients. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.ms.engage&hl=en_IN&gl=US),
[App Store link (iOS)](https://apps.apple.com/us/app/mangoapps-work-from-anywhere/id347307528?platform=iphone) |
+| :::no-loc text="MangoApps - Work from Anywhere":::
| MangoApps - Work from Anywhere makes teamwork, file sharing, and collaboration easy. It is a comprehensive business collaboration tool for Mobile and offers advanced team and company communication, project management, and information sharing features that help companies and their employees stay organized while working together and sharing information. Collaboration features such as chat, company intranet, and wikis, among other convenient task management tools, can all be used from your phone while you're on the go or from your desktop computer while you're in the office. It's a cross-platform social collaboration app, so no matter where you are and which device you're using, you can use MangoApps - Work from Anywhere to access work-related information and stay in touch with colleagues and clients. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.ms.engage&hl=en_IN&gl=US),
[App Store link (iOS)](https://apps.apple.com/us/app/mangoapps-work-from-anywhere/id347307528?platform=iphone) |
| :::no-loc text="Meetings by Decisions":::
| Meetings by Decisions is a solution for Microsoft Teams and Microsoft 365 (Office). With Decisions, users improve collaboration, engagement, and productivity by using agenda builder, Teams in-meeting extensions, secure voting, minutes templates, task management, and more. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.meetingdecisions.androidApp),
[App Store link (iOS)](https://apps.apple.com/app/meetings-by-decisions/id1532239791) |
| :::no-loc text="Meetio Enterprise":::
| Meetio's mobile app for organizations using Meetio room management solutions. Meetio Enterprise simplifies your workday by allowing you to schedule meetings and meeting rooms - all at once, while you're on the go. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.getmeetio.personal),
[App Store link (iOS)](https://apps.apple.com/app/meetio/id1340190306) |
| :::no-loc text="Mobile Helix Link for Intune":::
| The Mobile Helix Link for Intune app uniquely integrates document management and Outlook email in a single, encrypted app. Quickly find files. Annotate, edit, compare, and email files seamlessly. Use Intune and the Microsoft Authentication Library to manage and secure the LINK app using Microsoft Intune and Entra ID. | [App Store link (iOS)](https://apps.apple.com/app/mobile-helix-link-for-intune/id6473648085) |
@@ -236,6 +237,7 @@ The following apps support the core Intune App Protection Policy settings. Apps
| :::no-loc text="PrinterOn for Microsoft":::
| PrinterOn's wireless mobile printing solutions enable users to remotely print from anywhere at any time over a secure network.| [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.printeron.droid.phone),
[App Store link (iOS)](https://apps.apple.com/us/app/printeron/id406584999) |
| :::no-loc text="Qlik Sense Mobile":::
| Qlik Sense is a market leading, next generation application for self-service oriented analytics. Qlik's patented associative technology allows people to easily combine data from many different sources and explore it freely, without the limitations of query-based tools. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.qlik.qliksense.mobile),
[App Store link (iOS)](https://apps.apple.com/app/qlik-sense-mobile/id1217049362) |
| :::no-loc text="Re:Work Enterprise":::
| Re:Work Enterprise, an email client app using ActiveSync, is a secure, safe, and convenient email client. Features include a shared mailbox and calendars for collaboration with colleagues. Re:Work Enterprise supports Microsoft Exchange Server and Microsoft 365 (Office), as well Microsoft Exchange email, calendar, contacts, tasks, and notes. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=so.rework.app.enterprise),
[App Store link (iOS)](https://apps.apple.com/us/app/re-work-enterprise/id1528303033) |
+| :::no-loc text="Recruitment.Exchange":::
| Recruitment.Exchange (REX) is a Mobile AI Copilot for exponential recruitment. It is designed to:
REX mobile app takes recruitment to the next level by making the power of domain AI directly accessible anytime and anywhere in the comfort of your palm.
In addition to being available as an integrated app interface for highly scalable enterprise applications, powerful app features can also operate in standalone mode. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.recruitment.exchange), [App Store link (iOS)](https://apps.apple.com/us/app/recruitment-exchange/id6451382847) | | :::no-loc text="RICOH Spaces V2":::
| RICOH Spaces V2 is a cloud hosted workplace enhancement platform designed to optimize your business with areas such as desk bookings, space bookings, wayfinding, workplace insights, and more. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.ricohspaces.app),
[App Store link (iOS)](https://apps.apple.com/app/ricoh-spaces-v2/id6444533360) |
| :::no-loc text="RingCentral for Intune":::
| RingCentral for Intune gives users messaging, video, and phone services in one simple app, while allowing IT admins to enforce granular security controls to protect corporate data. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.ringcentral.intune),
[App Store link (iOS)](https://apps.apple.com/us/app/ringcentral-for-intune/id1610956051) |
| :::no-loc text="Riskonnect Resilience":::
| Stay connected with your response team, your critical plans, and your resources during a disruption. Riskonnect Resilience, the mobile application for Riskonnect Business Continuity and Resilience, lets you securely access recovery plans, launch an incident, collaborate with team members, and send emergency notifications. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.avalution.catalystportalmobile),
[App Store link (iOS)](https://apps.apple.com/us/app/riskonnect-resilience/id1499503288) |
@@ -244,18 +246,23 @@ The following apps support the core Intune App Protection Policy settings. Apps
| :::no-loc text="Seismic \| Intune":::
| Seismic \| Intune is for administrators to add security and protection policies to protect corporate data while enabling employees to sell. Seismic provides the following capabilities:
Seismic solves the individual challenges of Sales, Marketing, and Sales Enablement teams by making all three teams more effective together. Your Marketing team builds useful content with brand protection and scalability, and mines data intelligence to continuously improve ROI over time. The Sales Enablement team distributes targeted sales content, news, and training in apps for mobile, CRM, email, and browsers. Sellers find, learn, connect, and close from any device, anywhere, and are more knowledgeable and productive than ever. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.seismic.doccenter),
[App Store link (iOS)](https://apps.apple.com/app/seismic-intune/id6444794878) |
| :::no-loc text="Senses":::
| Senses is a cloud sales support tool. Senses helps manage sales and customer success, and proposes best practices based on accumulated customer information. | [App Store link (iOS)](https://apps.apple.com/app/senses-%E3%82%BB%E3%83%B3%E3%82%B7%E3%83%BC%E3%82%BA/id1210014628) |
| :::no-loc text="ServiceNow Agent - Intune":::
| ServiceNow Mobile Agent app delivers out-of-the-box, mobile-first experiences for the most common service desk agent workflows, making it easy for agents to triage, act on and resolve requests on the go. The app enables service desk agents to promptly manage and resolve end user issues from their mobile devices. Agents use the app’s intuitive interface to accept and update work even without Internet connectivity. The app greatly simplifies work by leveraging native device capabilities for tasks like navigation, barcode scanning, or collecting a signature.
The app comes with out-of-the-box workflows for service desk agents in IT, Customer Service, HR, Field Services, Security Ops and IT Asset Management. Organizations can easily configure and extend the workflows to meet their own unique needs.
With Mobile Agent you can:
| Singletrack for Intune lets users access their CRM data anywhere and at any time, while supporting the Mobile Application Management (MAM) policies offered by Microsoft Intune. Users can connect with contacts and send out research. They can also log new interactions, as well as view and update existing ones.
You can choose to receive local notifications of recently finished Interactions and log draft interactions to be completed on your desktop at a later date. You can also work offline to capture data when convenient. | [App Store link (iOS)](https://apps.apple.com/us/app/singletrack-for-intune/id6502955456) | | :::no-loc text="Slack for Intune":::
| Slack for Intune is for Slack customers that have enabled Microsoft Intune Mobile Application Management (MAM). | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.Slack.intune), [App Store link (iOS)](https://apps.apple.com/app/slack-for-intune/id1558736484) |
-| :::no-loc text="PK Protect for Intune":::
| PK Protect for Intune is specifically designed for existing PKWARE customers operating in an Intune environment. PK Protect lets you get your work done on the go. It's fast, secure and simple to use so you can be productive from anywhere. If you are unsure if you have PK Protect, contact your company's IT administrator. With PK Protect, you can: Encrypt and decrypt files using Smartkeys, Decrypt archives with X.509 Digital Certificates, Create and manage Smartkeys, Perform digital signing and authentication of data with X.509 Digital Certificates, Encrypt and decrypt files with Strong Passphrase encryption, including AE2, Log in with existing Active Directory credentials, Create and view unencrypted zip archives. PK Protect armors data at its core, eliminating vulnerabilities everywhere data is used, shared or stored. For nearly three decades, PKWARE has provided encryption and compression software to more than 30,000 enterprise customers and over 200 government agencies. Available for iOS/iPadOS and Android. | [App Store link (iOS)](https://apps.apple.com/app/smartcrypt-for-intune/id1489232256) |
+| :::no-loc text="PK Protect for Intune":::
| PK Protect for Intune is specifically designed for existing PKWARE customers operating in an Intune environment. PK Protect lets you get your work done on the go. It's fast, secure and simple to use so you can be productive from anywhere. If you're unsure if you have PK Protect, contact your company's IT administrator. With PK Protect, you can: Encrypt and decrypt files using Smartkeys, Decrypt archives with X.509 Digital Certificates, Create and manage Smartkeys, Perform digital signing and authentication of data with X.509 Digital Certificates, Encrypt and decrypt files with Strong Passphrase encryption, including AE2, Log in with existing Active Directory credentials, Create and view unencrypted zip archives. PK Protect armors data at its core, eliminating vulnerabilities everywhere data is used, shared or stored. For nearly three decades, PKWARE has provided encryption and compression software to more than 30,000 enterprise customers and over 200 government agencies. Available for iOS/iPadOS and Android. | [App Store link (iOS)](https://apps.apple.com/app/smartcrypt-for-intune/id1489232256) |
+| :::no-loc text="ServiceNow Agent - Intune":::
| ServiceNow Mobile Agent app delivers out-of-the-box, mobile-first experiences for the most common service desk agent workflows, making it easy for agents to triage, act on and resolve requests on the go. The app enables service desk agents to promptly manage and resolve end user issues from their mobile devices. Agents use the app’s intuitive interface to accept and update work even without Internet connectivity. The app greatly simplifies work by using native device capabilities for tasks like navigation, barcode scanning, or collecting a signature.
The app comes with out-of-the-box workflows for service desk agents in IT, Customer Service, HR, Field Services, Security Ops and IT Asset Management. Organizations can easily configure and extend the workflows to meet their own unique needs.
With Mobile Agent you can:
| Slack for Intune is for Slack customers that have enabled Microsoft Intune Mobile Application Management (MAM). | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.Slack.intune), [App Store link (iOS)](https://apps.apple.com/app/slack-for-intune/id1558736484) |
+| :::no-loc text="PK Protect for Intune":::
| PK Protect for Intune is designed for existing PKWARE customers operating in an Intune environment. PK Protect lets you get your work done on the go. It's fast, secure and simple to use so you can be productive from anywhere. If you are unsure if you have PK Protect, contact your company's IT administrator. With PK Protect, you can: Encrypt and decrypt files using Smartkeys, Decrypt archives with X.509 Digital Certificates, Create and manage Smartkeys, Perform digital signing and authentication of data with X.509 Digital Certificates, Encrypt and decrypt files with Strong Passphrase encryption, including AE2, Log in with existing Active Directory credentials, Create and view unencrypted zip archives. PK Protect armors data at its core, eliminating vulnerabilities everywhere data is used, shared or stored. For nearly three decades, PKWARE has provided encryption and compression software to more than 30,000 enterprise customers and over 200 government agencies. Available for iOS/iPadOS and Android. | [App Store link (iOS)](https://apps.apple.com/app/smartcrypt-for-intune/id1489232256) |
| :::no-loc text="Speaking Email":::
| Get more time in your day by having your email read to you on the move. Voice commands and simple gestures designed to be safe to use while driving give you the ability to archive, flag or even reply on the move.
Smart content detection skips over disclaimers, reply headers, and email signatures to speak only the content without the clutter.
Employees can sign in via Intune to access Microsoft 365 Exchange email. | [App Store link (iOS)](https://apps.apple.com/app/apple-store/id991406423?ct=intune) | | :::no-loc text="Synchrotab for Intune":::
| Synchrotab is an iOS app that allows a presenter to broadcast PDF documents from a tablet or iPhone to a group of up to 8 viewer tablets. The devices communicate via peer-to-peer Wi-Fi, thus eliminating the need for a common network access. Time stamped records of materials displayed and active participants is supplied as required, together with embedded meeting notes. The viewer sees a synchronized version of the presenter’s screen with zoom and on-screen mark-up capability. Multiple documents may be uploaded to the primary device memory via email or external file network, allowing immediate access to an entire library of presentations or reports. Synchrotab makes its own statement of sustainability while eliminating costly printing and freight charges. The system was designed in cooperation with a major global investment bank ensuring exacting standards of security and integration with corporate devices. | [App Store link (iOS)](https://apps.apple.com/app/synchrotab-for-intune/id1626123415) |
| :::no-loc text="Synergi Life":::
| Synergi Life Mobile App, an extension of Synergi Life, lets users easily create observations and incident reports anytime and from anywhere, using their phones to take a snapshot and make a voice recording.
Synergi Life (previously named Synergi) is a complete business solution for risk and QHSE management, managing all non-conformances, incidents, risk, risk analyses, audits, assessments and improvement suggestions.
The Synergi Life Mobile App requires you to be a licensed user of the Synergi Life risk and QHSE management system, and have the necessary back-end licensed software and services. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.dnv.mobilesolutions.synergimobile.uibase), [App Store link (iOS)](https://apps.apple.com/us/app/synergi-life/id641181737) | | :::no-loc text="Tableau Mobile for Intune":::
| Tableau Mobile gives you the freedom to stay on top of your data, no matter where you are or when you need it. With a fast, intuitive, and interactive experience, explore your dashboards and find just what you’re looking for, all from the convenience of your mobile device.
The Tableau Mobile app requires a Tableau Server or Tableau Online account. Please note, it does not work with Tableau Public.
| Talent.Exchange (TALEX) is a Mobile AI Copilot for staffing and resource management professionals. It is designed to:
TALEX mobile app takes staffing and resource management to the next level by making the power of domain AI directly accessible anytime and anywhere in the comfort of your palm. In addition to being available as an integrated app interface for highly scalable enterprise applications, powerful app features can also operate in standalone mode. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.talent.exchange), [App Store link (iOS)](https://apps.apple.com/us/app/talent-exchange/id6468228155) | | :::no-loc text="Unique Moments":::
| Unlock the power of data with Unique! Record your meetings anywhere and anytime you want - thanks to the Unique app. After a meeting, you can upload the recording into the Unique platform to add it to the deal room. No information will be missed anymore.
Increase your revenue by improving client interactions and automating routine tasks. With Unique Moments you can record conversations, assign those conversations to deal/coaching rooms, and view deal/coaching rooms. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=ch.unique.moments), [App Store link (iOS)](https://apps.apple.com/ro/app/unique-moments/id1619761948) |
-| :::no-loc text="Varicent":::
| Varicent helps sellers understand which activities provide the best results. Reports, dashboards, and workflows help sales to understand:
If you’re an individual seller, manager, or leader, Varicent can help you understand the right information at the right time. Full views of charts, graphs, dashboards and workflow execution (including information input) are right at your fingertips. Realize a better time-to-value for your go-to-market strategy with Varicent Sales Performance Management.
This application requires that you are a client of Varicent to utilize all features and functionalities and maximize seller performance. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.varicent), [App Store link (iOS)](https://apps.apple.com/app/varicent/id1534176581) |
+| :::no-loc text="Varicent":::
| Varicent helps sellers understand which activities provide the best results. Reports, dashboards, and workflows help sales to understand:
If you’re an individual seller, manager, or leader, Varicent can help you understand the right information at the right time. Full views of charts, graphs, dashboards and workflow execution (including information input) are right at your fingertips. Realize a better time-to-value for your go-to-market strategy with Varicent Sales Performance Management.
This application requires that you're a client of Varicent to utilize all features and functionalities and maximize seller performance. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.varicent), [App Store link (iOS)](https://apps.apple.com/app/varicent/id1534176581) |
| :::no-loc text="Vbrick Mobile":::
| Customers using Vbrick Enterprise Video Platform (EVP) can upload and view on-demand videos using the Vbrick mobile app. Customers can use Microsoft Intune to manage access to the Vbrick mobile app. The Vbrick mobile app includes the following features:
**NOTE**: The Vbrick app requires users to have an active account and email address in their company’s cloud-hosted Vbrick tenant. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.vbrick.rev), [App Store link (iOS)](https://apps.apple.com/us/app/vbrick-mobile/id1630811585) | | :::no-loc text="VerityRMS":::
| VerityRMS for iOS offers Asset Managers and Investment Professionals a full-featured and modern mobile experience. Equipped with a full suite of consumption and authoring tools, users can harness their firm’s investment process from anywhere. | [App Store link (iOS)](https://apps.apple.com/app/verityrms/id589633211) |
-| :::no-loc text="Voltage SecureMail":::
:::image type="icon" source="./media/apps-supported-intune-apps/icon-p-voltage-securemail.png"::: | Send and receive Voltage encrypted secure email and attachments in the Microsoft Intune managed environment with Voltage SecureMail Mobile. Any user can receive and read Voltage encrypted messages. However, replying to messages and composing new secure emails requires these features to be enabled by the sending organization. Users can also compose, send, reply to, forward, and print encrypted messages, according to the SecureMail Mobile policy for their organization or for the organization sending the secure message. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.voltage.mobile.securemail.ui), [App Store link (iOS)](https://apps.apple.com/us/app/voltage-mail/id516444730) |
-| :::no-loc text="VPSX® Print for Intune":::
:::image type="icon" source="./media/apps-supported-intune-apps/icon-p-vpsxprint.png"::: | VPSX® Print is not a stand-alone application. It requires the use of Mobile Connector for VPSX.
VPSX Print utilizes the capabilities of LRS® output management software by providing an easy to use interface that allows users to do the following actions:
| Send and receive Voltage encrypted secure email and attachments in the Microsoft Intune managed environment with Voltage SecureMail Mobile. Any user can receive and read Voltage encrypted messages. However, replying to messages and composing new secure emails requires these features to be enabled by the sending organization. Users can also compose, send, reply to, forward, and print encrypted messages, according to the SecureMail Mobile policy for their organization or for the organization sending the secure message. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.voltage.mobile.securemail.ui), [App Store link (iOS)](https://apps.apple.com/us/app/voltage-mail/id516444730) |
+| :::no-loc text="VPSX® Print for Intune":::
| VPSX® Print is not a stand-alone application. It requires the use of Mobile Connector for VPSX.
VPSX Print utilizes the capabilities of LRS® output management software by providing an easy to use interface that allows users to do the following actions:
| The ZERØ for Intune application is specifically designed for MDM deployment via Microsoft Intune. This app allows both ZERØ and Microsoft Intune customers to take advantage of a secure Intune MDM deployment, as well as organize and protect BYOD environments with mobile application management (MAM). | [App Store link (iOS)](https://apps.apple.com/app/zero-for-intune/id1508485761) |
| :::no-loc text="Zoom for Intune":::
| Zoom is your communications hub for meetings, webinars, chat and cloud phone. Start or join meetings with flawless video, crystal clear audio and instant screen sharing from desktop, mobile or conference rooms. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=us.zoom.videomeetings4intune),
[App Store link (iOS)](https://apps.apple.com/app/zoom-for-intune/id1462818858?mt=8) |
diff --git a/memdocs/intune/apps/apps-win32-add.md b/memdocs/intune/apps/apps-win32-add.md
index 2f10fea0123..dc417c9304d 100644
--- a/memdocs/intune/apps/apps-win32-add.md
+++ b/memdocs/intune/apps/apps-win32-add.md
@@ -118,6 +118,9 @@ On the **Program** page, configure the app installation and removal commands for
`msiexec /x "{12345A67-89B0-1234-5678-000001000000}"`
+ > [!NOTE]
+ > Environment variable expansion within the **Uninstall command** is not supported. If you require the use of environment variables, use a custom wrapper script within your Win32 package to wrap the appropriate command and use this script for the **Uninstall command**.
- **Installation time required**: The number of minutes the system will wait for install program to finish. Default value is 60 minutes. If the app takes longer to install than the set installation time, the system will fail the app install. Max timeout value is 1440 minutes (1 day).
- **Allow available uninstall**: Select **Yes** to provide the uninstall option for this app for users from the Company Portal. Select **No** to prevent users from uninstalling the app from the Company Portal.
diff --git a/memdocs/intune/apps/apps-win32-s-mode.md b/memdocs/intune/apps/apps-win32-s-mode.md
index 27a43f7d8be..4912126a02a 100644
--- a/memdocs/intune/apps/apps-win32-s-mode.md
+++ b/memdocs/intune/apps/apps-win32-s-mode.md
@@ -47,8 +47,6 @@ The steps to allow Win32 apps to run on a Windows 10 device in S mode are the fo
- Intune applies the signed app catalog to install the Win32 app on the S mode device using the [Intune Management Extension](intune-management-extension.md).
> [!NOTE]
-> Line-of-business (LOB) `.appx` and `.appx` bundles on Windows 10 S mode will be supported via Microsoft Store for Business (MSFB) signing.
> **S mode supplemental policy** for apps must be delivered via Intune Management Extension.
> S mode policies are enforced at the device level. Multiple targeted policies will be merged on the device. The merged policy will be enforced on the device.
diff --git a/memdocs/intune/apps/apps-windows-10-app-deploy.md b/memdocs/intune/apps/apps-windows-10-app-deploy.md
index 44538262323..4524b3a3e93 100644
--- a/memdocs/intune/apps/apps-windows-10-app-deploy.md
+++ b/memdocs/intune/apps/apps-windows-10-app-deploy.md
@@ -37,7 +37,7 @@ ms.collection:
Microsoft Intune supports a variety of app types and deployment scenarios on Windows 10 devices. After you've added an app to Intune, you can assign the app to users and devices. This article provides more details on the supported Windows scenarios, and also covers key details to note when you're deploying apps to Windows. For information about deploying an app, also known as assigning an app, see [Assign an app](../apps/apps-deploy.md#assign-an-app) to a group.
-Line-of-business (LOB) apps and Microsoft Store for Business apps are the app types supported on Windows 10 devices. The file extensions for Windows apps include .msi, .appx, and .appxbundle.
+A Line-of-business (LOB) app is the app type supported on Windows 10 devices. The file extensions for Windows apps include .msi, .appx, and .appxbundle.
> [!NOTE]
> To deploy modern apps, you need at least:
diff --git a/memdocs/intune/apps/intune-management-extension.md b/memdocs/intune/apps/intune-management-extension.md
index 19d0f2a8343..26e0818fe4d 100644
--- a/memdocs/intune/apps/intune-management-extension.md
+++ b/memdocs/intune/apps/intune-management-extension.md
@@ -7,7 +7,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 02/14/2024
+ms.date: 08/21/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: apps
@@ -83,19 +83,19 @@ The Intune management extension supplements the in-box Windows 10 MDM features.
The Intune management extension has the following prerequisites. Once they're met, the Intune management extension installs automatically when a PowerShell script or Win32 app is assigned to the user or device.
- Devices running Windows 10 version 1607 or later. If the device is enrolled using [bulk auto-enrollment](../enrollment/windows-bulk-enroll.md), devices must run Windows 10 version 1709 or later. The Intune management extension isn't supported on Windows 10 in S mode, as S mode doesn't allow running non-store apps.
-- Devices joined to Microsoft Entra ID, including:
+- Devices joined to Microsoft Entra ID, including:
- Microsoft Entra hybrid joined: Devices joined to Microsoft Entra ID, and also joined to on-premises Active Directory (AD). See [Plan your Microsoft Entra hybrid join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) for guidance.
- Microsoft Entra registered/Workplace joined (WPJ): Devices [registered](/azure/active-directory/user-help/user-help-register-device-on-network) in Microsoft Entra ID, see [Workplace Join as a seamless second factor authentication](/windows-server/identity/ad-fs/operations/join-to-workplace-from-any-device-for-sso-and-seamless-second-factor-authentication-across-company-applications#BKMK_DRS) for more information. Typically these are Bring Your Own Device (BYOD) devices which have had a work or school account added via Settings>Accounts>Access work or school.
- Devices enrolled in Intune, including:
- Devices enrolled in a group policy (GPO). See [Enroll a Windows 10 device automatically using Group Policy](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy) for guidance.
- Devices manually enrolled in Intune, which is when:
- [Auto-enrollment to Intune](../enrollment/quickstart-setup-auto-enrollment.md) is enabled in Microsoft Entra ID. Users sign in to devices using a local user account, and manually join the device to Microsoft Entra ID. Then, they sign in to the device using their Microsoft Entra account.
@@ -204,6 +204,8 @@ Agent logs on the client machine are typically in `C:\ProgramData\Microsoft\Intu

+In addition, you can use the log file *AppWorkload.log* to help troubleshoot and analyze Win32 app management events on the client. This log file contains all logging information related to app deployment activities conducted by the IME.
## Delete a script
In **PowerShell scripts**, right-click the script, and select **Delete**.
diff --git a/memdocs/intune/apps/lob-apps-windows.md b/memdocs/intune/apps/lob-apps-windows.md
index a684e3448bd..db68631c585 100644
--- a/memdocs/intune/apps/lob-apps-windows.md
+++ b/memdocs/intune/apps/lob-apps-windows.md
@@ -121,7 +121,7 @@ Some MSI installer-based apps are automatically updated by the app developer or
This capability is useful to avoid getting into a race condition. For instance, a race condition can occur when the app is automatically updated by the app developer and is updated by Intune. Both might try to enforce a version of the app on a Windows client, which creates a conflict.
## Add store-signed LOB apps for Surface Hub devices
-You can add and deploy store-signed LOB apps (single file *.appx*, *.msix*, *.appxbundle*, and *.msixbundle*) to Surface Hub devices. The support for store-signed LOB apps enables offline store apps to be deployed to Surface Hub devices following the retirement of the Microsoft Store for Business.
+You can add and deploy store-signed LOB apps (single file *.appx*, *.msix*, *.appxbundle*, and *.msixbundle*) to Surface Hub devices. The support for store-signed LOB apps enables offline store apps to be deployed to Surface Hub devices.
## Next steps
diff --git a/memdocs/intune/apps/macos-unmanaged-pkg.md b/memdocs/intune/apps/macos-unmanaged-pkg.md
index bf534a98ce5..7a1b75251ea 100644
--- a/memdocs/intune/apps/macos-unmanaged-pkg.md
+++ b/memdocs/intune/apps/macos-unmanaged-pkg.md
@@ -102,7 +102,7 @@ You can optionally configure a preinstall script and a post-install script to cu
**Post-install script**: Provide a script that runs after the app installs successfully. If provided, the post-install script runs after a successful app installation. Irrespective of the post-install script run status, an installed app reports its installation status as "success".
> [!NOTE]
-> - Each pre-install or post-install script must be less than 5121 characters long.
+> - Each pre-install or post-install script must be less than 15360 characters long.
> - The Microsoft Intune management agent for macOS version 2309.007 or greater is required to configure pre-install and post-install scripts for macOS PKG apps.
> - For more details on configuring pre-install and post-install scripts, refer to [Prerequisites of shell scripts](../apps/macos-shell-scripts.md#prerequisites).
diff --git a/memdocs/intune/apps/manage-without-gms.md b/memdocs/intune/apps/manage-without-gms.md
index bc69b1a3506..909d0dba6fc 100644
--- a/memdocs/intune/apps/manage-without-gms.md
+++ b/memdocs/intune/apps/manage-without-gms.md
@@ -8,7 +8,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 02/23/2024
+ms.date: 08/20/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: apps
@@ -75,7 +75,10 @@ In conditions where GMS isn't available:
- If the device is enrolled with device administrator and running the Company Portal app version 5.0.5655.0 and newer, then Intune tries to check for new tasks and notifications approximately every 15 minutes.
-- If the device is enrolled with Android (AOSP) management and running the Intune app version 24.02.4 and newer, then Intune tries to check for new tasks and notifications approximately every 15 minutes.
+- If the device is enrolled with Android (AOSP) management and running the Intune app version 24.02.4 and newer, then Intune tries to check for new tasks and notifications normally every 15 minutes, however some tasks on AOSP devices may take up to 8 hours to complete.
+ > From mid-August 2024 until October 2024, some tasks on AOSP devices may take up to 8 hours to complete. Previously, it typically was 15 minutes. During this period, devices will continue to check-in every 8 hours. On AOSP devices, you may notice a decrease in the frequency of task completion. After October 2024, the sync time will return to about 15 minutes.
This frequency is also affected by the device manufacturer, device usage patterns, and whether battery optimization is enabled for the Company Portal or Intune apps.
diff --git a/memdocs/intune/apps/media/app-configuration-policies-overview/device-install-status-2.png b/memdocs/intune/apps/media/app-configuration-policies-overview/device-install-status-2.png
deleted file mode 100644
index 74e3a958efa..00000000000
Binary files a/memdocs/intune/apps/media/app-configuration-policies-overview/device-install-status-2.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/app-protection-policies-monitor/app-protection-report-csv-1.png b/memdocs/intune/apps/media/app-protection-policies-monitor/app-protection-report-csv-1.png
deleted file mode 100644
index 82e8f9442a8..00000000000
Binary files a/memdocs/intune/apps/media/app-protection-policies-monitor/app-protection-report-csv-1.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/app-protection-policies-monitor/app-protection-report-csv-2.png b/memdocs/intune/apps/media/app-protection-policies-monitor/app-protection-report-csv-2.png
deleted file mode 100644
index 0795ad25c75..00000000000
Binary files a/memdocs/intune/apps/media/app-protection-policies-monitor/app-protection-report-csv-2.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/app-protection-policies-monitor/mam-reporting-2.png b/memdocs/intune/apps/media/app-protection-policies-monitor/mam-reporting-2.png
deleted file mode 100644
index 1ca1b8d5a3e..00000000000
Binary files a/memdocs/intune/apps/media/app-protection-policies-monitor/mam-reporting-2.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/app-protection-policies-monitor/mam-reporting-4.png b/memdocs/intune/apps/media/app-protection-policies-monitor/mam-reporting-4.png
deleted file mode 100644
index 219e74ab5d6..00000000000
Binary files a/memdocs/intune/apps/media/app-protection-policies-monitor/mam-reporting-4.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/app-protection-policies-monitor/mam-reporting-6.png b/memdocs/intune/apps/media/app-protection-policies-monitor/mam-reporting-6.png
deleted file mode 100644
index df95d5e0f1a..00000000000
Binary files a/memdocs/intune/apps/media/app-protection-policies-monitor/mam-reporting-6.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/app-sideload-windows/win10cp-dependencies-save.png b/memdocs/intune/apps/media/app-sideload-windows/win10cp-dependencies-save.png
deleted file mode 100644
index 0cb2a6eaab2..00000000000
Binary files a/memdocs/intune/apps/media/app-sideload-windows/win10cp-dependencies-save.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/app-sideload-windows/win10cp-dependent-files.png b/memdocs/intune/apps/media/app-sideload-windows/win10cp-dependent-files.png
deleted file mode 100644
index 996c09a0f4b..00000000000
Binary files a/memdocs/intune/apps/media/app-sideload-windows/win10cp-dependent-files.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/app-sideload-windows/win10cp-error-message.png b/memdocs/intune/apps/media/app-sideload-windows/win10cp-error-message.png
deleted file mode 100644
index 214794892ec..00000000000
Binary files a/memdocs/intune/apps/media/app-sideload-windows/win10cp-error-message.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/apps-add-android-for-work/approve-app-permissions.png b/memdocs/intune/apps/media/apps-add-android-for-work/approve-app-permissions.png
deleted file mode 100644
index 6498e8a381e..00000000000
Binary files a/memdocs/intune/apps/media/apps-add-android-for-work/approve-app-permissions.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/apps-add-android-for-work/approve-app-settings.png b/memdocs/intune/apps/media/apps-add-android-for-work/approve-app-settings.png
deleted file mode 100644
index 21127f8948d..00000000000
Binary files a/memdocs/intune/apps/media/apps-add-android-for-work/approve-app-settings.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/apps-add-android-for-work/approve.png b/memdocs/intune/apps/media/apps-add-android-for-work/approve.png
deleted file mode 100644
index 4158b47365e..00000000000
Binary files a/memdocs/intune/apps/media/apps-add-android-for-work/approve.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/apps-inc-exl-assignments/apps-inc-exl-01.png b/memdocs/intune/apps/media/apps-inc-exl-assignments/apps-inc-exl-01.png
deleted file mode 100644
index 0b01e02c047..00000000000
Binary files a/memdocs/intune/apps/media/apps-inc-exl-assignments/apps-inc-exl-01.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/apps-inc-exl-assignments/apps-inc-exl-02.png b/memdocs/intune/apps/media/apps-inc-exl-assignments/apps-inc-exl-02.png
deleted file mode 100644
index 74987524e09..00000000000
Binary files a/memdocs/intune/apps/media/apps-inc-exl-assignments/apps-inc-exl-02.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/apps-inc-exl-assignments/apps-inc-exl-03.png b/memdocs/intune/apps/media/apps-inc-exl-assignments/apps-inc-exl-03.png
deleted file mode 100644
index ead8be1395f..00000000000
Binary files a/memdocs/intune/apps/media/apps-inc-exl-assignments/apps-inc-exl-03.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/apps-inc-exl-assignments/apps-inc-exl-04.png b/memdocs/intune/apps/media/apps-inc-exl-assignments/apps-inc-exl-04.png
deleted file mode 100644
index 6b5005b7288..00000000000
Binary files a/memdocs/intune/apps/media/apps-inc-exl-assignments/apps-inc-exl-04.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/apps-inc-exl-assignments/apps-inc-exl-05.png b/memdocs/intune/apps/media/apps-inc-exl-assignments/apps-inc-exl-05.png
deleted file mode 100644
index ae7c02e9747..00000000000
Binary files a/memdocs/intune/apps/media/apps-inc-exl-assignments/apps-inc-exl-05.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/apps-quiet-time-policies/apps-quiet-time-policies-03.png b/memdocs/intune/apps/media/apps-quiet-time-policies/apps-quiet-time-policies-03.png
deleted file mode 100644
index 04f86ab819e..00000000000
Binary files a/memdocs/intune/apps/media/apps-quiet-time-policies/apps-quiet-time-policies-03.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-365pay.png b/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-365pay.png
new file mode 100644
index 00000000000..f5d1811fb70
Binary files /dev/null and b/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-365pay.png differ
diff --git a/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-bluejeans.png b/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-bluejeans.png
deleted file mode 100644
index 2d76c34112f..00000000000
Binary files a/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-bluejeans.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-breezy.png b/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-breezy.png
deleted file mode 100644
index e23452295b7..00000000000
Binary files a/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-breezy.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-citrix-sharefile.png b/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-citrix-sharefile.png
deleted file mode 100644
index f8502eda7e7..00000000000
Binary files a/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-citrix-sharefile.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-islandbrowser.png b/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-islandbrowser.png
new file mode 100644
index 00000000000..0e00485b156
Binary files /dev/null and b/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-islandbrowser.png differ
diff --git a/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-lexmark-mobile-print.png b/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-lexmark-mobile-print.png
deleted file mode 100644
index 3e8916d9384..00000000000
Binary files a/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-lexmark-mobile-print.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-recruitment-exchange.png b/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-recruitment-exchange.png
new file mode 100644
index 00000000000..d1848f7ff35
Binary files /dev/null and b/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-recruitment-exchange.png differ
diff --git a/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-singletrack.png b/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-singletrack.png
new file mode 100644
index 00000000000..b9533375e8c
Binary files /dev/null and b/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-singletrack.png differ
diff --git a/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-talentexchange.png b/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-talentexchange.png
new file mode 100644
index 00000000000..2714056b6b2
Binary files /dev/null and b/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-talentexchange.png differ
diff --git a/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-vera.png b/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-vera.png
deleted file mode 100644
index 73803039e0c..00000000000
Binary files a/memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-vera.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/enterprise-app-catalog/apps-add-enterprise-app-03.png b/memdocs/intune/apps/media/enterprise-app-catalog/apps-add-enterprise-app-03.png
deleted file mode 100644
index da263bda7f2..00000000000
Binary files a/memdocs/intune/apps/media/enterprise-app-catalog/apps-add-enterprise-app-03.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/enterprise-app-catalog/apps-add-enterprise-app-04.png b/memdocs/intune/apps/media/enterprise-app-catalog/apps-add-enterprise-app-04.png
deleted file mode 100644
index 79bbb9893f9..00000000000
Binary files a/memdocs/intune/apps/media/enterprise-app-catalog/apps-add-enterprise-app-04.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/enterprise-app-catalog/apps-add-enterprise-app-05.png b/memdocs/intune/apps/media/enterprise-app-catalog/apps-add-enterprise-app-05.png
deleted file mode 100644
index 077a4953454..00000000000
Binary files a/memdocs/intune/apps/media/enterprise-app-catalog/apps-add-enterprise-app-05.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/enterprise-app-catalog/apps-add-enterprise-app-06.png b/memdocs/intune/apps/media/enterprise-app-catalog/apps-add-enterprise-app-06.png
deleted file mode 100644
index d7cb640f23e..00000000000
Binary files a/memdocs/intune/apps/media/enterprise-app-catalog/apps-add-enterprise-app-06.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/enterprise-app-catalog/apps-add-enterprise-app-07.png b/memdocs/intune/apps/media/enterprise-app-catalog/apps-add-enterprise-app-07.png
deleted file mode 100644
index 9e15caa9b1c..00000000000
Binary files a/memdocs/intune/apps/media/enterprise-app-catalog/apps-add-enterprise-app-07.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business-steps-01.png b/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business-steps-01.png
deleted file mode 100644
index b7ffc1d3de9..00000000000
Binary files a/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business-steps-01.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business0.png b/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business0.png
deleted file mode 100644
index 0039da9578b..00000000000
Binary files a/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business0.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business34.png b/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business34.png
deleted file mode 100644
index f894c4586a3..00000000000
Binary files a/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business34.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business35.png b/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business35.png
deleted file mode 100644
index ecc1348adf2..00000000000
Binary files a/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business35.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business40.png b/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business40.png
deleted file mode 100644
index 300b88177ef..00000000000
Binary files a/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business40.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business41.png b/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business41.png
deleted file mode 100644
index 053474ed3a5..00000000000
Binary files a/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business41.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business42.png b/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business42.png
deleted file mode 100644
index f4ca39aaee0..00000000000
Binary files a/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business42.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business43.png b/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business43.png
deleted file mode 100644
index 53fb7dcdf10..00000000000
Binary files a/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business43.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business45.png b/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business45.png
deleted file mode 100644
index 41f8966f2a5..00000000000
Binary files a/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business45.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business51.png b/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business51.png
deleted file mode 100644
index 013f7163691..00000000000
Binary files a/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business51.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business61.png b/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business61.png
deleted file mode 100644
index dcaed11a0ff..00000000000
Binary files a/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business61.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business62.png b/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business62.png
deleted file mode 100644
index 370ea76fc4c..00000000000
Binary files a/memdocs/intune/apps/media/securing-data-edge-for-business/securing-data-edge-for-business62.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/windows-store-for-business/microsoft-store-for-business-02.png b/memdocs/intune/apps/media/windows-store-for-business/microsoft-store-for-business-02.png
deleted file mode 100644
index de663a64dd8..00000000000
Binary files a/memdocs/intune/apps/media/windows-store-for-business/microsoft-store-for-business-02.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/windows-store-for-business/microsoft-store-for-business-03.png b/memdocs/intune/apps/media/windows-store-for-business/microsoft-store-for-business-03.png
deleted file mode 100644
index c1d804c3822..00000000000
Binary files a/memdocs/intune/apps/media/windows-store-for-business/microsoft-store-for-business-03.png and /dev/null differ
diff --git a/memdocs/intune/apps/media/windows-store-for-business/microsoft-store-for-business-04.png b/memdocs/intune/apps/media/windows-store-for-business/microsoft-store-for-business-04.png
deleted file mode 100644
index 3f536833f0e..00000000000
Binary files a/memdocs/intune/apps/media/windows-store-for-business/microsoft-store-for-business-04.png and /dev/null differ
diff --git a/memdocs/intune/apps/store-apps-company-portal-app.md b/memdocs/intune/apps/store-apps-company-portal-app.md
index fb1047ad653..7a0d87ff676 100644
--- a/memdocs/intune/apps/store-apps-company-portal-app.md
+++ b/memdocs/intune/apps/store-apps-company-portal-app.md
@@ -36,7 +36,7 @@ ms.collection:
[!INCLUDE [azure_portal](../includes/azure_portal.md)]
-To manage devices and install apps, your users can install the Company Portal app themselves from the Microsoft Store or download it from the [Microsoft Intune Company Portal for Windows](../apps/store-apps-company-portal-app.md#download-the-offline-company-portal-app). If your business needs require that you assign the Company Portal app to them, however, you can assign the Windows 10 Company Portal app directly from Intune. You can do so even if you haven't integrated Intune with the Microsoft Store for Business.
+To manage devices and install apps, your users can install the Company Portal app themselves from the Microsoft Store or download it from the [Microsoft Intune Company Portal for Windows](../apps/store-apps-company-portal-app.md#download-the-offline-company-portal-app). If your business needs require that you assign the Company Portal app to them, however, you can assign the Windows 10 Company Portal app directly from Intune.
> If you download the Company Portal app, the option described in this article requires that you assign manual updates each time an app update is released. To deploy the Company Portal app for Windows 10 Autopilot provisioned devices, see [Add Windows 10 Company Portal app Autopilot devices](store-apps-company-portal-autopilot.md).
@@ -44,13 +44,6 @@ To manage devices and install apps, your users can install the Company Portal ap
> [!NOTE]
> The Company Portal supports Configuration Manager applications. This feature allows end users to see both Configuration Manager and Intune deployed applications in the Company Portal for co-managed customers. This new version of the Company Portal will display Configuration Manager deployed apps for all co-managed customers. This support will help administrators consolidate their different end user portal experiences. For more information, see [Use the Company Portal app on co-managed devices](../../configmgr/comanage/company-portal.md).
-## Configure settings to show offline apps
-1. Sign in to the [Microsoft Store for Business](https://www.microsoft.com/business-store) with your admin account. Ensure that you sign into the Microsoft Store for Business using the same tenant account you use to sign into Intune. Your Microsoft Store for Business account must be associated with Intune. For more information, see [Associate your Microsoft Store for Business account with Intune](../apps/windows-store-for-business.md#associate-your-microsoft-store-for-business-account-with-intune).
-2. Select the **Manage** tab near the top of the window.
-3. In the left pane, select **Settings**.
-4. Select the **Shop** tab. Then,under **Shopping experience**, set **Show offline apps** to **On**.
## Download the offline Company Portal app
1. Search for and then select the **Company Portal** app.
@@ -96,34 +89,6 @@ If you need to sideload the app and you assigned the Windows 8.1 Company Portal
If you need to sideload the app and you signed and assigned the Windows 8.1 Company Portal app with the Symantec code-signing certificate, follow the steps in the next section.
-### How do I upgrade my signed and sideloaded Windows 8.1 Company Portal app to the Windows 10 Company Portal app?
-Our recommended migration path is to delete the existing assignment for the Windows 8.1 Company Portal app by setting the assignment action to **Uninstall**. After you select this setting, you can assign the Windows 10 Company Portal app normally.
-Otherwise, the Windows 10 Company Portal app must be appropriately updated and signed to ensure that the upgrade path is respected.
-If you sign and assign the Windows 10 Company Portal app in this way, you will need to repeat this process for each new app update when it is available in the store. The app is not automatically updated when the store is updated.
-Here's how you sign and assign the app in this way:
-1. Download the [Microsoft Intune Windows 10 Company Portal App Signing Script](https://aka.ms/intunecpscript).
- This script requires the Windows SDK for Windows 10 to be installed on the host computer. [Download the Windows SDK for Windows 10](https://go.microsoft.com/fwlink/?linkid=162443).
-2. Download the Windows 10 Company Portal app from the Microsoft Store for Business, as discussed previously.
-3. To sign the Windows 10 Company Portal app, run the script with the input parameters detailed in the script header, as shown in the following table.
- Dependencies do not need to be passed into the script. They are required only when the app is being uploaded to the Microsoft Intune admin center.
-| Parameter | Description |
-| InputWin10AppxBundle | The path to the source appxbundle file. |
-| OutputWin10AppxBundle | The output path for the signed appxbundle file.
-| Win81Appx | The path to the Windows 8.1 Company Portal (.APPX) file. |
-| PfxFilePath | The path to the Symantec Enterprise Mobile Code Signing Certificate (.PFX) file. |
-| PfxPassword | The password of the Symantec Enterprise Mobile Code Signing Certificate. |
-| PublisherId | The Publisher ID of the enterprise. If it is absent, the Subject field of the Symantec Enterprise Mobile Code Signing Certificate is used. |
-| SdkPath | The path to the root folder of the Windows SDK for Windows 10. This argument is optional and defaults to ${env:ProgramFiles(x86)}\Windows Kits\10. |
-When the script has finished running, it outputs the signed version of the Windows 10 Company Portal app. You can then assign the signed version of the app as a line-of-business (LOB) app via Intune, which upgrades the currently assigned versions to this new app.
## Next steps
- [Assign apps to groups](apps-deploy.md)
diff --git a/memdocs/intune/apps/store-apps-microsoft.md b/memdocs/intune/apps/store-apps-microsoft.md
index d61a1b79097..1179b58d2e3 100644
--- a/memdocs/intune/apps/store-apps-microsoft.md
+++ b/memdocs/intune/apps/store-apps-microsoft.md
@@ -93,7 +93,6 @@ The Microsoft Store provides a large variety of apps designed to work on your Mi
> - The app is not available if there is an age restriction.
> - The app is a paid app, which is not supported.
> - The app is an Android app.
- > - The app is a Microsoft Store for Business app that is not available publicly in the consumer store.
3. Choose the app that you want to deploy and choose **Select**.
diff --git a/memdocs/intune/configuration/administrative-templates-restrict-usb.md b/memdocs/intune/configuration/administrative-templates-restrict-usb.md
index 49376fb5acf..b30958ee843 100644
--- a/memdocs/intune/configuration/administrative-templates-restrict-usb.md
+++ b/memdocs/intune/configuration/administrative-templates-restrict-usb.md
@@ -38,7 +38,7 @@ This article shows you:
- How to create an ADMX policy with USB settings in the Intune admin center
- How to use a log file to troubleshoot devices that shouldn't be blocked
-Applies to:
+This article applies to:
- Windows 11
- Windows 10
diff --git a/memdocs/intune/configuration/administrative-templates-update-office.md b/memdocs/intune/configuration/administrative-templates-update-office.md
index cd52028a984..e66ccddb34b 100644
--- a/memdocs/intune/configuration/administrative-templates-update-office.md
+++ b/memdocs/intune/configuration/administrative-templates-update-office.md
@@ -7,7 +7,7 @@ keywords:
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 11/06/2023
+ms.date: 08/20/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: configuration
@@ -29,13 +29,13 @@ ms.collection:
# Use Update Channel and Target Version settings to update Microsoft 365 with Microsoft Intune Administrative Templates
-In Intune, you can use [Windows ADMX templates to configure group policy settings](administrative-templates-windows.md). This article shows you how to update Microsoft 365 using an administrative template in Intune. It also gives guidance on confirming your policies apply successfully. This information also helps when troubleshooting.
+In Intune, you can use [Windows administrative (ADMX) templates to configure group policy settings](administrative-templates-windows.md). This article shows you how to update Microsoft 365 using an administrative template in Intune. It also gives guidance on confirming your policies apply successfully, which helps when troubleshooting.
In this scenario, you create an administrative template in Intune that updates Microsoft 365 on your devices.
For more information on administrative templates, go to [Windows ADMX templates to configure group policy settings](administrative-templates-windows.md).
-Applies to:
+This feature applies to:
- Windows 11
- Windows 10
@@ -43,27 +43,34 @@ Applies to:
## Prerequisites
-Be sure to [enable Microsoft 365 Apps Automatic Updates](/deployoffice/configure-update-settings-for-office-365-proplus) for your Office apps. You can do this using group policy, or the Intune Office 2016 ADMX template:
+- Requires Microsoft Intune and a Microsoft 365 subscription. For information on Intune licensing, go to [Microsoft Intune licensing](../fundamentals/licenses.md).
-:::image type="content" source="./media/administrative-templates-update-office/admx-enable-automatic-updates.png" alt-text="Screenshot that shows enabling Office automatic updates using an administrative template in Microsoft Intune.":::
+- To configure the ADMX policy, at a minimum, sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) with the **Policy and Profile manager** role. For information on the built-in roles in Intune, and what they can do, go to [Role-based access control (RBAC) with Microsoft Intune](../fundamentals/role-based-access-control.md).
+- [Enable Microsoft 365 Apps Automatic Updates](/deployoffice/configure-update-settings-for-office-365-proplus) for your Office apps. You can enable automatic updates using group policy, or the Intune Office 2016 ADMX template:
+:::image type="content" source="./media/administrative-templates-update-office/admx-enable-automatic-updates.png" alt-text="Screenshot that shows enabling Office automatic updates using an administrative template in Microsoft Intune." lightbox="./media/administrative-templates-update-office/admx-enable-automatic-updates.png":::
## Set the Update Channel in the Intune administrative template
-1. In your [Intune administrative template](administrative-templates-windows.md#create-the-template), go to the **Update Channel** setting, and enter the channel you want. For example, choose `Semi-Annual Channel`:
+Use an Intune policy to set the update channel for Microsoft 365 apps. The update channel determines how frequently Office checks for updates.
+1. In your [Intune administrative template](administrative-templates-windows.md#create-the-template), go to the **Update Channel (2.0)** setting, and enter the channel you want. For example, select `Semi-Annual Enterprise Channel`:
- :::image type="content" source="./media/administrative-templates-update-office/admx-enable-update-channel-setting.png" alt-text="In Microsoft Intune and Intune admin center, create an administrative ADMX template that sets the Update Channel setting for Office.":::
+ :::image type="content" source="./media/administrative-templates-update-office/admx-enable-update-channel-setting.png" alt-text="In Microsoft Intune and Intune admin center, create an administrative ADMX template that sets the Update Channel setting for Office." lightbox="./media/administrative-templates-update-office/admx-enable-update-channel-setting.png":::
- > [!NOTE]
- > It's recommended to update more frequently. Semi-annually is only used as an example.
+ > [!TIP]
+ > - It's recommended to update more frequently. Semi-annually is only used as an example.
+ > - For information on the different update channels, go to [Overview of update channels for Microsoft 365 Apps](/microsoft-365-apps/updates/overview-update-channels).
-2. Be sure to [assign the policy](device-profile-assign.md) to your Windows client devices. To test your policy sooner, you can also sync the policy:
+2. When the policy is ready, [assign the policy](device-profile-assign.md) to your Windows client devices. To test your policy sooner, you can also sync the policy.
- [Sync the policy in Intune](../remote-actions/device-sync.md)
- [Manually sync the policy on the device](../user-help/sync-your-device-manually-windows.md#sync-from-settings-app-windows-10-or-later)
## Check the Intune registry keys
-After you assign the policy and the device syncs, you can confirm the policy is applied:
+After you assign the policy and the device syncs, you can confirm the Intune policy is applied.
1. On the device, open the **Registry Editor** app.
2. Go to the Intune policy path: `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\
- Android 11 | ❌ This new app aligns closely with Google's standards. It's suggested to deploy one profile with all the required configuration settings.
If you use multiple OEMConfig profiles, then don't configure the same top parent group or bundle in multiple profiles. It can cause conflicts. For more important information, go to [OEMConfig overview - Before you begin](android-oem-configuration-overview.md#before-you-begin)
For more information on the new **Zebra OEMConfig Powered by MX** app, go to [New Zebra OEMConfig app for Android](https://techcommunity.microsoft.com/t5/intune-customer-success/new-zebra-oemconfig-app-for-android-11-and-later/ba-p/3846730). |
-| **Legacy Zebra OEMConfig** | - Android 11 and earlier | ✔️ You can split your Zebra OEMConfig settings into smaller profiles. For example, create a baseline profile that affects all devices. Then, create more profiles that configure settings specific to a device. |
+| **Legacy Zebra OEMConfig** | - Android 11 and earlier | ✅ You can split your Zebra OEMConfig settings into smaller profiles. For example, create a baseline profile that affects all devices. Then, create more profiles that configure settings specific to a device. |
## Multiple profiles using the Legacy Zebra OEMConfig app
diff --git a/memdocs/intune/configuration/platform-sso-macos.md b/memdocs/intune/configuration/platform-sso-macos.md
index df9ef54b538..9fd9842f56a 100644
--- a/memdocs/intune/configuration/platform-sso-macos.md
+++ b/memdocs/intune/configuration/platform-sso-macos.md
@@ -7,7 +7,7 @@ keywords:
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 06/06/2024
+ms.date: 08/22/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: configuration
@@ -34,11 +34,11 @@ ms.collection:
On your macOS devices, you can configure Platform SSO to enable single sign-on (SSO) using passwordless authentication, Microsoft Entra ID user accounts, or smart cards. Platform SSO is an enhancement to the [Microsoft Enterprise SSO plug-in](/entra/identity-platform/apple-sso-plugin) and the [SSO app extension](use-enterprise-sso-plug-in-macos-with-intune.md). Platform SSO can sign users into their managed Mac devices using their Microsoft Entra ID credentials and Touch ID.
-This article applies to:
+This feature applies to:
- macOS
-The [Microsoft Enterprise SSO plug-in](/entra/identity-platform/apple-sso-plugin) in Microsoft Entra ID includes two SSO features - **Platform SSO** and the **SSO app extension**. This article focuses on configuring [Platform SSO with Entra ID](/entra/identity/devices/macos-psso) for macOS devices which is in preview.
+The [Microsoft Enterprise SSO plug-in](/entra/identity-platform/apple-sso-plugin) in Microsoft Entra ID includes two SSO features - **Platform SSO** and the **SSO app extension**. This article focuses on configuring [Platform SSO with Microsoft Entra ID](/entra/identity/devices/macos-psso) for macOS devices (public preview).
Some benefits of Platform SSO include:
@@ -59,12 +59,25 @@ This article shows you how to configure Platform SSO for macOS devices in Intune
## Prerequisites
- Devices must be running macOS 13.0 and newer.
-- Microsoft Intune [Company Portal app](../apps/apps-company-portal-macos.md) version **5.2404.0** and newer is required. This version includes Platform SSO.
-- Supported web browsers include:
+- Microsoft Intune [Company Portal app](../apps/apps-company-portal-macos.md) version **5.2404.0** and newer is required on the devices. This version includes Platform SSO.
+- The following web browsers support Platform SSO:
- Microsoft Edge
- - Google Chrome with the [Microsoft Single Sign On extension](https://chromewebstore.google.com/detail/windows-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji). You can deploy this extension using [Chrome Enterprise policy - ExtensionInstallForcelist](https://chromeenterprise.google/policies/?policy=ExtensionInstallForcelist) (opens Google's web site) in the settings catalog.
+ - Google Chrome with the [Microsoft Single Sign On extension](https://chromewebstore.google.com/detail/windows-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji)
+ Using an [Intune preference file (.plist) policy](preference-file-settings-macos.md), you can force this extension to install. In your `.plist` file, you need some of the information at [Chrome Enterprise policy - ExtensionInstallForcelist](https://chromeenterprise.google/policies/?policy=ExtensionInstallForcelist) (opens Google's web site).
+ > [!WARNING]
+ > There are sample `.plist` files at [ManagedPreferencesApplications examples on GitHub](https://github.com/ProfileCreator/ProfileManifests/tree/master/Manifests/ManagedPreferencesApplications). This GitHub repository is not owned, not maintained, and not created by Microsoft. Use the information at your own risk.
- Safari
-- To create the Intune policy, at a minimum, sign in with an account that has the following Intune permissions:
+ You can use Intune to add web browser apps, including [package (`.pkg`)](../apps/lob-apps-macos.md) and [disk image (`.dmg`)](../apps/lob-apps-macos-dmg.md) files, and deploy the app to your macOS devices. To get started, go to [Add apps to Microsoft Intune](../apps/apps-add.md).
+- Platform SSO uses the Intune settings catalog to configure the required settings. To create the settings catalog policy, at a minimum, sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) with an account that has the following Intune permissions:
- Device Configuration **Read**, **Create**, **Update**, and **Assign** permissions
There are some built-in roles that have these permissions, including the **Policy and Profile Manager** Intune RBAC role. For more information on RBAC roles in Intune, go to [Role-based access control (RBAC) with Microsoft Intune](../fundamentals/role-based-access-control.md).
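Review bot: The added Google Chrome bullet points admins at third-party sample `.plist` files for a force-install policy, and the warning under it says "use at your own risk" without naming anything to verify. Because this policy installs a browser extension on every targeted Mac without user action, I would add one sentence after the warning: `Before you deploy the file, confirm that the only extension ID it force-installs is ppnbnpeolgkicgegkbkbjmhlideopiji (the ID in the Chrome Web Store link in this list), and remove any sample keys you don't need.` The ID is taken from the link on the added Chrome line. The rest of the warning can stay as written.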
@@ -149,9 +162,12 @@ For more information, go to [Microsoft Entra certificate-based authentication on
## Step 2 - Create the Platform SSO policy in Intune
-To configure the Platform SSO policy, use the following steps to create an [Intune settings catalog](settings-catalog.md) policy. These settings are required by the Microsoft Enterprise SSO plug-in. For more information, go to [Microsoft Enterprise SSO plug-in for Apple devices](/entra/identity-platform/apple-sso-plugin).
+To configure the Platform SSO policy, use the following steps to create an [Intune settings catalog](settings-catalog.md) policy. The Microsoft Enterprise SSO plug-in requires the settings listed.
-For details about the payload settings for the Extensible Single Sign-on extension, go to [Extensible Single Sign-on MDM payload settings for Apple devices](https://support.apple.com/guide/deployment/depfd9cdf845/web) (opens Apple's web site).
+- To learn more about the plug-in, go to [Microsoft Enterprise SSO plug-in for Apple devices](/entra/identity-platform/apple-sso-plugin).
+- For details about the payload settings for the Extensible Single Sign-on extension, go to [Extensible Single Sign-on MDM payload settings for Apple devices](https://support.apple.com/guide/deployment/depfd9cdf845/web) (opens Apple's web site).
+**Create the policy**:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy**.
@@ -188,23 +204,26 @@ For details about the payload settings for the Extensible Single Sign-on extensi
Close the settings picker.
> [!TIP]
- > There are more optional Platform SSO settings you can configure in the policy. For a list, go to [More Platform SSO settings you can configure](#more-platform-sso-settings-you-can-configure) (in this article).
+ > There are more Platform SSO settings you can configure in the policy:
+ >
+ > - [Non-Microsoft apps and Microsoft Enterprise SSO Extension settings](#non-microsoft-apps-and-microsoft-enterprise-sso-extension-settings) (in this article)
+ > - [End user experience settings](#end-user-experience-settings) (in this article)
8. Configure the following required settings:
| Name | Configuration value | Description |
| **Authentication Method (Deprecated)** (macOS 13 only) | **Password** or **UserSecureEnclave** | Select the Platform SSO authentication method that you chose in [Step 1 - Decide the authentication method](#step-1---decide-the-authentication-method) (in this article).
This setting applies to macOS 13 only. For macOS 14.0 and later, use the **Platform SSO** > **Authentication Method** setting.|
- | **Extension Identifier** | `com.microsoft.CompanyPortalMac.ssoextension` | This ID is the SSO app extension that the profile needs for SSO to work.
The **Extension Identifier** and **Team Identifier** values work together. |
- | **Platform SSO** > **Authentication Method** (macOS 14+) | **Password**, **UserSecureEnclave** or **SmartCard** | Select the Platform SSO authentication method that you chose in [Step 1 - Decide the authentication method](#step-1---decide-the-authentication-method) (in this article).
This setting applies to macOS 14 and later. For macOS 13, use the **Authentication Method (Deprecated)** setting. |
+ | **Extension Identifier** | `com.microsoft.CompanyPortalMac.ssoextension` | Copy and paste this value in the setting.
This ID is the SSO app extension that the profile needs for SSO to work.
The **Extension Identifier** and **Team Identifier** values work together. |
+ | **Platform SSO** > **Authentication Method** (macOS 14+) | **Password**, **UserSecureEnclave**, or **SmartCard** | Select the Platform SSO authentication method that you chose in [Step 1 - Decide the authentication method](#step-1---decide-the-authentication-method) (in this article).
This setting applies to macOS 14 and later. For macOS 13, use the **Authentication Method (Deprecated)** setting. |
| **Platform SSO** > **Use Shared Device Keys** (macOS 14+) | **Enabled** | When enabled, Platform SSO uses the same signing and encryption keys for all users on the same device. Users upgrading from macOS 13.x to 14.x are prompted to register again. |
- | **Registration token** | `{{DEVICEREGISTRATION}}` | You must include the curly braces. For more information on this registration token, go to [Configure Microsoft Entra device registration](/entra/identity-platform/apple-sso-plugin#configure-microsoft-entra-device-registration).
This setting requires that you also configure the `AuthenticationMethod` setting.
- If you use only macOS 13 devices, then configure the **Authentication Method (Deprecated)** setting.
- If you use only macOS 14+ devices, then configure the **Platform SSO** > **Authentication Method** setting.
- If you have a mix of macOS 13 and macOS 14+ devices, then configure both authentication settings in the same profile. |
+ | **Registration token** | `{{DEVICEREGISTRATION}}` | Copy and paste this value in the setting. You must include the curly braces.
To learn more about this registration token, go to [Configure Microsoft Entra device registration](/entra/identity-platform/apple-sso-plugin#configure-microsoft-entra-device-registration).
This setting requires that you also configure the `AuthenticationMethod` setting.
- If you use only macOS 13 devices, then configure the **Authentication Method (Deprecated)** setting.
- If you use only macOS 14+ devices, then configure the **Platform SSO** > **Authentication Method** setting.
- If you have a mix of macOS 13 and macOS 14+ devices, then configure both authentication settings in the same profile. |
| **Screen Locked Behavior** | **Do Not Handle** | When set to **Do Not Handle**, the request continues without SSO. |
- | **Token To User Mapping** > **Account Name** | `preferred_username` | This token specifies that the Entra [`preferred_username`](/entra/identity-platform/id-token-claims-reference#payload-claims) attribute value is used for the macOS account's Account Name value. |
- | **Token To User Mapping** > **Full Name** | `name` | This token specifies that the Entra [`name`](/entra/identity-platform/id-token-claims-reference#payload-claims) claim is used for the macOS account's Full Name value. |
- | **Team Identifier** | `UBF8T346G9` | This identifier is the team identifier of the Enterprise SSO plug-in app extension. |
+ | **Token To User Mapping** > **Account Name** | `preferred_username` | Copy and paste this value in the setting.
This token specifies that the Entra [`preferred_username`](/entra/identity-platform/id-token-claims-reference#payload-claims) attribute value is used for the macOS account's Account Name value. |
+ | **Token To User Mapping** > **Full Name** | `name` | Copy and paste this value in the setting.
This token specifies that the Entra [`name`](/entra/identity-platform/id-token-claims-reference#payload-claims) claim is used for the macOS account's Full Name value. |
+ | **Team Identifier** | `UBF8T346G9` | Copy and paste this value in the setting.
This identifier is the team identifier of the Enterprise SSO plug-in app extension. |
| **Type** | Redirect | |
- | **URLs** | Enter all the following URLs:
If your environment needs to allow sovereign cloud domains, then also add the following URLs:
`https://login-us.microsoftonline.com` | These URL prefixes are the identity providers that do SSO app extensions. The URLs are required for **redirect** payloads and are ignored for **credential** payloads.
For more information on these URLs, go to [Microsoft Enterprise SSO plug-in for Apple devices](/entra/identity-platform/apple-sso-plugin). |
+ | **URLs** | Copy and paste all the following URLs:
If your environment needs to allow sovereign cloud domains, like Azure Government or Azure China 21Vianet, then also add the following URLs:
`https://login-us.microsoftonline.com` | These URL prefixes are the identity providers that do SSO app extensions. The URLs are required for **redirect** payloads and are ignored for **credential** payloads.
For more information on these URLs, go to [Microsoft Enterprise SSO plug-in for Apple devices](/entra/identity-platform/apple-sso-plugin). |
> If you have a mix of macOS 13 and macOS 14+ devices in your environment, then configure the **Platform SSO** > **Authentication Method** and the **Authentication Method (Deprecated)** authentication settings in the same profile.
@@ -234,12 +253,12 @@ The Company Portal app for macOS deploys and installs the Microsoft Enterprise S
Using Intune, you can add the Company Portal app and deploy it as a required app to your macOS devices:
-- For the steps, go to [Add the Company Portal app for macOS](../apps/apps-company-portal-macos.md).
-- Optional. Configure the Company Portal app to include your organization information. For the steps, go to [How to configure the Intune Company Portal apps, Company Portal website, and Intune app](../apps/company-portal-app.md).
+- [Add the Company Portal app for macOS](../apps/apps-company-portal-macos.md) lists the steps.
+- Configure the Company Portal app to include your organization information (Optional). For the steps, go to [How to configure the Intune Company Portal apps, Company Portal website, and Intune app](../apps/company-portal-app.md).
There aren't any specific steps to configure the app for Platform SSO. Just make sure the latest Company Portal app is added to Intune and deployed to your macOS devices.
-If you have an older version of the Company Portal app installed, then Platform SSO won't work.
+If you have an older version of the Company Portal app installed, then Platform SSO fails.
## Step 4 - Enroll the devices and apply the policies
@@ -262,7 +281,7 @@ When the device receives the policy, there's a **Registration required** notific
:::image type="content" border="false" source="./media/platform-sso-macos/platform-sso-macos-registration-required.png" alt-text="Screenshot that shows the registration required prompt on end user devices when you configure Platform SSO in Microsoft Intune.":::
-- End users select this notification, sign in to the Microsoft Entra ID plug-in with their organization account, and complete multifactor authentication (MFA) if required.
+- End users select this notification, sign in to the Microsoft Entra ID plug-in with their organization account, and complete multifactor authentication (MFA), if required.
> [!NOTE]
> MFA is a feature of Microsoft Entra. Make sure MFA is enabled in your tenant. For more information, including any other app requirements, go to [Microsoft Entra multifactor authentication](/entra/identity/authentication/concept-mfa-howitworks).
@@ -288,7 +307,50 @@ After you confirm that your settings catalog policy is working, unassign any exi
If you keep both policies, conflicts can occur.
-## More Platform SSO settings you can configure
+## Non-Microsoft apps and Microsoft Enterprise SSO Extension settings
+If you previously used the Microsoft Enterprise SSO Extension, and/or want to enable SSO on non-Microsoft apps, then add the **Extension Data** setting to your existing Platform SSO settings catalog policy.
+The **Extension Data** setting is a similar concept to an open text field; you can configure any values you need.
+In this section, we use the **Extension Data** setting to:
+- Configure settings you used in your previous Microsoft Enterprise SSO Extension Intune policy.
+- Configure settings that allow non-Microsoft apps to use SSO.
+This section lists the minimum recommended settings you should add. In your previous Microsoft Enterprise SSO Extension policy, you might have configured more settings. We recommend you add any other key & value pair settings you configured in your previous Microsoft Enterprise SSO Extension policy.
+Remember, there should only be one SSO policy assigned to your groups. So, if you're using Platform SSO, then you must configure the Platform SSO settings **and** the Microsoft Enterprise SSO Extension settings in the Platform SSO settings catalog policy you created in [Step 2 - Create the Platform SSO policy in Intune](#step-2---create-the-platform-sso-policy-in-intune) (in this article).
+The following settings are commonly recommended for configuring SSO settings, including configuring SSO support for non-Microsoft applications.
+1. In your existing Platform SSO settings catalog policy, add **Extension Data**:
+ 1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) (**Devices** > **Manage devices** > **Configuration**), select your existing Platform SSO settings catalog policy.
+ 2. In **Properties** > **Configuration settings**, select **Edit** > **Add settings**.
+ 3. In the settings picker, expand **Authentication**, and select **Extensible Single Sign On (SSO)**:
+ :::image type="content" source="./media/platform-sso-macos/settings-picker-authentication-extensible-sso.png" alt-text="Screenshot that shows the Settings Catalog settings picker, and selecting authentication and extensible SSO category in Microsoft Intune.":::
+ 4. In the list, select **Extension Data** and close the settings picker:
+ :::image type="content" source="./media/platform-sso-macos/settings-picker-authentication-extensible-sso-extension-data.png" alt-text="Screenshot that shows the Settings Catalog settings picker, and selecting authentication and Extension Data in Microsoft Intune.":::
+2. In **Extension Data**, **Add** the following keys and values:
+ | Key | Type | Value | Description |
+ | --- | --- | --- | --- |
+ | **AppPrefixAllowList** | String | `com.microsoft.,com.apple.` | Copy and paste this value in the setting.
**AppPrefixAllowList** lets you create a list of app vendors with apps that can use SSO. You can add more app vendors to this list as needed. |
+ | **browser_sso_interaction_enabled** | Integer | `1` | Configures a recommended broker setting. |
+ | **disable_explicit_app_prompt** | Integer | `1` | Configures a recommended broker setting. |
+ The following example shows the recommended configuration:
+ :::image type="content" source="./media/platform-sso-macos/extension-data-AppPrefixAllowList.png" alt-text="Screenshot that shows how to configure Extension Data settings, such as AppPrefixAllowList.":::
+3. Select **Next** to save your changes, and complete the policy. If the policy is already assigned to users or groups, then these groups receive the policy changes the next time they [sync with the Intune service](device-profile-troubleshoot.md#policy-refresh-intervals).
+## End user experience settings
When you create the settings catalog profile in [Step 2 - Create the Platform SSO policy in Intune](#step-2---create-the-platform-sso-policy-in-intune), there are more optional settings that you can configure.
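Review bot: In the new **Extension Data** table, the `AppPrefixAllowList` row invites admins to "add more app vendors" without saying that each entry is matched as a bundle ID prefix, so every app whose bundle ID starts with that string can use SSO. I would append to that description: `Each entry is a bundle ID prefix, so use the most specific prefix that covers the apps you need.` The `browser_sso_interaction_enabled` and `disable_explicit_app_prompt` rows are described only as "Configures a recommended broker setting". A short statement of what setting each to `1` changes about sign-in prompts would let an admin judge the values before copying them into a production policy.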
@@ -297,10 +359,22 @@ The following settings let you customize the end-user experience and give more g
| Platform SSO settings | Possible values | Usage |
| --- | --- | --- |
| **Account Display Name** | Any string value. | Customize the organization name end users see in the Platform SSO notifications. |
-| **Enable Create User At Login** | **Enable** or **Disable**. | Allow any organizational user to sign in to the device using their Microsoft Entra credentials. When creating new local accounts, the provided username and password must be the same as the user's Entra ID UPN (e.g., `user@contoso.com`) and password.|
+| **Enable Create User At Login** | **Enable** or **Disable**. | Allow any organizational user to sign in to the device using their Microsoft Entra credentials. When you create new local accounts, the provided username and password must be the same as the user's Microsoft Entra ID UPN (`user@contoso.com`) and password.|
| **New User Authorization Mode** | **Standard**, **Admin**, or **Groups** | One-time permissions the user has at sign-in when the account is created using Platform SSO. Currently, **Standard** and **Admin** values are supported. At least one **Admin** user is required on the device before **Standard** mode can be used.|
| **User Authorization Mode** | **Standard**, **Admin**, or **Groups** | Persistent permissions the user has at sign-in each time the user authenticates using Platform SSO. Currently, **Standard** and **Admin** values are supported. At least one **Admin** user is required on the device before **Standard** mode can be used.|
+## Other MDMs
+You can configure Platform SSO with other mobile device management services (MDMs), if that MDM supports Platform SSO. When using another MDM service, use the following guidance:
+- The settings listed in this article are the Microsoft-recommended settings you should configure. You can copy/paste the setting values from this article in your MDM service policy.
+ The configuration steps in your MDM service can be different. We recommend you work with your MDM service vendor to correctly configure and deploy these Platform SSO settings.
+- Device registration with Platform SSO is more secure and uses hardware-bound device certificates. These changes can affect some MDM flows, like integration with [device compliance partners](../protect/device-compliance-partners.md).
+ You should talk to your MDM service vendor to understand if the MDM tested Platform SSO, certified that their software works properly with Platform SSO, and is ready to support customers using Platform SSO.
## Common errors
When you configure Platform SSO, you might see the following errors:
diff --git a/memdocs/intune/configuration/preference-file-settings-macos.md b/memdocs/intune/configuration/preference-file-settings-macos.md
index 7ce27f74787..a94a569f899 100644
--- a/memdocs/intune/configuration/preference-file-settings-macos.md
+++ b/memdocs/intune/configuration/preference-file-settings-macos.md
@@ -8,7 +8,7 @@ keywords: preference file, property list file, plist, macOS, microsoft intune, e
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 01/16/2024
+ms.date: 08/22/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: configuration
@@ -37,7 +37,10 @@ This feature applies to:
Property list files, also called preference files, include information about your macOS apps. You define app properties or settings that you want to preconfigure. When the file is ready, you can use Intune to deploy the file to your devices and configure the app settings in your file.
-Property list files are typically used for web browsers, [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac), and custom apps.
+Property list files are typically used for web browsers, like Google Chrome, [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac), and custom apps.
+> There are sample `.plist` files at [ManagedPreferencesApplications examples on GitHub](https://github.com/ProfileCreator/ProfileManifests/tree/master/Manifests/ManagedPreferencesApplications). This GitHub repository is not owned, not maintained, and not created by Microsoft. Use the information at your own risk.
> [!TIP]
> For Microsoft Edge version 77 and newer, you can use the settings catalog. You don't have to use a preference file. For more information, go to [Settings catalog](settings-catalog.md).
@@ -55,16 +58,16 @@ These settings are added to a device configuration profile in Intune, and then a
## What you need to know
-- These settings aren't validated. Test your changes before assigning the profile to your devices.
-- If you're not sure how to enter an app key, change the setting within the app. Then, review the app's preference file using [Xcode](https://developer.apple.com/xcode/) to see how the setting is configured.
+- Test your changes before assigning the profile to your devices. Intune doesn't validate the settings in the property list file.
+- Review the app's preference file using [Xcode](https://developer.apple.com/xcode/) to see how the setting is configured. If you're not sure how to enter an app key, change the setting within the app. Then, review the app's preference file using [Xcode](https://developer.apple.com/xcode/).
Apple recommends removing nonmanageable settings using Xcode before importing the file.
- Only some apps work with managed preferences, and might not allow you to manage all settings.
- Be sure you upload property list files that target device channel settings, not user channel settings. Property list files target the entire device.
-- If you're configuring the Microsoft Edge version 77 and newer app, then use the [Settings catalog](settings-catalog.md). For a list of the settings you can configure, go to [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies) (opens another Microsoft website).
+- Use the [Settings catalog](settings-catalog.md) to configure Microsoft Edge version 77 and newer. For a list of the settings you can configure, go to [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies) (opens another Microsoft website).
- Be sure macOS is listed as a supported platform. If some settings aren't available in the settings catalog, then it's recommended to continue using the preference file.
+ Be sure macOS is listed as a supported platform. If some settings aren't available in the settings catalog, then use the preference file.
## Create the profile
diff --git a/memdocs/intune/configuration/quickstart-email-profile.md b/memdocs/intune/configuration/quickstart-email-profile.md
index 0be3acbc914..2b26cd2f000 100644
--- a/memdocs/intune/configuration/quickstart-email-profile.md
+++ b/memdocs/intune/configuration/quickstart-email-profile.md
@@ -7,7 +7,7 @@ keywords:
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 11/09/2023
+ms.date: 08/14/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: configuration
@@ -62,7 +62,7 @@ For more information on the different roles in Intune, go to [Role-based access
3. Enter the following properties:
- **Platform**: Select **iOS/iPadOS**.
- - **Profile type**: Select **Temmplates** > **Email**.
+ - **Profile type**: Select **Templates** > **Email**.
4. Select **Create**.
@@ -87,7 +87,7 @@ For more information on the different roles in Intune, go to [Role-based access
9. In **Scope tags** (optional), select **Next**. In this example, we don't use scope tags.
-10. In **Assignments**, use the drop-down for **Assign to** and select **All users and all devices**. Then, select **Next**.
+10. In **Assignments**, use the drop-down for **Assign to** and select **All users and all devices**. Then, select **Next**.
11. In **Review + create**, review your settings. When you select **Create**, your changes are saved, and the profile is assigned.
diff --git a/memdocs/intune/configuration/settings-catalog-common-features.md b/memdocs/intune/configuration/settings-catalog-common-features.md
index 47988859fe2..cb552936d10 100644
--- a/memdocs/intune/configuration/settings-catalog-common-features.md
+++ b/memdocs/intune/configuration/settings-catalog-common-features.md
@@ -65,7 +65,7 @@ Previously, to configure Google Chrome settings on Windows devices, you created
This feature applies to:
- Windows 11
-- Windows 10 and later
+- Windows 10
You can create a universal print policy, add printers, and then deploy this printer list to your managed users. When the policy is deployed, it automatically installs the printers you added. Users can see these printers, and select a printer from your list.
diff --git a/memdocs/intune/configuration/settings-catalog.md b/memdocs/intune/configuration/settings-catalog.md
index b6605adffa4..42a54ae1526 100644
--- a/memdocs/intune/configuration/settings-catalog.md
+++ b/memdocs/intune/configuration/settings-catalog.md
@@ -217,7 +217,8 @@ After you give the new profile a name, you can edit the profile to adjust the se
This feature applies to:
-- Windows 10 and later
+- Windows 11
+- Windows 10
When you create a settings catalog policy, you can export the policy to a `.json` file. You can then import this file to create a new policy. This feature is useful if you want to create a policy that's similar to an existing policy. For example, you export a policy, import it to create a new policy, and then make changes to the new policy.
diff --git a/memdocs/intune/configuration/shared-user-device-settings-windows-holographic.md b/memdocs/intune/configuration/shared-user-device-settings-windows-holographic.md
index d7b63fbceaa..eae6a90af92 100644
--- a/memdocs/intune/configuration/shared-user-device-settings-windows-holographic.md
+++ b/memdocs/intune/configuration/shared-user-device-settings-windows-holographic.md
@@ -38,9 +38,9 @@ For more information on this feature in Intune, see [Control access, accounts, a
## Before your begin
-- [Create a Windows 10/11 shared multi-user device configuration profile](shared-user-device-settings.md).
+- [Create a Windows shared multi-user device configuration profile](shared-user-device-settings.md).
-- When you create a Windows 10/11 shared user device configuration profile, there are more settings than what's listed in this article. The settings in this article are supported on Windows Holographic for Business devices.
+- When you create a Windows shared user device configuration profile, there are more settings than what's listed in this article. The settings in this article are supported on Windows Holographic for Business devices.
## Shared multi-user device settings
diff --git a/memdocs/intune/configuration/shared-user-device-settings-windows.md b/memdocs/intune/configuration/shared-user-device-settings-windows.md
index 2a7a6c4635f..fce3c383ddb 100644
--- a/memdocs/intune/configuration/shared-user-device-settings-windows.md
+++ b/memdocs/intune/configuration/shared-user-device-settings-windows.md
@@ -26,12 +26,12 @@ ms.collection:
- M365-identity-device-management
-# Windows 10/11 and newer settings to manage shared devices using Intune
+# Windows 10/11 settings to manage shared devices using Intune
> [!NOTE]
> [!INCLUDE [not-all-settings-are-documented](../includes/not-all-settings-are-documented.md)]
-Windows 10/11 client devices, like the Microsoft Surface, can be used by many users. Devices that have multiple users are called shared devices, and are a part of mobile device management (MDM) solutions.
+Windows client devices, like the Microsoft Surface, can be used by many users. Devices that have multiple users are called shared devices, and are a part of mobile device management (MDM) solutions.
End users can sign in to these shared devices with a guest account. As they use the device, they only get access to features you allow. As the Intune administrator, you configure access, choose when accounts are deleted, control power management settings, and more for your shared Windows client devices.
@@ -41,7 +41,7 @@ For more information on this feature in Intune, go to [Control access, accounts,
## Before your begin
-- Create a [Windows 10/11 shared multi-user device configuration profile](shared-user-device-settings.md).
+- Create a [Windows shared multi-user device configuration profile](shared-user-device-settings.md).
## Shared multi-user device settings
@@ -97,7 +97,7 @@ These settings use the [SharedPC CSP](/windows/client-management/mdm/sharedpc-cs
- **Enabled**: Uses the recommended settings for devices used in schools, which are more restrictive.
- **Disabled**: The default and recommended education policies aren't used.
- For more information on what the education policies do, go to [Windows 10 configuration recommendations for education customers](/education/windows/configure-windows-for-education).
+ For more information on what the education policies do, go to [Windows configuration recommendations for education customers](/education/windows/configure-windows-for-education).
> [!TIP]
> [Set up a shared or guest PC](/windows/configuration/set-up-shared-or-guest-pc) (opens another docs web site) is a great resource on this Windows client feature, including concepts and group policies that can be set in shared mode.
diff --git a/memdocs/intune/configuration/shared-user-device-settings.md b/memdocs/intune/configuration/shared-user-device-settings.md
index 626a63b41bd..78f4dc3b641 100644
--- a/memdocs/intune/configuration/shared-user-device-settings.md
+++ b/memdocs/intune/configuration/shared-user-device-settings.md
@@ -26,14 +26,7 @@ ms.collection:
# Control access, accounts, and power features on shared PC or multi-user Windows devices using Intune
-Devices that have multiple users are called shared devices, and are a common part of mobile device management (MDM) solutions. Using Microsoft Intune, you can create and configure shared devices on the following platforms:
-- Windows 10/11 Professional
-- Windows 10/11 Enterprise
-- Windows Holographic for Business, such as the HoloLens
-> [!TIP]
-> For iOS/iPadOS shared devices, go to [shared device solutions for iOS/iPadOS](../enrollment/device-enrollment-shared-ios.md).
+Devices that have multiple users are called shared devices, and are a common part of mobile device management (MDM) solutions. Using Microsoft Intune, you can create and configure shared devices.
For example, schools have devices that are typically used by many students. School Intune admins can turn on the Shared PC feature to allow one user at a time. Students can't switch between different signed-in accounts on the device. When the student signs out, you also choose to remove all user-specific settings.
@@ -55,6 +48,15 @@ This article shows you how to create a shared multi-user device configuration pr
When you create the profile in Intune, you deploy or assign the profile to device groups in your organization. You can also assign this profile to device groups with mixed device types and operating system (OS) versions.
+This feature applies to:
+- Windows 10/11 Professional
+- Windows 10/11 Enterprise
+- Windows Holographic for Business, such as the HoloLens
+> [!TIP]
+> For iOS/iPadOS shared devices, go to [shared device solutions for iOS/iPadOS](../enrollment/device-enrollment-shared-ios.md).
## Prerequisites
- To create the policy, at a minimum, sign in with an account that has the **Policy and Profile Manager** Intune role. For more information, go to [Role-based access control (RBAC) with Microsoft Intune](../fundamentals/role-based-access-control.md).
diff --git a/memdocs/intune/configuration/tutorial-walkthrough-administrative-templates.md b/memdocs/intune/configuration/tutorial-walkthrough-administrative-templates.md
index 83ba88e20d9..d83515a4c24 100644
--- a/memdocs/intune/configuration/tutorial-walkthrough-administrative-templates.md
+++ b/memdocs/intune/configuration/tutorial-walkthrough-administrative-templates.md
@@ -32,7 +32,7 @@ ms.collection:
#Customer intent: As an administrator, I want learn and use ADMX templates in the cloud so that I can control and manage Office, Windows, and Microsoft Edge settings on Windows 10/11 devices.
-# Walkthrough: Use the cloud to configure group policy on Windows 10/11 devices with ADMX templates and Microsoft Intune
+# Walkthrough: Use the cloud to configure group policy on Windows client devices with ADMX templates and Microsoft Intune
> [!NOTE]
> This walkthrough was created as a technical workshop for Microsoft Ignite. It has more prerequisites than typical walkthroughs, as it compares using and configuring ADMX policies in Intune and on-premises.
@@ -40,7 +40,7 @@ ms.collection:
Group policy administrative templates, also known as ADMX templates, include settings you can configure on Windows client devices, including PCs. The ADMX template settings are available by different services. These settings are used by Mobile Device Management (MDM) providers, including Microsoft Intune. For example, you can turn on Design Ideas in PowerPoint, set a home page in Microsoft Edge, and more.
> [!TIP]
-> For an overview of ADMX templates in Intune, including the ADMX templates built-in to Intune, go to [Use Windows 10/11 ADMX templates in Microsoft Intune](administrative-templates-windows.md).
+> For an overview of ADMX templates in Intune, including the ADMX templates built-in to Intune, go to [Use Windows ADMX templates in Microsoft Intune](administrative-templates-windows.md).
For more information on ADMX policies, go to [Understanding ADMX-backed policies](/windows/client-management/mdm/understanding-admx-backed-policies).
diff --git a/memdocs/intune/configuration/use-enterprise-sso-plug-in-ios-ipados-macos.md b/memdocs/intune/configuration/use-enterprise-sso-plug-in-ios-ipados-macos.md
index f29f466c2fa..6cac8938c85 100644
--- a/memdocs/intune/configuration/use-enterprise-sso-plug-in-ios-ipados-macos.md
+++ b/memdocs/intune/configuration/use-enterprise-sso-plug-in-ios-ipados-macos.md
@@ -32,7 +32,7 @@ zone_pivot_groups: apple-enterprise-sso
Apple devices can use single sign-on (SSO) to access devices, apps, and websites using their Microsoft Entra ID. SSO lets users sign in and get access without entering their credentials each time.
-This article applies to:
+This feature applies to:
- iOS/iPadOS
- macOS
diff --git a/memdocs/intune/configuration/use-enterprise-sso-plug-in-ios-ipados-with-intune.md b/memdocs/intune/configuration/use-enterprise-sso-plug-in-ios-ipados-with-intune.md
index 65ed11126b6..ee1ba6e7981 100644
--- a/memdocs/intune/configuration/use-enterprise-sso-plug-in-ios-ipados-with-intune.md
+++ b/memdocs/intune/configuration/use-enterprise-sso-plug-in-ios-ipados-with-intune.md
@@ -31,7 +31,7 @@ ms.collection:
[!INCLUDE [Apple SSO Boilerplate](../includes/apple-enterprise-sso-intro-boilerplate.md)]
-This article applies to:
+This feature applies to:
- iOS/iPadOS
diff --git a/memdocs/intune/configuration/use-enterprise-sso-plug-in-macos-with-intune.md b/memdocs/intune/configuration/use-enterprise-sso-plug-in-macos-with-intune.md
index 297b3b20aa1..094ba841f79 100644
--- a/memdocs/intune/configuration/use-enterprise-sso-plug-in-macos-with-intune.md
+++ b/memdocs/intune/configuration/use-enterprise-sso-plug-in-macos-with-intune.md
@@ -31,11 +31,11 @@ ms.collection:
[!INCLUDE [Apple SSO Boilerplate](../includes/apple-enterprise-sso-intro-boilerplate.md)]
-This article applies to:
+This feature applies to:
- macOS
- For iOS/iPadOS, go to [Use the Microsoft Enterprise SSO plug-in on iOS/iPadOS devices](use-enterprise-sso-plug-in-ios-ipados-with-intune.md).
+ For iOS/iPadOS, go to [Use the Microsoft Enterprise SSO plug-in on iOS/iPadOS devices](use-enterprise-sso-plug-in-ios-ipados-with-intune.md).
On macOS devices, you can configure SSO app extension settings in two places in Intune:
diff --git a/memdocs/intune/configuration/vpn-settings-android-enterprise.md b/memdocs/intune/configuration/vpn-settings-android-enterprise.md
index 971bd3b6a22..493e5b6ee74 100644
--- a/memdocs/intune/configuration/vpn-settings-android-enterprise.md
+++ b/memdocs/intune/configuration/vpn-settings-android-enterprise.md
@@ -170,6 +170,6 @@ For more information, see [Use a VPN and per-app VPN policy on Android Enterpris
- [Assign the profile](device-profile-assign.md) and [monitor its status](device-profile-monitor.md).
-- Create VPN profiles for [Android device administrator](vpn-settings-android.md), [iOS/iPadOS](vpn-settings-ios.md), [macOS](vpn-settings-macos.md), and [Windows 10 and later](vpn-settings-windows-10.md).
+- Create VPN profiles for [Android device administrator](vpn-settings-android.md), [iOS/iPadOS](vpn-settings-ios.md), [macOS](vpn-settings-macos.md), and [Windows](vpn-settings-windows-10.md).
- Learn how to [Troubleshoot VPN profile issues in Microsoft Intune](/troubleshoot/mem/intune/device-configuration/troubleshoot-vpn-profiles).
diff --git a/memdocs/intune/configuration/vpn-settings-android.md b/memdocs/intune/configuration/vpn-settings-android.md
index d0ed199ad02..8cf5c8871bc 100644
--- a/memdocs/intune/configuration/vpn-settings-android.md
+++ b/memdocs/intune/configuration/vpn-settings-android.md
@@ -74,4 +74,4 @@ As an Intune administrator, you can create and assign VPN settings to Android de
- [Assign the profile](device-profile-assign.md) and [monitor its status](device-profile-monitor.md).
-- Create VPN profiles for [Android Enterprise](vpn-settings-android-enterprise.md), [iOS/iPadOS](vpn-settings-ios.md), [macOS](vpn-settings-macos.md), and [Windows 10 and later](vpn-settings-windows-10.md).
+- Create VPN profiles for [Android Enterprise](vpn-settings-android-enterprise.md), [iOS/iPadOS](vpn-settings-ios.md), [macOS](vpn-settings-macos.md), and [Windows](vpn-settings-windows-10.md).
diff --git a/memdocs/intune/configuration/vpn-settings-ios.md b/memdocs/intune/configuration/vpn-settings-ios.md
index 21f34c8628e..62153272f31 100644
--- a/memdocs/intune/configuration/vpn-settings-ios.md
+++ b/memdocs/intune/configuration/vpn-settings-ios.md
@@ -414,4 +414,4 @@ If you use a proxy, then configure the following settings.
The profile is created, but may not be doing anything yet. Be sure to [assign the profile](device-profile-assign.md) and [monitor its status](device-profile-monitor.md).
-Configure VPN settings on [Android](vpn-settings-android.md), [Android Enterprise](vpn-settings-android-enterprise.md), [macOS](vpn-settings-macos.md), and [Windows 10](vpn-settings-windows-10.md) devices.
+Configure VPN settings on [Android](vpn-settings-android.md), [Android Enterprise](vpn-settings-android-enterprise.md), [macOS](vpn-settings-macos.md), and [Windows](vpn-settings-windows-10.md) devices.
diff --git a/memdocs/intune/configuration/vpn-settings-macos.md b/memdocs/intune/configuration/vpn-settings-macos.md
index 14f6e2c7879..f2391ab5732 100644
--- a/memdocs/intune/configuration/vpn-settings-macos.md
+++ b/memdocs/intune/configuration/vpn-settings-macos.md
@@ -134,4 +134,4 @@ Select the **type of automatic VPN** you want. Your options:
- [Assign the profile](device-profile-assign.md) and [monitor its status](device-profile-monitor.md).
-- Configure VPN settings on [Android](vpn-settings-android.md), [Android Enterprise](vpn-settings-android-enterprise.md), [iOS/iPadOS](vpn-settings-ios.md), and [Windows 10](vpn-settings-windows-10.md) devices.
+- Configure VPN settings on [Android](vpn-settings-android.md), [Android Enterprise](vpn-settings-android-enterprise.md), [iOS/iPadOS](vpn-settings-ios.md), and [Windows](vpn-settings-windows-10.md) devices.
diff --git a/memdocs/intune/configuration/vpn-settings-windows-8-1.md b/memdocs/intune/configuration/vpn-settings-windows-8-1.md
index fe59b5568f0..32ba5dd1d64 100644
--- a/memdocs/intune/configuration/vpn-settings-windows-8-1.md
+++ b/memdocs/intune/configuration/vpn-settings-windows-8-1.md
@@ -109,4 +109,4 @@ Depending on the settings you choose, not all values in the following list are c
- [Assign the profile](device-profile-assign.md), and [monitor its status](device-profile-monitor.md).
-- Configure VPN settings on [Android](vpn-settings-android.md), [Android Enterprise](vpn-settings-android-enterprise.md), [macOS](vpn-settings-macos.md), and [Windows 10/11](vpn-settings-windows-10.md) devices.
+- Configure VPN settings on [Android](vpn-settings-android.md), [Android Enterprise](vpn-settings-android-enterprise.md), [macOS](vpn-settings-macos.md), and [Windows](vpn-settings-windows-10.md) devices.
diff --git a/memdocs/intune/configuration/wi-fi-settings-android-aosp.md b/memdocs/intune/configuration/wi-fi-settings-android-aosp.md
index e6eca6cf507..34822016269 100644
--- a/memdocs/intune/configuration/wi-fi-settings-android-aosp.md
+++ b/memdocs/intune/configuration/wi-fi-settings-android-aosp.md
@@ -43,7 +43,7 @@ For more information on AOSP, go to [Android Open Source Project](https://source
## Before you begin
-Create an [Android (AOSP) device configuration profile](wi-fi-settings-configure.md).
+- Create an [Android (AOSP) device configuration profile](wi-fi-settings-configure.md).
## Basic
@@ -173,6 +173,6 @@ Create an [Android (AOSP) device configuration profile](wi-fi-settings-configure
The profile is created, but might not be doing anything. Be sure to [assign this profile](device-profile-assign.md) and [monitor its status.](device-profile-monitor.md).
-You can also create Wi-Fi profiles for [Android Enterprise](wi-fi-settings-android-enterprise.md), [iOS/iPadOS](wi-fi-settings-ios.md), [macOS](wi-fi-settings-macos.md), and [Windows 10/11](wi-fi-settings-windows.md).
+You can also create Wi-Fi profiles for [Android Enterprise](wi-fi-settings-android-enterprise.md), [iOS/iPadOS](wi-fi-settings-ios.md), [macOS](wi-fi-settings-macos.md), and [Windows](wi-fi-settings-windows.md).
[Troubleshoot common issues with Wi-Fi profiles](/troubleshoot/mem/intune/troubleshoot-wi-fi-profiles#common-issues).
diff --git a/memdocs/intune/configuration/wi-fi-settings-android-enterprise.md b/memdocs/intune/configuration/wi-fi-settings-android-enterprise.md
index 7099467be13..c4fd01fe79d 100644
--- a/memdocs/intune/configuration/wi-fi-settings-android-enterprise.md
+++ b/memdocs/intune/configuration/wi-fi-settings-android-enterprise.md
@@ -320,6 +320,6 @@ Select this option if you're deploying to an Android Enterprise dedicated, corpo
- The profile is created, but might not be doing anything. Be sure to [assign this profile](device-profile-assign.md) and [monitor its status](device-profile-monitor.md).
-- You can also create Wi-Fi profiles for [Android](wi-fi-settings-android.md), [iOS/iPadOS](wi-fi-settings-ios.md), [macOS](wi-fi-settings-macos.md), and [Windows 10](wi-fi-settings-windows.md).
+- You can also create Wi-Fi profiles for [Android](wi-fi-settings-android.md), [iOS/iPadOS](wi-fi-settings-ios.md), [macOS](wi-fi-settings-macos.md), and [Windows](wi-fi-settings-windows.md).
- [Troubleshoot common issues with Wi-Fi profiles](/troubleshoot/mem/intune/troubleshoot-wi-fi-profiles#common-issues).
diff --git a/memdocs/intune/configuration/wi-fi-settings-android.md b/memdocs/intune/configuration/wi-fi-settings-android.md
index f43e2e9fef8..43e4c4d31d9 100644
--- a/memdocs/intune/configuration/wi-fi-settings-android.md
+++ b/memdocs/intune/configuration/wi-fi-settings-android.md
@@ -39,12 +39,11 @@ This feature applies to:
These Wi-Fi settings are separated in to two categories: Basic settings and Enterprise-level settings. This article describes these settings.
- [!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)]
+[!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)]
## Before you begin
-Create an [Android device administrator Wi-Fi device configuration profile](wi-fi-settings-configure.md).
+- Create an [Android device administrator Wi-Fi device configuration profile](wi-fi-settings-configure.md).
## Basic
diff --git a/memdocs/intune/configuration/wi-fi-settings-ios.md b/memdocs/intune/configuration/wi-fi-settings-ios.md
index 46c074dd0ef..5bfa05bcde7 100644
--- a/memdocs/intune/configuration/wi-fi-settings-ios.md
+++ b/memdocs/intune/configuration/wi-fi-settings-ios.md
@@ -175,4 +175,4 @@ This article describes the settings you can configure.
- Be sure to [assign this profile](device-profile-assign.md) and [monitor its status](device-profile-monitor.md).
-- Configure Wi-Fi settings on [Android](wi-fi-settings-android.md), [Android Enterprise](wi-fi-settings-android-enterprise.md), [macOS](wi-fi-settings-macos.md), and [Windows 10](wi-fi-settings-windows.md) devices.
+- Configure Wi-Fi settings on [Android](wi-fi-settings-android.md), [Android Enterprise](wi-fi-settings-android-enterprise.md), [macOS](wi-fi-settings-macos.md), and [Windows](wi-fi-settings-windows.md) devices.
diff --git a/memdocs/intune/configuration/wi-fi-settings-macos.md b/memdocs/intune/configuration/wi-fi-settings-macos.md
index 926aa8e81ff..03de0653506 100644
--- a/memdocs/intune/configuration/wi-fi-settings-macos.md
+++ b/memdocs/intune/configuration/wi-fi-settings-macos.md
@@ -138,4 +138,4 @@ Enterprise profiles use Extensible Authentication Protocol (EAP) to authenticate
## Related articles
- Be sure to [assign the profile](device-profile-assign.md) and [monitor its status](device-profile-monitor.md).
-- Configure Wi-Fi settings on [Android](wi-fi-settings-android.md), [Android Enterprise](wi-fi-settings-android-enterprise.md), [iOS/iPadOS](wi-fi-settings-ios.md), and [Windows 10](wi-fi-settings-windows.md) devices.
+- Configure Wi-Fi settings on [Android](wi-fi-settings-android.md), [Android Enterprise](wi-fi-settings-android-enterprise.md), [iOS/iPadOS](wi-fi-settings-ios.md), and [Windows](wi-fi-settings-windows.md) devices.
diff --git a/memdocs/intune/configuration/windows-health-monitoring.md b/memdocs/intune/configuration/windows-health-monitoring.md
index 5bf1b534761..472c4c9fd90 100644
--- a/memdocs/intune/configuration/windows-health-monitoring.md
+++ b/memdocs/intune/configuration/windows-health-monitoring.md
@@ -53,7 +53,7 @@ This article shows you how to create the profile, and enable the monitoring.
2. Select **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy**.
3. Enter the following properties:
- - **Platform**: Choose **Windows 10 and later**.
+ - **Platform**: Select **Windows 10 and later**.
- **Profile type**: Select **Templates** > **Windows health monitoring**.
> [!NOTE]
diff --git a/memdocs/intune/configuration/wired-network-settings-windows.md b/memdocs/intune/configuration/wired-network-settings-windows.md
index 0bf84b35dbf..f7eefd27989 100644
--- a/memdocs/intune/configuration/wired-network-settings-windows.md
+++ b/memdocs/intune/configuration/wired-network-settings-windows.md
@@ -34,6 +34,11 @@ You can create a profile with specific wired network settings, and then deploy t
This article describes the settings you can configure.
+This feature applies to:
+- Windows 11
+- Windows 10
## Before you begin
- Create a [wired network device configuration profile](wired-networks-configure.md).
diff --git a/memdocs/intune/copilot/media/security-copilot/security-copilot-prompts-icon.png b/memdocs/intune/copilot/media/security-copilot/security-copilot-prompts-icon.png
deleted file mode 100644
index ecc10add959..00000000000
Binary files a/memdocs/intune/copilot/media/security-copilot/security-copilot-prompts-icon.png and /dev/null differ
diff --git a/memdocs/intune/developer/media/app-sdk-ios/intune-app-sdk-ios-copy-bundle-resources.png b/memdocs/intune/developer/media/app-sdk-ios/intune-app-sdk-ios-copy-bundle-resources.png
deleted file mode 100644
index cff5d7e8d4e..00000000000
Binary files a/memdocs/intune/developer/media/app-sdk-ios/intune-app-sdk-ios-copy-bundle-resources.png and /dev/null differ
diff --git a/memdocs/intune/developer/media/app-sdk-ios/intune-app-sdk-ios-weak-link-apple-archive.png.png b/memdocs/intune/developer/media/app-sdk-ios/intune-app-sdk-ios-weak-link-apple-archive.png.png
deleted file mode 100644
index 516376691a2..00000000000
Binary files a/memdocs/intune/developer/media/app-sdk-ios/intune-app-sdk-ios-weak-link-apple-archive.png.png and /dev/null differ
diff --git a/memdocs/intune/enrollment/apple-account-driven-user-enrollment.md b/memdocs/intune/enrollment/apple-account-driven-user-enrollment.md
index f3f1649505d..621d4f8bf0e 100644
--- a/memdocs/intune/enrollment/apple-account-driven-user-enrollment.md
+++ b/memdocs/intune/enrollment/apple-account-driven-user-enrollment.md
@@ -8,7 +8,7 @@ keywords:
author: Lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 07/18/2024
+ms.date: 08/19/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: enrollment
@@ -32,9 +32,6 @@ ms.collection:
# Set up account driven Apple User Enrollment
-> This feature is in public preview. For more information, see [Public preview in Microsoft Intune](../fundamentals/public-preview.md).
Set up account driven Apple User Enrollment for personal devices enrolling in Microsoft Intune. Account driven user enrollment provides a faster and more user-friendly enrollment experience than [user enrollment with Company Portal](apple-user-enrollment-with-company-portal.md). The device user initiates enrollment by signing into their work account in the Settings app. After the user approves device management, the enrollment profile silently installs and Intune policies are applied. Intune uses just-in-time registration and the Microsoft Authenticator app for authentication to reduce the number of times users have to sign in during enrollment and when accessing work apps.
This article describes how to set up account driven Apple User Enrollment in Microsoft Intune. You will:
diff --git a/memdocs/intune/enrollment/connect-intune-android-enterprise.md b/memdocs/intune/enrollment/connect-intune-android-enterprise.md
index 7760a78b779..d65a9f4aad8 100644
--- a/memdocs/intune/enrollment/connect-intune-android-enterprise.md
+++ b/memdocs/intune/enrollment/connect-intune-android-enterprise.md
@@ -1,14 +1,14 @@
# required metadata
-title: Connect Intune account to Managed Google Play account
+title: Connect Intune account to managed Google Play account
titleSuffix: Microsoft Intune
description: Learn how to connect your Intune account to your Managed Google Play account.
author: Lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 07/24/2024
+ms.date: 08/21/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: enrollment
@@ -31,7 +31,7 @@ ms.collection:
- highpri
-# Connect your Intune account to your Managed Google Play account
+# Connect your Intune account to your managed Google Play account
To manage Intune-enrolled devices with any of the supported Android Enterprise management options, you must connect your Microsoft Intune tenant to your managed Google Play account. Available management options include:
@@ -51,46 +51,46 @@ This article describes how to link your accounts in the Microsoft Intune admin c
## Before you begin
-> Beginning July 2024, we recommend using your Microsoft Entra account to connect to Google Play. As a result of recent changes made by Google, you can now link your Microsoft Entra identity account to a Google account, instead of using a personal Gmail account. For more information about these changes, see [Google blog: How we’re making Android Enterprise signup and access to Google services better](https://blog.google/products/android-enterprise/android-enterprise-signup-google-services/). Current Microsoft Intune tenants who have already associated a personal Gmail account with Intune will continue to be supported.
+> As of August 2024, you can link your Microsoft Entra identity account to a Google account, instead of using an enterprise Gmail account. We recommend using your Microsoft Entra account to connect to Google Play. For more information about this change, see [Google blog: How we’re making Android Enterprise signup and access to Google services better](https://blog.google/products/android-enterprise/android-enterprise-signup-google-services/). Current Microsoft Intune tenants who have already associated a Gmail account with Intune will continue to be supported.
-- Confirm Android Enterprise availability in your country or region. For more information, see [Is Android Enterprise available in my country?](https://support.google.com/work/android/answer/6270910)
-- Confirm the Microsoft Entra account you want to use. This account is used to manage the Google Admin account and associated subscriptions, and will be associated with all Android Enterprise management tasks under your Microsoft Intune tenant.
+- Confirm Android Enterprise availability in your country or region. For more information, see [Is Android Enterprise available in my country?](https://support.google.com/work/android/answer/6270910).
+- Confirm the Microsoft Entra account you want to use. This account is used to manage the Google Admin account and associated subscriptions, and will be associated with all Android Enterprise management tasks in your Microsoft Intune tenant.
- Confirm that the Microsoft Entra account has a mailbox set up so that you can complete the validation process required by Google.
## Connect accounts
> [!TIP]
-> Due to interaction between Google and Microsoft domains, this process may require you to adjust your browser settings. Make sure that `portal.azure.com`, `play.google.com`, and `enterprise.google.com` are in the same security zone in your browser.
+> Due to interaction between Google and Microsoft domains, you might need to adjust your browser settings to complete this process. Make sure that `portal.azure.com`, `play.google.com`, and `enterprise.google.com` are in the same security zone in your browser.
Complete these steps to enable Android Enterprise management options in Microsoft Intune.
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Go to **Devices** > **Enrollment**.
3. Select the **Android** tab.
-4. Under **Prerequisites**, choose **Managed Google Play**. If you're using a custom Intune admin role, access to this option requires organization *read* and *update* permissions.
+4. Under **Prerequisites**, choose **Managed Google Play**. If you're using a custom Intune role, access to this option requires organization *read* and *update* permissions.
5. Select **I agree** to grant Microsoft permission to [send user and device information to Google](../protect/data-intune-sends-to-google.md).
-6. Select **Launch Google to connect now** to open the Managed Google Play website. The website opens on a new tab in your browser.
+6. Select **Launch Google to connect now** to open the managed Google Play website. The website opens on a new tab in your browser.
7. On the Google sign-in page, confirm that the prefilled Microsoft Entra account is the account you want to associate with all Android Enterprise management tasks for this tenant.
- > - This account is used to manage the Google Admin account and associated subscriptions, as appropriate. The Microsoft Entra account must have a mailbox set up to complete the validation process required by Google.
- > - We recommend using the Microsoft Entra account you're signed into to create the Google account. After you establish the connection, you can add and remove more administrators, if needed, in the Google admin console.
+ > - This account is used to manage the Google Admin account and associated subscriptions, as appropriate. The Microsoft Entra account must have an active mailbox to complete the validation process required by Google.
+ > - We recommend using the Microsoft Entra account you're signed into to create the Google Admin account. After you establish the connection, you can add and remove more administrators, if needed, in the Google admin console.
8. Follow the onscreen prompts to finish creating a Google Admin account.
9. When prompted, select **Allow and create account** to allow Microsoft Intune to manage your Android Enterprise devices.
> [!TIP]
-> To choose a scope tag for your managed Google Play apps, go to **Tenant administration** > **Connectors and tokens** > **Managed Google Play** in the Microsoft Intune admin center. Then select a scope tag to apply to all newly-approved Managed Google Play apps. You must have the following permissions to interact with this area in the admin center and to remove the selected scope tag. Tenant admins, or admins who are in charge of giving admin permissions to others, can go to **Tenant Administration** > **Roles** to edit permissions.
+> To choose a scope tag for your managed Google Play apps, go to **Tenant administration** > **Connectors and tokens** > **Managed Google Play** in the Microsoft Intune admin center. Then select a scope tag to apply to all newly-approved managed Google Play apps. You must have the following permissions to interact with this area in the admin center and to remove the selected scope tag. Tenant admins, or admins who are in charge of giving admin permissions to others, can go to **Tenant Administration** > **Roles** to edit permissions.
> - Android Sync - Read
> - Android Sync – UpdateOnBoarding
-## Disconnect your Android Enterprise administrative account
+## Disconnect your Android Enterprise administrative account
-You can turn off Android Enterprise enrollment and management by following these steps:
+You can disconnect the link between Microsoft Intune and Google in the admin center. Disconnecting the account disables Android Enterprise device management for your tenant.
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) with your Intune administrator account.
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) with an Intune Administrator account.
2. [Retire](../remote-actions/devices-wipe.md#retire) all of the following devices:
- Android Enterprise personally owned work profile devices
- Android Enterprise corporate-owned work profile devices
@@ -104,7 +104,7 @@ You can turn off Android Enterprise enrollment and management by following these
## Next steps
-After you connect to the Managed Google Play account, you can set up Microsoft Intune for these Android Enterprise scenarios:
+After you connect to a managed Google Play account, you can set up Microsoft Intune for these Android Enterprise scenarios:
- [Personally owned work profile devices](android-work-profile-enroll.md).
- [Corporate-owned work profile devices](android-corporate-owned-work-profile-enroll.md).
- [Dedicated devices](android-kiosk-enroll.md).
diff --git a/memdocs/intune/enrollment/ios-user-enrollment-supported-actions.md b/memdocs/intune/enrollment/ios-user-enrollment-supported-actions.md
index 1a5c3ab0052..c5701e52ea8 100644
--- a/memdocs/intune/enrollment/ios-user-enrollment-supported-actions.md
+++ b/memdocs/intune/enrollment/ios-user-enrollment-supported-actions.md
@@ -8,7 +8,7 @@ keywords:
author: Lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 07/18/2024
+ms.date: 08/19/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: enrollment
@@ -34,10 +34,7 @@ You can utilize Apple User Enrollment to enroll and manage user-owned iOS/iPadOS
This article provides an overview of the Apple User Enrollment features and functionality supported by Microsoft Intune.
-## Apple User Enrollment methods
-> The account driven user enrollment feature is in public preview. For more information, see [Public preview in Microsoft Intune](../fundamentals/public-preview.md).
+## Apple User Enrollment methods
Microsoft Intune supports account driven Apple User Enrollment and Apple User Enrollment with Company Portal.
diff --git a/memdocs/intune/enrollment/media/apple-configurator-enroll-ios/apple-configurator.png b/memdocs/intune/enrollment/media/apple-configurator-enroll-ios/apple-configurator.png
deleted file mode 100644
index def11aed54d..00000000000
Binary files a/memdocs/intune/enrollment/media/apple-configurator-enroll-ios/apple-configurator.png and /dev/null differ
diff --git a/memdocs/intune/enrollment/media/apple-school-manager-set-up-ios/asm-device-assignment.png b/memdocs/intune/enrollment/media/apple-school-manager-set-up-ios/asm-device-assignment.png
deleted file mode 100644
index e8d7261418c..00000000000
Binary files a/memdocs/intune/enrollment/media/apple-school-manager-set-up-ios/asm-device-assignment.png and /dev/null differ
diff --git a/memdocs/intune/enrollment/media/apple-school-manager-set-up-ios/asm-server-assignment.png b/memdocs/intune/enrollment/media/apple-school-manager-set-up-ios/asm-server-assignment.png
deleted file mode 100644
index e4ed2525482..00000000000
Binary files a/memdocs/intune/enrollment/media/apple-school-manager-set-up-ios/asm-server-assignment.png and /dev/null differ
diff --git a/memdocs/intune/enrollment/media/apple-school-manager-set-up-ios/authenticatewithcompanyportal.png b/memdocs/intune/enrollment/media/apple-school-manager-set-up-ios/authenticatewithcompanyportal.png
deleted file mode 100644
index ee07548d826..00000000000
Binary files a/memdocs/intune/enrollment/media/apple-school-manager-set-up-ios/authenticatewithcompanyportal.png and /dev/null differ
diff --git a/memdocs/intune/enrollment/media/apple-school-manager-set-up-ios/image01.png b/memdocs/intune/enrollment/media/apple-school-manager-set-up-ios/image01.png
deleted file mode 100644
index d5a37c988c4..00000000000
Binary files a/memdocs/intune/enrollment/media/apple-school-manager-set-up-ios/image01.png and /dev/null differ
diff --git a/memdocs/intune/enrollment/media/apple-school-manager-set-up-ios/image02.png b/memdocs/intune/enrollment/media/apple-school-manager-set-up-ios/image02.png
deleted file mode 100644
index a0662db90ef..00000000000
Binary files a/memdocs/intune/enrollment/media/apple-school-manager-set-up-ios/image02.png and /dev/null differ
diff --git a/memdocs/intune/enrollment/media/apple-school-manager-set-up-ios/setupassistantcustom.png b/memdocs/intune/enrollment/media/apple-school-manager-set-up-ios/setupassistantcustom.png
deleted file mode 100644
index 64ad008266e..00000000000
Binary files a/memdocs/intune/enrollment/media/apple-school-manager-set-up-ios/setupassistantcustom.png and /dev/null differ
diff --git a/memdocs/intune/enrollment/media/connect-intune-android-enterprise/android-work-bind.png b/memdocs/intune/enrollment/media/connect-intune-android-enterprise/android-work-bind.png
deleted file mode 100644
index 2a5c7df75b5..00000000000
Binary files a/memdocs/intune/enrollment/media/connect-intune-android-enterprise/android-work-bind.png and /dev/null differ
diff --git a/memdocs/intune/enrollment/media/device-enrollment-program-enroll-ios/ios-enroll.png b/memdocs/intune/enrollment/media/device-enrollment-program-enroll-ios/ios-enroll.png
deleted file mode 100644
index f4c9c7f72ea..00000000000
Binary files a/memdocs/intune/enrollment/media/device-enrollment-program-enroll-ios/ios-enroll.png and /dev/null differ
diff --git a/memdocs/intune/enrollment/media/enrollment-autopilot/autopilot-import-device.png b/memdocs/intune/enrollment/media/enrollment-autopilot/autopilot-import-device.png
deleted file mode 100644
index 1f405fe6655..00000000000
Binary files a/memdocs/intune/enrollment/media/enrollment-autopilot/autopilot-import-device.png and /dev/null differ
diff --git a/memdocs/intune/enrollment/media/windows-enroll/auto-enroll-azure-select.png b/memdocs/intune/enrollment/media/windows-enroll/auto-enroll-azure-select.png
deleted file mode 100644
index 70ad6c2396f..00000000000
Binary files a/memdocs/intune/enrollment/media/windows-enroll/auto-enroll-azure-select.png and /dev/null differ
diff --git a/memdocs/intune/enrollment/windows-bulk-enroll.md b/memdocs/intune/enrollment/windows-bulk-enroll.md
index 0fa6aa875ba..ae7609b6284 100644
--- a/memdocs/intune/enrollment/windows-bulk-enroll.md
+++ b/memdocs/intune/enrollment/windows-bulk-enroll.md
@@ -6,7 +6,7 @@ keywords:
author: Lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 04/02/2024
+ms.date: 08/22/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: enrollment
@@ -61,32 +61,32 @@ Additionally, ensure that the service principal for Microsoft.Azure.SyncFabric (
1. Install [Windows Configuration Designer (WCD)](https://www.microsoft.com/p/windows-configuration-designer/9nblggh4tx22) from the Microsoft Store.
1. Open the **Windows Configuration Designer** app and select **Provision desktop devices**.
1. A **New project** window opens where you specify the following information:
- **Name** - A name for your project
- **Project folder** - Save location for the project
- **Description** - An optional description of the project

-1. Enter a unique name for your devices. Names can include a serial number (%SERIAL%) or a random set of characters. Optionally, you can also enter a product key if you are upgrading the edition of Windows, configure the device for shared use, and remove pre-installed software.
+1. Enter a unique name for your devices. Names can include a serial number (%SERIAL%) or a random set of characters. Optionally, you can also enter a product key if you are upgrading the edition of Windows, configure the device for shared use, and remove pre-installed software.
1. Optionally, you can configure the Wi-Fi network devices connect to when they first start. If the network devices aren't configured, a wired network connection is required when the device is first started.
1. Select **Enroll in Azure AD**, enter a **Bulk Token Expiry** date, and then select **Get Bulk Token**. The token validity period is 180 days.
> [!NOTE]
> Once a provisioning package is created, it can be revoked before its expiration by removing the associated package_{GUID} user account from Microsoft Entra ID.
1. Provide your Microsoft Entra credentials to get a bulk token.
> [!NOTE]
- > The account used to request the bulk token must be included in the [MDM user scope](windows-enroll.md#enable-windows-automatic-enrollment) that is specified in Microsoft Entra ID. If this account is removed from a group that is tied to the MDM user scope, bulk enrollment will stop working.
+ > - The account you use to request the bulk token must be included in the [MDM user scope](windows-enroll.md#enable-windows-automatic-enrollment) in Microsoft Entra ID. If you remove this account from a group that's tied to the MDM user scope, bulk enrollment will stop working.
+ > - Bulk token retrieval does not work for federated user accounts enabled for staged rollouts.
1. In the **Stay signed in to all your apps** page, select **No, sign in to this app only**. If you keep the check box selected and press OK, the device you are using will become managed by your organization. If you do not intend for your device to be managed, make sure to select **No, sign in to this app only**.
1. Click **Next** when **Bulk Token** is fetched successfully.
@@ -94,7 +94,7 @@ Additionally, ensure that the service principal for Microsoft.Azure.SyncFabric (
1. Optionally, you can **Add applications** and **Add certificates**. These apps and certificates are provisioned on the device.
1. Optionally, you can password protect your provisioning package. Click **Create**.
## Provision devices
@@ -106,8 +106,8 @@ Additionally, ensure that the service principal for Microsoft.Azure.SyncFabric (
For step-by-step instruction on applying a provisioning package, see [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package).
-3. After you apply the package, the device will automatically restart in one minute.
+1. After you apply the package, the device will automatically restart in one minute.
4. When the device restarts, it connects to the Microsoft Entra ID and enrolls in Microsoft Intune.
diff --git a/memdocs/intune/fundamentals/azure-virtual-desktop-multi-session.md b/memdocs/intune/fundamentals/azure-virtual-desktop-multi-session.md
index 8a640685328..9c207d54018 100644
--- a/memdocs/intune/fundamentals/azure-virtual-desktop-multi-session.md
+++ b/memdocs/intune/fundamentals/azure-virtual-desktop-multi-session.md
@@ -137,6 +137,8 @@ Windows 10 or Windows 11 Administrative Templates are supported for Windows 10 o
- ADMX-backed policies are supported. Some policies aren't yet available in the Settings catalog.
- ADMX-ingested policies are supported, including Office and Microsoft Edge settings available in Office administrative template files and Microsoft Edge administrative template files. For a complete list of ADMX-ingested policy categories, see [Win32 and Desktop Bridge app policy configuration](/windows/client-management/mdm/win32-and-centennial-app-policy-configuration#overview). Some ADMX ingested settings won't be applicable to Windows 10 or Windows 11 Enterprise multi-session.
+To list supported Administrative Templates, you'll need to use the filter in Settings catalog.
## Compliance and Conditional access
You can secure your Windows 10 or Windows 11 Enterprise multi-session VMs by configuring compliance policies and Conditional Access policies in the Microsoft Intune admin center. The following compliance policies are supported on Windows 10 or Windows 11 Enterprise multi-session VMs:
@@ -256,7 +258,7 @@ The following sections provide troubleshooting guidance for common issues.
Configuration policy reports as Not applicable|Some policies aren't applicable to Azure Virtual Desktop VMs.|
|Microsoft Edge/Microsoft Office ADMX policy doesn't show up when I apply the filter for Windows 10 or Windows 11 Enterprise multi-session edition|Applicability for these settings isn't based on the Windows version or edition but on whether those apps have been installed on the device. To add these settings to your policy, you may have to remove any filters applied in the settings picker.|
|App configured to install in system context didn't apply|Confirm the app doesn't have a dependency or supersedence relationship on any apps configured to install in user context. User context apps aren't currently supported on Windows 10 or Windows 11 Enterprise multi-session.|
-|Update rings for Windows 10 and later policy didn't apply|Windows update rings policies aren't currently supported.|
+|Update rings for Windows 10 and later policy didn't apply|Windows update rings policies aren't currently supported. Quality updates can be managed via settings available in the [settings catalog](../configuration/settings-catalog.md).|
## Next steps
diff --git a/memdocs/intune/fundamentals/china.md b/memdocs/intune/fundamentals/china.md
index b9c8e4c1821..d9e6afa6738 100644
--- a/memdocs/intune/fundamentals/china.md
+++ b/memdocs/intune/fundamentals/china.md
@@ -8,7 +8,7 @@ keywords:
author: Smritib17
ms.author: smbhardwaj
manager: dougeby
-ms.date: 08/23/2022
+ms.date: 08/21/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: fundamentals
@@ -31,7 +31,7 @@ ms.collection:
- government
-# Intune operated by 21Vianet in China
+# Intune operated by 21Vianet in China
Intune operated by 21Vianet is designed to meet the needs for secure, reliable, and scalable cloud services in China. Intune as a service is built on top of Microsoft Azure. Microsoft Azure operated by 21Vianet is a physically separated instance of cloud services located in China. It's independently operated and transacted by 21Vianet. This service is powered by technology that Microsoft has licensed to 21Vianet.
@@ -41,7 +41,7 @@ Microsoft doesn't operate the service itself. 21Vianet operates, provides, and m
## Feature differences in Intune operated by 21Vianet
-Because the China services are operated by a partner from inside China, there are some feature differences with Intune.
+Because the China services are operated by a partner from inside China, there are some feature differences with Intune.
- Intune operated by 21Vianet only supports standalone deployments. Customers can use co-management to attach their existing Configuration Manager deployment to the Microsoft Intune cloud.
- Migrations from public clouds to sovereign clouds aren't supported. Customers interested in moving to Intune operated by 21Vianet must migrate manually.
@@ -50,29 +50,31 @@ Because the China services are operated by a partner from inside China, there ar
- Management of Windows 10 is supported by using the modern MDM channel.
- Intune operated by 21Vianet doesn't support on-premises Exchange Connector.
- Windows Autopilot and Business Store features aren't currently available.
-- Intune operated by 21Vianet supports the Microsoft Store app (legacy) with Available assignment. You can deploy the Company Portal for Windows from the Download Center. Download the Microsoft Intune Company Portal for Windows from the Official [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=105219) and deploy it via the LOB required app as a workaround.
+- Intune operated by 21Vianet supports the Company Portal for Windows app. Use WinGet to download the Company portal package and dependencies and then deploy as a Line-of-Business app via Intune. [Use the WinGet tool to install and manage applications](/windows/package-manager/winget/).
- Microsoft Intune Endpoint Analytics and Log Analytics features aren't currently available.
- Because Google Mobile Services isn't available in China, customers in Intune operated by 21Vianet can't use features that require Google Mobile Services. These features include:
- Google Play Protect capabilities such as Play integrity verdict.
- Managing apps from the Google Play Store.
- Android Enterprise capabilities. For more information, see this [Google documentation](https://support.google.com/work/android/answer/6270910?hl=en).
-- The Intune Company Portal app for Android uses Google Mobile Services to communicate with the Microsoft Intune service. Because Google Play services isn't available in China, some tasks can require up to 8 hours to finish. For more information, see this [article](../apps/manage-without-gms.md#limitations-of-intune-management-when-gms-is-unavailable).
+- The Intune Company Portal app for Android uses Google Mobile Services to communicate with the Microsoft Intune service. Because Google Play services isn't available in China, some tasks can require up to 8 hours to finish. For more information, see this [article](../apps/manage-without-gms.md#limitations-of-intune-management-when-gms-is-unavailable).
- To follow local regulations and provide improved functionality, the Intune client experience (Company Portal app) may differ in China.
- Fencing isn't available.
- Mobile Application Management (MAM) availability is conditional on those apps being available in People's Republic of China.
-- Intune operated by 21Vianet doesn't support Android (AOSP) management for corporate devices.
-- Intune operated by 21Vianet doesn't support Mobile Threat Defense (MTD) connector for Android and iOS devices with MTD vendors.
+- Mobile Threat Defense (MTD) connectors for Android and iOS/iPadOS devices are supported for the MTD partners that also support the 21Vianet environment. When you sign in to a 21Vianet tenant, you will see the connectors that are available in that environment.
+- Intune operated by 21Vianet doesn't support Android (AOSP) management for corporate devices.
- Intune operated by 21Vianet doesn't support partner device management integration with Jamf for macOS devices.
## You control customer data
In Microsoft Azure, Intune, Microsoft 365, and Power BI operated by 21Vianet, you have full control of your data:
- You know where customer data is located.
- You control access to your customer data.
- You control your customer data if you leave the service.
- You have options to control the security of your customer data.
With Microsoft Azure, Intune, Microsoft 365, and Power BI operated by 21Vianet, you’re the owner of your data:
- 21Vianet doesn’t use customer data for advertising.
- You control who has access to your customer data.
- We use logical isolation to segregate each customer’s data.
@@ -88,4 +90,4 @@ The Tenant Administrator role for Intune operated by 21Vianet can request data f
## Next steps
-[Learn more about Intune supported configurations](supported-devices-browsers.md)
+[Learn more about Intune supported configurations](supported-devices-browsers.md)
\ No newline at end of file
diff --git a/memdocs/intune/fundamentals/cloud-configuration-setup-guide.md b/memdocs/intune/fundamentals/cloud-configuration-setup-guide.md
index 5ba12bedd29..f1c0a8d5e7c 100644
--- a/memdocs/intune/fundamentals/cloud-configuration-setup-guide.md
+++ b/memdocs/intune/fundamentals/cloud-configuration-setup-guide.md
@@ -105,7 +105,7 @@ In this step, you enable MDM automatic enrollment in Intune and configure how de
If you already use Windows Autopilot, then skip this step, and go to [Step 3 - Deploy a script to configure Known Folder Move and remove built-in apps](#step-3---configure-onedrive-known-folder-move-and-deploy-a-script-to-remove-built-in-apps) (in this article).
-### ✔️ 1 - Enable automatic enrollment
+### ✅ 1 - Enable automatic enrollment
Enable automatic enrollment for the organization users that you want to use cloud config. Automatic enrollment is required for cloud config. For more information on automatic enrollment, go to [Enrollment guide - Windows automatic enrollment](../fundamentals/deployment-guide-enrollment-windows.md#windows-automatic-enrollment).
@@ -119,7 +119,7 @@ Enable automatic enrollment for the organization users that you want to use clou
4. Don't configure the MAM user scope, MAM terms of user URL, MDM discovery URL, and MAM compliance URL settings. Leave these settings blank. MAM settings aren't configured for cloud config.
5. Select **Save** to save your changes.
-### ✔️ 2 - Choose how devices enroll and configure users to be standard users on devices
+### ✅ 2 - Choose how devices enroll and configure users to be standard users on devices
After Windows automatic enrollment is enabled in Intune, the next step is to determine how devices enroll in Intune. When they enroll, they're available to receive your cloud config policies. You also need to configure users to be standard users on their devices. Standard users can only install apps that your organization approves.
@@ -238,7 +238,7 @@ When you configure OneDrive **Known Folder Move**, user files and data are autom
This step helps simplify the Windows user experience.
-### ✔️ 1 - Configure OneDrive Known Folder Move with an Administrative Template
+### ✅ 1 - Configure OneDrive Known Folder Move with an Administrative Template
With **Known Folder Move**, users data (files and folders) is saved to OneDrive. When users sign in to another device, OneDrive automatically synchronizes the data to the new device. Users don't have to manually move their files.
@@ -265,7 +265,7 @@ To configure **Known Folder Move**, use an ADMX template in Intune:
7. Assign the profile to the group you created in [Step 1 - Create a Microsoft Entra group](#step-1---create-a-microsoft-entra-group) (in this article).
-### ✔️ 2 - Deploy a script to remove built-in apps
+### ✅ 2 - Deploy a script to remove built-in apps
Microsoft created a Windows PowerShell script that:
@@ -321,13 +321,13 @@ To prevent these outside apps, use the following steps:
This step deploys Microsoft Edge and Microsoft Teams. You can deploy other essential apps in this step. Remember, only deploy what users need.
-### ✔️ 1 - Deploy Microsoft Edge
+### ✅ 1 - Deploy Microsoft Edge
1. [Add Microsoft Edge to Intune](../apps/apps-windows-edge.md).
2. For **App settings**, select the **Stable Channel**.
3. Assign the Microsoft Edge app to the group you created in [Step 1 - Create a Microsoft Entra group](#step-1---create-a-microsoft-entra-group) (in this article).
-### ✔️ 2- Deploy Microsoft Teams
+### ✅ 2- Deploy Microsoft Teams
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Apps** > **Windows**.
@@ -364,7 +364,7 @@ This step deploys Microsoft Edge and Microsoft Teams. You can deploy other essen
This step configures endpoint security settings to help keep devices secure, including the built-in Windows security baseline and BitLocker settings.
-### ✔️ 1 - Deploy the Windows 10/11 MDM security baseline
+### ✅ 1 - Deploy the Windows 10/11 MDM security baseline
For Windows in cloud configuration, it's recommended to use the Windows 10/11 [security baseline](/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines). There are some setting values you can change based on your organization's preference.
@@ -387,7 +387,7 @@ Configure the security baseline in Intune:
6. In **Assignments**, select the group that you created in [Step 1 - Create a Microsoft Entra group](#step-1---create-a-microsoft-entra-group) (in this article).
7. Select **Create** to create and assign the baseline.
-### ✔️ 2 - Deploy more BitLocker settings with a drive encryption endpoint security profile
+### ✅ 2 - Deploy more BitLocker settings with a drive encryption endpoint security profile
There are more BitLocker settings that help keep your devices secure. Configure these BitLocker settings in Intune:
@@ -501,7 +501,7 @@ Create the compliance policy in Intune:
There are optional policies you can create and deploy with your cloud config. This section describes these optional policies.
-### ✔️ Configure a tenant domain name
+### ✅ Configure a tenant domain name
Configure devices to automatically use your tenant's domain name for user sign-ins. When you add a domain name, users don't have to type their full UPN to sign in.
@@ -515,7 +515,7 @@ Add the tenant domain name in Intune:
6. In **Configuration settings**, for **Password**, configure the **Preferred Microsoft Entra tenant domain**. Enter the Microsoft Entra domain name that users should use to sign in to devices.
7. Assign the profile to the group you created in [Step 1 - Create a Microsoft Entra group](#step-1---create-a-microsoft-entra-group) (in this article).
-### ✔️ Deploy other essential productivity and line of business (LOB) apps
+### ✅ Deploy other essential productivity and line of business (LOB) apps
You might have a few essential LOB apps that all devices need. Choose a minimum number of these apps to deploy. If you deliver apps using a virtualization solution, then also deploy the virtualization client app to devices.
@@ -525,19 +525,19 @@ You might need specific LOB apps on some of your devices. Or, there might be som
Cloud config is recommended for devices that need just a few key apps, along with collaboration and browsing.
-### ✔️ Deploy resources that users need for organization access
+### ✅ Deploy resources that users need for organization access
Configure essential resources that users might need, which depends on your organization's processes. Essential resources can include certificates, printers, VPN connections, and Wi-Fi profiles.
In Intune, assign these resources to the group you created in [Step 1 - Create a Microsoft Entra group](#step-1---create-a-microsoft-entra-group) (in this article).
-### ✔️ Configure recommended settings for OneDrive Known Folder Move
+### ✅ Configure recommended settings for OneDrive Known Folder Move
There are more settings that improve the user experience for OneDrive **Known Folder Move**. The settings aren't required for **Known Folder Move** to work but are helpful.
For more information on these settings, go to [OneDrive settings recommended for Known Folder Move](/sharepoint/ideal-state-configuration).
-### ✔️ Configure recommended Microsoft Edge settings
+### ✅ Configure recommended Microsoft Edge settings
There are some Microsoft Edge app settings that can be configured for a better user experience. You can configure these settings based on requirements or preference for the end user experience.
diff --git a/memdocs/intune/fundamentals/cloud-configuration.md b/memdocs/intune/fundamentals/cloud-configuration.md
index 69f0ef4b43b..f6fb7652d91 100644
--- a/memdocs/intune/fundamentals/cloud-configuration.md
+++ b/memdocs/intune/fundamentals/cloud-configuration.md
@@ -7,7 +7,7 @@ keywords:
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 10/19/2023
+ms.date: 08/19/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: fundamentals
@@ -34,18 +34,18 @@ ms.collection:
Windows 10/11 in cloud configuration is a Microsoft-recommended device configuration. You can turn any Windows 10/11 Professional, Enterprise, and Education device into a cloud-optimized device.
-It's ideal for:
+Cloud configuration is ideal for:
-- Frontline workers
+- Frontline workers (FLW)
- Remote workers
-- Other users with focused workflow needs, like productivity and browsing
+- Users with focused workflow needs, like productivity and browsing
Cloud config makes these devices easy to use, and secures these devices with Microsoft-recommended security features.
There are two ways to deploy cloud config:
- **Option 1 - Automatic** (this article): Use the guided scenario described in this article to automatically create all the groups and policies with their configured values.
-- **Option 2 - Manual**: Use a step-by-step setup guide to deploy cloud config yourself, including manually creating all the policies. For more information on this option, go to [Windows client cloud config setup guide](cloud-configuration-setup-guide.md).
+- **Option 2 - Manual**: Use a step-by-step setup guide to deploy cloud config yourself, including manually creating all the policies. For information on this option, go to [Windows client cloud config setup guide](cloud-configuration-setup-guide.md).
With Windows 10/11 in cloud configuration:
@@ -59,67 +59,70 @@ With Windows 10/11 in cloud configuration:
## What this guided scenario does
-Using Microsoft Intune, you can use a guided scenario to deploy a cloud configuration. The guided scenario automatically creates all the resources you need, including the following resources:
+Using Microsoft Intune, you can use a guided scenario to deploy a cloud configuration. The guided scenario automatically creates all the resources you need, including:
- Creates a new Microsoft Entra security group, or uses an existing Microsoft Entra security group.
-- Deploys the Microsoft Edge and Microsoft Teams apps. For more information on deploying these apps individually, go to:
+- Deploys the Microsoft Edge and Microsoft Teams apps. For information on deploying these apps individually, go to:
- [Add Microsoft Edge for Windows 10/11](../apps/apps-windows-edge.md)
- [Add Microsoft 365 apps to Windows 10/11 devices](../apps/apps-add-office365.md)
- Creates a Windows 10/11 security baseline policy with recommended security settings that are already configured.
- For more information about security baselines, and what they do, go to [Use security baselines to configure Windows client devices](../protect/security-baselines.md).
+ For information about security baselines, and what they do, go to [Use security baselines to configure Windows client devices](../protect/security-baselines.md).
- Creates a Windows Autopilot enrollment profile that automatically enrolls devices in Microsoft Intune.
- For more information on creating your own Windows Autopilot profile, go to [Configure Autopilot profiles](/autopilot/profiles).
+ For information on creating your own Windows Autopilot profile, go to [Configure Autopilot profiles](/autopilot/profiles).
- Turns on and configures the Windows Autopilot enrollment status page (ESP). This page shows users the enrollment progress.
- For more information about the ESP, go to [Set up the Enrollment Status Page](../enrollment/windows-enrollment-status.md).
+ For information about the ESP, go to [Set up the Enrollment Status Page](../enrollment/windows-enrollment-status.md).
- Creates an administrative template that configures OneDrive with the Known Folder Move settings. With these settings, user files and data are automatically saved in OneDrive.
For information on this setting, go to [Redirect and move Windows known folders](/onedrive/redirect-known-folders).
-- Creates an administrative template that configures some SmartScreen settings in the Microsoft Edge app. For more information on creating your own profile, go to [Configure Microsoft Edge policy settings](../configuration/administrative-templates-configure-edge.md).
+- Creates an administrative template that configures some SmartScreen settings in the Microsoft Edge app. For information on creating your own profile, go to [Configure Microsoft Edge policy settings](../configuration/administrative-templates-configure-edge.md).
-- Creates a compliance policy that monitors compliance and health. Users are allowed to use noncompliant devices, and access resources. If your organization blocks access to non-compliant devices, then create another compliance policy that blocks access, and assign it to the same group.
+- Creates a compliance policy that monitors compliance and health. Users are allowed to use noncompliant devices, and access resources. If your organization blocks access to noncompliant devices, then create another compliance policy that blocks access, and assign it to the same group.
- For more information on the compliance settings you can configure on your own, go to [Windows client settings to mark devices as compliant or not compliant](../protect/compliance-policy-create-windows.md).
+ For information on the compliance settings you can configure on your own, go to [Windows client settings to mark devices as compliant or not compliant](../protect/compliance-policy-create-windows.md).
- Deploys a Windows PowerShell script that removes built-in apps, and simplifies the Start menu.
- For more information about PowerShell scripts in Intune, go to [Use PowerShell scripts on Windows client devices](../apps/intune-management-extension.md).
+ For information about PowerShell scripts in Intune, go to [Use PowerShell scripts on Windows client devices](../apps/intune-management-extension.md).
- Creates a Windows client update ring policy. This policy automatically updates the devices, including product updates, drivers, and Windows updates.
- For more information about update rings, and creating your policy, go to [Update rings for Windows client devices](../protect/windows-10-update-rings.md).
+ For information about update rings, and creating your policy, go to [Update rings for Windows client devices](../protect/windows-10-update-rings.md).
> [!TIP]
-> This guided scenario creates all these resources for you, automatically. If you want create your own individual resources, and not use the guided scenario, then you can. For the specific steps, go to the [cloud config overview and setup guide](https://aka.ms/CloudConfigGuide).
+> This guided scenario creates all these resources for you, automatically. If you want create your own individual resources, and not use the guided scenario, you can. For the steps, go to the [cloud config overview and setup guide](https://aka.ms/CloudConfigGuide).
## Prerequisites
-- At a minimum, the account creating the guided scenario must have the following licenses:
+- Confirm your licenses. At a minimum, the account creating the guided scenario must have the following licenses:
- Microsoft Entra ID P1
- Microsoft Intune
- Microsoft Teams
- - OneDrive for Business
+ - OneDrive
- Windows 10 Pro
- Windows 11 Pro
- All of these services are included with the Microsoft 365 E3 license. For more security options and features, it's recommended to use the Microsoft 365 E5 license. To help decide which license is right for your organization, go to [Transform your enterprise with Microsoft 365](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).
+ All of these services are included with the Microsoft 365 E3 license. For more security options and features, use the Microsoft 365 E5 license. To help decide which license is right for your organization, go to [Transform your enterprise with Microsoft 365](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).
- [Set the MDM authority to Intune](mdm-authority-set.md). The mobile device management (MDM) authority setting determines how you manage your devices. As an IT admin, you must set an MDM authority before users can enroll devices for management.
-- Enable automatic enrollment for Windows client devices. For more information, go to:
+- Enable automatic enrollment for Windows client devices. For information, go to:
- [Quickstart: Set up automatic enrollment for Windows client devices](../enrollment/quickstart-setup-auto-enrollment.md)
- [Enable Windows 10/11 automatic enrollment](../enrollment/windows-enroll.md#enable-windows-automatic-enrollment)
-- Sign in as the Intune Service Administrator, also known as the Intune Administrator. For more information on the roles in Intune, go to [Role-based access control (RBAC) with Microsoft Intune](role-based-access-control.md).
+- Sign in as the Intune Service Administrator Microsoft Entra role, also known as the Intune Administrator. For information on the roles that affect Intune, go to:
+ - [Intune Administrator - Microsoft Entra built-in role](/entra/identity/role-based-access-control/permissions-reference#intune-administrator)
+ - [Role-based access control (RBAC) with Microsoft Intune](role-based-access-control.md)
## Step 1 - Introduction
@@ -127,7 +130,7 @@ Open the guided scenario:
1. Open the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Troubleshooting + support** > **Guided scenarios** > **Deploy Windows 10 and later in cloud configuration** > **Start**.
-3. Select **Next**.
+3. In **Introduction**, select **Next**.
## Step 2 - Basics
@@ -147,17 +150,22 @@ Choose how your devices are named when they enroll, and choose the prefix of all
- **Resource name prefix**: When you deploy the guided scenario, several resources are automatically created. To distinguish the items used in this deployment, add a prefix:
- - **Enter a resource prefix name**: Enter some text that will be at the beginning of the items created. For example, enter `Windows cloud config`. All resources created will be named something like **Windows cloud config Autopilot profile**, or **Windows cloud config compliance policy**.
+ - **Enter a resource prefix name**: Enter some text that will be at the beginning of the items created. For example, enter `Windows cloud config`. All resources created are named something like **Windows cloud config Autopilot profile**, or **Windows cloud config compliance policy**.
+- **Resources to be created**: Select the default file format for the resources created by this guided scenario. Your options:
+ - **Office Open Document**: Creates the resources in Office Open Document format (ODF).
+ - **Office Open XML**: Creates the resources in Office Open XML format, which is typically the recommended format.
Your settings look similar to the following image:
- :::image type="content" source="./media/cloud-configuration/guided-scenario-basics.png" alt-text="Screenshot that shows how to configure the device name template and resource name prefix in a Windows 10/11 cloud configuration guided scenario in Microsoft Intune.":::
+ :::image type="content" source="./media/cloud-configuration/guided-scenario-basics.png" alt-text="Screenshot that shows how to configure the device name template and resource name prefix in a Windows 10/11 cloud configuration guided scenario in Microsoft Intune." lightbox="./media/cloud-configuration/guided-scenario-basics.png":::
- Select **Next**.
## Step 3 - Apps
-Select the apps you want to deploy to devices. Microsoft recommends deploying the smallest number of apps as possible. The idea is to keep your cloud config devices simple, and easy to manage.
+Select the apps you want to deploy to devices. Microsoft recommends you deploy the smallest number of apps as possible. The idea is to keep your cloud config devices simple, and easy to manage.
- **Cloud config defaults**: This guided scenario automatically includes the Microsoft Edge and Microsoft Teams apps. They can't be removed when creating the guided scenario. You can delete or uninstall these apps after the guided scenario finishes.
@@ -166,15 +174,15 @@ Select the apps you want to deploy to devices. Microsoft recommends deploying th
- **Select additional M365 apps (optional)**: From the list, add other Microsoft 365 apps that you want on the devices. Remember, keep the list small, and only include apps your users need. The idea is to keep the devices simple.
> [!TIP]
- > To add apps not listed, or add line-of-business apps, complete this guided scenario. Then, in the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apps**, and create a policy. Deploy the app policy to the same group that you deployed this cloud config guided scenario. For more information on adding apps, go to [Add apps to Microsoft Intune](../apps/apps-add.md).
+ > To add apps not listed, or add line-of-business apps, complete this guided scenario. Then, in the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apps**, and create a policy. Deploy the app policy to the same group that you deployed this cloud config guided scenario. For information on adding apps, go to [Add apps to Microsoft Intune](../apps/apps-add.md).
- Select **Next**.
## Step 4 - Assignments
-Select the groups that will receive this guided scenario, and all the resources it creates.
+Select the groups that should receive this guided scenario, and all the resources it creates.
-- **Create new group**: Creates a new group, and deploys the guided scenario policies to this group. As devices are added to this group, they'll start to receive this guided scenario.
+- **Create new group**: Creates a new group, and deploys the guided scenario policies to this group. As devices are added to this group, they receive this guided scenario.
- **Group name**: Enter the group name. For example, enter `Cloud configured devices`.
- **Choose an existing group**: Select an existing group. You guided scenario policies are deployed to this group.
@@ -204,7 +212,7 @@ When it deploys successfully, you can use the monitoring and reporting features
## What you need to know
-- You can complete the guided scenario before there are any devices in the group. When devices are added to the group, and have internet access, then they'll automatically start receiving the policies in this guided scenario.
+- You can complete the guided scenario before there are any devices in the group. When devices are added to the group, and have internet access, then they automatically start receiving the policies in this guided scenario.
You can also:
@@ -218,7 +226,7 @@ When it deploys successfully, you can use the monitoring and reporting features
- After the guided scenario is deployed, you can go to a policy, and see the settings and their configured values. You can change any of these settings to another value, if you like.
- To remove the guided scenario settings from devices, go to each policy created by the cloud config guided scenario. Configure the settings to **Not Configured**. Deploy each policy again to the same group as this guided scenario.
- The next time the device checks in, the setting is no longer locked. Then, the setting can be changed by another policy, and possibly the end user. It's possible the setting might have the same value set by the guided scenario.
+ The next time the device checks in, the setting is no longer locked. Then, another policy or possibly the end can change the setting. It's possible the setting might have the same value set by the guided scenario.
Now, you can delete the individual items created by this guided scenario, including apps, policies, the Windows PowerShell script, and the group.
diff --git a/memdocs/intune/fundamentals/create-custom-role.md b/memdocs/intune/fundamentals/create-custom-role.md
index 3acde65e365..5ac5b597eb8 100644
--- a/memdocs/intune/fundamentals/create-custom-role.md
+++ b/memdocs/intune/fundamentals/create-custom-role.md
@@ -127,11 +127,11 @@ The following permissions are available when creating custom roles.
| Device compliance policies/Read | View device compliance policies and the list of Exchange Active Sync Connectors, or view the settings for Exchange on-premises access. |
| Device compliance policies/Update | Change device compliance policies, Exchange ActiveSync connectors and Exchange on-premises access settings. |
| Device compliance policies/View reports | View, generate, and export device compliance reports. |
-| Device configurations/Assign | Assign device configuration profiles or assign device enrollment restrictions to Microsoft Entra security groups. |
-| Device configurations/Create | Create new device configuration profiles, or create new device enrollment restrictions. |
-| Device configurations/Delete | Delete device configuration profiles, or delete device enrollment restrictions. |
-| Device configurations/Read | View device configuration profiles, or view device enrollment restrictions. |
-| Device configurations/Update | Change device configuration profiles, or change device enrollment restrictions. |
+| Device configurations/Assign | Assign device configuration profiles to Microsoft Entra security groups. |
+| Device configurations/Create | Create new device configuration profiles. |
+| Device configurations/Delete | Delete device configuration profiles. |
+| Device configurations/Read | View device configuration profiles. |
+| Device configurations/Update | Change device configuration profiles. |
| Device configurations/View Reports | View, generate, and export device configuration reports and reports for endpoint security policies. |
| Device enrollment managers/Read | View the list of device enrollment manager accounts. |
| Device enrollment managers/Update | Create new device enrollment manager accounts, or delete device enrollment manager accounts. |
diff --git a/memdocs/intune/fundamentals/deployment-guide-intune-setup.md b/memdocs/intune/fundamentals/deployment-guide-intune-setup.md
index f53f631f091..0eaab3d21b2 100644
--- a/memdocs/intune/fundamentals/deployment-guide-intune-setup.md
+++ b/memdocs/intune/fundamentals/deployment-guide-intune-setup.md
@@ -340,13 +340,13 @@ There are some policy types that can't be exported. There are some policy types
| Windows app (Win32) | ❌ Export
❌ Import
To add your LOB app to a new tenant, you also need the original `.intunewin` application source files.|
| **Compliance policies** | |
| Actions for Non-Compliance | ❌ Export
❌ Import
It's possible there could be a link to an e-mail template. When you import a policy that has non-compliance actions, the default actions for non-compliance are added instead. |
-| Assignments | ✔️ Export
❌ Import
Assignments are targeted to a group ID. In a new tenant, the group ID is different. |
+| Assignments | ✅ Export
❌ Import
Assignments are targeted to a group ID. In a new tenant, the group ID is different. |
| **Configuration profiles** | |
-| Email | ✔️ Export
✔️ If an email profile doesn't use certificates, then the import should work.
❌ If an email profile uses a root certificate, then the profile can't be imported to a new tenant. The root certificate ID is different in a new tenant. |
-| SCEP certificate | ✔️ Export
❌ Import
SCEP certificate profiles use a root certificate. The root certificate ID is different in a new tenant. |
-| VPN | ✔️ Export
✔️ If a VPN profile doesn't use certificates, then the import should work.
❌ If a VPN profile uses a root certificate, then the profile can't be imported to a new tenant. The root certificate ID is different in a new tenant. |
-| Wi-Fi | ✔️ Export
✔️ If a Wi-Fi profile doesn't use certificates, then the import should work.
❌ If a Wi-Fi profile uses a root certificate, then the profile can't be imported to a new tenant. The root certificate ID is different in a new tenant. |
-| Assignments | ✔️ Export
❌ Import
Assignments are targeted to a group ID. In a new tenant, the group ID is different. |
+| Email | ✅ Export
✅ If an email profile doesn't use certificates, then the import should work.
❌ If an email profile uses a root certificate, then the profile can't be imported to a new tenant. The root certificate ID is different in a new tenant. |
+| SCEP certificate | ✅ Export
❌ Import
SCEP certificate profiles use a root certificate. The root certificate ID is different in a new tenant. |
+| VPN | ✅ Export
✅ If a VPN profile doesn't use certificates, then the import should work.
❌ If a VPN profile uses a root certificate, then the profile can't be imported to a new tenant. The root certificate ID is different in a new tenant. |
+| Wi-Fi | ✅ Export
✅ If a Wi-Fi profile doesn't use certificates, then the import should work.
❌ If a Wi-Fi profile uses a root certificate, then the profile can't be imported to a new tenant. The root certificate ID is different in a new tenant. |
+| Assignments | ✅ Export
❌ Import
Assignments are targeted to a group ID. In a new tenant, the group ID is different. |
| **Endpoint Security** | |
| Endpoint detection and response | ❌ Export
❌ Import
This policy is linked to Microsoft Defender for Endpoint. In the new tenant, you configure Microsoft Defender for Endpoint, which automatically includes the **Endpoint detection and response** policy. |
diff --git a/memdocs/intune/fundamentals/deployment-guide-platform-windows.md b/memdocs/intune/fundamentals/deployment-guide-platform-windows.md
index b40e9f5347d..a5c2b973cf4 100644
--- a/memdocs/intune/fundamentals/deployment-guide-platform-windows.md
+++ b/memdocs/intune/fundamentals/deployment-guide-platform-windows.md
@@ -7,7 +7,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 07/22/2024
+ms.date: 08/21/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: fundamentals
@@ -161,8 +161,10 @@ After devices are set up, you can use supported remote actions to manage and tro
| ---- | ------ |
|[Take remote action on devices](../remote-actions/device-management.md)|Learn how to drill down and remotely manage and troubleshoot individual devices in Intune. This article lists all remote actions available in Intune and links to those procedures. |
|[Use TeamViewer to remotely administer Intune devices](../remote-actions/teamviewer-support.md)|Configure TeamViewer within Intune, and learn how to remotely administer a device. |
-|[Use security tasks to view threats and vulnerabilities](../protect/atp-manage-vulnerabilities.md)|Use Intune to remediate endpoint weakness identified by Microsoft Defender for Endpoint. Before you can work with security tasks, you must integrate Microsoft Defender for Endpoint with Intune. |
-|[Use organizational messages](../remote-actions/organizational-messages-overview.md)|Use organizational messages to send important messages to employees on Intune-managed devices running Windows 11. Organizational messages can be used to communicate in remote and hybrid work scenarios.|
+|[Use security tasks to view threats and vulnerabilities](../protect/atp-manage-vulnerabilities.md)|Use Intune to remediate endpoint weakness identified by Microsoft Defender for Endpoint. Before you can work with security tasks, you must integrate Microsoft Defender for Endpoint with Intune. |
## Step 10: Help employees and students
diff --git a/memdocs/intune/fundamentals/deployment-plan-configuration-profile.md b/memdocs/intune/fundamentals/deployment-plan-configuration-profile.md
index d799f3659fa..4219ad6b85b 100644
--- a/memdocs/intune/fundamentals/deployment-plan-configuration-profile.md
+++ b/memdocs/intune/fundamentals/deployment-plan-configuration-profile.md
@@ -7,7 +7,7 @@ description: Step 4 to deploy device configuration profiles as part of the minim
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 10/20/2023
+ms.date: 08/14/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: configuration
@@ -29,7 +29,7 @@ ms.collection:
# Step 4 - Configure device features and settings to secure devices and access resources
-So far, you've set up your Intune subscription, created app protection policies, and created device compliance policies.
+So far, you set up your Intune subscription, created app protection policies, and created device compliance policies.
In this step, you're ready to configure a minimum or baseline set of security and device features that all devices must have.
@@ -42,7 +42,7 @@ This article applies to:
- macOS
- Windows
-When you create device configuration profiles, there are different levels and types of policies available. These levels are the minimum Microsoft recommended policies. Know that your environment and business needs may be different.
+When you create device configuration profiles, there are different levels and types of policies available. These levels are the minimum Microsoft recommended policies. Know that your environment and business needs can be different.
- **Level 1 - Minimum device configuration**: In this level, Microsoft recommends you create policies that:
@@ -52,7 +52,7 @@ When you create device configuration profiles, there are different levels and ty
- **Level 2 - Enhanced device configuration**: In this level, Microsoft recommends you create policies that:
- Expand device security, including configuring disk encryption, enabling secure boot, and adding more password rules.
- - Use the built-in features and templates to configure more settings that are important for your organization, including analyzing on-premises GPOs.
+ - Use the built-in features and templates to configure more settings that are important for your organization, including analyzing on-premises Group Policy Objects (GPOs).
- **Level 3 - High device configuration**: In this level, Microsoft recommends you create policies that:
@@ -63,7 +63,7 @@ When you create device configuration profiles, there are different levels and ty
This article lists the different levels of device configuration policies that organizations should use. Most of these policies in this article focus on access to organization resources and security.
-These features are configured in device configuration profiles in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). When the profiles are ready, they can be deployed from Intune to your devices.
+These features are configured in device configuration profiles in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). When the Intune profiles are ready, they can be assigned to your users and devices.
> [!TIP]
> [Take a tour of Intune and the Microsoft Intune admin center](tutorial-walkthrough-endpoint-manager.md).
@@ -86,7 +86,7 @@ For a more granular list of Windows settings and their recommended values, go to
### Antivirus and scanning
-✔️ **Install antivirus software and regularly scan for malware**
+✅ **Install antivirus software and regularly scan for malware**
All devices should have antivirus software installed and be regularly scanned for malware. Intune integrates with third party partner mobile threat defense (MTD) services that provide AV and threat scanning. For macOS and Windows, antivirus and scanning are built in to Intune with Microsoft Defender for Endpoint.
@@ -112,7 +112,7 @@ For more information on these features, go to:
### Detection and response
-✔️ **Detect attacks and act on these threats**
+✅ **Detect attacks and act on these threats**
When you detect threats quickly, you can help minimize the impact of the threat. When you combine these policies with Conditional Access, you can block users and devices from accessing organization resources if a threat is detected.
@@ -139,9 +139,9 @@ For more information on these features, go to:
### Firewall
-✔️ **Enable the firewall on all devices**
+✅ **Enable the firewall on all devices**
-Some platforms come with a built-in firewall and on others, you may have to install a firewall separately. Intune integrates with third party partner mobile threat defense (MTD) services that can manage a firewall for Android and iOS/iPadOS devices. For macOS and Windows, firewall security is built in to Intune with Microsoft Defender for Endpoint.
+Some platforms come with a built-in firewall and on others, you might have to install a firewall separately. Intune integrates with third party partner mobile threat defense (MTD) services that can manage a firewall for Android and iOS/iPadOS devices. For macOS and Windows, firewall security is built in to Intune with Microsoft Defender for Endpoint.
Your policy options:
@@ -163,7 +163,7 @@ For more information on these features, go to:
### Password policy
-✔️ **Create a strong password/PIN policy and block simple passcodes**
+✅ **Create a strong password/PIN policy and block simple passcodes**
PINs unlock devices. On devices that access organization data, including personally owned devices, you should require strong PINs/passcodes and support biometrics to unlock devices. Using biometrics is part of a password-less approach, which is recommended.
@@ -174,7 +174,7 @@ Your policy options:
| Platform | Policy type |
| --- | --- |
| Android Enterprise | Intune device restrictions profile to manage the:
- Device password
- Work profile password |
-| AOSP | Intune device restrictions profile |
+| Android Open-Source Project (AOSP) | Intune device restrictions profile |
| iOS/iPadOS | Intune device restrictions profile |
| macOS | Intune device restrictions profile |
| Windows client | - Intune security baselines (recommended) - Intune device restrictions profile |
@@ -195,9 +195,9 @@ For a list of the settings you can configure, go to:
### Software updates
-✔️ **Regularly install software updates**
+✅ **Regularly install software updates**
-All devices should be updated regularly and policies should be created to make sure these updates are successfully installed. For most platforms, Intune has dedicated policies that focus on managing and installing updates.
+All devices should be updated regularly and policies should be created to make sure these updates are successfully installed. For most platforms, Intune has policy settings that focus on managing and installing updates.
Your policy options:
@@ -226,33 +226,33 @@ This section focuses on accessing resources in your organization. These resource
- VPN connection for remote connectivity
- Wi-Fi connection for on-premises connectivity
-:::image type="content" source="./media/deployment-plan-configuration-profile/deploy-email-vpn-wifi.png" alt-text="Diagram that shows an email, VPN and Wi-Fi profiles deployed from Microsoft Intune to end user devices.":::
+:::image type="content" source="./media/deployment-plan-configuration-profile/deploy-email-vpn-wifi.png" alt-text="Diagram that shows an email, VPN, and Wi-Fi profiles deployed from Microsoft Intune to end user devices.":::
### Email
Many organizations deploy email profiles with preconfigured settings to user devices.
-✔️ **Automatically connect to user email accounts**
+✅ **Automatically connect to user email accounts**
The profile includes the email configuration settings that connect to your email server.
Depending on the settings you configure, the email profile can also automatically connect the users to their individual email account settings.
-✔️ **Use enterprise level email apps**
+✅ **Use enterprise level email apps**
-Email profiles in Intune use common and popular email apps, like Outlook. The email app is deployed to user devices. After it's deployed, you deploy the email device configuration profile with the settings that configure the email app.
+Email profiles in Intune use common and popular email apps, like Outlook. The email app is deployed to user devices. After the app is deployed, you deploy the email device configuration profile with the settings that configure the email app.
The email device configuration profile includes settings that connect to your Exchange.
-✔️ **Access work or school email**
+✅ **Access work or school email**
Creating an email profile is a common minimum baseline policy for organizations with users that use email on their devices.
-Intune has built in email settings for Android, iOS/iPadOS, and Windows client devices. When users open their email app, they can automatically connect, authenticate, and synchronize their organizational email accounts on their devices.
+Intune has built-in email settings for Android, iOS/iPadOS, and Windows client devices. When users open their email app, they can automatically connect, authenticate, and synchronize their organizational email accounts on their devices.
-✔️ **Deploy anytime**
+✅ **Deploy anytime**
-On new devices, it's recommended to deploy the email app during the enrollment process. When enrollment completes, then deploy the email device configuration policy.
+On new devices, we recommended you deploy the email app during the enrollment process. When enrollment completes, then deploy the email device configuration policy.
If you have existing devices, then deploy the email app at any time, and deploy the email device configuration policy.
@@ -283,25 +283,25 @@ Many organizations deploy VPN profiles with preconfigured settings to user devic
If your organization uses cloud services with modern authentication and secure identities, then you probably don't need a VPN profile. Cloud-native services don't require a VPN connection.
-If your apps or services aren't cloud-based or aren't cloud-native, then it's recommended to deploy a VPN profile to connect to your internal organization network.
+If your apps or services aren't cloud-based or aren't cloud-native, then deploy a VPN profile to connect to your internal organization network.
-✔️ **Work from anywhere**
+✅ **Work from anywhere**
Creating a VPN profile is a common minimum baseline policy for organizations with remote workers and hybrid workers.
As users work from anywhere, they can use the VPN profile to securely connect to your organization's network to access resources.
-Intune has built in VPN settings for Android, iOS/iPadOS, macOS, and Windows client devices. On user devices, your VPN connection is shown as an available connection. Users select it. And, depending on the settings in your VPN profile, users can automatically authenticate and connect to the VPN on their devices.
+Intune has built-in VPN settings for Android, iOS/iPadOS, macOS, and Windows client devices. On user devices, your VPN connection is shown as an available connection. Users select it. And, depending on the settings in your VPN profile, users can automatically authenticate and connect to the VPN on their devices.
-✔️ **Use enterprise level VPN apps**
+✅ **Use enterprise level VPN apps**
VPN profiles in Intune use common enterprise VPN apps, like Check Point, Cisco, Microsoft Tunnel, and more. The VPN app is deployed to user devices. After the app is deployed, then you deploy the VPN connection profile with settings that configure the VPN app.
The VPN device configuration profile includes settings that connect to your VPN server.
-✔️ **Deploy anytime**
+✅ **Deploy anytime**
-On new devices, it's recommended to deploy the VPN app during the enrollment process. When enrollment completes, then deploy the VPN device configuration policy.
+On new devices, we recommended you deploy the VPN app during the enrollment process. When enrollment completes, then deploy the VPN device configuration policy.
If you have existing devices, deploy the VPN app at any time, and then deploy the VPN device configuration policy.
@@ -328,21 +328,21 @@ To get started:
Many organizations deploy Wi-Fi profiles with preconfigured settings to user devices. If your organization has a remote-only workforce, then you don't need to deploy Wi-Fi connection profiles. Wi-Fi profiles are optional and are used for on-premises connectivity.
-✔️ **Connect wirelessly**
+✅ **Connect wirelessly**
As users work from different mobile devices, they can use the Wi-Fi profile to wirelessly and securely connect to your organization's network.
The profile includes the Wi-Fi configuration settings that automatically connect to your network and/or SSID (service set identifier). Users don't have to manually configure their Wi-Fi settings.
-✔️ **Support mobile devices on-premises**
+✅ **Support mobile devices on-premises**
Creating a Wi-Fi profile is a common minimum baseline policy for organizations with mobile devices that work on-premises.
-Intune has built in Wi-Fi settings for Android, iOS/iPadOS, macOS, and Windows client devices. On user devices, your Wi-Fi connection is shown as an available connection. Users select it. And, depending on the settings in your Wi-Fi profile, users can automatically authenticate and connect to the Wi-Fi on their devices.
+Intune has built-in Wi-Fi settings for Android, iOS/iPadOS, macOS, and Windows client devices. On user devices, your Wi-Fi connection is shown as an available connection. Users select it. And, depending on the settings in your Wi-Fi profile, users can automatically authenticate and connect to the Wi-Fi on their devices.
-✔️ **Deploy anytime**
+✅ **Deploy anytime**
-On new devices, it's recommended to deploy the Wi-Fi device configuration policy when devices enroll in Intune.
+On new devices, we recommended you deploy the Wi-Fi device configuration policy when devices enroll in Intune.
If you have existing devices, you can deploy the Wi-Fi device configuration policy at any time.
@@ -362,7 +362,7 @@ To get started:
## Level 2 - Enhanced protection and configuration
-This level expands on what you've configured in level 1 and adds more security for your devices. In this section, you create a level 2 set of policies that configure more security settings for your devices.
+This level expands on what you configured in level 1 and adds more security for your devices. In this section, you create a level 2 set of policies that configure more security settings for your devices.
Microsoft recommends the following level 2 security policies:
@@ -385,7 +385,7 @@ Microsoft recommends the following level 2 security policies:
For more specific information, go to [Introduction to Apple platform security](https://support.apple.com/guide/security/intro-to-apple-platform-security-seccd5016d31/web) and [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/web) (opens Apple's web site).
- There are Intune policies that focus on password settings and encrypting backups.
+ There are Intune policy settings that focus on [password settings and encrypting backups](../configuration/device-restrictions-ios.md).
# [macOS](#tab/macos-disk)
@@ -458,17 +458,17 @@ Microsoft recommends the following level 2 security policies:
- Windows
-- If you use **on-premises GPOs** and want to know if these same settings are available in Intune, then use Group Policy analytics. This feature analyzes your GPOs and depending on the analysis, can import them into an Intune settings catalog policy.
+- If you use **on-premises GPOs** and want to know if these same settings are available in Intune, then use [Group Policy analytics](../configuration/group-policy-analytics.md). This feature analyzes your GPOs and depending on the analysis, can import them into an Intune settings catalog policy.
For more information, go to [Analyze your on-premises GPOs and import them in Intune](../configuration/group-policy-analytics.md).
## Level 3 - High protection and configuration
-This level expands on what you've configured in levels 1 and 2. It adds extra security features used in enterprise level organizations.
+This level expands on what you configured in levels 1 and 2. It adds extra security features used in enterprise level organizations.
- **Expand password-less authentication** to other services used by your workforce. In level 1, you enabled biometrics so users can sign in to their devices with a fingerprint or facial recognition. In this level, expand password-less to other parts of the organization.
- - **Use certificates to authenticate** email, VPN, and Wi-Fi connections. Certificates are deployed to users and devices, and are then used by users to get access to resources in your organization through these email, VPN, and Wi-Fi connections.
+ - **Use certificates to authenticate** email, VPN, and Wi-Fi connections. Certificates are deployed to users and devices, and are then used by users to get access to resources in your organization through the email, VPN, and Wi-Fi connections.
To learn more about using certificates in Intune, go to:
@@ -497,17 +497,21 @@ This level expands on what you've configured in levels 1 and 2. It adds extra se
- In addition to Microsoft Tunnel for devices enrolled with Intune, you can use **Microsoft Tunnel for Mobile Application Management** (Tunnel for MAM) to extend tunnel capabilities to Android and iOS/iPad devices that are *not enrolled* with Intune. [Tunnel for MAM](../protect/microsoft-tunnel-mam.md) is available as an Intune add-on that requires an extra license.
- For more information, see [Use Intune Suite add-on capabilities](../fundamentals/intune-add-ons.md).
+ For more information, go to [Use Intune Suite add-on capabilities](../fundamentals/intune-add-ons.md).
-- **Use Windows Local Administrator Password Solution (LAPS) policy** to manage and back up the built-in local administrator account on your Windows devices. Because the local admin account can’t be deleted and has full permissions to the device, management of the built-in Windows administrator account is an important step in securing your organization. Intune policy for Windows LAPS uses the capabilities that are available for Windows devices that run version 21h2 or later.
+- **Use Windows Local Administrator Password Solution (LAPS) policy** to manage and back up the built-in local administrator account on your Windows devices. Because the local admin account can't be deleted and has full permissions to the device, management of the built-in Windows administrator account is an important step in securing your organization. Intune policy for Windows LAPS uses the capabilities that are available for Windows devices that run version 21h2 or later.
- For more information, see [Intune support for Windows LAPS](../protect/windows-laps-overview.md).
+ For more information, go to [Intune support for Windows LAPS](../protect/windows-laps-overview.md).
- Use **Microsoft Intune Endpoint Privilege Management** (EPM) to reduce the attack surface of your Windows devices. EPM empowers you to have users that run as standard users (without administrator rights) yet remain productive by determining when those users can run apps in an elevated context.
- EPM elevation rules can be based on file hashes, certificate rules, and more. The rules you configure help to ensure that only the expected and trusted applications you allow can run as elevated. Rules can manage the child processes that an app creates, support requests by users to elevate a managed process, and allow for automatic elevations of files that just need to run without any user interruption.
+ EPM elevation rules can be based on file hashes, certificate rules, and more. The rules you configure help to ensure that only the expected and trusted applications you allow can run as elevated. Rules can:
- [Endpoint Privilege Management](../protect/epm-overview.md) is available as an Intune add-on that requires an extra license. For more information, see [Use Intune Suite add-on capabilities](../fundamentals/intune-add-ons.md).
+ - Manage the child processes that an app creates.
+ - Support requests by users to elevate a managed process.
+ - Allow for automatic elevations of files that just need to run without any user interruption.
+ [Endpoint Privilege Management](../protect/epm-overview.md) is available as an Intune add-on that requires an extra license. For more information, go to [Use Intune Suite add-on capabilities](../fundamentals/intune-add-ons.md).
- **Use Android Common Criteria mode** on Android devices that are used by highly sensitive organizations, like government establishments.
@@ -528,9 +532,8 @@ This level expands on what you've configured in levels 1 and 2. It adds extra se
- **Android device administrator**
- [Use and manage Zebra devices with Zebra Mobility Extensions](../configuration/android-zebra-mx-overview.md)
- [Device settings to run as a kiosk](../configuration/device-restrictions-android.md#kiosk)
- [!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)]
+ [!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)]
# [iOS/iPadOS](#tab/ios-kiosk)
diff --git a/memdocs/intune/fundamentals/filters-device-properties.md b/memdocs/intune/fundamentals/filters-device-properties.md
index a86409ebbf8..23deca8fafb 100644
--- a/memdocs/intune/fundamentals/filters-device-properties.md
+++ b/memdocs/intune/fundamentals/filters-device-properties.md
@@ -7,7 +7,7 @@ keywords:
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 07/18/2024
+ms.date: 08/21/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: fundamentals
@@ -43,37 +43,49 @@ Advanced rule editing is also available. You can use common operators, such as `
This article describes the different [managed device properties](#managed-device-properties), [managed app properties](#managed-app-properties), and [operators](#supported-operators) you can use in your filters, and gives examples.
- [!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)]
+[!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)]
## Managed device properties
You can use the following device properties in your managed device filter rules:
-- **`deviceName` (Device Name)**: Create a filter rule based on the Intune device name property. Enter a string value for the device's full name (using `-eq`, `-ne`, `-in`, `-notIn` operators), or partial value (using `-startswith`, `-contains`, `-notcontains` operators).
+- **`cpuArchitecture` (CPU Architecture)**: Create a filter rule based on the Intune device CPU architecture property.
+ For Windows, your options are (with `-eq`, `-ne`, `-in`, `-notIn` operators):
+ - amd64
+ - x86
+ - arm64
+ - unknown
+ For macOS, your options are (with `-eq`, `-ne`, `-in`, `-notIn` operators):
+ - x64
+ - arm64
+ - unknown
- - `(device.deviceName -eq "Scott's Device")`
- - `(device.deviceName -in ["Scott's device", "Sara's device"])`
- - `(device.deviceName -startsWith "S")`
+ - `(device.cpuArchitecture -eq "arm64")`
+ - `(device.cpuArchitecture -in ["x64", "arm64"])`
+ - `(device.cpuArchitecture -eq "unknown")`
This property applies to:
- - Android device administrator
- - Android Enterprise
- - Android (AOSP)
- - iOS/iPadOS
- macOS
- Windows 11
- Windows 10
-- **`manufacturer` (Manufacturer)**: Create a filter rule based on the Intune device manufacturer property. Enter the full string value (using `-eq`, `-ne`, `-in`, `-notIn` operators), or partial value (using `-startswith`, `-contains`, `-notcontains` operators).
+ > [!NOTE]
+ > Currently, enrollment scenarios don't support the `cpuArchitecture` property. Support will be added in a future update (no ETA).
+- **`deviceCategory` (Device Category)**: Create a filter rule based on the Intune device category property. Enter the full string value (using `-eq`, `-ne`, `-in`, `-notIn` operators), or partial value (using `-startswith`, `-contains`, `-notcontains` operators).
- - `(device.manufacturer -eq "Microsoft")`
- - `(device.manufacturer -startsWith "Micro")`
+ - `(device.deviceCategory -eq "Engineering devices")`
+ - `(device.deviceCategory -contains "Engineering")`
+ - `(device.model -startsWith "E")`
This property applies to:
@@ -85,17 +97,13 @@ You can use the following device properties in your managed device filter rules:
- Windows 11
- Windows 10
-- **`model` (Model)**: Create a filter rule based on the Intune device model property. Enter the full string value (using `-eq`, `-ne`, `-in`, `-notIn` operators), or partial value (using `-startswith`, `-contains`, `-notcontains` operators).
+- **`deviceName` (Device Name)**: Create a filter rule based on the Intune device name property. Enter a string value for the device's full name (using `-eq`, `-ne`, `-in`, `-notIn` operators), or partial value (using `-startswith`, `-contains`, `-notcontains` operators).
- For iOS/iPadOS and macOS devices, use the model, not the product name. Only the model is recognized for Apple devices. For example, for iPhone 8 devices, enter the model as `iPhone 8`.
- - `(device.model -eq "Surface Book 3")`
- - `(device.model -in ["Surface Book 3", "Surface Book 2"])`
- - `(device.model -startsWith "Surface Book")`
- - `(device.model -startsWith "MacBookPro")`
- - `(device.model -startsWith "iPhone 8")`
+ - `(device.deviceName -eq "Scott's Device")`
+ - `(device.deviceName -in ["Scott's device", "Sara's device"])`
+ - `(device.deviceName -startsWith "S")`
This property applies to:
@@ -107,13 +115,11 @@ You can use the following device properties in your managed device filter rules:
- Windows 11
- Windows 10
-- **`deviceCategory` (Device Category)**: Create a filter rule based on the Intune device category property. Enter the full string value (using `-eq`, `-ne`, `-in`, `-notIn` operators), or partial value (using `-startswith`, `-contains`, `-notcontains` operators).
+- **`deviceOwnership` (Ownership)**: Create a filter rule based on the device's ownership property in Intune. Select `Personal`, `Corporate`, or unknown values using the `-eq` and `-ne` operators.
- Examples:
+ Example:
- - `(device.deviceCategory -eq "Engineering devices")`
- - `(device.deviceCategory -contains "Engineering")`
- - `(device.model -startsWith "E")`
+ - `(device.deviceOwnership -eq "Personal")`
This property applies to:
@@ -125,54 +131,39 @@ You can use the following device properties in your managed device filter rules:
- Windows 11
- Windows 10
-- **`operatingSystemVersion` (Operating System Version)**: Create a filter rule based on the Intune device operating system (OS) version. Enter a version value (using `-eq`, `-ne`, `-gt`, `-ge`, `-lt`, `-le` operators).
+- **`deviceTrustType` (Microsoft Entra join type)**: Create a filter rule based on the device's Microsoft Entra join type. Choose between Azure AD joined, Azure AD registered, Hybrid Azure AD joined, or Unknown values (with `-eq`, `-ne`, `-in`, `-notIn` operators).
- - `(device.operatingSystemVersion -eq 14.2.1)`
- - `(device.operatingSystemVersion -gt 10.0.22000.1000)`
- - `(device.operatingSystemVersion -le 10.0.22631.3235)`
- For a list of supported operators, go to [operatingSystemVersion supported operators](#operatingsystemversion-supported-operators) (in this article).
+ - `(device.deviceTrustType -eq "Azure AD joined")`
+ - `(device.deviceTrustType -ne "Azure AD registered")`
+ - `(device.deviceTrustType -in ["Hybrid Azure AD joined","Azure AD joined"])`
This property applies to:
- - Android device administrator
- - Android Enterprise
- - Android (AOSP)
- - iOS/iPadOS
- - macOS
- Windows 11
- Windows 10
> [!NOTE]
- > The `operatingSystemVersion` property is in public preview. For more information on what that means, go to [Public preview in Microsoft Intune](../fundamentals/public-preview.md).
+ > The `deviceTrustType` property exists in Microsoft Entra ID and Intune. The values in this Intune filters article apply to Intune. They don't apply to Microsoft Entra ID.
-- **`osVersion` (OS Version)**: Create a filter rule based on the Intune device operating system (OS) version. Enter the full string value (using `-eq`, `-ne`, `-in`, `-notIn` operators), or partial value (using `-startswith`, `-contains`, `-notcontains` operators).
+- **`enrollmentProfileName` (Enrollment profile name)**: Create a filter rule based on the enrollment profile name. This property is applied to a device when the device enrolls. It's a string value created by you, and matches the Windows Autopilot, Apple Automated Device Enrollment (ADE), or Google enrollment profile applied to the device. To see your enrollment profile names, sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), and go to **Devices** > **Enroll devices**.
- > [!TIP]
- > The `osVersion` property is being deprecated. Instead, use the `operatingSystemVersion` property. When `operatingSystemVersion` is generally available (GA), the `osVersion` property will retire, and you won't be able to create new filters using this property. Existing filters that use `osVersion` continue to work.
+ Enter the full string value (using `-eq`, `-ne`, `-in`, `-notIn` operators), or partial value (using `-startswith`, `-contains`, `-notcontains` operators).
- - `(device.osVersion -eq "14.2.1")`
- - `(device.osVersion -in ["10.15.3 (19D2064)","10.14.2 (18C54)"])`
- - `(device.osVersion -startsWith "10.0.18362")`
+ - `(device.enrollmentProfileName -eq "DEP iPhones")`
+ - `(device.enrollmentProfileName -startsWith "Autopilot Profile")`
+ - `(device.enrollmentProfileName -ne $null)`
This property applies to:
- - Android device administrator
- Android Enterprise
- Android (AOSP)
- iOS/iPadOS
- - macOS
- Windows 11
- Windows 10
- > [!NOTE]
- > For Apple devices, the `OSversion` property doesn't include Apple's Security Patch Version (SPV) information. The SPV is the letter after the version number, like `14.1.2a`. When creating filters for Apple devices, don't include the SPV in the `OSversion` rule syntax.
- **`IsRooted` (Rooted or jailbroken)**: Create a filter rule based on the device's rooted (Android) or jailbroken (iOS/iPadOS) device property. Select `True`, `False`, or unknown values using the `-eq` and `-ne` operators.
@@ -187,11 +178,12 @@ You can use the following device properties in your managed device filter rules:
- Android (AOSP)
- iOS/iPadOS
-- **`deviceOwnership` (Ownership)**: Create a filter rule based on the device's ownership property in Intune. Select `Personal`, `Corporate`, or unknown values using the `-eq` and `-ne` operators.
+- **`manufacturer` (Manufacturer)**: Create a filter rule based on the Intune device manufacturer property. Enter the full string value (using `-eq`, `-ne`, `-in`, `-notIn` operators), or partial value (using `-startswith`, `-contains`, `-notcontains` operators).
- Example:
+ Examples:
- - `(device.deviceOwnership -eq "Personal")`
+ - `(device.manufacturer -eq "Microsoft")`
+ - `(device.manufacturer -startsWith "Micro")`
This property applies to:
@@ -203,40 +195,75 @@ You can use the following device properties in your managed device filter rules:
- Windows 11
- Windows 10
-- **`enrollmentProfileName` (Enrollment profile name)**: Create a filter rule based on the enrollment profile name. This property is applied to a device when the device enrolls. It's a string value created by you, and matches the Windows Autopilot, Apple Automated Device Enrollment (ADE), or Google enrollment profile applied to the device. To see your enrollment profile names, sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), and go to **Devices** > **Enroll devices**.
- Enter the full string value (using `-eq`, `-ne`, `-in`, `-notIn` operators), or partial value (using `-startswith`, `-contains`, `-notcontains` operators).
+- **`model` (Model)**: Create a filter rule based on the Intune device model property. Enter the full string value (using `-eq`, `-ne`, `-in`, `-notIn` operators), or partial value (using `-startswith`, `-contains`, `-notcontains` operators).
+ For iOS/iPadOS and macOS devices, use the model, not the product name. Only the model is recognized for Apple devices. For example, for iPhone 8 devices, enter the model as `iPhone 8`.
- - `(device.enrollmentProfileName -eq "DEP iPhones")`
- - `(device.enrollmentProfileName -startsWith "Autopilot Profile")`
- - `(device.enrollmentProfileName -ne $null)`
+ - `(device.model -eq "Surface Book 3")`
+ - `(device.model -in ["Surface Book 3", "Surface Book 2"])`
+ - `(device.model -startsWith "Surface Book")`
+ - `(device.model -startsWith "MacBookPro")`
+ - `(device.model -startsWith "iPhone 8")`
This property applies to:
+ - Android device administrator
- Android Enterprise
- Android (AOSP)
- iOS/iPadOS
+ - macOS
- Windows 11
- Windows 10
-- **`deviceTrustType` (Microsoft Entra join type)**: Create a filter rule based on the device's Microsoft Entra join type. Choose between Azure AD joined, Azure AD registered, Hybrid Azure AD joined, or Unknown values (with `-eq`, `-ne`, `-in`, `-notIn` operators).
+- **`operatingSystemVersion` (Operating System Version)**: Create a filter rule based on the Intune device operating system (OS) version. Enter a version value (using `-eq`, `-ne`, `-gt`, `-ge`, `-lt`, `-le` operators).
- - `(device.deviceTrustType -eq "Azure AD joined")`
- - `(device.deviceTrustType -ne "Azure AD registered")`
- - `(device.deviceTrustType -in ["Hybrid Azure AD joined","Azure AD joined"])`
+ - `(device.operatingSystemVersion -eq 14.2.1)`
+ - `(device.operatingSystemVersion -gt 10.0.22000.1000)`
+ - `(device.operatingSystemVersion -le 10.0.22631.3235)`
+ For a list of supported operators, go to [operatingSystemVersion supported operators](#operatingsystemversion-supported-operators) (in this article).
This property applies to:
+ - Android device administrator
+ - Android Enterprise
+ - Android (AOSP)
+ - iOS/iPadOS
+ - macOS
- Windows 11
- Windows 10
> [!NOTE]
- > The `deviceTrustType` property exists in Microsoft Entra ID and Intune. The values in this Intune filters article apply to Intune. They don't apply to Microsoft Entra ID.
+ > The `operatingSystemVersion` property is in public preview. For more information on what that means, go to [Public preview in Microsoft Intune](../fundamentals/public-preview.md).
+- **`osVersion` (OS Version)**: Create a filter rule based on the Intune device operating system (OS) version. Enter the full string value (using `-eq`, `-ne`, `-in`, `-notIn` operators), or partial value (using `-startswith`, `-contains`, `-notcontains` operators).
+ > [!TIP]
+ > The `osVersion` property is being deprecated. Instead, use the `operatingSystemVersion` property. When `operatingSystemVersion` is generally available (GA), the `osVersion` property will retire, and you won't be able to create new filters using this property. Existing filters that use `osVersion` continue to work.
+ Examples:
+ - `(device.osVersion -eq "14.2.1")`
+ - `(device.osVersion -in ["10.15.3 (19D2064)","10.14.2 (18C54)"])`
+ - `(device.osVersion -startsWith "10.0.18362")`
+ This property applies to:
+ - Android device administrator
+ - Android Enterprise
+ - Android (AOSP)
+ - iOS/iPadOS
+ - macOS
+ - Windows 11
+ - Windows 10
+ > [!NOTE]
+ > For Apple devices, the `OSversion` property doesn't include Apple's Security Patch Version (SPV) information. The SPV is the letter after the version number, like `14.1.2a`. When creating filters for Apple devices, don't include the SPV in the `OSversion` rule syntax.
- **`operatingSystemSKU` (Operating System SKU)**: Create a filter rule based on the device's Windows client OS SKU. Enter the full string value (using `-eq`, `-ne`, `-in`, `-notIn` operators), or partial value (using `-startswith`, `-contains`, `-notcontains` operators).
diff --git a/memdocs/intune/fundamentals/filters-supported-workloads.md b/memdocs/intune/fundamentals/filters-supported-workloads.md
index 53b9e689ec8..d694ff1255c 100644
--- a/memdocs/intune/fundamentals/filters-supported-workloads.md
+++ b/memdocs/intune/fundamentals/filters-supported-workloads.md
@@ -40,7 +40,7 @@ This article assumes you're familiar with filters. If not, learn more at [Use fi
## Before you begin
-- ✔️: Supports filters.
+- ✅: Supports filters.
- ❌: Doesn't support filters.
- N/A: Doesn't apply to the platform.
@@ -58,10 +58,10 @@ You can use filters for some common app policies on the following platforms. For
| Microsoft Defender for Endpoint | N/A |
| Web link | N/A |
| Line-of-business apps | N/A |
-| Android Enterprise system app | ✔️ |
-| Managed Google Play store app | ✔️ |
-| Managed Google Play web link | ✔️ |
-| Managed Android line-of-business app | ✔️ |
+| Android Enterprise system app | ✅ |
+| Managed Google Play store app | ✅ |
+| Managed Google Play web link | ✅ |
+| Managed Android line-of-business app | ✅ |
> [!NOTE]
> Filters aren't supported on Android Enterprise personally-owned devices with work profile (BYOD) when used in "Available" app assignments. If users are targeted with an "Available" app intent, then the app continues to show as available to install from the Google managed play store. Any include or exclude filtering is ignored.
@@ -70,12 +70,12 @@ You can use filters for some common app policies on the following platforms. For
| App type | Supported |
| --- | --- |
-| Store app | ✔️ |
+| Store app | ✅ |
| Microsoft 365 apps | N/A |
| Microsoft Edge version 77 and newer | N/A |
| Microsoft Defender for Endpoint | N/A |
| Web link | ❌ |
-| Line-of-business apps | ✔️ |
+| Line-of-business apps | ✅ |
[!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)]
@@ -84,39 +84,39 @@ You can use filters for some common app policies on the following platforms. For
| App type | Supported |
| --- | --- |
-| Store app | ✔️ |
+| Store app | ✅ |
| Microsoft 365 apps | N/A |
| Microsoft Edge version 77 and newer | N/A |
| Microsoft Defender for Endpoint | N/A |
| Web link | ❌ |
-| iOS/iPadOS web clip | ✔️ |
-| Line-of-business apps | ✔️ |
-| iOS/iPadOS volume purchase program (VPP) app | ✔️ |
+| iOS/iPadOS web clip | ✅ |
+| Line-of-business apps | ✅ |
+| iOS/iPadOS volume purchase program (VPP) app | ✅ |
### macOS
| App type | Supported |
| --- | --- |
| Store app | N/A |
-| Microsoft 365 apps | ✔️ |
-| Microsoft Edge version 77 and newer | ✔️ |
-| Microsoft Defender for Endpoint | ✔️ |
+| Microsoft 365 apps | ✅ |
+| Microsoft Edge version 77 and newer | ✅ |
+| Microsoft Defender for Endpoint | ✅ |
| Web link | ❌ |
-| Line-of-business apps | ✔️ |
+| Line-of-business apps | ✅ |
### Windows 10/11
| App type | Supported |
| --- | --- |
-| Store app | ✔️ |
-| Microsoft 365 apps | ✔️ |
-| Microsoft Edge version 77 and newer | ✔️ |
+| Store app | ✅ |
+| Microsoft 365 apps | ✅ |
+| Microsoft Edge version 77 and newer | ✅ |
| Microsoft Defender for Endpoint | N/A |
| Web link | ❌ |
-| Windows web link | ✔️ |
-| Line-of-business apps | ✔️ |
-| Windows app (Win32) | ✔️ |
-| Microsoft Store for Business | ✔️ |
+| Windows web link | ✅ |
+| Line-of-business apps | ✅ |
+| Windows app (Win32) | ✅ |
+| Microsoft Store for Business | ✅ |
## [App configuration policies](../apps/app-configuration-policies-overview.md)
@@ -170,23 +170,23 @@ You can use filters for some common app policies on the following platforms. For
| Profile type | Supported |
| --- | --- |
| **Device configuration profile** | |
-| Custom | ✔️ |
+| Custom | ✅ |
| Derived credential | N/A |
-| Device restrictions | ✔️ |
+| Device restrictions | ✅ |
| Device restrictions (Windows 10 Team) | N/A |
| Device features | N/A |
| Email | N/A |
-| Email (Samsung KNOX only) | ✔️ |
+| Email (Samsung KNOX only) | ✅ |
| Endpoint Protection | N/A |
| Enrollment device platform restrictions | ❌ |
-| MX profile (Zebra only) | ✔️ |
-| PKCS certificate | ✔️ |
-| PKCS imported certificate | ✔️ |
-| SCEP certificate | ✔️ |
+| MX profile (Zebra only) | ✅ |
+| PKCS certificate | ✅ |
+| PKCS imported certificate | ✅ |
+| SCEP certificate | ✅ |
| Settings catalog | N/A |
-| Trusted certificate | ✔️ |
-| VPN | ✔️ |
-| Wi-Fi | ✔️ |
+| Trusted certificate | ✅ |
+| VPN | ✅ |
+| Wi-Fi | ✅ |
| | |
| **Endpoint Security profile** | |
| Account protection | N/A |
@@ -202,22 +202,22 @@ You can use filters for some common app policies on the following platforms. For
| Profile type | Supported |
| --- | --- |
| **Device configuration profile** | |
-| Custom | ✔️ |
-| Derived credential | ✔️ |
-| Device restrictions | ✔️ |
+| Custom | ✅ |
+| Derived credential | ✅ |
+| Device restrictions | ✅ |
| Device Restrictions (Windows 10 Team) | N/A |
| Device Features | N/A |
-| Email | ✔️ |
+| Email | ✅ |
| Endpoint Protection | N/A |
| Enrollment device platform restrictions | ❌ |
-| OEMConfig | ✔️ |
-| PKCS certificate | ✔️ |
-| PKCS imported certificate | ✔️ |
-| SCEP certificate | ✔️ |
+| OEMConfig | ✅ |
+| PKCS certificate | ✅ |
+| PKCS imported certificate | ✅ |
+| SCEP certificate | ✅ |
| Settings catalog | N/A |
-| Trusted certificate | ✔️ |
-| VPN | ✔️ |
-| Wi-Fi | ✔️ |
+| Trusted certificate | ✅ |
+| VPN | ✅ |
+| Wi-Fi | ✅ |
| | |
| **Endpoint Security profile** | |
| Account protection | N/A |
@@ -233,31 +233,31 @@ You can use filters for some common app policies on the following platforms. For
| Profile type | Supported |
| --- | --- |
| **Device configuration profile** | |
-| Device restrictions | ✔️ |
-| PKCS certificate | ✔️ |
-| SCEP certificate | ✔️ |
-| Trusted certificate | ✔️ |
+| Device restrictions | ✅ |
+| PKCS certificate | ✅ |
+| SCEP certificate | ✅ |
+| Trusted certificate | ✅ |
### iOS/iPadOS
| Profile type | Supported |
| --- | --- |
| **Device configuration profile** | |
-| Custom | ✔️ |
-| Derived credential | ✔️ |
-| Device restrictions | ✔️ |
+| Custom | ✅ |
+| Derived credential | ✅ |
+| Device restrictions | ✅ |
| Device Restrictions (Windows 10 Team) | N/A |
-| Device Features | ✔️ |
-| Email | ✔️ |
+| Device Features | ✅ |
+| Email | ✅ |
| Endpoint Protection | N/A |
-| Enrollment device platform restrictions | ✔️ |
-| PKCS certificate | ✔️ |
-| PKCS imported certificate | ✔️ |
-| SCEP certificate | ✔️ |
+| Enrollment device platform restrictions | ✅ |
+| PKCS certificate | ✅ |
+| PKCS imported certificate | ✅ |
+| SCEP certificate | ✅ |
| Settings catalog | N/A |
-| Trusted certificate | ✔️ |
-| VPN | ✔️ |
-| Wi-Fi | ✔️ |
+| Trusted certificate | ✅ |
+| VPN | ✅ |
+| Wi-Fi | ✅ |
| | |
| **Endpoint Security profile** | |
| Account protection | N/A |
@@ -273,24 +273,24 @@ You can use filters for some common app policies on the following platforms. For
| Profile type | Supported |
| --- | --- |
| **Device configuration profile** | |
-| Custom | ✔️ |
+| Custom | ✅ |
| Derived credential | N/A |
-| Device restrictions | ✔️ |
+| Device restrictions | ✅ |
| Device restrictions (Windows 10 Team) | N/A |
-| Device features | ✔️ |
+| Device features | ✅ |
| Email | N/A |
-| Endpoint Protection | ✔️ |
-| Enrollment device platform restrictions | ✔️ |
-| Extensions | ✔️ |
-| PKCS certificate | ✔️ |
-| PKCS imported certificate | ✔️ |
-| Preference file | ✔️ |
-| SCEP certificate | ✔️ |
-| Settings catalog | ✔️ |
-| Trusted certificate | ✔️ |
-| VPN | ✔️ |
-| Wi-Fi | ✔️ |
-| Wired network | ✔️ |
+| Endpoint Protection | ✅ |
+| Enrollment device platform restrictions | ✅ |
+| Extensions | ✅ |
+| PKCS certificate | ✅ |
+| PKCS imported certificate | ✅ |
+| Preference file | ✅ |
+| SCEP certificate | ✅ |
+| Settings catalog | ✅ |
+| Trusted certificate | ✅ |
+| VPN | ✅ |
+| Wi-Fi | ✅ |
+| Wired network | ✅ |
| | |
| **Endpoint Security profile** | |
| Account protection | N/A |
@@ -305,46 +305,46 @@ You can use filters for some common app policies on the following platforms. For
| Profile type | Supported |
| --- | --- |
-| Update rings for Windows 10/11 | ✔️ |
+| Update rings for Windows 10/11 | ✅ |
| | |
| **Device configuration profile** | |
-| Administrative Templates | ✔️ |
-| Custom | ✔️ |
+| Administrative Templates | ✅ |
+| Custom | ✅ |
| Derived credential | N/A |
-| Delivery optimization | ✔️ |
-| Device restrictions | ✔️ |
-| Device Restrictions (Windows 10 Team) | ✔️ |
+| Delivery optimization | ✅ |
+| Device restrictions | ✅ |
+| Device Restrictions (Windows 10 Team) | ✅ |
| Device Features | N/A |
-| Device Firmware Configuration Interface (DFCI) on Windows 11 and Windows 10 RS5 (1809)+ on supported UEFI | ✔️ |
-| Domain Join | ✔️ |
-| Edition upgrade and S mode switch | ✔️ |
-| Email | ✔️ |
-| Endpoint analytics Remediations scripts|✔️ |
-| Endpoint Protection | ✔️ |
-| Enrollment device platform restrictions | ✔️
Support for a subset of filter properties including device `osVersion`, `operatingSystemSKU`, and `enrollmentProfileName` |
-| Kiosk | ✔️ |
-| Network boundary | ✔️ |
-| PKCS certificate | ✔️ |
-| PKCS imported certificate | ✔️ |
-| SCEP certificate | ✔️ |
-| Secure assessment (Education) | ✔️ |
-| Settings catalog | ✔️ |
-| Shared multi-user device | ✔️ |
-| Trusted certificate | ✔️ |
-| VPN | ✔️ |
-| Wi-Fi | ✔️ |
+| Device Firmware Configuration Interface (DFCI) on Windows 11 and Windows 10 RS5 (1809)+ on supported UEFI | ✅ |
+| Domain Join | ✅ |
+| Edition upgrade and S mode switch | ✅ |
+| Email | ✅ |
+| Endpoint analytics Remediations scripts|✅ |
+| Endpoint Protection | ✅ |
+| Enrollment device platform restrictions | ✅
Support for a subset of filter properties including device `osVersion`, `operatingSystemSKU`, and `enrollmentProfileName` |
+| Kiosk | ✅ |
+| Network boundary | ✅ |
+| PKCS certificate | ✅ |
+| PKCS imported certificate | ✅ |
+| SCEP certificate | ✅ |
+| Secure assessment (Education) | ✅ |
+| Settings catalog | ✅ |
+| Shared multi-user device | ✅ |
+| Trusted certificate | ✅ |
+| VPN | ✅ |
+| Wi-Fi | ✅ |
| Wired network | ❌ |
-| Windows health monitoring | ✔️ |
+| Windows health monitoring | ✅ |
| | |
| **Endpoint Security profile** | |
-| Account protection | ✔️
**Account protection**, **Local user group membership**, and **Local admin password solution (Windows LAPS)** |
-| Antivirus | ✔️ |
-| Attack surface reduction | ✔️
Excludes **Web protection (Microsoft Edge Legacy)**, **Application control**, and **App and browser isolation** |
-| Disk encryption | ✔️ |
-| Endpoint detection and response | ✔️ |
-| Endpoint Privilege Management (EPM) |✔️ |
-| Firewall | ✔️ |
-| Microsoft Defender for Endpoint (Windows 10/11 Desktop) | ✔️ |
+| Account protection | ✅
**Account protection**, **Local user group membership**, and **Local admin password solution (Windows LAPS)** |
+| Antivirus | ✅ |
+| Attack surface reduction | ✅
Excludes **Web protection (Microsoft Edge Legacy)**, **Application control**, and **App and browser isolation** |
+| Disk encryption | ✅ |
+| Endpoint detection and response | ✅ |
+| Endpoint Privilege Management (EPM) |✅ |
+| Firewall | ✅ |
+| Microsoft Defender for Endpoint (Windows 10/11 Desktop) | ✅ |
| Security baselines | ❌ |
## Not supported on managed devices
diff --git a/memdocs/intune/fundamentals/get-started-with-intune.md b/memdocs/intune/fundamentals/get-started-with-intune.md
index 0ed8b39e327..5cfa06bac1c 100644
--- a/memdocs/intune/fundamentals/get-started-with-intune.md
+++ b/memdocs/intune/fundamentals/get-started-with-intune.md
@@ -81,7 +81,7 @@ This article provides an overview of the steps to start your Intune deployment.
In this step:
-✔️ **Confirm your devices are supported, create your Intune tenant, add users & groups, assign licenses**, and more.
+✅ **Confirm your devices are supported, create your Intune tenant, add users & groups, assign licenses**, and more.
This step focuses on setting up Intune and getting it ready for you to manage your user identities, apps, and devices. Intune uses many features in Microsoft Entra ID, including your domain, your users, and your groups.
@@ -91,9 +91,9 @@ For more information, go to [Step 1 - Set up Microsoft Intune](deployment-plan-s
In this step:
-✔️ **On devices that will enroll** in Intune, create a baseline of apps that devices must have, and then assign these app policies during enrollment. On apps that need extra security, also use app protection policies.
+✅ **On devices that will enroll** in Intune, create a baseline of apps that devices must have, and then assign these app policies during enrollment. On apps that need extra security, also use app protection policies.
-✔️ **On devices that won't enroll** in Intune, use app protection policies and multifactor authentication (MFA):
+✅ **On devices that won't enroll** in Intune, use app protection policies and multifactor authentication (MFA):
- App protection policies help protect organization data on personal devices.
- MFA helps protect your organization's data from unauthorized access.
@@ -116,9 +116,9 @@ If users with their own personal devices access organization resources, then you
In this step:
-✔️ **Create a baseline of compliance policies** that devices must have, and then assign these compliance policies during enrollment.
+✅ **Create a baseline of compliance policies** that devices must have, and then assign these compliance policies during enrollment.
-✔️ **Enable Conditional Access** to enforce your compliance policies.
+✅ **Enable Conditional Access** to enforce your compliance policies.
For more information, go to [Step 3 – Plan for compliance policies](deployment-plan-compliance-policies.md).
@@ -139,7 +139,7 @@ If you prefer, you can enroll your devices before checking compliance. It's your
In this step:
-✔️ **Create baseline of security features and device features** that should be enabled or blocked. Assign these profiles during enrollment.
+✅ **Create baseline of security features and device features** that should be enabled or blocked. Assign these profiles during enrollment.
For more information, go to [Step 4 - Create device configuration profiles to secure devices and access organization resources](deployment-plan-configuration-profile.md).
@@ -160,7 +160,7 @@ The following articles are good resources:
In this step:
-✔️ **Enroll your devices** in Intune.
+✅ **Enroll your devices** in Intune.
For more specific information, go to [Step 5 - Deployment guidance: Enroll devices in Microsoft Intune](deployment-guide-enrollment.md).
diff --git a/memdocs/intune/fundamentals/in-development.md b/memdocs/intune/fundamentals/in-development.md
index e227dacaeef..c609dd159bf 100644
--- a/memdocs/intune/fundamentals/in-development.md
+++ b/memdocs/intune/fundamentals/in-development.md
@@ -7,7 +7,7 @@ keywords:
author: dougeby
ms.author: dougeby
manager: dougeby
-ms.date: 08/12/2024
+ms.date: 08/19/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: fundamentals
@@ -72,20 +72,8 @@ Applies to:
For information about using EPM, see [Endpoint Privilege Management overview](../protect/epm-overview.md).
-### Resource performance report for physical devices in Advanced Analytics
-We're introducing a Resource performance report for Windows physical devices in Intune Advanced Analytics. The report will be included as an Intune-add on under Microsoft Intune Suite.
-The resource performance scores and insights for physical devices are aimed to help IT admins make CPU/RAM asset management and purchase decisions that improve the user experience while balancing hardware costs.
-For more information, see [Microsoft Intune Suite](../fundamentals/intune-add-ons.md).
## App management
-### Managed Home Screen for Android Enterprise Fully Managed devices
-Managed Home Screen (MHS) will be supported on Android Enterprise Fully Managed devices. This capability will offer organizations the ability to leverage MHS in scenarios where a device is associated with a single user.
### Added protection for iOS/iPadOS app widgets
To protect organizational data for MAM managed accounts and apps, Intune app protection policies now provide the capability to block data sync from policy managed app data to app widgets. App widgets can be added to end-user's iOS/iPadOS device lock screen, which can expose data contained by these widgets, such as meeting titles, top sites, and recent notes. In Intune, you'll be able to set the app protection policy setting **Sync policy managed app data with app widgets** to **Block** for iOS/iPadOS apps. This setting will be available as part of the **Data Protection** settings in app protection policies. This new setting will be an app protection feature similar to the **Sync policy managed app data with native app or add-ins** setting.
@@ -96,128 +84,13 @@ Applies to:
-## Device configuration
-### Enhancements to multiple administrative approval
-Multi administrative approval (MAA) adds the ability to limit application access policies to Windows applications or all non-Windows applications or both. We're adding a new access policy to the multiple administrative approval feature.
-For more information, see [multiple admin approval](../fundamentals/multi-admin-approval.md).
-### New settings available in the Apple settings catalog
-The [Settings Catalog](../configuration/settings-catalog.md) lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see [Create a policy using settings catalog](../configuration/settings-catalog.md).
-There are new settings in the Apple Settings Catalog. To see these settings, in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **iOS/iPadOS** or **macOS** for platform > **Settings catalog** for profile type.
-#### iOS/iPadOS
-**Declarative Device Management (DDM) > Safari Extension Settings**:
-- Managed Extensions
- - Allowed Domains
- - Denied Domains
- - Private Browsing
- - State
-**Declarative Device Management (DDM) > Software Update Settings**:
-- Automatic Actions
- - Download
- - Install OS Updates
-- Deferrals
- - Combined Period In Days
-- Notifications
-- Rapid Security Response
- - Enable
- - Enable Rollback
-- Recommended Cadence
-- Allow ESIM Outgoing Transfers
-- Allow Personalized Handwriting Results
-- Allow Video Conferencing Remote Control
-- Allow Genmoji
-- Allow Image Playground
-- Allow Image Wand
-- Allow iPhone Mirroring
-- Allow Writing Tools
-#### macOS
-**Authentication > Extensible Single Sign On (SSO)**:
-- Platform SSO
- - Authentication Grace Period
- - FileVault Policy
- - Non Platform SSO Accounts
- - Offline Grace Period
- - Unlock Policy
-**Authentication > Extensible Single Sign On Kerberos**:
-- Allow Password
-- Allow SmartCard
-- Identity Issuer Auto Select Filter
-- Start In Smart Card Mode
-**Declarative Device Management (DDM) > Disk Management**:
-- External Storage
-- Network Storage
-**Declarative Device Management (DDM) > Safari Extension Settings**:
-- Managed Extensions
- - Allowed Domains
- - Denied Domains
- - Private Browsing
- - State
-**Declarative Device Management (DDM) > Software Update Settings**:
-- Allow Standard User OS Updates
-- Automatic Actions
- - Download
- - Install OS Updates
- - Install Security Update
-- Deferrals
- - Major Period In Days
- - Minor Period In Days
- - System Period In Days
-- Notifications
-- Rapid Security Response
- - Enable
- - Enable Rollback
-- Allow Genmoji
-- Allow Image Playground
-- Allow iPhone Mirroring
-- Allow Writing Tools
-**System Policy > System Policy Control**:
-- Enable XProtect Malware Upload
## Device enrollment
-### Use corporate Microsoft Entra account to enable Android Enterprise management options in Intune
-Managing Intune-enrolled devices with Android Enterprise management options currently requires you to connect your Intune tenant to your managed Google Play account using a personal Gmail account. Soon you will be able to use a corporate Microsoft Entra account to establish the connection. This change is happening in new tenants, and doesn't affect tenants that have already established a connection.
### Support ending for Apple User Enrollment with Company Portal
After the release of iOS/iPadOS 18, Apple will no longer support profile-based Apple User Enrollment. As a result, Intune will end support for [user enrollment with Company Portal](../enrollment/apple-user-enrollment-with-company-portal.md) shortly after the release of iOS/iPadOS 18.
@@ -233,16 +106,6 @@ To prepare, use a different management method to enroll devices. We recommend ac
- [Set up account-driven Apple User Enrollment](../enrollment/apple-account-driven-user-enrollment.md)
- [Set up web-based device enrollment for iOS/iPadOS](../enrollment/web-based-device-enrollment-ios.md)
-### Account-driven Apple User Enrollment to be generally available for iOS/iPadOS 15+ devices
-Intune will support account-driven Apple User Enrollment, the new and improved version of Apple User Enrollment, for devices running iOS/iPadOS 15 and later. This new enrollment method utilizes just-in-time registration, removing the Company Portal app for iOS as an enrollment requirement. Device users will be able to initiate enrollment directly in the Settings app, resulting in a shorter and more efficient onboarding experience. For more information, see [Set up account driven Apple User Enrollment](../enrollment/apple-account-driven-user-enrollment.md) on Microsoft Learn.
-If you prefer, you can continue to target iOS/iPadOS devices using the Apple User Enrollment method that requires Company Portal. Devices running iOS/iPadOS 14.8.1 and earlier will be unaffected by this update and can continue to use the method with Company Portal.
-Applies to:
-- iOS/iPadOS 15 and later
## Device management
@@ -267,63 +130,16 @@ Later this year, we expect iOS18 and iPadOS 18 to be released by Apple. Microsof
For more information on this change, see [Plan for change: Intune is moving to support iOS/iPadOS 16 and later](../fundamentals/whats-new.md#plan-for-change-intune-is-moving-to-support-iosipados-16-and-later).
> [!NOTE]
-> Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. For more information, go to [Support statement for supported versus allowed iOS/iPadOS versions for user-less devices](https://aka.ms/ADE_userless_support).
+> Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. For more information, see [Support statement for supported versus allowed iOS/iPadOS versions for user-less devices](https://aka.ms/ADE_userless_support).
Applies to:
- iOS/iPadOS
-### 21 Vianet support for Mobile Threat Defense connector support on 21Vianet
-Intune operated by 21Vianet will soon support Mobile Threat Defense (MTD) connectors for Android and iOS/iPadOS devices for MTD vendors that also have support in that environment. When an MTD partner is supported and you sign in to a 21Vianet tenant, the supported connectors will be available.
-Applies to:
-- Android
-- iOS/iPadOS
-For more information, see:
-- [Intune operated by 21Vianet in China](../fundamentals/china.md)
-- [Mobile Threat Defense integration with Intune](../protect/mobile-threat-defense.md)
-### New `cpuArchitecture` filter device property for app and policy assignments
-When you assign an app, compliance policy, or configuration profile, you can filter the assignment using different device properties, such as device manufacturer, operating system SKU, and more.
-A new `cpuArchitecture` device filter property is available for Windows and macOS devices. With this property, you can filter app and policy assignments depending on the processor architecture.
-For more information on filters and the device properties you can use, see:
-- [Use filters when assigning your apps, policies, and profiles in Microsoft Intune](filters.md)
-- [Filter properties](filters-device-properties.md)
-- [Supported workloads](filters-supported-workloads.md)
-Applies to:
-- Windows 10
-- Windows 11
-- macOS
## Device security
-### Target Date Time setting for Apple software update enforcement will schedule updates using the local time on devices
-You will be able to specify the time that OS updates are enforced on devices in their local time zone. For example, configuring an OS update to be enforced at 5pm will schedule the update for 5pm in the device's local time zone. Currently, this setting uses the time zone that the policy is configured.
-This change will only apply to new policies that are created in the August 2408 release and later. The **Target Date Time** setting is in the settings catalog at **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **iOS/iPadOS** or **macOS** for platform > **Settings catalog** for profile type > **Declarative Device Management** > Software Update.
-In a future release, the **UTC** text will be removed from the **Target Date Time** setting.
-For more information on using the settings catalog to configure software updates, see [Managed software updates with the settings catalog](../protect/managed-software-updates-ios-macos.md).
-Applies to:
-- iOS/iPadOS
-- macOS
### Defender for Endpoint security settings support in government cloud environments
Customer tenants in US Government Community Cloud (GCC) High, and Department of Defense (DoD) environments will soon be able to use Intune to manage the Defender security settings on the devices you’ve onboarded to Defender without enrolling those devices with Intune. This capability is known as [Defender for Endpoint security settings management](../protect/mde-security-integration.md).
diff --git a/memdocs/intune/fundamentals/intune-add-ons.md b/memdocs/intune/fundamentals/intune-add-ons.md
index 0f5493970b8..c3d9e64a6c4 100644
--- a/memdocs/intune/fundamentals/intune-add-ons.md
+++ b/memdocs/intune/fundamentals/intune-add-ons.md
@@ -47,14 +47,14 @@ The following table provides a list of add-on capabilities and associated Intune
|Capability|Standalone add-on|Intune Plan 2|Intune Suite|
-|Endpoint Privilege Management |✔️| |✔️|
-|Enterprise App Management |✔️| |✔️|
-|Advanced Analytics|✔️ | |✔️|
-|Remote Help|✔️| |✔️|
-|Microsoft Tunnel for Mobile Application Management| |✔️|✔️|
-|Microsoft Cloud PKI |✔️ ||✔️|
-|Firmware-over-the-air update| |✔️ |✔️ |
-|Specialized devices management| |✔️|✔️|
+|Endpoint Privilege Management |✅ | |✅ |
+|Enterprise App Management |✅ | |✅ |
+|Advanced Analytics|✅ | |✅ |
+|Remote Help|✅ | |✅ |
+|Microsoft Tunnel for Mobile Application Management| |✅ |✅ |
+|Microsoft Cloud PKI |✅ ||✅ |
+|Firmware-over-the-air update| |✅ |✅ |
+|Specialized devices management| |✅ |✅ |
### Microsoft Intune Endpoint Privilege Management
diff --git a/memdocs/intune/fundamentals/intune-endpoints.md b/memdocs/intune/fundamentals/intune-endpoints.md
index 7c029c96c4f..628bee2182f 100644
--- a/memdocs/intune/fundamentals/intune-endpoints.md
+++ b/memdocs/intune/fundamentals/intune-endpoints.md
@@ -98,7 +98,7 @@ The data columns shown in the tables are:
ID |Desc |Category |ER |Addresses |Ports
-- |---------------------------------------------------------------- |---------------------|--- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------|
163 | Endpoint Manager client and host service| Allow
Required | False | `*.manage.microsoft.com`
`,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,` | **TCP:** 80, 443|
-172 | MDM Delivery Optimization | Default
Required | False | `*.do.dsp.mp.microsoft.com`
| **TCP:** 80, 443|
+172 | MDM Delivery Optimization | Default
Required | False | `*.do.dsp.mp.microsoft.com`
| **TCP:** 80, 443|
170 | MEM - Win32Apps| Default
Required | False | `swda01-mscdn.manage.microsoft.com`
`swdin02-mscdn.manage.microsoft.com` | **TCP:** 443|
97 | Consumer Outlook.com, OneDrive, Device authentication and Microsoft account | Default
Required | False | `account.live.com`
|**TCP:** 443 |
190 | Endpoint discovery | Default
Required | False | `go.microsoft.com` | **TCP:** 80, 443|
@@ -110,7 +110,7 @@ ID |Desc |Category |ER |Addresses |Ports
ID |Desc |Category |ER |Addresses |Ports|
-- |-- |-----|--- |--------------|--------------------------------|
-164 | Autopilot - Windows Update| Default
Required | False | `*.windowsupdate.com`
| **TCP:** 80, 443|
+164 | Autopilot - Windows Update| Default
Required | False | `*.windowsupdate.com`
| **TCP:** 80, 443|
165 | Autopilot - NTP Sync | Default
Required | False | `time.windows.com` |**UDP:** 123|
169 | Autopilot - WNS Dependencies| Default
Required | False | `clientconfig.passport.net`
`c.s-microsoft.com` | **TCP:** 443 |
173 | Autopilot - Third party deployment dependencies| Default
Required | False | `ekop.intel.com`
| **TCP:** 443|
@@ -152,9 +152,9 @@ For Intune-managed Windows devices managed using Mobile Device Management (MDM),
| ID | Desc | Category | ER | Addresses | Ports |
| --- | ---- | -------- | ----- | --------- | ----- |
-| 172 | MDM - Delivery Optimization Dependencies | Default
Required | False | `*.do.dsp.mp.microsoft.com`
| **TCP:** 80, 443 |
+| 172 | MDM - Delivery Optimization Dependencies | Default
Required | False | `*.do.dsp.mp.microsoft.com`
| **TCP:** 80, 443 |
-**Port requirements** - For peer-to-peer traffic, Delivery Optimization uses 7680 for TCP/IP or 3544 for NAT traversal (optionally Teredo).
+**Port requirements** - For peer-to-peer traffic, Delivery Optimization uses 7680 for TCP/IP. It uses Teredo on port 3544 for NAT traversal (use of Teredo is optional)
For client-service communication, it uses HTTP or HTTPS over port 80/443.
**Proxy requirements** - To use Delivery Optimization, you must allow Byte Range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting).
@@ -166,7 +166,6 @@ For client-service communication, it uses HTTP or HTTPS over port 80/443.
For Delivery Optimization metadata:
- \*.dl.delivery.mp.microsoft.com
-- \*.emdl.ws.microsoft.com
#### Apple dependencies
@@ -221,9 +220,7 @@ You'll also need FQDNs that are covered as part of Microsoft 365 Requirements. F
|*.update.microsoft.com| Windows Update and Delivery Optimization |
|*.delivery.mp.microsoft.com| Windows Update and Delivery Optimization |
|tsfe.trafficshaping.dsp.mp.microsoft.com| Windows Update and Delivery Optimization |
-|emdl.ws.microsoft.com| Delivery Optimization |
|*.do.dsp.mp.microsoft.com| Delivery Optimization |
-|*.emdl.ws.microsoft.com| Delivery Optimization |
|*.notify.windows.com| Push Notifications |
|*.wns.windows.com| Push Notifications |
|devicelistenerprod.microsoft.com| Windows Update for Business deployment service |
diff --git a/memdocs/intune/fundamentals/intune-govt-service-description.md b/memdocs/intune/fundamentals/intune-govt-service-description.md
index 8e2cab84295..eb9bc28b8b8 100644
--- a/memdocs/intune/fundamentals/intune-govt-service-description.md
+++ b/memdocs/intune/fundamentals/intune-govt-service-description.md
@@ -87,7 +87,6 @@ The following features are currently not available and aren't supported in GCC H
| --- | --- |
| Expedited updates | For more information on this feature, go to [Expedite Windows quality updates in Microsoft Intune](../protect/windows-10-expedite-updates.md). |
| Feature updates | For more information on this feature, go to [Feature updates for Windows in Intune](../protect/windows-10-feature-updates.md). |
-| Organizational Messages | For more information on this feature, go to [Organizational messages in Microsoft Intune](../remote-actions/organizational-messages-overview.md). |
| Windows Autopilot | The following features are in the planning phase: - Customize out-of-box experience (OOBE) and rename devices during provisioning based on organizational structure - Self-deploying and pre-provisioning mode - More admin-specified configurations delivered before allowing desktop access. - Enhanced optional desktop onboarding experience inside the Windows Company Portal app - The ability to associate a device with a tenant. For information about Windows Autopilot, go to [Windows Autopilot overview](/autopilot/overview). |
### Not available
diff --git a/memdocs/intune/fundamentals/intune-scale-guidelines.md b/memdocs/intune/fundamentals/intune-scale-guidelines.md
index ac647e7d1e2..a6072d64e44 100644
--- a/memdocs/intune/fundamentals/intune-scale-guidelines.md
+++ b/memdocs/intune/fundamentals/intune-scale-guidelines.md
@@ -184,7 +184,7 @@ The [Full delegation model](#full-delegation-model) is recommended.
#### Windows update rings
- We recommend that Windows update rings are managed centrally. The Central team should create as many common Windows update ring policies as they need to support the variance of the local admins.
-- The local admins shouldn't create their own Windows update rings. When you delegate to a large numbers of administrators, the total number of objects may become large and difficult to manage. Best practices vary for each feature. For more information, go to [Windows update rings](../protect/windows-10-update-rings.md).
+- The local admins shouldn't create their own Windows update rings. When you delegate to a large number of administrators, the total number of objects may become large and difficult to manage. Best practices vary for each feature. For more information, go to [Windows update rings](../protect/windows-10-update-rings.md).
#### Feature updates
@@ -223,8 +223,6 @@ For more information, go to [How many tokens can I upload.](../apps/vpp-apps-ios
- Local admins can create Win32 apps as needed within the cross-platform, line-of-business app and web-link limit. For more information, go to [Win32 app management](../apps/apps-win32-app-management.md).
-- Local admins can purchase Microsoft Store for Business (MSFB) apps as needed.
> [!NOTE]
> [Microsoft Store for Business](/microsoft-store/microsoft-store-for-business-overview) is being retired. Starting with Windows 11, you have a new option for your private volume-licensed apps. For more information, go to [Private app repository in Windows 11](/windows/application-management/private-app-repository-mdm-company-portal-windows-11) and [Update to Microsoft Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077).
@@ -262,19 +260,19 @@ In this section:
#### Autopilot
- Grant local admins the permissions to read Autopilot devices and upload new Autopilot devices.
-- Local admins shouldn't create Autopilot profiles. When you delegate to a large numbers of administrators, the total number of objects may become large and difficult to manage. The best practice varies per feature area.
+- Local admins shouldn't create Autopilot profiles. When you delegate to a large number of administrators, the total number of objects may become large and difficult to manage. The best practice varies per feature area.
For more information on Autopilot, go to [Use Autopilot to enroll Windows devices in Intune](../enrollment/tutorial-use-autopilot-enroll-devices.md).
#### Enrollment status page
- Local admins should select from existing Enrollment status page profiles to assign, or they should request the Central team to create an exception profile, only if necessary.
-- Local admins shouldn't create Enrollment status page profiles. When you delegate to a large numbers of administrators, the total number of objects may become large and difficult to manage. The best practice varies per feature area. For information on Enrollment status page, go to [Set up the Enrollment Status Page](../enrollment/windows-enrollment-status.md).
+- Local admins shouldn't create Enrollment status page profiles. When you delegate to a large number of administrators, the total number of objects may become large and difficult to manage. The best practice varies per feature area. For information on Enrollment status page, go to [Set up the Enrollment Status Page](../enrollment/windows-enrollment-status.md).
#### Apple Business Manager
If possible, local admins shouldn't be granted create, update or delete permissions on enrollment profiles. If local admins are given permissions to create Apple Business Manager profiles it also gives them create, update and delete permissions in Autopilot. However, local admins shouldn't create Autopilot profiles.
-When you delegate to a large numbers of administrators, the total number of objects may become large and difficult to manage. The best practice varies per feature area. For more information, go to [Use Apple Business Manager to enroll Apple devices in Intune](../enrollment/tutorial-use-device-enrollment-program-enroll-ios.md).
+When you delegate to a large number of administrators, the total number of objects may become large and difficult to manage. The best practice varies per feature area. For more information, go to [Use Apple Business Manager to enroll Apple devices in Intune](../enrollment/tutorial-use-device-enrollment-program-enroll-ios.md).
#### Android Enterprise profiles
@@ -300,5 +298,5 @@ For more information, go to [Device categories](../enrollment/device-group-mappi
### Endpoint analytics
- The Central team should create as many common Endpoint Analytics baselines as they need to support the variance of the Local admins.
-- If possible, local admins shouldn't create their own Endpoint Analytics baselines. When you delegate to a large numbers of administrators, the total number of objects may become large and difficult to manage. The best practice varies per feature area.
+- If possible, local admins shouldn't create their own Endpoint Analytics baselines. When you delegate to a large number of administrators, the total number of objects may become large and difficult to manage. The best practice varies per feature area.
- For more information, go to [Configuring settings in Endpoint analytics](../../analytics//settings.md#bkmk_baselines).
diff --git a/memdocs/intune/fundamentals/manage-apps.md b/memdocs/intune/fundamentals/manage-apps.md
index bca68349864..f5bcbfb2ed9 100644
--- a/memdocs/intune/fundamentals/manage-apps.md
+++ b/memdocs/intune/fundamentals/manage-apps.md
@@ -121,7 +121,6 @@ The app features in the Intune admin center make it easier to deploy these diffe
For more specific information, go to:
- - [Manage volume purchased apps from the Microsoft Store for Business](../apps/windows-store-for-business.md)
- [Add Microsoft 365 apps to Windows client devices](../apps/apps-add-office365.md)
- [Win32 app management](../apps/apps-win32-app-management.md)
diff --git a/memdocs/intune/fundamentals/manage-os-versions.md b/memdocs/intune/fundamentals/manage-os-versions.md
index a3b0eb73f0b..9b0479b7420 100644
--- a/memdocs/intune/fundamentals/manage-os-versions.md
+++ b/memdocs/intune/fundamentals/manage-os-versions.md
@@ -1,14 +1,14 @@
# required metadata
-title: Manage operating system versions of devices you manage with Intune
+title: Manage device operating system versions with Intune
titleSuffix: Microsoft Intune
-description: Learn how to manage operating system versions across platforms with Microsoft Intune.
+description: Learn about the methods for managing device operating system versions supported by Microsoft Intune.
author: brenduns
ms.author: brenduns
manager: dougeby
-ms.date: 10/04/2023
+ms.date: 08/23/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: fundamentals
@@ -117,7 +117,7 @@ You can use the Intune capabilities described in this article to help you move y
## Next steps
-Use the following resources to manage operating system versions in your organization:
+Use the following resources to manage the operating system versions that are in use in your organization:
- [Set device type restrictions](../enrollment/enrollment-restrictions-set.md)
- [Get started with device compliance](../protect/device-compliance-get-started.md)
diff --git a/memdocs/intune/fundamentals/media/cloud-configuration/guided-scenario-basics.png b/memdocs/intune/fundamentals/media/cloud-configuration/guided-scenario-basics.png
index ce95a0ed46e..8da36a82d49 100644
Binary files a/memdocs/intune/fundamentals/media/cloud-configuration/guided-scenario-basics.png and b/memdocs/intune/fundamentals/media/cloud-configuration/guided-scenario-basics.png differ
diff --git a/memdocs/intune/fundamentals/media/deployment-guide-enrollment/orig-mdm-certificate.png b/memdocs/intune/fundamentals/media/deployment-guide-enrollment/orig-mdm-certificate.png
deleted file mode 100644
index 4f1ca98594d..00000000000
Binary files a/memdocs/intune/fundamentals/media/deployment-guide-enrollment/orig-mdm-certificate.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/end-user-company-portal-messages/end-user-company-portal-messages-02.png b/memdocs/intune/fundamentals/media/end-user-company-portal-messages/end-user-company-portal-messages-02.png
deleted file mode 100644
index 6f72d1cd28b..00000000000
Binary files a/memdocs/intune/fundamentals/media/end-user-company-portal-messages/end-user-company-portal-messages-02.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/end-user-company-portal-messages/end-user-company-portal-messages-03.png b/memdocs/intune/fundamentals/media/end-user-company-portal-messages/end-user-company-portal-messages-03.png
deleted file mode 100644
index a4352f7841c..00000000000
Binary files a/memdocs/intune/fundamentals/media/end-user-company-portal-messages/end-user-company-portal-messages-03.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/high-level-architecture/intunearchitecture_wh.svg b/memdocs/intune/fundamentals/media/high-level-architecture/intunearchitecture_wh.svg
deleted file mode 100644
index c9cf36952a6..00000000000
--- a/memdocs/intune/fundamentals/media/high-level-architecture/intunearchitecture_wh.svg
+++ /dev/null
@@ -1,34210 +0,0 @@
diff --git a/memdocs/intune/fundamentals/media/introduction-intune-education/intune-azure-vs-intuneedu.png b/memdocs/intune/fundamentals/media/introduction-intune-education/intune-azure-vs-intuneedu.png
deleted file mode 100644
index 99f201d770e..00000000000
Binary files a/memdocs/intune/fundamentals/media/introduction-intune-education/intune-azure-vs-intuneedu.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/intune-reports/intune-reports-02.png b/memdocs/intune/fundamentals/media/intune-reports/intune-reports-02.png
deleted file mode 100644
index 295c4103013..00000000000
Binary files a/memdocs/intune/fundamentals/media/intune-reports/intune-reports-02.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/manage-apps/orig-manage-apps-with-intune.png b/memdocs/intune/fundamentals/media/manage-apps/orig-manage-apps-with-intune.png
deleted file mode 100644
index 82a0ea59139..00000000000
Binary files a/memdocs/intune/fundamentals/media/manage-apps/orig-manage-apps-with-intune.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/manage-devices/orig-manage-devices-with-intune.png b/memdocs/intune/fundamentals/media/manage-devices/orig-manage-devices-with-intune.png
deleted file mode 100644
index dfb573e7f01..00000000000
Binary files a/memdocs/intune/fundamentals/media/manage-devices/orig-manage-devices-with-intune.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/manage-identities/orig-identities-different-user-types.png b/memdocs/intune/fundamentals/media/manage-identities/orig-identities-different-user-types.png
deleted file mode 100644
index 1e07bab58ce..00000000000
Binary files a/memdocs/intune/fundamentals/media/manage-identities/orig-identities-different-user-types.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/all-devices-experience.png b/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/all-devices-experience.png
deleted file mode 100644
index a07fde88346..00000000000
Binary files a/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/all-devices-experience.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/apple-updates-devices-experience.png b/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/apple-updates-devices-experience.png
deleted file mode 100644
index 537fcd08969..00000000000
Binary files a/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/apple-updates-devices-experience.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/column-selector-all-devices.png b/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/column-selector-all-devices.png
deleted file mode 100644
index 7b4a6a26112..00000000000
Binary files a/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/column-selector-all-devices.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/compliance-devices-experience.png b/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/compliance-devices-experience.png
deleted file mode 100644
index 390abe5410e..00000000000
Binary files a/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/compliance-devices-experience.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/configuration-devices-experience.png b/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/configuration-devices-experience.png
deleted file mode 100644
index 922da005464..00000000000
Binary files a/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/configuration-devices-experience.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/device-preview-toggle-off.png b/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/device-preview-toggle-off.png
deleted file mode 100644
index ff0a26a8948..00000000000
Binary files a/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/device-preview-toggle-off.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/enrollment-devices-experience.png b/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/enrollment-devices-experience.png
deleted file mode 100644
index d15dae4118a..00000000000
Binary files a/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/enrollment-devices-experience.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/overview-devices-experience.png b/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/overview-devices-experience.png
deleted file mode 100644
index 3c92cac480c..00000000000
Binary files a/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/overview-devices-experience.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/public-preview-toggle-intune-2311.png b/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/public-preview-toggle-intune-2311.png
deleted file mode 100644
index de6ea6bcdd7..00000000000
Binary files a/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/public-preview-toggle-intune-2311.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/public-preview-toggle-intune.png b/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/public-preview-toggle-intune.png
deleted file mode 100644
index 68c2bf20cd8..00000000000
Binary files a/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/public-preview-toggle-intune.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/windows-10-devices-experience.png b/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/windows-10-devices-experience.png
deleted file mode 100644
index b486c557d73..00000000000
Binary files a/memdocs/intune/fundamentals/media/microsoft-intune-admin-center-devices/windows-10-devices-experience.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/monitor-audit-logs/audit-logs-compliance-category-activity-options.png b/memdocs/intune/fundamentals/media/monitor-audit-logs/audit-logs-compliance-category-activity-options.png
new file mode 100644
index 00000000000..4f1cea0e5dd
Binary files /dev/null and b/memdocs/intune/fundamentals/media/monitor-audit-logs/audit-logs-compliance-category-activity-options.png differ
diff --git a/memdocs/intune/fundamentals/media/monitor-audit-logs/audit-logs-date-range.png b/memdocs/intune/fundamentals/media/monitor-audit-logs/audit-logs-date-range.png
new file mode 100644
index 00000000000..0fd4a317557
Binary files /dev/null and b/memdocs/intune/fundamentals/media/monitor-audit-logs/audit-logs-date-range.png differ
diff --git a/memdocs/intune/fundamentals/media/monitor-audit-logs/audit-logs-export-data-settings.png b/memdocs/intune/fundamentals/media/monitor-audit-logs/audit-logs-export-data-settings.png
index 537f7c73cda..6f79c5d7842 100644
Binary files a/memdocs/intune/fundamentals/media/monitor-audit-logs/audit-logs-export-data-settings.png and b/memdocs/intune/fundamentals/media/monitor-audit-logs/audit-logs-export-data-settings.png differ
diff --git a/memdocs/intune/fundamentals/media/try-intune-overview/try-intune-overview-01.png b/memdocs/intune/fundamentals/media/try-intune-overview/try-intune-overview-01.png
deleted file mode 100644
index e4ae1b470b7..00000000000
Binary files a/memdocs/intune/fundamentals/media/try-intune-overview/try-intune-overview-01.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/ui-changes/01-classic-rules.png b/memdocs/intune/fundamentals/media/ui-changes/01-classic-rules.png
deleted file mode 100644
index 7958a843f20..00000000000
Binary files a/memdocs/intune/fundamentals/media/ui-changes/01-classic-rules.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/ui-changes/02-azure-enroll-restrictions.png b/memdocs/intune/fundamentals/media/ui-changes/02-azure-enroll-restrictions.png
deleted file mode 100644
index 6a4c61060d4..00000000000
Binary files a/memdocs/intune/fundamentals/media/ui-changes/02-azure-enroll-restrictions.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/ui-changes/03-azure-device-limit.png b/memdocs/intune/fundamentals/media/ui-changes/03-azure-device-limit.png
deleted file mode 100644
index f0b08469327..00000000000
Binary files a/memdocs/intune/fundamentals/media/ui-changes/03-azure-device-limit.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/ui-changes/04-azure-platform-restrictions.png b/memdocs/intune/fundamentals/media/ui-changes/04-azure-platform-restrictions.png
deleted file mode 100644
index 5ff498902c6..00000000000
Binary files a/memdocs/intune/fundamentals/media/ui-changes/04-azure-platform-restrictions.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/ui-changes/05-azure-personal-block.png b/memdocs/intune/fundamentals/media/ui-changes/05-azure-personal-block.png
deleted file mode 100644
index ea23f724a96..00000000000
Binary files a/memdocs/intune/fundamentals/media/ui-changes/05-azure-personal-block.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/ui-changes/06-classic-dep-token.png b/memdocs/intune/fundamentals/media/ui-changes/06-classic-dep-token.png
deleted file mode 100644
index d9e07162790..00000000000
Binary files a/memdocs/intune/fundamentals/media/ui-changes/06-classic-dep-token.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/ui-changes/07-azure-dep-token.png b/memdocs/intune/fundamentals/media/ui-changes/07-azure-dep-token.png
deleted file mode 100644
index 6aff07b6250..00000000000
Binary files a/memdocs/intune/fundamentals/media/ui-changes/07-azure-dep-token.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/ui-changes/08-azure-dep-sync.png b/memdocs/intune/fundamentals/media/ui-changes/08-azure-dep-sync.png
deleted file mode 100644
index 26ac96a30c4..00000000000
Binary files a/memdocs/intune/fundamentals/media/ui-changes/08-azure-dep-sync.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/ui-changes/09-classic-apple-serials.png b/memdocs/intune/fundamentals/media/ui-changes/09-classic-apple-serials.png
deleted file mode 100644
index 199eb8fd783..00000000000
Binary files a/memdocs/intune/fundamentals/media/ui-changes/09-classic-apple-serials.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/ui-changes/10-azure-dep-serials.png b/memdocs/intune/fundamentals/media/ui-changes/10-azure-dep-serials.png
deleted file mode 100644
index d14ff4adbd1..00000000000
Binary files a/memdocs/intune/fundamentals/media/ui-changes/10-azure-dep-serials.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/ui-changes/11-azure-ac-serials.png b/memdocs/intune/fundamentals/media/ui-changes/11-azure-ac-serials.png
deleted file mode 100644
index 39c23755a8a..00000000000
Binary files a/memdocs/intune/fundamentals/media/ui-changes/11-azure-ac-serials.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/ui-changes/12-classic-corp-imei.png b/memdocs/intune/fundamentals/media/ui-changes/12-classic-corp-imei.png
deleted file mode 100644
index e683d998a86..00000000000
Binary files a/memdocs/intune/fundamentals/media/ui-changes/12-classic-corp-imei.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/ui-changes/13-azure-corp-imei.png b/memdocs/intune/fundamentals/media/ui-changes/13-azure-corp-imei.png
deleted file mode 100644
index 542c5a4e23d..00000000000
Binary files a/memdocs/intune/fundamentals/media/ui-changes/13-azure-corp-imei.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/ui-changes/14-classic-corp-profiles.png b/memdocs/intune/fundamentals/media/ui-changes/14-classic-corp-profiles.png
deleted file mode 100644
index e173dfc421f..00000000000
Binary files a/memdocs/intune/fundamentals/media/ui-changes/14-classic-corp-profiles.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/ui-changes/15-azure-dep-profiles.png b/memdocs/intune/fundamentals/media/ui-changes/15-azure-dep-profiles.png
deleted file mode 100644
index 7ca40efbe39..00000000000
Binary files a/memdocs/intune/fundamentals/media/ui-changes/15-azure-dep-profiles.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/ui-changes/16-azure-ac-profiles.png b/memdocs/intune/fundamentals/media/ui-changes/16-azure-ac-profiles.png
deleted file mode 100644
index fa0d3736714..00000000000
Binary files a/memdocs/intune/fundamentals/media/ui-changes/16-azure-ac-profiles.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/what-is-device-management/orig-device-management-features-mdm-mam.png b/memdocs/intune/fundamentals/media/what-is-device-management/orig-device-management-features-mdm-mam.png
deleted file mode 100644
index eda8f1cde54..00000000000
Binary files a/memdocs/intune/fundamentals/media/what-is-device-management/orig-device-management-features-mdm-mam.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/whats-new/intune-assessment-status.png b/memdocs/intune/fundamentals/media/whats-new/intune-assessment-status.png
deleted file mode 100644
index d66fdf153d2..00000000000
Binary files a/memdocs/intune/fundamentals/media/whats-new/intune-assessment-status.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/whats-new/intune-ffiec-assessment-status.png b/memdocs/intune/fundamentals/media/whats-new/intune-ffiec-assessment-status.png
deleted file mode 100644
index dc9b7c1889e..00000000000
Binary files a/memdocs/intune/fundamentals/media/whats-new/intune-ffiec-assessment-status.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/media/whats-new/macos-hide-checkmark-users-groups-login-items-apps-list.png b/memdocs/intune/fundamentals/media/whats-new/macos-hide-checkmark-users-groups-login-items-apps-list.png
deleted file mode 100644
index fd03f1eace1..00000000000
Binary files a/memdocs/intune/fundamentals/media/whats-new/macos-hide-checkmark-users-groups-login-items-apps-list.png and /dev/null differ
diff --git a/memdocs/intune/fundamentals/monitor-audit-logs.md b/memdocs/intune/fundamentals/monitor-audit-logs.md
index d78f57db981..2bef48b29b4 100644
--- a/memdocs/intune/fundamentals/monitor-audit-logs.md
+++ b/memdocs/intune/fundamentals/monitor-audit-logs.md
@@ -7,7 +7,7 @@ keywords:
ms.author: mandia
author: MandiOhlinger
manager: dougeby
-ms.date: 10/24/2023
+ms.date: 08/14/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: fundamentals
@@ -31,7 +31,9 @@ ms.collection:
# Use audit logs to track and monitor events in Microsoft Intune
-Audit logs include a record of activities that generate a change in Microsoft Intune. Create, update (edit), delete, assign, and remote actions all create audit events that administrators can review for most Intune workloads. By default, auditing is enabled for all customers. It can't be disabled.
+In Microsoft Intune, there are audit logs that include a record of activities that generate a change. For example, the create, update (edit), delete, assign, and remote actions all create audit events.
+Administrators can review the audit logs to track and monitor events for most Intune workloads. Auditing is enabled for all customers. It can't be disabled.
## Who can access the data?
@@ -40,46 +42,55 @@ Users with the following permissions can review audit logs:
- [Intune Administrator Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference#intune-administrator)
- Administrators assigned to an Intune role with **Audit data** - **Read** permissions. For a list of built-in Intune roles that have this permission, go to [Built-in role permissions for Microsoft Intune](role-based-access-control-reference.md).
-## Audit logs for Intune workloads
+## View the audit logs
-You can review audit logs in the monitoring group for each Intune workload:
+You can review audit logs in the monitoring group for each Intune workload, like compliance or Conditional Access.
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Tenant administration** > **Audit logs**.
-3. To filter the results, select **Filter** and refine the results using the following options.
- - **Category**: such as **Compliance**, **Device**, and **Role**.
- - **Activity**: the options listed here are restricted by the option chosen under **Category**.
- - **Date range**: you can choose logs for the previous month, week, or day.
-4. Select **Apply**.
-5. Select an item in the list to see the activity details.
+3. A list of the logs is shown. Select a log from the list to see the activity details.
+4. If there are many logs, you can:
+ 1. Select **Date** and enter a start and end date. This date range can show logs for the previous month, week, or day.
+ :::image type="content" source="./media/monitor-audit-logs/audit-logs-date-range.png" alt-text="Filter audit logs by date in Microsoft Intune and Intune admin center.":::
+ 1. Select **Add filters** > **Category**. Select a category from the list, like **Compliance**, **Device**, or **Role**. Then, select **Apply**.
+ 1. Select **Add filters** > **Activity**. The available options depend on the **Category** you select. Then, select **Apply**.
+ For example, if you select the **Compliance** category, your **Activity** filter options look similar to the following image:
-For related information about audit logs, see [Additional information](../fundamentals/monitor-audit-logs.md#additional-information).
+ :::image type="content" source="./media/monitor-audit-logs/audit-logs-compliance-category-activity-options.png" alt-text="Filter audit logs by compliance category and select an activity in Microsoft Intune and Intune admin center.":::
+For related information about audit logs, go to:
+- [Data storage and processing in Intune](../protect/privacy-data-store-process.md)
+- [Use audit logs throughout Intune](../fundamentals/review-logs-using-azure-monitor.md#use-audit-logs-throughout-intune)
+- [Audit, export, or delete personal data in Intune](../protect/privacy-data-audit-export-delete.md)
## Route logs to Azure Monitor
-Audit logs and operational logs can also be routed to Azure Monitor. In **Tenant administration** > **Audit logs**, select **Export**:
+Audit logs and operational logs can also be routed to [Azure Monitor](/azure/azure-monitor/overview). In the Intune admin center, select **Tenant administration** > **Audit logs** > **Export**:
:::image type="content" source="./media/monitor-audit-logs/audit-logs-export-data-settings.png" alt-text="Export log data to Azure monitor by selecting Export data settings in Microsoft Intune and Intune admin center.":::
-> [!NOTE]
-> - For more information about this feature, and to review the prerequisites to use it, see [send log data to storage, event hubs, or log analytics](review-logs-using-azure-monitor.md).
-> - **Initiated by (actor)** includes information on who ran the task, and where it was run.
-> For example, if you run the activity in Intune in the Azure portal, then **Application** always lists **Microsoft Intune portal extension**, and the **Application ID** always uses the same GUID.
-> - The **Target(s)** section lists multiple targets and the properties that were changed.
+When you export, a `.csv` file is created and saved locally, possibly in `C:\Users\UserName\AppData\Local\Temp\MicrosoftEdgeDownloads\GUID`.
+When looking at the `.csv` file:
+- **Initiated by (actor)** includes information on who ran the task, and where it was run.
+ For example, if you run the activity in Intune in the Azure portal, then **Application** always lists **Microsoft Intune portal extension**, and the **Application ID** always uses the same GUID.
+- The **Target(s)** section lists multiple targets and the properties that were changed.
+For more information about this feature, including the prerequisites, go to [send log data to storage, event hubs, or log analytics](review-logs-using-azure-monitor.md).
## Use Graph API to retrieve audit events
-For details on using the graph API to get up to one year of audit events, see [List auditEvents](/graph/api/intune-auditing-auditevent-list).
+You can also use Graph API to get one year of audit events. For more information, go to [List auditEvents](/graph/api/intune-auditing-auditevent-list).
-## Next steps
+## Related articles
- [Send log data to storage, event hubs, or log analytics](review-logs-using-azure-monitor.md)
- [Review client app protection logs](../apps/app-protection-policy-settings-log.md)
-## Additional information
-- [Data storage and processing in Intune](../protect/privacy-data-store-process.md)
-- [Use audit logs throughout Intune](../fundamentals/review-logs-using-azure-monitor.md#use-audit-logs-throughout-intune)
-- [Audit, export, or delete personal data in Intune](../protect/privacy-data-audit-export-delete.md)
diff --git a/memdocs/intune/fundamentals/multi-admin-approval.md b/memdocs/intune/fundamentals/multi-admin-approval.md
index 9610ba99c75..7da061c925f 100644
--- a/memdocs/intune/fundamentals/multi-admin-approval.md
+++ b/memdocs/intune/fundamentals/multi-admin-approval.md
@@ -41,14 +41,15 @@ Access policies are supported for the following resources:
- Apps – Applies to [app deployments](../apps/apps-add.md), but doesn't apply to app protection policies.
- Scripts – Applies to deploying scripts to devices that run [Windows](../apps/intune-management-extension.md).
+- Access Policies - Applies to creating or managing multiple administrative approval policies.
## Prerequisites for access policies and approvers
-To use multi administrative approval, your tenant must have at least two administrator accounts.
+To use multi administrative approval, your tenant must have at least two administrator accounts. One account will be used to perform a change in the tenant, the second account will be used approve the change.
-To create an access policy, your account must be assigned the [*Intune Service Administrator* or *Azure Global Administrator*](../fundamentals/role-based-access-control.md) role.
+To create an access policy, your account must be assigned the [*Intune Service Administrator* or *Azure Global Administrator*](../fundamentals/role-based-access-control.md) role, or be assigned the appropriate Multi Admin Approval permissions for an Intune role. Administrators who manage the access policies specifically for multi-admin approval require the *Approval for Multi Admin Approval* permission.
-To be an approver, an account must be in the group that’s assigned to the access policy for a specific type of resource.
+To be an approver for access policies, an account must be in the approver group that’s assigned to the access policy for a specific type of resource.
If your organization allows unlicensed administrators for Intune roles, all approver groups must also be a member group of one or more Intune role assignments.
diff --git a/memdocs/intune/fundamentals/policy-map-configurations.md b/memdocs/intune/fundamentals/policy-map-configurations.md
index a1dfdf59db8..20deda492c7 100644
--- a/memdocs/intune/fundamentals/policy-map-configurations.md
+++ b/memdocs/intune/fundamentals/policy-map-configurations.md
@@ -7,7 +7,7 @@ keywords:
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 11/02/2023
+ms.date: 08/14/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: enrollment
@@ -29,11 +29,11 @@ ms.collection:
# Configurations policy mapping from Basic Mobility and Security to Intune
-This article provides mapping details between Basic Mobility and Security to Intune. Specifically, this page maps Microsoft Purview compliance portal Configurations policies to the equivalent policies in Microsoft Intune admin center.
+You can migrate from Basic Mobility and Security to Microsoft Intune. You can use the [Migration evaluation tool](migrate-to-intune.md) to automate much of this mapping.
-Intune offers more policy flexibility. So, each Office policy translates into multiple Intune and Microsoft Entra policies to achieve the same result.
+After you migrate, use this article to map the settings in Microsoft Purview compliance portal configuration policies to the equivalent settings in Intune.
-If you're migrating from Basic Mobility and Security to Intune, you can use the [Migration evaluation tool](migrate-to-intune.md) to automate much of this mapping.
+Intune offers more policy flexibility. So, each Office policy translates into multiple Intune and Microsoft Entra policies to achieve the same result.
To see these settings in the Microsoft Purview compliance portal, sign in to the [Purview compliance portal](https://protection.office.com/devicev2). Then, select **Device security policies** > policy name > **Edit policy** > **Configurations**.
@@ -41,13 +41,13 @@ To see these settings in the Microsoft Purview compliance portal, sign in to the
## Before you begin
-To configure the settings in an Intune policy, sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). [Role-based access control (RBAC) with Microsoft Intune](role-based-access-control.md) lists and describes the built-in roles that can create policies.
+- To configure the settings in an Intune policy, sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). [Role-based access control (RBAC) with Microsoft Intune](role-based-access-control.md) lists and describes the built-in roles that can create policies.
## Require encrypted backup
This setting was never supported for Windows or Android in Basic Mobility and Security.
-One configuration profile:
+One Intune configuration profile:
- **Devices** > **By platform** > **iOS/iPadOS** > **Manage devices** > **Configuration** > profile name > **Properties** > **Compliance settings Edit** > **Cloud and Storage** > **Force encrypted backup**
@@ -57,7 +57,7 @@ This setting was never supported for Windows or Android in Basic Mobility and Se
This setting is only supported on supervices iOS devices.
-One configuration profile:
+One Intune configuration profile:
- **Devices** > **By platform** > **iOS/iPadOS** > **Manage devices** > **Configuration** > profile name > **Properties** > **Configuration settings Edit** > **Cloud and Storage** > various **Block iCloud** settings
@@ -67,7 +67,7 @@ This setting was never supported for Windows or Android in Basic Mobility and Se
This setting is only supported on supervices iOS devices.
-One configuration profile:
+One Intune configuration profile:
- **Devices** > **By platform** > **iOS/iPadOS** > **Manage devices** > **Configuration** > profile name > **Properties** > **Configuration settings Edit** > **Cloud and Storage** > **Block iCloud document and data sync**
@@ -75,7 +75,7 @@ One configuration profile:
This setting was never supported for Windows or Android in Basic Mobility and Security.
-One configuration profile:
+One Intune configuration profile:
- **Devices** > **By platform** > **iOS/iPadOS** > **Manage devices** > **Configuration** > profile name > **Properties** > **Configuration settings Edit** > **Cloud and Storage** > **Block My Photo Stream**
@@ -83,7 +83,7 @@ One configuration profile:
For Android devices, this setting is only supported on Samsung Knox devices in Basic Mobility and Security.
-Three configuration profiles:
+Three Intune configuration profiles:
- **Devices** > **By platform** > **Windows** > **Manage devices** > **Configuration** > profile name > **Properties** > **Configuration settings Edit** > **General** > **Screen capture (mobile only)**
- **Devices** > **By platform** > **iOS/iPadOS** > **Manage devices** > **Configuration** > profile name > **Properties** > **Configuration settings Edit** > **General** > **Block screenshots and screen recording**
@@ -95,7 +95,7 @@ This setting was never supported for Windows or Android in Basic Mobility and Se
This setting is only supported on supervised iOS devices.
-One configuration profile:
+One Intune configuration profile:
- **Devices** > **By platform** > **iOS/iPadOS** > **Manage devices** > **Configuration** > profile name > **Properties** > **Configuration settings Edit** > **Built-in Apps** > **Block FaceTime**
@@ -105,7 +105,7 @@ For Android devices, this setting is only supported on Samsung Knox devices in B
For Windows 10 devices, the most restrictive value prevents sending security-related data.
-Three configuration profiles:
+Three Intune configuration profiles:
- **Devices** > **By platform** > **Windows** > **Manage devices** > **Configuration** > profile name > **Properties** > **Configuration settings Edit** > **Reporting and Telemetry** > **Share usage data**
@@ -123,7 +123,7 @@ For Android devices, this setting is only supported on Samsung Knox devices in B
For iOS, this setting is only supported on supervised iOS devices.
-Three configuration profiles:
+Three Intune configuration profiles:
- **Devices** > **By platform** > **Windows** > **Manage devices** > **Configuration** > profile name > **Properties** > **Configuration settings Edit** > **App store** > **App store (mobile only)**
- **Devices** > **By platform** > **iOS/iPadOS** > **Manage devices** > **Configuration** > profile name > **Properties** > **Configuration settings Edit** > **App store, Doc Viewing, Gaming** > **Block App store**
@@ -135,7 +135,7 @@ This setting was never supported for Windows or Android in Basic Mobility and Se
Apple doesn't block accessing the app store without a password, but blocks purchases without a password.
-One configuration profile:
+One Intune configuration profile:
- **Devices** > **By platform** > **iOS/iPadOS** > **Manage devices** > **Configuration** > profile name > **Properties** > **Configuration settings Edit** > **App store, Doc Viewing, Gaming** > **Require iTunes Store password for all purchases**
@@ -145,7 +145,7 @@ This setting was never supported for iOS/iPadOS in Basic Mobility and Security.
For Android devices, this setting is only supported on Samsung Knox devices in Basic Mobility and Security.
-Two configuration profiles:
+Two Intune configuration profiles:
- **Devices** > **By platform** > **Windows** > **Manage devices** > **Configuration** > profile name > **Properties** > **Configuration settings Edit** > **General** > **Removable storage**
- **Devices** > **By platform** > **Android** > **Manage devices** > **Configuration** > choose a profile with type **Device administrator** > **Properties** > **Configuration settings Edit** > **Cloud and Storage** > **Removable storage (Samsung Knox only)**
@@ -156,7 +156,7 @@ This setting was never supported for iOS/iPadOS in Basic Mobility and Security.
For Android devices, this setting is only supported on Samsung Knox devices in Basic Mobility and Security.
-Two configuration profiles:
+Two Intune configuration profiles:
- **Devices** > **By platform** > **Windows** > **Manage devices** > **Configuration** > profile name > **Properties** > **Configuration settings Edit** > > **Cellular and connectivity** > **Bluetooth**
- **Devices** > **By platform** > **Android** > **Manage devices** > **Configuration** > choose a profile with type **Device administrator** > **Properties** > **Configuration settings Edit** > **Cellular and connectivity** > **Bluetooth (Samsung Knox only)**
diff --git a/memdocs/intune/fundamentals/protection-configuration-levels.md b/memdocs/intune/fundamentals/protection-configuration-levels.md
index 67261a9630e..c57e2bb0e59 100644
--- a/memdocs/intune/fundamentals/protection-configuration-levels.md
+++ b/memdocs/intune/fundamentals/protection-configuration-levels.md
@@ -7,7 +7,7 @@ description: Learn about the different levels of protection and configuration in
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 10/20/2023
+ms.date: 08/19/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: configuration
@@ -38,7 +38,7 @@ When you're ready to create policies, you can use the different levels of protec
- [Level 2 - Enhanced protection and configuration](#level-2---enhanced-protection-and-configuration)
- [Level 3 - High protection and configuration](#level-3---high-protection-and-configuration)
-Your environment and business needs may have different levels defined. You can use these levels as a starting point and then customize them to fit your needs. For example, you can use the device configuration policies in level 1 and the app policies in level 3.
+Your environment and business needs can have different levels defined. You can use these levels as a starting point and then customize them to fit your needs. For example, you can use the device configuration policies in level 1 and the app policies in level 3.
Choose the levels that are right for your organization. There isn't a wrong choice.
@@ -48,49 +48,51 @@ This level includes policies that every organization should have, at a minimum.
### Apps (level 1)
-This level enforces a reasonable amount of data protection and access requirements while minimizing the impact to users. This level ensures that apps are protected with a PIN and encrypted and performs selective wipe operations. For Android devices, this level validates Android device attestation. This level is an entry level configuration that provides similar data protection control in Exchange Online mailbox policies. It also introduces IT and the user population to app protection policies.
+This level enforces a reasonable amount of data protection and access requirements, and minimizes end user disruption. This level ensures that apps are protected with a PIN & basic encryption, and runs selective wipe operations. For Android devices, this level validates Android device attestation. This level is an entry level configuration that provides similar data protection control in Exchange Online mailbox policies. It also introduces IT and end users to app protection policies.
In this level, Microsoft recommends you configure the following protection and access for apps:
-- Enable basic data protection requirements:
+- Enable basic data protection requirements
- Allow app basic data transfer
- Enforce basic app encryption
- Allow basic access functionality
-- Enable basic access requirements:
+- Enable basic access requirements
- Require PIN, face ID, and biometric access
- Enforce supporting basic access settings
-- Enable basic conditional application launch:
+- Enable basic conditional application launch
- Configure app basic access attempts
- Block app access based on jailbroken/rooted devices
- Restrict app access based on basic integrity of devices
-For more information, see [Level 1 basic app protection](../apps/app-protection-framework.md#level-1-enterprise-basic-data-protection).
+For more information, go to [Level 1 basic app protection](../apps/app-protection-framework.md#level-1-enterprise-basic-data-protection).
### Compliance (level 1)
-In this level, device compliance includes configuring the tenant-wide settings that apply to all devices, and deploying minimal compliance policies to all devices to enforce a core set of compliance requirements. Microsoft recommends that these configurations be in place before you allow devices to access your organization’s resources. Level 1 device compliance includes:
+In this level, device compliance configures the tenant-wide settings that apply to all devices. You also deploy minimal compliance policies to all devices to enforce a core set of compliance requirements.
+Microsoft recommends that these configurations be in place before you allow devices to access your organization's resources. Level 1 device compliance includes:
-*Compliance policy settings* are a few tenant-wide settings that affect how the Intune compliance service works with your devices.
+- **Compliance policy settings** are a few tenant-wide settings that affect how the Intune compliance service works with your devices.
-*Platform-specific compliance policies* include settings for common themes across platforms. The actual setting name and implementation can be different between different platforms:
+- **Platform-specific compliance policies** include settings for common themes across platforms. The actual setting name and implementation can vary with the different platforms:
-- Require antivirus, antispyware, and antimalware (Windows only)
-- Operating system version:
- - Maximum OS
- - Minimum OS
- - Minor and Major build versions
- - OS patch levels
-- Password configurations
- - Enforce lock screen after period of inactivity, requiring a password or pin to unlock
- - Require complex passwords with combinations of letters, numbers, and symbols
- - Require a password or PIN to unlock devices
- - Require minimum password length
+ - Require antivirus, antispyware, and antimalware (Windows only)
+ - Operating system version
+ - Maximum OS
+ - Minimum OS
+ - Minor and Major build versions
+ - OS patch levels
+ - Password configurations
+ - Enforce lock screen after period of inactivity, requiring a password or pin to unlock
+ - Require complex passwords with combinations of letters, numbers, and symbols
+ - Require a password or PIN to unlock devices
+ - Require minimum password length
-*Actions for noncompliance* are automatically included with each platform specific policy. These actions are one or more time-ordered actions you configure that apply to devices that fail to meet the compliance requirements of the policy. By default, marking a device as non-compliant is an immediate action that’s included in each policy.
+- **Actions for noncompliance** are automatically included with each platform specific policy. These actions are one or more time-ordered actions you configure. They apply to the devices that fail to meet the compliance requirements of your policy. By default, marking a device as noncompliant is an immediate action that comes with each policy.
-For more information, see [Level 1 - Minimal device compliance](../fundamentals/deployment-plan-compliance-policies.md#level-1---minimal-device-compliance).
+For more information, go to [Level 1 - Minimal device compliance](../fundamentals/deployment-plan-compliance-policies.md#level-1---minimal-device-compliance).
### Device configuration (level 1)
@@ -110,13 +112,13 @@ In this level, the profiles include settings that focus on security and resource
- VPN for remote access
- Wi-Fi for on-premises access
-For more information on these policies in this level, go to [Step 4 - Create device configuration profiles to secure devices and create connections to organization resources](deployment-plan-configuration-profile.md).
+For more information, go to [Step 4 - Create device configuration profiles to secure devices and create connections to organization resources](deployment-plan-configuration-profile.md).
## Level 2 - Enhanced protection and configuration
This level expands on the minimum set of policies to include more security and expand your mobile device management. The policies in this level secure more features, provide identity protection, and manage more device settings.
-Use the settings in this level to add what you've done in Level 1.
+Use the settings in this level to add what you configured in Level 1.
### Apps (level 2)
@@ -124,14 +126,14 @@ This level recommends a standard level of application protection for devices whe
In addition to Level 1 settings, Microsoft recommends you configure the following protection and access for apps:
-- Enable enhanced data protection requirements:
+- Enable enhanced data protection requirements
- Transfer organization related data
- Exempt selected apps data transfer requirements (iOS/iPadOS)
- Transfer telecommunication data
- Restrict cut, copy, and paste between apps
- Block screen capture (Android)
-- Enable enhanced conditional application launch:
+- Enable enhanced conditional application launch
- Block disabling application accounts
- Enforce minimum device OS requirements
- Require minimum patch version (Android)
@@ -139,13 +141,13 @@ In addition to Level 1 settings, Microsoft recommends you configure the followin
- Require device lock (Android)
- Allow app access based on increased integrity of device
-For more information, see [Level 2 enhanced app protection](../apps/app-protection-framework.md#level-2-enterprise-enhanced-data-protection).
+For more information, go to [Level 2 enhanced app protection](../apps/app-protection-framework.md#level-2-enterprise-enhanced-data-protection).
### Compliance (level 2)
-At this level, Microsoft recommends adding more complex options to your compliance policies. Many of the settings at this level have platform-specific names that all deliver similar results. The following are the categories or types of settings that Microsoft recommends you use when they're available:
+At this level, Microsoft recommends adding more granular options to your compliance policies. Many of the settings at this level have platform-specific names that all deliver similar results. The following are the categories or types of settings that Microsoft recommends you use when they're available:
-- Applications:
+- Applications
- Manage where devices get apps, like Google Play for Android
- Allow apps from specific locations
- Block apps from unknown sources
@@ -153,7 +155,7 @@ At this level, Microsoft recommends adding more complex options to your complian
- Firewall settings
- Firewall settings (macOS, Windows)
-- Encryption:
+- Encryption
- Require encryption of data storage
- BitLocker (Windows)
- FileVault (macOS)
@@ -161,7 +163,7 @@ At this level, Microsoft recommends adding more complex options to your complian
- Passwords
- Password expiration and reuse
-- System level file and boot protection:
+- System level file and boot protection
- Block USB debugging (Android)
- Block rooted or jailbroken devices (Android, iOS)
- Require system integrity protection (macOS)
@@ -169,86 +171,86 @@ At this level, Microsoft recommends adding more complex options to your complian
- Require secure boot to be enabled (Windows)
- Trusted Platform Module (Windows)
-For more information, see [Level 2 - Enhanced device compliance settings](../fundamentals/deployment-plan-compliance-policies.md#level-2---enhanced-device-compliance-settings).
+For more information, go to [Level 2 - Enhanced device compliance settings](../fundamentals/deployment-plan-compliance-policies.md#level-2---enhanced-device-compliance-settings).
### Device configuration (level 2)
In this level, you're expanding on the settings and features you configured in level 1. Microsoft recommends you create policies that:
-- Add another layer of security by enabling disk encryption, secure boot, and TPM on your devices.
+- Add another layer of security by enabling disk encryption, secure boot, and Trusted Platform Module (TPM) on your devices.
- Configure your PINs & passwords to expire and manage if/when passwords can be reused.
- Configure more granular device features, settings, and behaviors.
-- If you have on-premises GPOs, then you can determine if these GPOs are available in Intune.
+- Determine if any on-premises Group Policy Objects (GPOs) are available in Intune.
For more specific information on device configuration policies at this level, go to [Level 2 - Enhanced protection and configuration](deployment-plan-configuration-profile.md#level-2---enhanced-protection-and-configuration).
## Level 3 - High protection and configuration
-This level includes enterprise-level policies and may involve different admins in your organization. These policies continue moving to password-less authentication, have more security, and configure specialized devices.
+This level includes enterprise-level policies and can involve different admins in your organization. These policies continue moving to password-less authentication, have more security, and configure specialized devices.
-Use the settings in this level to add what you've done in Levels 1 and 2.
+Use the settings in this level to add what you configured in Levels 1 and 2.
### Apps (level 3)
-This level recommends a standard level of application protection for devices where users access more sensitive information. This level introduces advanced data protection mechanisms, enhanced PIN configuration, and app protection policy Mobile Threat Defense. This configuration is desirable for users that are accessing high risk data.
+This level recommends a standard level of application protection for devices where users access more sensitive information. This level introduces advanced data protection, enhanced PIN configuration, and app protection policy with Mobile Threat Defense. This configuration is for users that access high risk data.
In addition to level 1 and 2 settings, Microsoft recommends you configure the following protection and access for apps:
-- Enable high data protection requirements:
+- Enable high data protection requirements
- High protection when transferring telecommunication data
- Receive data from only policy managed apps
- Block opening data into organization documents
- Allow users to open data from selected services
- - Block third-party keyboards
+ - Block unwanted partner or non-Microsoft keyboards
- Require/select approved keyboards (Android)
- Block printing organization data
-- Enable high access requirements:
+- Enable high access requirements
- Block simple PIN and require specific minimum PIN length
- Require PIN reset after number of days
- Require class 3 Biometrics (Android 9.0+)
- Require override of Biometrics with PIN after biometric updates (Android)
-- Enable high conditional application launch:
+- Enable high conditional application launch
- Require device lock (Android)
- Require max allowed threat level
- Require Max OS version
-For more information, see [Level 3 high app protection](../apps/app-protection-framework.md#level-3-enterprise-high-data-protection).
+For more information, go to [Level 3 high app protection](../apps/app-protection-framework.md#level-3-enterprise-high-data-protection).
### Compliance (level 3)
-At this level, you can expand on Intune’s built-in compliance capabilities through the following capabilities:
+At this level, you can expand on Intune's built-in compliance features through the following capabilities:
- Integrate data from Mobile Threat Defense (MTD) partner
- - With an MTD partner, your compliance policies can require devices be at or under a *device threat level* or *machine risk score*, as determined by that partner
+ - With an MTD partner, your compliance policies can require devices be at or under a *device threat level* or *machine risk score*, as determined by that partner.
-- Use a third-party compliance partner with Intune
+- Use a non-Microsoft compliance partner with Intune.
- Use scripts to add custom compliance settings to your policies for settings that aren't available from within the Intune UI. (Windows, Linux)
-- Use compliance policy data with Conditional Access policies to gate access to your organization’s resources
+- Use compliance policy data with Conditional Access policies to gate access to your organization's resources.
-For more information, see [Level 3 - Advanced device compliance configurations](../fundamentals/deployment-plan-compliance-policies.md#level-3---advanced-device-compliance-configurations).
+For more information, go to [Level 3 - Advanced device compliance configurations](../fundamentals/deployment-plan-compliance-policies.md#level-3---advanced-device-compliance-configurations).
### Device configuration (level 3)
This level focuses on enterprise-level services and features, and can require an infrastructure investment. In this level, you can create policies that:
-- Expand password-less authentication to other services in your organization, including certificate based authentication, single-sign on for apps, multi-factor authentication (MFA), and the Microsoft Tunnel VPN gateway.
-- Expand Microsoft Tunnel by deploying Microsoft Tunnel for Mobile Application Management (Tunnel for MAM), which extends Tunnel support to iOS and Android devices that aren't enrolled with Intune. Tunnel for MAM is available as an Intune add-on.
+- Expand password-less authentication to other services in your organization, including certificate based authentication, single-sign on for apps, multifactor authentication (MFA), and the Microsoft Tunnel VPN gateway.
+- Expand Microsoft Tunnel by deploying Microsoft Tunnel for Mobile Application Management (Tunnel for MAM), which extends Tunnel support to iOS and Android devices that aren't enrolled with Intune. Tunnel for MAM is available as an Intune add-on.
- For more information, see [Use Intune Suite add-on capabilities](../fundamentals/intune-add-ons.md).
+ For information, go to [Use Intune Suite add-on capabilities](../fundamentals/intune-add-ons.md).
- Configure device features that apply to the Windows firmware layer. Use Android common criteria mode.
- Use Intune policy for Windows Local Administrator Password Solution (LAPS) to help secure the built-in local administrator account on your managed Windows devices.
- For more information, see [Intune support for Windows LAPS](../protect/windows-laps-overview.md).
-- Protect Windows devices through use of Endpoint Privilege Management (EPM), which helps you run your organization’s users as a standard users (without administrator rights) while enabling those same users to complete tasks that require elevated privileges.
+ For information, go to [Intune support for Windows LAPS](../protect/windows-laps-overview.md).
+- Protect Windows devices using Endpoint Privilege Management (EPM). EPM helps you run your organization's users as standard users (without administrator rights) and enables those same users to complete tasks that require elevated privileges.
- EPM is available as an Intune add-on. For more information, see [Use Intune Suite add-on capabilities](../fundamentals/intune-add-ons.md).
+ EPM is available as an Intune add-on. For information, go to [Use Intune Suite add-on capabilities](../fundamentals/intune-add-ons.md).
- Configure specialized devices like kiosks and shared devices.
- Deploy scripts, if needed.
For more specific information on device configuration policies at this level, go to [Level 3 - High protection and configuration](deployment-plan-configuration-profile.md#level-3---high-protection-and-configuration).
-## Next steps
+## Related article
For a complete list of all the device configuration profiles you can create, go to [Apply features and settings on your devices using device profiles in Microsoft Intune](../configuration/device-profiles.md).
diff --git a/memdocs/intune/fundamentals/remote-help-macos.md b/memdocs/intune/fundamentals/remote-help-macos.md
index 7c379c9ad35..2be06f0425f 100644
--- a/memdocs/intune/fundamentals/remote-help-macos.md
+++ b/memdocs/intune/fundamentals/remote-help-macos.md
@@ -47,8 +47,8 @@ Remote Help is available for macOS as both a native application, and as a Web Ap
|Capability|Client requirement|Helper app|
-|**Screen sharing**: View the remote screen.|✔️Web app✔️Native app|✔️Web app|
-|**Full control**: View the display and control the devices mouse and keyboard.|✔️Native app|✔️Web app|
+|**Screen sharing**: View the remote screen.|✅ Web app✅ Native app|✅ Web app|
+|**Full control**: View the display and control the devices mouse and keyboard.|✅ Native app|✅ Web app|
### Remote Help capabilities
@@ -122,8 +122,8 @@ On macOS, applications that access and control the screen require permission. By
|Permission|MDM control capabilities|
-|Accessibility|✔️Allow✔️Allow Standard User To Set System ServicemacOS allows this property to be set on behalf of the user to *Allow*, reducing the number of steps required to use the Remote Help native client|
-|Screen sharing|✔️Allow Standard User To Set System ServiceThis permission by default requires administrator privileges to allow it. macOS doesn't allow this property to be set to *Allow* by MDM but you can enable the ability for standard users to accept this permission.|
+|Accessibility|✅ Allow✅ Allow Standard User To Set System ServicemacOS allows this property to be set on behalf of the user to *Allow*, reducing the number of steps required to use the Remote Help native client|
+|Screen sharing|✅ Allow Standard User To Set System ServiceThis permission by default requires administrator privileges to allow it. macOS doesn't allow this property to be set to *Allow* by MDM but you can enable the ability for standard users to accept this permission.|
With settings catalog, we can streamline the end users experience for allowing these permissions.
diff --git a/memdocs/intune/fundamentals/what-is-device-management.md b/memdocs/intune/fundamentals/what-is-device-management.md
index 694dc96bd53..2fd75bfb51c 100644
--- a/memdocs/intune/fundamentals/what-is-device-management.md
+++ b/memdocs/intune/fundamentals/what-is-device-management.md
@@ -80,13 +80,13 @@ For more information, go to:
There are a couple of ways to approach device management.
-✔️ **Mobile device management (MDM)**
+✅ **Mobile device management (MDM)**
First, you can manage different aspects of devices using the features built in to Intune. This approach is called mobile device management (MDM).
Users "enroll" their devices, and use certificates to communicate with Intune. As an IT administrator, you push apps on devices, restrict devices to a specific operating system, block personal devices, and more. If a device is ever lost or stolen, you can also remove all data from the device.
-✔️ **Mobile application management (MAM)**
+✅ **Mobile application management (MAM)**
In the second approach, you manage apps on devices. This approach is called mobile application management (MAM).
diff --git a/memdocs/intune/fundamentals/whats-new-archive.md b/memdocs/intune/fundamentals/whats-new-archive.md
index 3e6e9d6475a..6a7cadaf7c9 100644
--- a/memdocs/intune/fundamentals/whats-new-archive.md
+++ b/memdocs/intune/fundamentals/whats-new-archive.md
@@ -33,7 +33,340 @@ ms.collection:
[!INCLUDE [azure_portal](../includes/azure_portal.md)]
+## Week of March 3, 2024
+### Device enrollment
+#### Role-based access control changes to enrollment settings for Windows Hello for Business
+We updated Role-based access control (RBAC) in the enrollment area for Windows Hello for Business. Enrollment settings related to Windows Hello for Business are read-only for all roles except the Intune Service Administrator. The Intune Service Administrator can create and edit Windows Hello for Business enrollment settings.
+For more information, see [Role-based access control](../protect/windows-hello.md#role-based-access-control) in the *Windows Hello at device enrollment* article.
+### Device security
+#### New enrollment configuration for Windows Hello for Business
+A new Windows Hello for Business enrollment setting, **Enable enhanced sign in security** is available in the Intune admin center. Enhanced sign-in security is a Windows Hello feature that prevents malicious users from gaining access to a user's biometrics through external peripherals.
+For more information about this setting, see [Create a Windows Hello for Business policy](../protect/windows-hello.md).
+#### HTML formatting supported in noncompliance email notifications
+Intune now supports HTML formatting in noncompliance email notifications for all platforms. You can use supported HTML tags to add formatting such as italics, URL links, and bulleted lists to your organization's messages.
+For more information, see [Create a notification message template](../protect/actions-for-noncompliance.md#create-a-notification-message-template).
+## Week of February 26, 2024
+### Microsoft Intune Suite
+#### New Microsoft Cloud PKI service
+Use the Microsoft Cloud PKI service to simplify and automate certificate lifecycle management for Intune-managed devices. Microsoft Cloud PKI is a feature component of the Microsoft Intune Suite and is also available as a standalone [Intune add-on](../fundamentals/intune-add-ons.md). The cloud-based service provides a dedicated PKI infrastructure for your organization, and doesn't require on-premises servers, connectors, or hardware. Microsoft Cloud PKI automatically issues, renews, and revokes certificates for all OS platforms supporting the SCEP certificate device configuration profile. Issued certificates can be used for certificate-based authentication for Wi-Fi, VPN, and other services supporting certificate-based authentication. For more information, see [Overview of Microsoft Cloud PKI](../protect/microsoft-cloud-pki-overview.md).
+Applies to:
+- Windows
+- Android
+- iOS/iPadOS
+- macOS
+### Intune apps
+#### Newly available protected app for Intune
+The following protected app is now available for Microsoft Intune:
+- Cinebody by Super 6 LLC
+For more information about protected apps, see [Microsoft Intune protected apps](../apps/apps-supported-intune-apps.md).
+## Week of February 19, 2024 (Service release 2402)
+### App management
+#### More app configuration permissions for Android apps
+There are six new permissions that can be configured for an Android app using an app configuration policy. They are:
+- Allow background body sensor data
+- Media Video (read)
+- Media Images (read)
+- Media Audio (read)
+- Nearby Wifi Devices
+- Nearby Devices
+For more information about how to use app config policies for Android apps, see [Add app configuration policies for managed Android Enterprise devices](../apps/app-configuration-policies-use-android.md).
+#### Newly available protected apps for Intune
+The following protected apps are now available for Microsoft Intune:
+- Bob HR by Hi Bob Ltd
+- ePRINTit SaaS by ePRINTit USA LLC
+- Microsoft Copilot by Microsoft Corporation
+For more information about protected apps, see [Microsoft Intune protected apps](../apps/apps-supported-intune-apps.md).
+#### Update to Intune Management Extension on Windows
+To support expanded functionality and bug fixes, use .NET Framework 4.7.2 or higher with the Intune Management Extension on Windows clients. If a Windows client continues to use an earlier version of the .NET Framework, the Intune Management Extension continues to function. The .NET Framework 4.7.2 is available from Windows Update as of July 10, 2018, which is included in Windows 10 1809 (RS5) and newer. Multiple versions of the .NET Framework can coexist on a device.
+Applies to:
+- Windows 10
+- Windows 11
+### Device configuration
+#### Use assignment filters on Endpoint Privilege Management (EPM) policies
+You can use assignment filters to assign a policy based on rules you create. A filter allows you to narrow the assignment scope of a policy, like targeting devices with a specific OS version or a specific manufacturer.
+You can use filters on Endpoint Privilege Management (EPM) policies.
+For more information, see:
+- [Use filters when assigning your apps, policies, and profiles in Intune](filters.md)
+- [List of platforms, policies, and app types supported by filters in Intune](filters-supported-workloads.md)
+Applies to:
+- Windows 10
+- Windows 11
+#### New settings available in the Apple settings catalog
+The [Settings Catalog](../configuration/settings-catalog.md) lists all the settings you can configure in a device policy, and all in one place.
+There are new settings in the Settings Catalog. To see these settings, in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **iOS/iPadOS** or **macOS** for platform > **Settings catalog** for profile type.
+##### iOS/iPadOS
+- **Restrictions**
+ - Allow Live Voicemail
+ - Force Classroom Unprompted Screen Observation
+ - Force Preserve ESIM On Erase
+##### macOS
+- **Full Disk Encryption > FileVault** > Force Enable In Setup Assistant
+- **Restrictions** > Force Classroom Unprompted Screen Observation
+For more information, see:
+- [Use FileVault disk encryption for macOS with Intune](../protect/encrypt-devices-filevault.md)
+- [Create a policy using settings catalog](../configuration/settings-catalog.md)
+#### Import up to 20 custom ADMX and ADML administrative templates
+You can import custom ADMX and ADML administrative templates in Microsoft Intune. Previously, you could import up to 10 files. Now, you can upload up to 20 files.
+Applies to:
+- Windows 10
+- Windows 11
+For more information on this feature, see [Import custom ADMX and ADML administrative templates into Microsoft Intune (public preview)](../configuration/administrative-templates-import-custom.md).
+#### New setting for updating MAC address randomization on Android Enterprise devices
+There's a new **MAC address randomization** setting on Android Enterprise devices (**Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **Android Enterprise** for platform > **Fully Managed, Dedicated, and Corporate-Owned Work Profile** > **Wi-Fi** for profile type).
+Starting with Android 10, when connecting to a network, devices present a randomized MAC address instead of the physical MAC address. Using randomized MAC addresses is recommended for privacy, as it's harder to track a device by its MAC address. However, randomized MAC addresses break functionality that relies on a static MAC address, including network access control (NAC).
+Your options:
+- **Use device default**: Intune doesn't change or update this setting. By default, when connecting to a network, devices present a randomized MAC address instead of the physical MAC address. Any updates made by the user to the setting persist.
+- **Use randomized MAC**: Enables MAC address randomization on devices. When devices connect to a new network, devices present a randomized MAC address, instead of the physical MAC address. If the user changes this value on their device, it resets to **Use randomized MAC** on the next Intune sync.
+- **Use device MAC**: Forces devices to present their actual Wi-Fi MAC address instead of a random MAC address. This setting allows devices to be tracked by their MAC address. Only use this value when necessary, such as for network access control (NAC) support. If the user changes this value on their device, it resets to **Use device MAC** on the next Intune sync.
+Applies to:
+- Android 13 and newer
+For more information on the Wi-Fi settings you can configure, see [Add Wi-Fi settings for Android Enterprise dedicated and fully managed devices in Microsoft Intune](../configuration/wi-fi-settings-android-enterprise.md).
+#### Turn Off Copilot in Windows setting in the Windows settings catalog
+The [Settings Catalog](../configuration/settings-catalog.md) lists all the settings you can configure in a device policy, and all in one place.
+There's a new setting in the Settings Catalog. To see this setting, in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **Windows** for platform > **Settings catalog** for profile type.
+- **Windows AI > Turn Off Copilot in Windows (User)**
+ - If you enable this policy setting, users can't use Copilot. The Copilot icon won't appear on the taskbar.
+ - If you disable or don't configure this policy setting, users can use Copilot when it's available to them.
+This setting uses the [Policy CSP - WindowsAI](/windows/client-management/mdm/policy-csp-windowsai).
+For more information about configuring Settings Catalog policies in Intune, including user scope vs. device scope, see [Create a policy using settings catalog](../configuration/settings-catalog.md).
+Applies to:
+- Windows 10 and later
+#### Windows Autopilot self-deploying mode is now generally available
+Windows Autopilot self-deploying mode is now generally available and out of preview. Windows Autopilot self-deploying mode enables you to deploy Windows devices with little to no user interaction. Once the device connects to network, the device provisioning process starts automatically: the device joins Microsoft Entra ID, enrolls in Intune, and syncs all device-based configurations targeted to the device. Self-deploying mode ensures that the user can't access desktop until all device-based configuration is applied. The Enrollment Status Page (ESP) is displayed during OOBE so users can track the status of the deployment. For more information, see:
+- [Windows Autopilot self-deploying mode](/autopilot/self-deploying)
+- [Step by step tutorial for Windows Autopilot self-deploying mode in Intune](/autopilot/tutorial/self-deploying/self-deploying-workflow)
+This information is also published in [Windows Autopilot: What's new](/autopilot/whats-new).
+#### Windows Autopilot for pre-provisioned deployment is now generally available
+Windows Autopilot for pre-provisioned deployment is now generally available and out of preview. Windows Autopilot for pre-provisioned deployment is used by organizations that want to ensure devices are business-ready before the user accesses them. With pre-provisioning, admins, partners, or OEMs can access a technician flow from the Out-of-box experience (OOBE) and kick off device setup. Next, the device is sent to the user who completes provisioning in the user phase. Pre-provisioning delivers most the configuration in advance so the end user can get to the desktop faster. For more information, see:
+- [Windows Autopilot for pre-provisioned deployment](/autopilot/pre-provision).
+- [Step by step tutorial for Windows Autopilot for pre-provisioned deployment Microsoft Entra join in Intune](/autopilot/tutorial/pre-provisioning/azure-ad-join-workflow)
+- [Step by step tutorial for Windows Autopilot for pre-provisioned deployment Microsoft Entra hybrid join in Intune](/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-workflow).
+This information is also published in [Windows Autopilot: What's new](/autopilot/whats-new).
+### Device enrollment
+#### ESP setting to install required apps during Windows Autopilot pre-provisioning
+The setting **Only fail selected blocking apps in technician phase** is now generally available to configure in Enrollment Status Page (ESP) profiles. This setting only appears in ESP profiles that have *blocking apps* selected.
+For more information, see [Set up the Enrollment Status Page](../enrollment/windows-enrollment-status.md#create-new-profile).
+#### New local primary account configuration for macOS automated device enrollment
+Configure local primary account settings for Macs enrolling in Intune via Apple automated device enrollment. These settings, supported on devices running macOS 10.11 and later, are available in new and existing enrollment profiles under the new **Account Settings** tab. For this feature to work, the enrollment profile must be configured with user-device affinity and one of the following authentication methods:
+- Setup Assistant with modern authentication
+- Setup Assistant (legacy)
+Applies to:
+- macOS 10.11 and later
+For more information about macOS account settings, see [Create an Apple enrollment profile in Intune](../enrollment/device-enrollment-program-enroll-macos.md#create-an-apple-enrollment-profile).
+#### Await final configuration for macOS automated device enrollment now generally available
+Now generally available, *await final configuration* enables a locked experience at the end of Setup Assistant to ensure that critical device configuration policies are installed on devices. The locked experience works on devices targeted with new and existing enrollment profiles, enrolling via one of these authentication methods:
+- Setup Assistant with modern authentication
+- Setup Assistant (legacy)
+- Without user device affinity
+Applies to:
+- macOS 10.11 and later
+For information about how to enable await final configuration, see [Create an Apple enrollment profile](../enrollment/device-enrollment-program-enroll-macos.md#create-an-apple-enrollment-profile).
+### Device management
+#### AOSP devices check for new tasks and notifications approximately every 15 minutes
+On devices enrolled with Android (AOSP) management, Intune attempts to check for new tasks and notifications approximately every 15 minutes. To use this feature, devices must be using the Intune app version 24.02.4 or newer.
+Applies to:
+- Android (AOSP)
+For more information, see:
+- [How to use Intune in environments without Google Mobile Services](../apps/manage-without-gms.md#some-tasks-can-be-delayed)
+- [Policy refresh intervals in Intune](../configuration/device-profile-troubleshoot.md#policy-refresh-intervals)
+#### New device management experience for Government clouds in Microsoft Intune
+In government clouds, there's a new device management experience in the Intune admin center. The **Devices** area now has a more consistent UI, with more capable controls and an improved navigation structure so you can find what you need faster.
+If you want to try the new experience before your tenant is updated, go to **Devices** > **Overview**, select the **Preview upcoming changes to Devices and provide feedback** notification banner, and select **Try it now**.
+#### Bulk approval of drivers
+Bulk actions are now available for Windows Driver update policies. With bulk actions, multiple driver updates can be approved, paused, or declined at the same time, saving time and effort.
+When you bulk approve drivers, the date for when the drivers become available to applicable devices can also be set, enabling drivers to be installed together.
+Applies to:
+- Windows 10
+- Windows 11
+For more information, see [Bulk driver updates](../protect/windows-driver-updates-policy.md#bulk-driver-updates).
+#### App Control for Business policy limitation is resolved
+A previously documented limitation for App Control for Business policy (WDAC), that limited the number of active policies per device to 32, is resolved by Windows. The issue involves a potential [Boot stop failure when more than 32 policies are active](/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues#boot-stop-failure-blue-screen-occurs-if-more-than-32-policies-are-active) on a device.
+This issue is resolved for devices that run Windows 10 1903 or later with a Windows security update released on or after March 12, 2024. Older versions of Windows can expect to receive this fix in future Windows security updates.
+Applies to:
+- Windows 10 version 1903 and later
+To learn more about App Control for Business policy for Intune, see [Manage approved apps for Windows devices with App Control for Business policy and Managed Installers for Microsoft Intune](../protect/endpoint-security-app-control-policy.md).
+### Tenant administration
+#### Customization pane support for excluding groups
+The Customization pane now supports selecting groups to exclude when assigning policies. You can find this setting in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) by selecting **Tenant administration** > **Customization**.
+For more information, see [Assign policies in Microsoft Intune](../configuration/device-profile-assign.md).
+## Week of January 29, 2024
+### Microsoft Intune Suite
+#### Microsoft Intune Enterprise Application Management
+Enterprise Application Management provides an Enterprise App Catalog of Win32 applications that are easily accessible in Intune. You can add these applications to your tenant by selecting them from the Enterprise App Catalog. When you add an Enterprise App Catalog app to your Intune tenant, default installation, requirements, and detection settings are automatically provided. You can modify these settings as well. Intune hosts Enterprise App Catalog apps in Microsoft storage.
+For more information, see:
+- [Use Intune Suite add-on capabilities](../fundamentals/intune-add-ons.md)
+- [Microsoft Intune Enterprise Application Management](../apps/apps-enterprise-app-management.md)
+- [Add an Enterprise App Catalog app to Microsoft Intune](../apps/apps-add-enterprise-app.md)
+#### Microsoft Intune Advanced Analytics
+Intune Advanced Analytics provides comprehensive visibility of the end-user experience in your organization and optimizes it with data driven insights. It includes near real-time data about your devices with Device query, increased visibility with custom device scopes, a battery health report and a detailed device timeline for troubleshooting device issues, and anomaly detection to help identify potential vulnerabilities or risks across your device estate.
+- **Battery health report**
+ The battery health report provides visibility into the health of batteries in your organization's devices and its influence on user experience. The scores and insights in this report are aimed to help IT admins with asset management and purchase decisions that improve user experience while balancing hardware costs.
+- **Run on-demand device queries on single devices**
+ Intune allows you to quickly gain on-demand information about the state of your device. When you enter a query on a selected device, Intune runs a query in real time.
+ The data returned can then be used to respond to security threats, troubleshoot the device, or make business decisions.
+ Applies to:
+ - Windows devices
+Intune Advanced Analytics is part of the Microsoft Intune Suite. For added flexibility, this new set of capabilities, together with the existing Advanced Analytics features, is also now available as an individual add-on to Microsoft subscriptions that include Intune.
+To use Device query and battery health report in your tenant, or any of the existing Advanced Analytics capabilities, you must have a license for either:
+- The Intune Advanced Analytics add-on
+- The Microsoft Intune Suite add-on
+For more information, see:
+- [Use Intune Suite add-on capabilities](../fundamentals/intune-add-ons.md)
+- [Microsoft Intune Advanced Analytics](../../analytics/advanced-endpoint-analytics.md)
+- [Battery health](../../analytics/battery-health.md)
+- [Device query](../../analytics/device-query.md)
## Week of January 22, 2024 (Service release 2401)
@@ -1542,7 +1875,7 @@ The EpmTools PowerShell module is now available for use with Intune Endpoint Pri
For more information, see [EpmTools PowerShell module](../protect/epm-overview.md#epmtools-powershell-module).
#### Endpoint Privilege Management support to manage elevation rules for child processes
-With Intune Endpoint Privilege Management (EPM) you can manage which files and processes are allowed to *Run as Administrator* on your Windows devices. Now, EPM [elevation rules](../protect/epm-policies.md#create-a-windows-elevation-rules-policy) support a new setting, **Child process behavior**.
+With Intune Endpoint Privilege Management (EPM) you can manage which files and processes are allowed to *Run as Administrator* on your Windows devices. Now, EPM [elevation rules](../protect/epm-policies.md#windows-elevation-rules-policy) support a new setting, **Child process behavior**.
With *Child process behavior*, your rules can manage the elevation context for any child processes created by the managed process. Options include:
@@ -2463,7 +2796,7 @@ This permission is also added to the **Organizational Messages Manager** built-i
You can now delete organizational messages from Microsoft Intune. After you delete a message, it's removed from Intune, and no longer appears in the admin center. You can delete a message anytime, regardless of its status. Intune automatically cancels active messages after you delete them. For more information, see [Delete organizational messages](../remote-actions/organizational-messages-cancel.md#delete-message).
#### Review audit logs for organizational messages
-Use audit logs to track and monitor organizational message events in Microsoft Intune. To access the logs, sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Tenant administration** > **Audit logs**. For more information, see [Audit logs for Intune activities](monitor-audit-logs.md#audit-logs-for-intune-workloads).
+Use audit logs to track and monitor organizational message events in Microsoft Intune. To access the logs, sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Tenant administration** > **Audit logs**. For more information, see [Audit logs for Intune activities](monitor-audit-logs.md#view-the-audit-logs).
## Week of April 10, 2023
diff --git a/memdocs/intune/fundamentals/whats-new.md b/memdocs/intune/fundamentals/whats-new.md
index 0508686e8b0..4c5448c2216 100644
--- a/memdocs/intune/fundamentals/whats-new.md
+++ b/memdocs/intune/fundamentals/whats-new.md
@@ -7,7 +7,7 @@ keywords:
author: brenduns
ms.author: brenduns
manager: dougeby
-ms.date: 08/02/2024
+ms.date: 08/23/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: fundamentals
@@ -76,18 +76,312 @@ You can use RSS to be notified when this page is updated. For more information,
+## Week of August 19, 2024 (Service release 2408)
+### Microsoft Intune Suite
+#### Easy creation of Endpoint Privilege Management elevation rules from support approval requests and reports
+You can now create Endpoint Privilege Management (EPM) elevation rules directly from a support approved elevation request or from details found in the EPM Elevation report. With this new capability, you won’t need to manually identify specific file detection details for elevation rules. Instead, for files that appear in the Elevation report or a support approved elevation request, you can select that file to open its elevation detail pane, and then select the option to **Create a rule with these file details**.
+When you use this option, you can then choose to add the new rule to one of your existing elevation policies, or create a new policy with only the new rule.
+Applies to:
+- Windows 10
+- Windows 11
+For information about this new capability, see [Windows elevation rules policy](../protect/epm-policies.md) in the *Configure policies for Endpoint Privilege management* article.
+#### Introducing the Resource performance report for physical devices in Advanced Analytics
+We're introducing the Resource performance report for Windows physical devices in Intune Advanced Analytics. The report is included as an Intune-add on under Microsoft Intune Suite.
+The resource performance scores and insights for physical devices are aimed to help IT admins make CPU/RAM asset management and purchase decisions that improve the user experience while balancing hardware costs.
+For more information, see:
+- [Resource Performance Report](../../analytics/resource-performance-report.md)
+- [Microsoft Intune Suite](../fundamentals/intune-add-ons.md)
+### App management
+#### Managed Home Screen for Android Enterprise Fully Managed devices
+Managed Home Screen (MHS) is now supported on Android Enterprise Fully Managed devices. This capability offers organizations the ability to leverage MHS in scenarios where a device is associated with a single user.
+For related information, see:
+- [Configure the Microsoft Managed Home Screen app for Android Enterprise](../apps/app-configuration-managed-home-screen-app.md)
+- [Android Enterprise device settings list to allow or restrict features on corporate-owned devices using Intune](../configuration/device-restrictions-android-for-work.md)
+- [Configure permissions for the Managed Home Screen (MHS) on Android Enterprise devices using Microsoft Intune](../configuration/oemconfig-managed-home-screen-permissions-android.md)
+#### Updates to the Discovered Apps report
+The **Discovered Apps** report, which provides a list of detected apps that are on Intune enrolled devices for your tenant, now provides publisher data for Win32 apps, in addition to Store apps. Rather than providing publisher information only in the exported report data, we are including it as a column in the **Discovered Apps** report.
+For more information, see [Intune Discovered apps](../apps/app-discovered-apps.md#monitor-discovered-apps-with-intune).
+#### Improvements to Intune Management Extension logs
+We have updated how log activities and events are made for Win32 apps and the Intune Management Extension (IME) logs. A new log file (*AppWorkload.log*) contains all logging information related to app deployment activities conducted by the IME. These improvements provide better troubleshooting and analysis of app management events on the client.
+For more information, see [Intune management extension logs](../apps/intune-management-extension.md#intune-management-extension-logs).
+### Device configuration
+#### New settings available in the Apple settings catalog
+The [Settings Catalog](../configuration/settings-catalog.md) lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see [Create a policy using settings catalog](../configuration/settings-catalog.md).
+There are new settings in the Apple Settings Catalog. To see these settings, in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **iOS/iPadOS** or **macOS** for platform > **Settings catalog** for profile type.
+##### iOS/iPadOS
+**Declarative Device Management (DDM) > Safari Extension Settings**:
+- Managed Extensions
+ - Allowed Domains
+ - Denied Domains
+ - Private Browsing
+ - State
+**Declarative Device Management (DDM) > Software Update Settings**:
+- Automatic Actions
+ - Download
+ - Install OS Updates
+- Deferrals
+ - Combined Period In Days
+- Notifications
+- Rapid Security Response
+ - Enable
+ - Enable Rollback
+- Recommended Cadence
+- Allow ESIM Outgoing Transfers
+- Allow Personalized Handwriting Results
+- Allow Video Conferencing Remote Control
+- Allow Genmoji
+- Allow Image Playground
+- Allow Image Wand
+- Allow iPhone Mirroring
+- Allow Writing Tools
+##### macOS
+**Authentication > Extensible Single Sign On (SSO)**:
+- Platform SSO
+ - Authentication Grace Period
+ - FileVault Policy
+ - Non Platform SSO Accounts
+ - Offline Grace Period
+ - Unlock Policy
+**Authentication > Extensible Single Sign On Kerberos**:
+- Allow Password
+- Allow SmartCard
+- Identity Issuer Auto Select Filter
+- Start In Smart Card Mode
+**Declarative Device Management (DDM) > Disk Management**:
+- External Storage
+- Network Storage
+**Declarative Device Management (DDM) > Safari Extension Settings**:
+- Managed Extensions
+ - Allowed Domains
+ - Denied Domains
+ - Private Browsing
+ - State
+**Declarative Device Management (DDM) > Software Update Settings**:
+- Allow Standard User OS Updates
+- Automatic Actions
+ - Download
+ - Install OS Updates
+ - Install Security Update
+- Deferrals
+ - Major Period In Days
+ - Minor Period In Days
+ - System Period In Days
+- Notifications
+- Rapid Security Response
+ - Enable
+ - Enable Rollback
+- Allow Genmoji
+- Allow Image Playground
+- Allow iPhone Mirroring
+- Allow Writing Tools
+**System Policy > System Policy Control**:
+- Enable XProtect Malware Upload
+#### Enhancements to multi administrative approval
+Multi administrative approval adds the ability to limit application access policies to Windows applications or all non-Windows applications or both. We're adding a new access policy to the multiple administrative approval feature to allow approvals for changes to multiple administrative approval.
+For more information, see [Multi admin approval](../fundamentals/multi-admin-approval.md).
+### Device enrollment
+#### Account-driven Apple User Enrollment now generally available for iOS/iPadOS 15+
+Intune now supports account-driven Apple User Enrollment, the new, and improved version of Apple User Enrollment, for devices running iOS/iPadOS 15 and later. This new enrollment method utilizes just-in-time registration, removing the Company Portal app for iOS as an enrollment requirement. Device users can initiate enrollment directly in the Settings app, resulting in a shorter and more efficient onboarding experience.
+For more information, see [Set up account driven Apple User Enrollment](../enrollment/apple-account-driven-user-enrollment.md) on Microsoft Learn.
+Apple has announced they are ending support for profile-based Apple User Enrollment. As a result, Microsoft Intune will end support for Apple User Enrollment with Company Portal shortly after the release of iOS/iPadOS 18. We recommend enrolling devices with account-driven Apple User Enrollment for similar functionality and an improved user experience.
+#### Use corporate Microsoft Entra account to enable Android Enterprise management options in Intune
+Managing Intune-enrolled devices with Android Enterprise management options previously required you to connect your Intune tenant to your managed Google Play account using an enterprise Gmail account. Now you can use a corporate Microsoft Entra account to establish the connection. This change is happening in new tenants, and doesn't affect tenants that have already established a connection.
+For more information, see [Connect Intune account to Managed Google Play account - Microsoft Intune | Microsoft Learn](../enrollment/connect-intune-android-enterprise.md).
+### Device management
+#### 21 Vianet support for Mobile Threat Defense connectors
+Intune operated by 21Vianet now supports Mobile Threat Defense (MTD) connectors for Android and iOS/iPadOS devices for MTD vendors that also have support in that environment. When an MTD partner is supported and you sign in to a 21Vianet tenant, the supported connectors are available.
+Applies to:
+- Android
+- iOS/iPadOS
+For more information, see:
+- [Intune operated by 21Vianet in China](../fundamentals/china.md)
+- [Mobile Threat Defense integration with Intune](../protect/mobile-threat-defense.md)
+#### New `cpuArchitecture` filter device property for app and policy assignments
+When you assign an app, compliance policy, or configuration profile, you can filter the assignment using different device properties, such as device manufacturer, operating system SKU, and more.
+A new `cpuArchitecture` device filter property is available for Windows and macOS devices. With this property, you can filter app and policy assignments depending on the processor architecture.
+For more information on filters and the device properties you can use, see:
+- [Use filters when assigning your apps, policies, and profiles in Microsoft Intune](filters.md)
+- [Filter properties](filters-device-properties.md)
+- [Supported workloads](filters-supported-workloads.md)
+Applies to:
+- Windows 10
+- Windows 11
+- macOS
+### Device security
+#### Windows platform name change for endpoint security policies
+When you create an endpoint security policy in Intune, you can select the Windows platform. For multiple templates in endpoint security, there are now only two options to choose for the Windows platform: **Windows** and **Windows (ConfigMgr)**.
+Specifically, the platform name changes are:
+| Original | New |
+| --- | --- |
+| Windows 10 and later | Windows |
+| Windows 10 and later (ConfigMgr) | Windows (ConfigMgr) |
+| Windows 10, Windows 11, and Windows Server | Windows |
+| Windows 10, Windows 11, and Windows Server (ConfigMgr) | Windows (ConfigMgr) |
+These changes apply to the following policies:
+- Antivirus
+- Disk encryption
+- Firewall
+- Endpoint Privilege Management
+- Endpoint detection and response
+- Attack surface reduction
+- Account protection
+##### What you need to know
+- This change is only in the user experience (UX) that admins see when they create a new policy. There is no effect on devices.
+- The functionally is the same as the previous platform names.
+- There are no additional tasks or actions for existing policies.
+For more information on endpoint security features in Intune, see [Manage endpoint security in Microsoft Intune](../protect/endpoint-security.md).
+Applies to:
+- Windows
+#### Target Date Time setting for Apple software update enforcement schedules updates using the local time on devices
+You can specify the time that OS updates are enforced on devices in their local time zone. For example, configuring an OS update to be enforced at 5pm schedules the update for 5pm in the device's local time zone. Previously, this setting used the time zone of the browser where the policy was configured.
+This change only applies to new policies that are created in the August 2408 release and later. The **Target Date Time** setting is in the settings catalog at **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **iOS/iPadOS** or **macOS** for platform > **Settings catalog** for profile type > **Declarative Device Management** > Software Update.
+In a future release, the **UTC** text will be removed from the **Target Date Time** setting.
+For more information on using the settings catalog to configure software updates, see [Managed software updates with the settings catalog](../protect/managed-software-updates-ios-macos.md).
+Applies to:
+- iOS/iPadOS
+- macOS
+### Intune Apps
+#### Newly available protected apps for Intune
+The following protected apps are now available for Microsoft Intune:
+- Singletrack for Intune (iOS) by Singletrack
+- 365Pay by 365 Retail Markets
+- Island Browser for Intune (Android) by Island Technology, Inc.
+- Recruitment.Exchange by Spire Innovations, Inc.
+- Talent.Exchange by Spire Innovations, Inc.
+For more information about protected apps, see [Microsoft Intune protected apps](../apps/apps-supported-intune-apps.md).
+### Tenant administration
+#### Organizational messages now in Microsoft 365 admin center
+The organizational message feature has moved out of the Microsoft Intune admin center and into its new home in the Microsoft 365 admin center. All organizational messages you created in Microsoft Intune are now in the Microsoft 365 admin center, where you can continue to view and manage them. The new experience includes highly requested features such as the ability to author custom messages, and deliver messages on Microsoft 365 apps.
+For more information, see:
+- [Introducing organizational messages (preview) in the Microsoft 365 admin center](https://techcommunity.microsoft.com/t5/microsoft-365-blog/introducing-organizational-messages-preview-in-the-microsoft-365/ba-p/4123890)
+- [Organizational messages in the Microsoft 365 admin center](/microsoft-365/admin/misc/organizational-messages-microsoft-365)
+- [Support tip: Organizational messages is moving to Microsoft 365 admin center - Microsoft Community Hub](https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-organizational-messages-is-moving-to-microsoft-365/ba-p/4148332)
## Week of July 29, 2024
### Microsoft Intune Suite
-#### Endpoint Privilege Management, Advanced Analytics, and Intune Plan 2 is available for GCC High and DoD
+#### Endpoint Privilege Management, Advanced Analytics, and Intune Plan 2 is available for GCC High and DoD
We are excited to announce that the following capabilities from the Microsoft Intune Suite are now supported in U.S. Government Community Cloud (GCC) High and U.S. Department of Defense (DoD) environments.
Add-on capabilities:
- [Endpoint Privilege Management](../protect/epm-overview.md)
-- [Advanced Analytics](../../analytics/advanced-endpoint-analytics.md) - With this release, GCC High and DoD support for Advanced Endpoint Analytics not include the [*Device query*](../../analytics/device-query.md) functionality.
+- [Advanced Analytics](../../analytics/advanced-endpoint-analytics.md) - With this release, GCC High and DoD support for Advanced Endpoint Analytics doesn't include the [*Device query*](../../analytics/device-query.md) functionality.
Plan 2 capabilities:
@@ -100,34 +394,32 @@ For more information, see:
- [Use Microsoft Intune Suite add-on capabilities](../fundamentals/intune-add-ons.md)
- [Microsoft Intune for US Government GCC service description](../fundamentals/intune-govt-service-description.md)
-### Device enrollment
+### Device enrollment
-#### ACME protocol support for iOS/iPadOS and macOS enrollment
-As we prepare to support managed device attestation in Intune, we are starting a phased rollout of an infrastructure change for new enrollments that includes support for the *Automated Certificate Management Environment (ACME) protocol*. Now when new Apple devices enroll, the management profile from Intune receives an ACME certificate instead of a SCEP certificate. ACME provides better protection than SCEP against unauthorized certificate issuance through robust validation mechanisms and automated processes, which helps reduce errors in certificate management.
+#### ACME protocol support for iOS/iPadOS and macOS enrollment
+As we prepare to support managed device attestation in Intune, we are starting a phased rollout of an infrastructure change for new enrollments that includes support for the *Automated Certificate Management Environment (ACME) protocol*. Now when new Apple devices enroll, the management profile from Intune receives an ACME certificate instead of a SCEP certificate. ACME provides better protection than SCEP against unauthorized certificate issuance through robust validation mechanisms and automated processes, which helps reduce errors in certificate management.
Existing OS and hardware eligible devices do not get the ACME certificate unless they re-enroll. There is no change to the end user's enrollment experience, and no changes to the Microsoft Intune admin center. This change only impacts enrollment certificates and has no impact on any device configuration policies.
-ACME is supported for Apple Device Enrollment and Apple Configurator enrollment methods. Eligible OS versions include:
-* iOS 16.0 or later
-* iPadOS 16.1 or later
+ACME is supported for Apple Device Enrollment and Apple Configurator enrollment methods. Eligible OS versions include:
-* macOS 13.1 or later
+- iOS 16.0 or later
+- iPadOS 16.1 or later
+- macOS 13.1 or later
## Week of July 22, 2024 (Service release 2407)
-### Microsoft Intune Suite
+### Microsoft Intune Suite
-#### New actions for Microsoft Cloud PKI
+#### New actions for Microsoft Cloud PKI
-The following actions have been added for Microsoft Cloud PKI issuing and root certification authorities (CA):
+The following actions have been added for Microsoft Cloud PKI issuing and root certification authorities (CA):
-* Delete: Delete a CA.
-* Pause: Temporarily suspend use of a CA.
-* Revoke: Revoke a CA certificate.
+- Delete: Delete a CA.
+- Pause: Temporarily suspend use of a CA.
+- Revoke: Revoke a CA certificate.
-You can access all new actions in the Microsoft Intune admin center and Graph API. For more information, see [Delete Microsoft Cloud PKI certification authority](../protect/microsoft-cloud-pki-delete.md).
+You can access all new actions in the Microsoft Intune admin center and Graph API. For more information, see [Delete Microsoft Cloud PKI certification authority](../protect/microsoft-cloud-pki-delete.md).
### App management
@@ -197,7 +489,7 @@ Applies to:
- Android Enterprise Fully managed, dedicated and corporate-owned work profile
-### Device enrollment
+### Device enrollment
#### New support for Red Hat Enterprise Linux
@@ -219,7 +511,7 @@ For more information, see:
#### Just-in-time registration and compliance remediation available for all iOS/iPadOS enrollments
-You can now configure just-in-time (JIT) registration and JIT compliance remediation for all Apple iOS and iPadOS enrollments. These Intune-supported features improve the enrollment experience because they can take the place of the Intune Company Portal app for device registration and compliance checks. We recommend setting up JIT registration and compliance remediation for new enrollments, and to improve the experience for existing enrolled devices. For more information, see [Set up just in time registration in Microsoft Intune](../enrollment/set-up-just-in-time-registration.md).
+You can now configure just-in-time (JIT) registration and JIT compliance remediation for all Apple iOS and iPadOS enrollments. These Intune-supported features improve the enrollment experience because they can take the place of the Intune Company Portal app for device registration and compliance checks. We recommend setting up JIT registration and compliance remediation for new enrollments, and to improve the experience for existing enrolled devices. For more information, see [Set up just in time registration in Microsoft Intune](../enrollment/set-up-just-in-time-registration.md).
### Device management
@@ -1015,7 +1307,7 @@ Applies to
### Microsoft Intune Suite
-#### New elevation type for Endpoint Privilege Management
+#### New elevation type for Endpoint Privilege Management
Endpoint Privilege Management has a new file elevation type, **support approved**. Endpoint Privilege Management is a feature component of the Microsoft Intune Suite and is also available as a standalone [Intune add-on](../fundamentals/intune-add-ons.md).
@@ -1287,337 +1579,6 @@ The following protected apps are now available for Microsoft Intune:
For more information about protected apps, see [Microsoft Intune protected apps](../apps/apps-supported-intune-apps.md).
-## Week of March 3, 2024
-### Device enrollment
-#### Role-based access control changes to enrollment settings for Windows Hello for Business
-We updated Role-based access control (RBAC) in the enrollment area for Windows Hello for Business. Enrollment settings related to Windows Hello for Business are read-only for all roles except the Intune Service Administrator. The Intune Service Administrator can create and edit Windows Hello for Business enrollment settings.
-For more information, see [Role-based access control](../protect/windows-hello.md#role-based-access-control) in the *Windows Hello at device enrollment* article.
-### Device security
-#### New enrollment configuration for Windows Hello for Business
-A new Windows Hello for Business enrollment setting, **Enable enhanced sign in security** is available in the Intune admin center. Enhanced sign-in security is a Windows Hello feature that prevents malicious users from gaining access to a user's biometrics through external peripherals.
-For more information about this setting, see [Create a Windows Hello for Business policy](../protect/windows-hello.md).
-#### HTML formatting supported in noncompliance email notifications
-Intune now supports HTML formatting in noncompliance email notifications for all platforms. You can use supported HTML tags to add formatting such as italics, URL links, and bulleted lists to your organization's messages.
-For more information, see [Create a notification message template](../protect/actions-for-noncompliance.md#create-a-notification-message-template).
-## Week of February 26, 2024
-### Microsoft Intune Suite
-#### New Microsoft Cloud PKI service
-Use the Microsoft Cloud PKI service to simplify and automate certificate lifecycle management for Intune-managed devices. Microsoft Cloud PKI is a feature component of the Microsoft Intune Suite and is also available as a standalone [Intune add-on](../fundamentals/intune-add-ons.md). The cloud-based service provides a dedicated PKI infrastructure for your organization, and doesn't require on-premises servers, connectors, or hardware. Microsoft Cloud PKI automatically issues, renews, and revokes certificates for all OS platforms supporting the SCEP certificate device configuration profile. Issued certificates can be used for certificate-based authentication for Wi-Fi, VPN, and other services supporting certificate-based authentication. For more information, see [Overview of Microsoft Cloud PKI](../protect/microsoft-cloud-pki-overview.md).
-Applies to:
-- Windows
-- Android
-- iOS/iPadOS
-- macOS
-### Intune apps
-#### Newly available protected app for Intune
-The following protected app is now available for Microsoft Intune:
-- Cinebody by Super 6 LLC
-For more information about protected apps, see [Microsoft Intune protected apps](../apps/apps-supported-intune-apps.md).
-## Week of February 19, 2024 (Service release 2402)
-### App management
-#### More app configuration permissions for Android apps
-There are six new permissions that can be configured for an Android app using an app configuration policy. They are:
-- Allow background body sensor data
-- Media Video (read)
-- Media Images (read)
-- Media Audio (read)
-- Nearby Wifi Devices
-- Nearby Devices
-For more information about how to use app config policies for Android apps, see [Add app configuration policies for managed Android Enterprise devices](../apps/app-configuration-policies-use-android.md).
-#### Newly available protected apps for Intune
-The following protected apps are now available for Microsoft Intune:
-- Bob HR by Hi Bob Ltd
-- ePRINTit SaaS by ePRINTit USA LLC
-- Microsoft Copilot by Microsoft Corporation
-For more information about protected apps, see [Microsoft Intune protected apps](../apps/apps-supported-intune-apps.md).
-#### Update to Intune Management Extension on Windows
-To support expanded functionality and bug fixes, use .NET Framework 4.7.2 or higher with the Intune Management Extension on Windows clients. If a Windows client continues to use an earlier version of the .NET Framework, the Intune Management Extension continues to function. The .NET Framework 4.7.2 is available from Windows Update as of July 10, 2018, which is included in Windows 10 1809 (RS5) and newer. Multiple versions of the .NET Framework can coexist on a device.
-Applies to:
-- Windows 10
-- Windows 11
-### Device configuration
-#### Use assignment filters on Endpoint Privilege Management (EPM) policies
-You can use assignment filters to assign a policy based on rules you create. A filter allows you to narrow the assignment scope of a policy, like targeting devices with a specific OS version or a specific manufacturer.
-You can use filters on Endpoint Privilege Management (EPM) policies.
-For more information, see:
-- [Use filters when assigning your apps, policies, and profiles in Intune](filters.md)
-- [List of platforms, policies, and app types supported by filters in Intune](filters-supported-workloads.md)
-Applies to:
-- Windows 10
-- Windows 11
-#### New settings available in the Apple settings catalog
-The [Settings Catalog](../configuration/settings-catalog.md) lists all the settings you can configure in a device policy, and all in one place.
-There are new settings in the Settings Catalog. To see these settings, in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **iOS/iPadOS** or **macOS** for platform > **Settings catalog** for profile type.
-##### iOS/iPadOS
-- **Restrictions**
- - Allow Live Voicemail
- - Force Classroom Unprompted Screen Observation
- - Force Preserve ESIM On Erase
-##### macOS
-- **Full Disk Encryption > FileVault** > Force Enable In Setup Assistant
-- **Restrictions** > Force Classroom Unprompted Screen Observation
-For more information, see:
-- [Use FileVault disk encryption for macOS with Intune](../protect/encrypt-devices-filevault.md)
-- [Create a policy using settings catalog](../configuration/settings-catalog.md)
-#### Import up to 20 custom ADMX and ADML administrative templates
-You can import custom ADMX and ADML administrative templates in Microsoft Intune. Previously, you could import up to 10 files. Now, you can upload up to 20 files.
-Applies to:
-- Windows 10
-- Windows 11
-For more information on this feature, see [Import custom ADMX and ADML administrative templates into Microsoft Intune (public preview)](../configuration/administrative-templates-import-custom.md).
-#### New setting for updating MAC address randomization on Android Enterprise devices
-There's a new **MAC address randomization** setting on Android Enterprise devices (**Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **Android Enterprise** for platform > **Fully Managed, Dedicated, and Corporate-Owned Work Profile** > **Wi-Fi** for profile type).
-Starting with Android 10, when connecting to a network, devices present a randomized MAC address instead of the physical MAC address. Using randomized MAC addresses is recommended for privacy, as it's harder to track a device by its MAC address. However, randomized MAC addresses break functionality that relies on a static MAC address, including network access control (NAC).
-Your options:
-- **Use device default**: Intune doesn't change or update this setting. By default, when connecting to a network, devices present a randomized MAC address instead of the physical MAC address. Any updates made by the user to the setting persist.
-- **Use randomized MAC**: Enables MAC address randomization on devices. When devices connect to a new network, devices present a randomized MAC address, instead of the physical MAC address. If the user changes this value on their device, it resets to **Use randomized MAC** on the next Intune sync.
-- **Use device MAC**: Forces devices to present their actual Wi-Fi MAC address instead of a random MAC address. This setting allows devices to be tracked by their MAC address. Only use this value when necessary, such as for network access control (NAC) support. If the user changes this value on their device, it resets to **Use device MAC** on the next Intune sync.
-Applies to:
-- Android 13 and newer
-For more information on the Wi-Fi settings you can configure, see [Add Wi-Fi settings for Android Enterprise dedicated and fully managed devices in Microsoft Intune](../configuration/wi-fi-settings-android-enterprise.md).
-#### Turn Off Copilot in Windows setting in the Windows settings catalog
-The [Settings Catalog](../configuration/settings-catalog.md) lists all the settings you can configure in a device policy, and all in one place.
-There's a new setting in the Settings Catalog. To see this setting, in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **Windows** for platform > **Settings catalog** for profile type.
-- **Windows AI > Turn Off Copilot in Windows (User)**
- - If you enable this policy setting, users can't use Copilot. The Copilot icon won't appear on the taskbar.
- - If you disable or don't configure this policy setting, users can use Copilot when it's available to them.
-This setting uses the [Policy CSP - WindowsAI](/windows/client-management/mdm/policy-csp-windowsai).
-For more information about configuring Settings Catalog policies in Intune, including user scope vs. device scope, see [Create a policy using settings catalog](../configuration/settings-catalog.md).
-Applies to:
-- Windows 10 and later
-#### Windows Autopilot self-deploying mode is now generally available
-Windows Autopilot self-deploying mode is now generally available and out of preview. Windows Autopilot self-deploying mode enables you to deploy Windows devices with little to no user interaction. Once the device connects to network, the device provisioning process starts automatically: the device joins Microsoft Entra ID, enrolls in Intune, and syncs all device-based configurations targeted to the device. Self-deploying mode ensures that the user can't access desktop until all device-based configuration is applied. The Enrollment Status Page (ESP) is displayed during OOBE so users can track the status of the deployment. For more information, see:
-- [Windows Autopilot self-deploying mode](/autopilot/self-deploying)
-- [Step by step tutorial for Windows Autopilot self-deploying mode in Intune](/autopilot/tutorial/self-deploying/self-deploying-workflow)
-This information is also published in [Windows Autopilot: What's new](/autopilot/whats-new).
-#### Windows Autopilot for pre-provisioned deployment is now generally available
-Windows Autopilot for pre-provisioned deployment is now generally available and out of preview. Windows Autopilot for pre-provisioned deployment is used by organizations that want to ensure devices are business-ready before the user accesses them. With pre-provisioning, admins, partners, or OEMs can access a technician flow from the Out-of-box experience (OOBE) and kick off device setup. Next, the device is sent to the user who completes provisioning in the user phase. Pre-provisioning delivers most the configuration in advance so the end user can get to the desktop faster. For more information, see:
-- [Windows Autopilot for pre-provisioned deployment](/autopilot/pre-provision).
-- [Step by step tutorial for Windows Autopilot for pre-provisioned deployment Microsoft Entra join in Intune](/autopilot/tutorial/pre-provisioning/azure-ad-join-workflow)
-- [Step by step tutorial for Windows Autopilot for pre-provisioned deployment Microsoft Entra hybrid join in Intune](/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-workflow).
-This information is also published in [Windows Autopilot: What's new](/autopilot/whats-new).
-### Device enrollment
-#### ESP setting to install required apps during Windows Autopilot pre-provisioning
-The setting **Only fail selected blocking apps in technician phase** is now generally available to configure in Enrollment Status Page (ESP) profiles. This setting only appears in ESP profiles that have *blocking apps* selected.
-For more information, see [Set up the Enrollment Status Page](../enrollment/windows-enrollment-status.md#create-new-profile).
-#### New local primary account configuration for macOS automated device enrollment
-Configure local primary account settings for Macs enrolling in Intune via Apple automated device enrollment. These settings, supported on devices running macOS 10.11 and later, are available in new and existing enrollment profiles under the new **Account Settings** tab. For this feature to work, the enrollment profile must be configured with user-device affinity and one of the following authentication methods:
-- Setup Assistant with modern authentication
-- Setup Assistant (legacy)
-Applies to:
-- macOS 10.11 and later
-For more information about macOS account settings, see [Create an Apple enrollment profile in Intune](../enrollment/device-enrollment-program-enroll-macos.md#create-an-apple-enrollment-profile).
-#### Await final configuration for macOS automated device enrollment now generally available
-Now generally available, *await final configuration* enables a locked experience at the end of Setup Assistant to ensure that critical device configuration policies are installed on devices. The locked experience works on devices targeted with new and existing enrollment profiles, enrolling via one of these authentication methods:
-- Setup Assistant with modern authentication
-- Setup Assistant (legacy)
-- Without user device affinity
-Applies to:
-- macOS 10.11 and later
-For information about how to enable await final configuration, see [Create an Apple enrollment profile](../enrollment/device-enrollment-program-enroll-macos.md#create-an-apple-enrollment-profile).
-### Device management
-#### AOSP devices check for new tasks and notifications approximately every 15 minutes
-On devices enrolled with Android (AOSP) management, Intune attempts to check for new tasks and notifications approximately every 15 minutes. To use this feature, devices must be using the Intune app version 24.02.4 or newer.
-Applies to:
-- Android (AOSP)
-For more information, see:
-- [How to use Intune in environments without Google Mobile Services](../apps/manage-without-gms.md#some-tasks-can-be-delayed)
-- [Policy refresh intervals in Intune](../configuration/device-profile-troubleshoot.md#policy-refresh-intervals)
-#### New device management experience for Government clouds in Microsoft Intune
-In government clouds, there's a new device management experience in the Intune admin center. The **Devices** area now has a more consistent UI, with more capable controls and an improved navigation structure so you can find what you need faster.
-If you want to try the new experience before your tenant is updated, go to **Devices** > **Overview**, select the **Preview upcoming changes to Devices and provide feedback** notification banner, and select **Try it now**.
-#### Bulk approval of drivers
-Bulk actions are now available for Windows Driver update policies. With bulk actions, multiple driver updates can be approved, paused, or declined at the same time, saving time and effort.
-When you bulk approve drivers, the date for when the drivers become available to applicable devices can also be set, enabling drivers to be installed together.
-Applies to:
-- Windows 10
-- Windows 11
-For more information, see [Bulk driver updates](../protect/windows-driver-updates-policy.md#bulk-driver-updates).
-#### App Control for Business policy limitation is resolved
-A previously documented limitation for App Control for Business policy (WDAC), that limited the number of active policies per device to 32, is resolved by Windows. The issue involves a potential [Boot stop failure when more than 32 policies are active](/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues#boot-stop-failure-blue-screen-occurs-if-more-than-32-policies-are-active) on a device.
-This issue is resolved for devices that run Windows 10 1903 or later with a Windows security update released on or after March 12, 2024. Older versions of Windows can expect to receive this fix in future Windows security updates.
-Applies to:
-- Windows 10 version 1903 and later
-To learn more about App Control for Business policy for Intune, see [Manage approved apps for Windows devices with App Control for Business policy and Managed Installers for Microsoft Intune](../protect/endpoint-security-app-control-policy.md).
-### Tenant administration
-#### Customization pane support for excluding groups
-The Customization pane now supports selecting groups to exclude when assigning policies. You can find this setting in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) by selecting **Tenant administration** > **Customization**.
-For more information, see [Assign policies in Microsoft Intune](../configuration/device-profile-assign.md).
-## Week of January 29, 2024
-### Microsoft Intune Suite
-#### Microsoft Intune Enterprise Application Management
-Enterprise Application Management provides an Enterprise App Catalog of Win32 applications that are easily accessible in Intune. You can add these applications to your tenant by selecting them from the Enterprise App Catalog. When you add an Enterprise App Catalog app to your Intune tenant, default installation, requirements, and detection settings are automatically provided. You can modify these settings as well. Intune hosts Enterprise App Catalog apps in Microsoft storage.
-For more information, see:
-- [Use Intune Suite add-on capabilities](../fundamentals/intune-add-ons.md)
-- [Microsoft Intune Enterprise Application Management](../apps/apps-enterprise-app-management.md)
-- [Add an Enterprise App Catalog app to Microsoft Intune](../apps/apps-add-enterprise-app.md)
-#### Microsoft Intune Advanced Analytics
-Intune Advanced Analytics provides comprehensive visibility of the end-user experience in your organization and optimizes it with data driven insights. It includes near real-time data about your devices with Device query, increased visibility with custom device scopes, a battery health report and a detailed device timeline for troubleshooting device issues, and anomaly detection to help identify potential vulnerabilities or risks across your device estate.
-- **Battery health report**
- The battery health report provides visibility into the health of batteries in your organization's devices and its influence on user experience. The scores and insights in this report are aimed to help IT admins with asset management and purchase decisions that improve user experience while balancing hardware costs.
-- **Run on-demand device queries on single devices**
- Intune allows you to quickly gain on-demand information about the state of your device. When you enter a query on a selected device, Intune runs a query in real time.
- The data returned can then be used to respond to security threats, troubleshoot the device, or make business decisions.
- Applies to:
- - Windows devices
-Intune Advanced Analytics is part of the Microsoft Intune Suite. For added flexibility, this new set of capabilities, together with the existing Advanced Analytics features, is also now available as an individual add-on to Microsoft subscriptions that include Intune.
-To use Device query and battery health report in your tenant, or any of the existing Advanced Analytics capabilities, you must have a license for either:
-- The Intune Advanced Analytics add-on
-- The Microsoft Intune Suite add-on
-For more information, see:
-- [Use Intune Suite add-on capabilities](../fundamentals/intune-add-ons.md)
-- [Microsoft Intune Advanced Analytics](../../analytics/advanced-endpoint-analytics.md)
-- [Battery health](../../analytics/battery-health.md)
-- [Device query](../../analytics/device-query.md)
## What's new archive
diff --git a/memdocs/intune/fundamentals/windows-holographic-for-business.md b/memdocs/intune/fundamentals/windows-holographic-for-business.md
index e715d71f882..65aea3b98de 100644
--- a/memdocs/intune/fundamentals/windows-holographic-for-business.md
+++ b/memdocs/intune/fundamentals/windows-holographic-for-business.md
@@ -6,7 +6,7 @@ keywords:
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 10/17/2023
+ms.date: 08/19/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: fundamentals
@@ -28,29 +28,31 @@ ms.collection:
# Manage and use different device management features on Windows Holographic and HoloLens devices with Intune
-Microsoft Intune includes many features to help manage devices that run Windows Holographic for Business, such as the [Microsoft HoloLens](/hololens/). Using Intune, you can confirm that devices are compliant with your organization's rules, and you can customize the device by adding a VPN or WiFi profile. Another key feature is to use the device as a Kiosk, and run a specific app, or a specific set of apps.
+Microsoft Intune includes many features to help manage devices that run Windows Holographic for Business, like the [Microsoft HoloLens](/hololens/). Using Intune, you can confirm that devices are compliant with your organization's rules, and you can customize the device by adding a VPN or WiFi profile. Another key feature is to use the device as a Kiosk, and run a specific app, or a specific set of apps.
The tasks in this article help you manage, customize, and secure your devices running Windows Holographic for Business, including software updates and using Windows Hello for Business.
To use Windows Holographic devices with Intune, create an [Edition Upgrade](../configuration/edition-upgrade-configure-windows-10.md) profile. This upgrade profile upgrades the devices from Windows Holographic to Windows Holographic for Business. For the Microsoft HoloLens, you can buy the Commercial Suite to get the required license for the upgrade. For more information, go to [Upgrade devices running Windows Holographic to Windows Holographic for Business](../configuration/holographic-upgrade.md).
+This article describes the different features and services you can use to manage devices running Windows Holographic for Business.
## Microsoft Entra ID
-Microsoft Entra ID is a great resource to help manage and control your devices running Windows Holographic for Business. Using Intune and Microsoft Entra ID, you can:
+Microsoft Entra ID helps manage and control your devices running Windows Holographic for Business. When you use Intune and Microsoft Entra ID, you can:
-- **[Join devices to Microsoft Entra ID](/azure/active-directory/devices/azureadjoin-plan)**: In Microsoft Entra ID, you can add your work-owned Windows 10/11 devices, including devices running Windows Holographic for Business. This feature allows Microsoft Entra ID to control the device. It helps confirm that users are accessing the company resources from devices that meet your security and compliance standards.
+- **[Join devices to Microsoft Entra ID](/entra/identity/devices/device-join-plan)**: In Microsoft Entra ID, you can add your work-owned Windows 10/11 devices, including devices running Windows Holographic for Business. This feature allows Microsoft Entra ID to control the device. It helps confirm that users are accessing the company resources from devices that meet your security and compliance standards.
- [Device management in Microsoft Entra ID](/azure/active-directory/devices/overview) provides more details.
+ For information, go to [Device identity in Microsoft Entra ID](/entra/identity/devices/overview).
- **[Bulk enrollment for Windows devices](../enrollment/windows-bulk-enroll.md)**: You can join large numbers of new Windows devices to Microsoft Entra ID and Intune. This feature is called bulk enrollment, and uses provisioning packages. These packages join the devices running Windows Holographic for Business to your Microsoft Entra tenant, and enrolls them in Intune.
## Company Portal app
-**[Configure the Company Portal app](../apps/company-portal-app.md)**
+**[Configure the Company Portal app](../apps/company-portal-app.md)**.
Intune provides the Company Portal app for users to access company data, enroll devices, install apps, contact their IT department, and more. You can customize the Company Portal app for your devices running Windows Holographic for Business.
-Using the Company Portal app, you can also run the following actions:
+In the Company Portal app, end users can run the following actions:
- [Remove a device from Intune](../user-help/unenroll-your-device-from-intune-windows.md) using the Settings app or the Company Portal app
- [Rename a device](../user-help/rename-your-device-cpapp.md)
@@ -59,30 +61,29 @@ Using the Company Portal app, you can also run the following actions:
## Compliance policy
-**[Create a device compliance policy](../protect/compliance-policy-create-windows.md)**
+**[Create a device compliance policy](../protect/compliance-policy-create-windows.md)**.
-Compliance policies are rules and settings that devices must meet to be compliant. Use these policies with Conditional Access to block access to company resources for devices that are not-compliant. In Intune, create compliance policies to allow or block access for devices running Windows Holographic for Business. For example, you can create a policy that requires BitLocker be enabled.
+Compliance policies are rules and settings that devices must meet to be compliant. Use these policies with Conditional Access to block access to company resources for devices that are noncompliant. In Intune, create compliance policies to allow or block access for devices running Windows Holographic for Business. For example, you can create a policy that requires BitLocker.
-See also **[Get started with compliance policies](../protect/device-compliance-get-started.md)**.
+For more information, go to **[Get started with compliance policies](../protect/device-compliance-get-started.md)**.
## Deploy and manage apps
-**[Add apps to Intune](../apps/apps-add.md)**
+**[Add apps to Intune](../apps/apps-add.md)**.
Using Intune, you can add apps to your devices running Windows Holographic for Business. There are many ways to deploy apps, including:
- [Add Microsoft Store apps](../apps/store-apps-windows.md)
-- [Add apps you create](../apps/lob-apps-windows.md)
+- [Add line-of-business (LOB) you create](../apps/lob-apps-windows.md)
- [Assign apps to groups](../apps/apps-deploy.md)
-Microsoft Intune can deploy Universal Windows Apps (UWP) to Microsoft HoloLens devices running Windows Holographic for Business. You can directly upload your app packages in the Intune admin center, or deploy them from the Microsoft Store for Business. For more information about related areas, go to the following articles:
+Microsoft Intune can deploy Universal Windows Apps (UWP) to Microsoft HoloLens devices running Windows Holographic for Business. You can directly upload and deploy your app packages using the Intune admin center. For more information, go to:
- To deploy Line-of-Business (LOB) apps using the Intune admin center, go to [How to add Windows line-of-business apps to Microsoft Intune](../apps/lob-apps-windows.md).
> [!NOTE]
> Intune allows a maximum package size to 8 GB. This package size is only available for the LOB apps uploaded to Intune.
-- To deploy apps using the Microsoft Store for Business, go to [How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](../apps/windows-store-for-business.md).
- To learn about app management with Microsoft Intune, go to [What is app management in Microsoft Intune](../apps/app-management.md).
- To learn more about developing apps for Microsoft HoloLens, go to [Mixed reality apps for Microsoft HoloLens](https://www.microsoft.com/hololens/apps).
@@ -99,41 +100,41 @@ When you manage devices running Windows Holographic for Business, the following
- **[Retire](../remote-actions/devices-wipe.md#retire)**: The **Retire** action removes the device from Intune. It also removes managed app data, settings, and email profiles assigned by Intune. The user's personal data stays on the device.
-- **[Sync devices to get the latest policies and actions](../remote-actions/device-sync.md)**: The **Sync** action forces the device to immediately check in with Intune. When a device checks in, the device immediately receives any pending actions or policies that are assigned. This feature helps you validate and troubleshoot policies you've assigned, without waiting for the next scheduled check-in.
+- **[Sync devices to get the latest policies and actions](../remote-actions/device-sync.md)**: The **Sync** action forces the device to immediately check in with Intune. When a device checks in, the device receives any pending actions or policies that are assigned. This feature helps you validate and troubleshoot policies you assigned, without waiting for the next scheduled check-in.
-**[What is Microsoft Intune device management?](../remote-actions/device-management.md)** is a good resource to learn about managing devices using the Intune admin center.
+For information about managing devices using the Intune admin center, go to [What is Microsoft Intune device management?](../remote-actions/device-management.md).
## Device categories and groups
-**[Categorize devices into groups](../enrollment/device-group-mapping.md)**
+**[Categorize devices into groups](../enrollment/device-group-mapping.md)**.
-Using Intune, you can create device categories to automatically add devices to groups based on categories that you create, such as Sales, Accounting, Human Resources, and so on. The idea is to make it easier to manage your devices running Windows Holographic for Business.
+Using Intune, you can create device categories to automatically add devices to groups based on categories that you create, like Sales, Accounting, and Human Resources. The idea is to make it easier to manage your devices running Windows Holographic for Business.
## Device configuration profiles
-**[Get started with configuration profiles](../configuration/device-profiles.md), and [profile overview](../configuration/device-profile-create.md)**
+**[Get started with configuration profiles](../configuration/device-profiles.md) and [profile overview](../configuration/device-profile-create.md)**.
-Intune includes settings and features that you can enable or disable on different devices within your organization. These settings and features are managed using profiles. For example, you can create a profile uses Microsoft Defender Smart Screen on your devices running Windows Holographic for Business.
+Intune includes settings and features that you can enable or disable on different devices within your organization. These settings and features are managed using configuration profiles. For example, you can create a profile that uses Microsoft Defender Smart Screen on your devices running Windows Holographic for Business.
In your profiles, you can use OMA-URI to customize some settings, create device restrictions, and configure a virtual private network (VPN) and Wi-Fi.
### [Custom device settings](../configuration/custom-settings-windows-holographic.md)
-To configure OMA-URI (Open Mobile Alliance Uniform Resource Identifier) settings, you can create a custom profile in Intune. Use the OMA-URI settings to control different features on your Windows Holographic for Business devices, such as enabling VPN, or checking for updates on Microsoft Update.
+To configure OMA-URI (Open Mobile Alliance Uniform Resource Identifier) settings, you can create a custom profile in Intune. Use the OMA-URI settings to control different features on your Windows Holographic for Business devices. Typically, custom profiles are used to configure settings that aren't built-in to Intune.
-See a [HoloLens 2 devices example](../configuration/custom-profile-hololens.md) that uses the [Windows Defender Application Control (WDAC) CSP](/windows/client-management/mdm/applicationcontrol-csp) to allow or block apps from opening on HoloLens 2 devices.
+The [HoloLens 2 devices example](../configuration/custom-profile-hololens.md) uses the [Windows Defender Application Control (WDAC) CSP](/windows/client-management/mdm/applicationcontrol-csp) to allow or block apps from opening on HoloLens 2 devices.
### [Configure kiosk mode](../configuration/kiosk-settings-holographic.md)
-Using the shared or guest PC features available in Intune, you can configure Windows Holographic for Business devices to run as a kiosk. These devices can run one app (single-app kiosk mode), or run multiple apps (multi-app kiosk mode).
+Using the shared or guest PC features available in Intune, you can configure Windows Holographic for Business devices to run as a kiosk. These devices can run one app (single-app kiosk mode), or run many apps (multi-app kiosk mode).
### [Device restrictions](../configuration/device-restrictions-windows-holographic.md)
-Device restrictions let you control different settings and features on your devices. For example, you can require a password, install apps from [Microsoft Store](https://www.microsoft.com/store/apps/windows?icid=CNavAppsWindowsApps), enable Bluetooth, and more. These restrictions are created in an Intune profile. This profile can be applied to multiple devices running Windows Holographic for Business.
+Device restrictions let you control different settings and features on your devices. For example, you can require a password, install apps from [Microsoft Store](https://www.microsoft.com/store/apps/windows?icid=CNavAppsWindowsApps), and enable Bluetooth. These restrictions are created in an Intune configuration profile. This profile can be applied to multiple devices running Windows Holographic for Business.
### [Configure VPN](../configuration/vpn-settings-configure.md)
-Virtual private networks (VPNs) give your users secure remote access to your company network. In Intune, you can create a VPN profile that includes specific settings for your devices running Windows Holographic for Business. For example, you can create a VPN profile so all Windows Holographic for Business devices use Citrix VPN as the connection type.
+Virtual private networks (VPNs) give your users secure remote access to your organization network. In Intune, you can create a VPN profile that includes specific settings for your devices running Windows Holographic for Business. For example, you can create a VPN profile so all Windows Holographic for Business devices use Citrix VPN as the connection type.
> [!NOTE]
> When assigning a VPN policy to Windows Holographic for Business devices, assign the profile to the device scope. Currently, Windows Holographic only supports the device scope. When the VPN profile is installed in the device context, it applies to all users on the device. If a user profile is deployed, it's treated as a device profile.
@@ -144,28 +145,28 @@ You can also create a Wi-Fi profile in Intune to assign wireless network setting
## Shared multi-user devices
-[Shared devices](../configuration/shared-user-device-settings-windows-holographic.md)
+Devices that run Windows Holographic for Business, like the Microsoft HoloLens, can have multiple users. Intune includes settings to control different features on these shared devices, like power management, using the local storage, and account management. The configuration profiles can also be applied to devices with different operating systems.
-Devices that run Windows Holographic for Business, such as the Microsoft HoloLens, can have multiple users. Intune includes settings to control different features on these shared devices, such as power management, using the local storage, and account management. The configuration profiles can also be applied to devices with different operating systems.
+For more information, go to [Shared devices](../configuration/shared-user-device-settings-windows-holographic.md).
## Software updates
-**[Manage software updates](../protect/windows-update-for-business-configure.md)**
+**[Manage software updates](../protect/windows-update-for-business-configure.md)**.
-Intune includes a feature called update rings for Windows client devices. These update rings include a group of settings that determine how updates are installed. For example, you can create a maintenance window to install updates, or choose to restart after updates are installed. An update ring can be applied to multiple devices running Windows Holographic for Business.
+Intune has different feature that focus on updating Windows client devices. These options include that determine how updates are installed. For example, you can create a maintenance window to install updates, or choose to restart after updates are installed. Updates can be applied to multiple devices running Windows Holographic for Business.
## Terms and conditions
-**[Set your company's terms and conditions for user access](../enrollment/terms-and-conditions-create.md)**
+**[Set your company's terms and conditions for user access](../enrollment/terms-and-conditions-create.md)**.
Before users enroll devices and access your company apps, including email, you can require that users accept your company's terms and conditions. In Intune, define how the terms and conditions are shown in the Company Portal app, and also assign these terms and conditions to devices running Windows Holographic for Business.
## Windows Hello for Business
-**[Use Windows Hello for Business](../protect/windows-hello.md)**
+**[Use Windows Hello for Business](../protect/windows-hello.md)**.
Hello for Business is an alternative sign-in method that uses a Microsoft Entra account to replace a password, smart card, or a virtual smart card. With Hello for Business, your Windows Holographic for Business devices can sign in with a PIN with a minimum length set by you.
-## Next steps
+## Related content
[Set up Intune](deployment-plan-setup.md).
diff --git a/memdocs/intune/includes/android-device-administrator-support.md b/memdocs/intune/includes/android-device-administrator-support.md
index 8a9ae2157a7..6338e8f11ff 100644
--- a/memdocs/intune/includes/android-device-administrator-support.md
+++ b/memdocs/intune/includes/android-device-administrator-support.md
@@ -14,4 +14,3 @@ ms.collection:
> Microsoft Intune is ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) on December 31, 2024. After that date, device enrollment, technical support, bug fixes, and security fixes will be unavailable. If you currently use device administrator management, we recommend switching to another Android management option in Intune before support ends. For more information, see [Ending support for Android device administrator on GMS devices](https://techcommunity.microsoft.com/t5/intune-customer-success/microsoft-intune-ending-support-for-android-device-administrator/ba-p/3915443).
diff --git a/memdocs/intune/includes/tenant-attach-antivirus-prerequisites.md b/memdocs/intune/includes/tenant-attach-antivirus-prerequisites.md
index e5b2a298be0..9d33aafa36f 100644
--- a/memdocs/intune/includes/tenant-attach-antivirus-prerequisites.md
+++ b/memdocs/intune/includes/tenant-attach-antivirus-prerequisites.md
@@ -4,7 +4,7 @@ description: include file
author: brenduns
ms.service: microsoft-intune
ms.topic: include
-ms.date: 04/08/2022
+ms.date: 08/19/2024
ms.author: brenduns
ms.custom: include file
@@ -15,7 +15,7 @@ Manage [Antivirus settings for Configuration Manager devices](../protect/antivir
**Policy path**:
-- Endpoint security > Antivirus > Windows 10, Windows 11, and Windows Server (ConfigMgr)
+- Endpoint security > Antivirus > Windows (ConfigMgr)
diff --git a/memdocs/intune/includes/tenant-attach-asr-prerequisites.md b/memdocs/intune/includes/tenant-attach-asr-prerequisites.md
index 3654a123006..5b5e943db0b 100644
--- a/memdocs/intune/includes/tenant-attach-asr-prerequisites.md
+++ b/memdocs/intune/includes/tenant-attach-asr-prerequisites.md
@@ -4,7 +4,7 @@ description: Include file
author: brenduns
ms.service: microsoft-intune
ms.topic: include
-ms.date: 04/08/2024
+ms.date: 08/19/2024
ms.author: brenduns
ms.custom: include file
@@ -17,7 +17,7 @@ Manage [attack surface reduction settings for Configuration Manager devices](../
**Policy path**:
-- Endpoint security > Attach surface reduction > Windows 10 and later (ConfigMgr)
+- Endpoint security > Attach surface reduction > Windows (ConfigMgr)
@@ -26,7 +26,6 @@ Manage [attack surface reduction settings for Configuration Manager devices](../
- Exploit Protection(ConfigMgr)(preview)
- Web Protection (ConfigMgr)(preview)
**Required version of Configuration Manager**:
- Configuration Manager current branch version 2006 or later
diff --git a/memdocs/intune/includes/tenant-attach-edr-prerequisites.md b/memdocs/intune/includes/tenant-attach-edr-prerequisites.md
index 79e36497fba..c413d8108cd 100644
--- a/memdocs/intune/includes/tenant-attach-edr-prerequisites.md
+++ b/memdocs/intune/includes/tenant-attach-edr-prerequisites.md
@@ -4,16 +4,16 @@ description: include file
author: brenduns
ms.service: microsoft-intune
ms.topic: include
-ms.date: 05/29/2024
+ms.date: 08/19/2024
ms.author: brenduns
ms.custom: include file
#### Endpoint detection and response
-To manage Endpoint detection and response policy settings for Configuration Manager devices when you use tenant attach.
+To manage Endpoint detection and response policy settings for Configuration Manager devices when you use tenant attach.
-**Platform**: *Windows 10, Windows 11, and Windows Server (ConfigMgr)*
+**Platform**: *Windows (ConfigMgr)*
**Profile**: *Endpoint detection and response (ConfigMgr)*
diff --git a/memdocs/intune/includes/tenant-attach-firewall-prerequisites.md b/memdocs/intune/includes/tenant-attach-firewall-prerequisites.md
index fbc65ad53b8..d467815f96d 100644
--- a/memdocs/intune/includes/tenant-attach-firewall-prerequisites.md
+++ b/memdocs/intune/includes/tenant-attach-firewall-prerequisites.md
@@ -4,7 +4,7 @@ description: include file
author: brenduns
ms.service: microsoft-intune
ms.topic: include
-ms.date: 11/14/2023
+ms.date: 08/19/2024
ms.author: brenduns
ms.custom: include file
@@ -17,7 +17,7 @@ Manage [Firewall policy settings for Configuration Manager devices](../protect/e
**Policy path**:
-- Endpoint security > Firewall > Windows 10 and later
+- Endpoint security > Firewall
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/images/dfci-profile-expanded.png b/memdocs/intune/industry/education/tutorial-school-deployment/images/dfci-profile-expanded.png
deleted file mode 100644
index 3386f7673a3..00000000000
Binary files a/memdocs/intune/industry/education/tutorial-school-deployment/images/dfci-profile-expanded.png and /dev/null differ
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/images/enroll-ppkg.png b/memdocs/intune/industry/education/tutorial-school-deployment/images/enroll-ppkg.png
deleted file mode 100644
index 58d20dc3483..00000000000
Binary files a/memdocs/intune/industry/education/tutorial-school-deployment/images/enroll-ppkg.png and /dev/null differ
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/images/intune-education-groups.png b/memdocs/intune/industry/education/tutorial-school-deployment/images/intune-education-groups.png
deleted file mode 100644
index 87f4546e88b..00000000000
Binary files a/memdocs/intune/industry/education/tutorial-school-deployment/images/intune-education-groups.png and /dev/null differ
diff --git a/memdocs/intune/media/icons/i-article.png b/memdocs/intune/media/icons/i-article.png
deleted file mode 100644
index 5ebf820b048..00000000000
Binary files a/memdocs/intune/media/icons/i-article.png and /dev/null differ
diff --git a/memdocs/intune/protect/advanced-threat-protection-manage-android.md b/memdocs/intune/protect/advanced-threat-protection-manage-android.md
index a42e045d19d..16b89cd4a5a 100644
--- a/memdocs/intune/protect/advanced-threat-protection-manage-android.md
+++ b/memdocs/intune/protect/advanced-threat-protection-manage-android.md
@@ -1,13 +1,13 @@
# required metadata
-title: Configure Defender for Endpoint Web protection on Android devices in Intune - Azure
-description: Use Intune policy to manage Microsoft Defender for Endpoint web protection settings on Android devices managed by Microsoft Intune.
+title: Configure Defender for Endpoint Web protection on Android devices in Microsoft Intune
+description: Use Intune policy to manage Microsoft Defender for Endpoint web protection settings on Android devices managed by Microsoft Intune.
author: brenduns
ms.author: brenduns
manager: dougeby
-ms.date: 10/09/2023
+ms.date: 08/22/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: protect
@@ -32,13 +32,13 @@ ms.collection:
When you integrate [Microsoft Defender for Endpoint](../protect/advanced-threat-protection-configure.md) with Microsoft Intune, you can use device configuration profiles to modify some Defender for Endpoint settings on Android devices.
-By default, Microsoft Defender for Endpoint for Android includes and enables the [Web protection](/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview) feature that can help to secure devices against web threats and protect users from phishing attacks.
+By default, Microsoft Defender for Endpoint for Android includes and enables the Microsoft Defender for Endpoint [Web protection](/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview) feature that can help to secure devices against web threats and protect users from phishing attacks.
-While this protection is enabled by default, there are valid reasons to disable it on some Android devices. For example, you might decide to use only the Defender for Endpoint app scan feature or to prevent web protection from using your VPN while it scans for harmful URLs.
+While enabled by default, there are valid reasons to disable it on some Android devices. For example, you might decide to use only the Defender for Endpoint app scan feature or to prevent web protection from using your VPN while it scans for harmful URLs.
With Intune device configuration policy, you can turn off all or part of the web protection feature. The method you use and the capabilities you can disable depend on how the Android device is enrolled with Intune:
-- **Android device administrator**. Use a configuration profile to set custom OMA-URI settings on the device that disable the entire web protection feature or that disable only the use of VPNs. For general information about custom settings for Android devices, see [Custom settings](../configuration/custom-settings-android.md).
+- **Android device administrator**. Use a configuration profile to set custom OMA-URI settings on the device that disable the entire web protection feature or that disable only the use of VPNs. For general information about custom settings for Android devices, see [Use custom settings for Android devices in Microsoft Intune](../configuration/custom-settings-android.md).
- **Android Enterprise personally owned work profile**. Use an app configuration profile and the configuration designer to disable web protection. This method and enrollment type support disabling all web protection capabilities but don't support disabling only the use of VPNs. For general information about app configuration policies, see [Use the configuration designer](../apps/app-configuration-policies-use-android.md#use-the-configuration-designer).
@@ -80,13 +80,13 @@ To configure web protection on devices, use the following procedures to create a
- **Disable only the use of VPN by web protection**:
- **Name**: Enter a unique name for this OMA-URI setting so you can find it easily. For example, **Disable Microsoft Defender for Endpoint web protection VPN**.
- **Description**: (Optional) Enter a description that provides an overview of the setting and any other important details.
- - **OMA-URI**: Enter `./Vendor/MSFT/DefenderATP/Vpn`
+ - **OMA-URI**: Enter `./Vendor/MSFT/DefenderATP/Vpn`
- **Data type**: Select **Integer** in the drop-down list.
- **Value**: To disable the VPN-based scan, set *Value* to **0**. To enable the VPN-based scan, enter **1**, which is the default.
Select **Add** to save the OMA-URI settings configuration, and then select **Next** to continue.
-6. In **Assignments**, specify the groups that will receive the profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).
+6. In **Assignments**, specify the groups that receive the profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).
7. In **Review + create**, when you're done, select **Create**. The new profile is displayed in the list when you select the policy type for the profile you created.
@@ -126,7 +126,7 @@ To configure web protection on devices, use the following procedures to create a
Select **Next** to continue.
-8. In **Assignments**, specify the groups that will receive the profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).
+8. In **Assignments**, specify the groups that receive the profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).
9. In **Review + create**, when you're done, select **Create**. The new profile is displayed in the list when you select the policy type for the profile you created.
@@ -149,14 +149,14 @@ To configure web protection on devices, use the following procedures to create a
Select **Next** to continue.
-2. In **Assignments**, specify the groups that will receive the profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).
+2. In **Assignments**, specify the groups that receive the profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).
3. In **Review + create**, when you're done, select **Create**. The new profile is displayed in the list when you select the policy type for the profile you
## Next steps
-- [Monitor compliance for risk levels](../protect/advanced-threat-protection-monitor.md)
+- [Monitor device compliance status for risk levels](../protect/advanced-threat-protection-monitor.md)
- [Use security tasks with Defender for Endpoints Vulnerability Management to remediate problems on devices](../protect/atp-manage-vulnerabilities.md)
- Learn more from the Microsoft Defender for Endpoint documentation:
diff --git a/memdocs/intune/protect/checkpoint-sandblast-mobile-mobile-threat-defense-connector.md b/memdocs/intune/protect/checkpoint-sandblast-mobile-mobile-threat-defense-connector.md
index 6ec9f1793c7..01fc7edc2a6 100644
--- a/memdocs/intune/protect/checkpoint-sandblast-mobile-mobile-threat-defense-connector.md
+++ b/memdocs/intune/protect/checkpoint-sandblast-mobile-mobile-threat-defense-connector.md
@@ -8,7 +8,7 @@ keywords:
author: brenduns
ms.author: brenduns
manager: dougeby
-ms.date: 11/17/2023
+ms.date: 08/22/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: protect
@@ -49,12 +49,12 @@ You can configure Conditional Access policies based on Check Point Harmony Mobil
- Microsoft Intune Plan 1 subscription
-- Check Point Harmony Mobile Threat Defense subscription
+- Check Point Harmony Mobile Threat Defense subscription
- See the [CheckPoint Harmony website](https://www.checkpoint.com/harmony).
## How do Intune and Check Point Harmony Mobile help protect your company resources?
-Check Point Harmony Mobile app for Android and iOS/iPadOS captures file system, network stack, device and application telemetry where available, then sends the telemetry data to the Check Point Harmony cloud service to assess the device's risk for mobile threats.
+Check Point Harmony Mobile app for Android and iOS/iPadOS captures file system, network stack, and device and application telemetry where available, then sends the telemetry data to the Check Point Harmony cloud service to assess the device's risk for mobile threats.
The Intune device compliance policy includes a rule for Check Point Harmony Mobile Threat Defense, which is based on the Check Point Harmony risk assessment. When this rule is enabled, Intune evaluates device compliance with the policy that you enabled. If the device is found noncompliant, users are blocked access to corporate resources like Exchange Online and SharePoint Online. Users also receive guidance from the Harmony Mobile Protect app installed in their devices to resolve the issue and regain access to corporate resources.
diff --git a/memdocs/intune/protect/conditional-access-integrate-jamf.md b/memdocs/intune/protect/conditional-access-integrate-jamf.md
index 6c64bf34fa8..788ab26e6a8 100644
--- a/memdocs/intune/protect/conditional-access-integrate-jamf.md
+++ b/memdocs/intune/protect/conditional-access-integrate-jamf.md
@@ -38,7 +38,7 @@ ms.collection:
> **Jamf macOS device support for Conditional Access is being deprecated**.
-> Beginning on September 1, 2024, the platform that Jamf Pro’s Conditional Access feature is built on will no longer be supported.
+> Beginning on January 31, 2025, the platform that Jamf Pro’s Conditional Access feature is built on will no longer be supported.
> If you use Jamf Pro’s Conditional Access integration for macOS devices, follow Jamf’s documented guidelines to migrate your devices to Device Compliance integration at [***Migrating from macOS Conditional Access to macOS Device Compliance – Jamf Pro Documentation***](https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Conditional_Access.html#ariaid-title6).
diff --git a/memdocs/intune/protect/data-intune-sends-to-google.md b/memdocs/intune/protect/data-intune-sends-to-google.md
index 7b18d18e3e0..3891bcf4399 100644
--- a/memdocs/intune/protect/data-intune-sends-to-google.md
+++ b/memdocs/intune/protect/data-intune-sends-to-google.md
@@ -50,5 +50,6 @@ The following table lists the data that Microsoft Intune sends to Google when de
| Application Data | Originated in Intune when saving application policy. | | Application Name string. Example: app:com.microsoft.windowsintune.companyportal |
| Enterprise Service Account | Originated in Google upon Intune request. | Used for authentication between Intune and Google for transactions involving this customer. | There are several parts:
**Enterprise Id**: documented previously.
**UPN**: generated UPN used in authentication on behalf of customer.
Example: w49d77900526190e26708c31c9e8a0@pfwp-commicrosoftonedfmdm2.google.com.iam.gserviceaccount.com
**Key**: Base64 encoded blob used in auth requests, stored encrypted in the service, but this is what the blob looks like:
Unique Identifier to represent the customer's key
Example: a70d4d53eefbd781ce7ad6a6495c65eb15e74f1f |
| Registration Token | Originated in Google upon device enrollment. | Used to identify device when sending push notifications to the Company Portal app. | |
+| User Principal Name (UPN) | Only the UPN of the user signed-in to the Intune console initiating the [process to connect Google and Intune](../enrollment/connect-intune-android-enterprise.md) is sent as a pre-filled hint. | Used to prefill the admin email address field of the Google enterprise signup form. | |
To stop using Android enterprise device management with Microsoft Intune and delete the data, you must disable both Microsoft Intune Android enterprise device management and also delete your Google account. Refer to Google account how to perform account management.
diff --git a/memdocs/intune/protect/device-protect.md b/memdocs/intune/protect/device-protect.md
index 97b6e1672de..144fc42c2ce 100644
--- a/memdocs/intune/protect/device-protect.md
+++ b/memdocs/intune/protect/device-protect.md
@@ -8,7 +8,7 @@ keywords:
author: brenduns
ms.author: brenduns
manager: dougeby
-ms.date: 10/05/2023
+ms.date: 08/23/2024
ms.topic: overview
ms.subservice: protect
ms.service: microsoft-intune
@@ -37,7 +37,7 @@ Microsoft Intune can help you keep your managed devices secure and up to date wh
This article highlights many of Intune's built-in capabilities and partner technologies you can integrate with Intune. As you learn more about them, you can bring several together for more comprehensive solutions on your journey towards a zero-trust environment.
-From the Microsoft Intune admin center, Intune [supports managed devices](../fundamentals/supported-devices-browsers.md#intune-supported-operating-systems) that run Android, iOS/iPad, Linux, macOS, and Windows 10 and Windows 11.
+From the Microsoft Intune admin center, Intune [supports managed devices](../fundamentals/supported-devices-browsers.md#intune-supported-operating-systems) that run Android, iOS/iPad, Linux, macOS, and Windows.
When you use Configuration Manager to manage on-premises devices, you can extend Intune policies to those devices by configuring [tenant attach](../protect/tenant-attach-intune.md) or [co-management](../../configmgr/comanage/overview.md).
@@ -59,8 +59,6 @@ Deploy Intune's *endpoint security*, *device configuration*, and *device complia
Following are a few of the security settings and tasks you can manage through available policies:
-- **Device encryption** – Manage [BitLocker](../protect/encrypt-devices.md) on Windows 10 devices, and [FileVault](../protect/encrypt-devices-filevault.md) on macOS.
- **Authentication methods** – Configure how your devices authenticate to your organization's resources, email, and applications.
- [Use certificates for authentication](../protect/certificates-configure.md) to applications, your organization's resources, and for signing and encryption of email using S/MIME. You can also set up [derived credentials](../protect/derived-credentials.md) when your environment requires the use of smartcards.
@@ -68,9 +66,9 @@ Following are a few of the security settings and tasks you can manage through av
- Configure settings that help limit risk, like:
- Require multi-factor-authentication (MFA) to add an extra layer of authentication for users.
- Set PIN and password requirements that must be met before gaining access to resources.
- - Enable [Windows Hello for Business](../protect/windows-hello.md) for Windows 10 devices.
+ - Enable [Windows Hello for Business](../protect/windows-hello.md) for Windows devices.
-- **Virtual private networks (VPNs)** – With VPN profiles, assign VPN settings to devices so they can easily connect to your organization's network. Intune supports several [VPN connection types](../configuration/vpn-settings-configure.md#vpn-connection-types) and apps that include both built-in capabilities for some platforms and both first and third-party VPN apps for devices.
+- **Device encryption** – Manage [BitLocker](../protect/encrypt-devices.md) on Windows devices, and [FileVault](../protect/encrypt-devices-filevault.md) on macOS.
- **Software updates** – Manage how and when devices get software updates. The following are supported:
@@ -79,19 +77,26 @@ Following are a few of the security settings and tasks you can manage through av
- [Zebra LifeGuard Over-the-Air (LG OTA)](../protect/zebra-lifeguard-ota-integration.md) - Manage firmware updates for supported Zebra devices through the Intune admin center.
- [iOS](../protect/software-updates-ios.md) - Manage device operating system versions, and when devices check for and install updates.
- [macOS](../protect/software-updates-macos.md) - Manage software updates for macOS devices that enrolled as supervised devices.
- - [Windows 10](../protect/windows-update-for-business-configure.md), you can manage the Windows Update experience for devices. You can configure when devices scan or install updates, hold a set of your managed devices at specific feature versions, and more.
+ - [Windows](../protect/windows-update-for-business-configure.md)- To manage the Windows Update experience for devices, you can configure when devices scan or install updates, hold a set of your managed devices at specific feature versions, and more.
+- **Security baselines** – Deploy [security baselines](../protect/security-baselines.md) to establish a core security posture on your Windows devices. Security baselines are preconfigured groups of Windows settings that come recommended by the relevant product teams. You can use baselines as provided or edit instances of them to meet your security goals for targeted groups of devices.
+- **Virtual private networks (VPNs)** – With VPN profiles, assign VPN settings to devices so they can easily connect to your organization's network. Intune supports several [VPN connection types](../configuration/vpn-settings-configure.md#vpn-connection-types) and apps that include both built-in capabilities for some platforms and both first and third-party VPN apps for devices.
-- **Security baselines** – Deploy [security baselines](../protect/security-baselines.md) to establish a core security posture on your Windows 10 devices. Security baselines are preconfigured groups of Windows settings that come recommended by the relevant product teams. You can use baselines as provided or edit instances of them to meet your security goals for targeted groups of devices.
+- **Windows Local Administrator Password Solution (LAPS)** - With [Windows LAPS policy](../protect/windows-laps-overview.md), you can:
+ - Enforce password requirements for local admin accounts
+ - Back up a local admin account from devices to your Active Directory (AD) or Microsoft Entra
+ - Schedule rotation of those account passwords to help keep them safe.
## Protect data through policies
Intune-managed apps and Intune's [app protection policies](../apps/app-protection-policy.md) can help stop data leaks and keep your organization's data safe. These protections can apply to devices that are enrolled with Intune and to devices that aren't.
-- **Intune-managed apps** (or *managed apps* for short), are apps that have been integrated with the [Intune App SDK](../developer/app-sdk.md) or wrapped by the [Intune App Wrapping Tool](../developer/apps-prepare-mobile-application-management.md). These apps can be managed using Intune app protection policies. To view a list of publicly available managed apps, see [Intune protected apps](../apps/apps-supported-intune-apps.md).
+- **Intune-managed apps** (or *managed apps* for short), are apps that integrate the [Intune App SDK](../developer/app-sdk.md) or are wrapped by the [Intune App Wrapping Tool](../developer/apps-prepare-mobile-application-management.md). These apps can be managed using Intune app protection policies. To view a list of publicly available managed apps, see [Intune protected apps](../apps/apps-supported-intune-apps.md).
Users can use managed apps to work with both your organization's data, and their own personal data. However, when app protection policies require the use of a managed app, the managed app is the only app that can be used to access your organization's data. App protection rules don't apply to a user's personal data.
-- **App protection policies** are rules that ensure an organization's data remains safe or contained in a managed app. The rules identify the managed app that must be used and define what can be done with the data while the app is in use.
+- **App protection policies** are rules that ensure an organization's data remains safe or contained in a managed app. The rules identify the managed app that must be used, and define what can be done with the data while the app is in use.
The following are examples of protections and restrictions you can set with app protection policies and managed apps:
@@ -103,7 +108,7 @@ The following are examples of protections and restrictions you can set with app
From the Microsoft Intune admin center, you can run [device actions](../remote-actions/device-management.md#available-remote-actions) that help keep a selected device protected. You can run a subset of these actions as [bulk device actions](../remote-actions/bulk-device-actions.md) to affect multiple devices at the same time. And several [remote actions from Intune](../../configmgr/comanage/quickstart-remote-actions.md) can also be used with co-managed devices.
-Device actions aren't policy and take effect a single time when invoked. They apply either immediately if the device is accessible on-line, or when the device next boots up or checks in with Intune. Considered these actions as supplemental to the use of policies that configure and maintain security configurations for a population of devices.
+Device actions aren't policy and take effect a single time when invoked. They apply either immediately if the device is accessible on-line, or when the device next boots up or checks in with Intune. Considered these actions as supplemental to the use of policies that configure and maintain security configurations for a population of devices.
Following are examples of actions you can run that help secure devices and data:
@@ -111,7 +116,7 @@ Following are examples of actions you can run that help secure devices and data:
- BitLocker key rotation (Windows only)
- Disable Activation Lock (iOS only)
-- Full or Quick scan (Windows 10 only)
+- Full or Quick scan (Windows only)
- Remote lock
- Retire (which removes your organization's data from the device while leaving personal data intact)
- Update Microsoft Defender Security Intelligence
@@ -124,18 +129,18 @@ Following are examples of actions you can run that help secure devices and data:
- Sync (force a device to immediately check in with Intune to find new policies or pending actions)
## Integrate with other products and partner technologies
Intune supports integration with partner apps from both first-party and third-party sources, which expand on its built-in capabilities. You can also integrate Intune with several Microsoft technologies.
### Compliance partners
-Learn about using [device compliance partners](../protect/device-compliance-partners.md) with Intune. When you manage a device with a mobile device management partner other than Intune, you can integrate that compliance data with Microsoft Entra ID. When integrated, Conditional Access policies can use the partner data along-side compliance data from Intune.
+Learn about using [device compliance partners](../protect/device-compliance-partners.md) with Intune. When you manage a device with a mobile device management partner other than Intune, you can integrate that compliance data with Microsoft Entra ID. When integrated, Conditional Access policies can use the partner data alongside compliance data from Intune.
### Configuration Manager
You can use many Intune policies and device actions to [protect the devices you manage with Configuration Manager](../protect/endpoint-security-manage-devices.md). To support those devices, configure [co-management](../../configmgr/comanage/overview.md) or [tenant attach](../../configmgr/tenant-attach/device-sync-actions.md). You can also [use both together](../../configmgr/comanage/faq.yml#should-i-use-co-management-or-tenant-attach-) with Intune.
-- With *Co-management*, you can concurrently manage a Windows 10 device with both Configuration Manager and Intune. You install the Configuration Manager client and enroll the device to Intune. The device communicates with both services.
+- With *Co-management*, you can concurrently manage a Windows device with both Configuration Manager and Intune. You install the Configuration Manager client and enroll the device to Intune. The device communicates with both services.
- With *Tenant attach*, you set up synchronization between your Configuration Manager site and your Intune tenant. This synchronization provides you with a single view for all devices that you manage with Microsoft Intune.
@@ -144,7 +149,7 @@ After a connection between Intune and Configuration Manager is established, devi
Some of the protections you can apply include:
- Deploy certificates to devices by using Intune *Simple Certificate Enrollment Protocol* (SCEP) or *private and public key pair* (PKCS) certificate profiles.
-- Use compliance policy.
+- Use compliance policy.
- Use endpoint security policies, like *Antivirus*, *Endpoint detection and response*, and *Firewall* rules.
- Apply security baselines.
- Manage Windows Updates.
@@ -158,7 +163,7 @@ Use threat-level data with policies for device compliance, app protection, and C
With an integrated MTD app:
- For [enrolled devices](../protect/mtd-device-compliance-policy-create.md):
- - Use Intune to deploy and then manage the MTD app on devices.
+ - Use Intune to deploy and then manage the MTD app on devices.
- Deploy device compliance policies that use the devices reported threat level to evaluate compliance.
- Define Conditional Access policies that consider a devices threat level.
- Define app protection policies to determine when to block or allow access to data, based on the threat level of the device.
@@ -177,17 +182,17 @@ On its own, Microsoft Defender for Endpoint provides several security focused be
- **Support for Microsoft Tunnel** - On Android devices, Microsoft Defender for Endpoint is the client application you use with [Microsoft Tunnel](../protect/microsoft-tunnel-overview.md), a VPN gateway solution for Intune. When used as the Microsoft Tunnel client app, you don't need a subscription for Microsoft Defender for Endpoint.
- **Security tasks** – With [security tasks](../protect/atp-manage-vulnerabilities.md), Intune admins can take advantage of Microsoft Defender for Endpoint's [threat and vulnerability management](/windows/security/threat-protection/windows-defender-atp/next-gen-threat-and-vuln-mgt) capabilities. How it works:
- Your Defender for Endpoint team identifies at-risk-devices and create the security tasks for Intune in the Defender for Endpoint security center.
- - Those tasks show up in Intune with mitigation advice that Intune admins can use to mitigate the risk.
+ - Those tasks show up in Intune with mitigation advice that Intune admins can use to mitigate the risk.
- When a task is resolved in Intune, that status passes back to the Defender for Endpoint security center where the results of the mitigation can be evaluated.
- **Endpoint security policies** – The following Intune endpoint security policies require integration with Microsoft Defender for Endpoint. When you use [tenant attach](../protect/tenant-attach-intune.md), you can deploy these policies to devices you manage with either Intune or Configuration Manager.
- - [Antivirus policy](../protect/endpoint-security-antivirus-policy.md) - Manage the settings for *Microsoft Defender Antivirus* and the *Windows Security experience* on supported devices, like Windows 10 and macOS.
+ - [Antivirus policy](../protect/endpoint-security-antivirus-policy.md) - Manage the settings for *Microsoft Defender Antivirus* and the *Windows Security experience* on supported devices, like Windows and macOS.
- [Endpoint detection and response policy](../protect/endpoint-security-edr-policy.md) – Use this policy to configure endpoint detection and response (EDR), which is a capability of Microsoft Defender for Endpoint.
### Conditional Access
Conditional Access is a Microsoft Entra capability that [works with Intune](../protect/conditional-access.md) to help protect devices. For devices that register with Microsoft Entra ID, Conditional Access policies can use device and compliance details from Intune to enforce access decisions for users and devices.
@@ -220,4 +225,4 @@ For more information, see [Endpoint Privilege Management](../protect/epm-overvie
## Next steps
-Plan to use Intune's capabilities to support your journey towards a zero-trust environment by protecting your data and securing devices. Beyond the previous in-line links to learn more about those capabilities, learn about [data security and sharing in Intune](../protect/privacy-data-secure-share.md).
+Plan to use Intune's capabilities to support your journey towards a zero-trust environment by protecting your data and securing devices. Beyond the previous in-line links to learn more about those capabilities, learn about [data security and sharing in Intune](../protect/privacy-data-secure-share.md).
diff --git a/memdocs/intune/protect/endpoint-security-account-protection-policy.md b/memdocs/intune/protect/endpoint-security-account-protection-policy.md
index e2eac6d23e7..728137004e5 100644
--- a/memdocs/intune/protect/endpoint-security-account-protection-policy.md
+++ b/memdocs/intune/protect/endpoint-security-account-protection-policy.md
@@ -7,7 +7,7 @@ keywords:
author: brenduns
ms.author: brenduns
manager: dougeby
-ms.date: 07/18/2024
+ms.date: 08/19/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: protect
@@ -57,8 +57,9 @@ For guidance on assigning the right level of permissions and rights to manage In
## Account protection profiles
-**Windows 10/11 profiles**:
+Platform: **Windows**:
- **Account protection** – Settings for account protection policies help you protect user credentials. The account protection policy is focused on settings for Windows Hello for Business that include both *device-scoped* and *user-scoped* settings, and Credential Guard, which is part of Windows identity and access management.
- *Windows Hello for Business* replaces passwords with strong two-factor authentication on PCs and mobile devices.
diff --git a/memdocs/intune/protect/endpoint-security-antivirus-policy.md b/memdocs/intune/protect/endpoint-security-antivirus-policy.md
index cbc611ff74b..846d315fe68 100644
--- a/memdocs/intune/protect/endpoint-security-antivirus-policy.md
+++ b/memdocs/intune/protect/endpoint-security-antivirus-policy.md
@@ -7,7 +7,7 @@ keywords:
author: brenduns
ms.author: brenduns
manager: dougeby
-ms.date: 06/17/2024
+ms.date: 08/19/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: protect
@@ -56,8 +56,8 @@ Applies to:
- Any supported version of macOS
- For Intune to manage antivirus settings on a device, Microsoft Defender for Endpoint must be installed on that device. See. [Microsoft Defender for Endpoint for macOS](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac) (In the Microsoft Defender for Endpoint documentation)
-- **Windows 10, Windows 11, and Windows Server**
- - No additional prerequisites are required.
+- **Windows**
+ - No additional prerequisites are required.
**Support for Configuration Manager clients**:
@@ -98,13 +98,13 @@ Prerequisites to support tamper protection for devices managed by Intune:
Profiles for *Antivirus* policy that support tamper protection for [devices managed by Microsoft Intune](#devices-managed-by-microsoft-intune):
-- Platform: **Windows 10, Windows 11, and Windows Server**
+- Platform: **Windows**
- Profile: **Windows Security experience**
> [!NOTE]
- > Beginning on April 5, 2022, the *Windows 10 and later* platform was replaced by the *Windows 10, Windows 11, and Windows Server* platform.
+ > Beginning on April 5, 2022, the *Windows 10 and later* platform was replaced by the *Windows 10, Windows 11, and Windows Server* platform that is now named more simply as *Windows*.
- > The *Windows 10, Windows 11, and Windows Server* platform supports devices communicating with Intune through Microsoft Intune or Microsoft Defender for Endpoint. These profiles also add support for the Windows Server platform which is not supported through Microsoft Intune natively.
+ > The *Windows* platform supports devices communicating with Intune through Microsoft Intune or Microsoft Defender for Endpoint. These profiles also add support for the Windows Server platform which is not supported through Microsoft Intune natively.
> Profiles for this new platform use the settings format as found in the Settings Catalog. Each new profile template for this new platform includes the same settings as the older profile template it replaces. With this change you can no longer create new versions of the old profiles. Your existing instances of the old profile remain available to use and edit.
@@ -121,7 +121,7 @@ Prerequisites to support managing tamper protection with these profiles:
Profiles for *Antivirus* policy that support tamper protection for [devices managed by Configuration Manager](#devices-managed-by-configuration-manager):
-- Platform: **Windows 10, Windows 11, and Windows Server (ConfigMgr)**
+- Platform: **Windows (ConfigMgr)**
- Profile: **Windows Security experience (preview)**
## Antivirus profiles
@@ -140,13 +140,13 @@ The following profiles are supported for devices you manage with Intune:
-- Platform: **Windows 10, Windows 11, and Windows Server**
+- Platform: **Windows**
Profiles for this platform can be used with devices enrolled with Intune, and devices managed through [Security Management for Microsoft Defender for Endpoint](../protect/mde-security-integration.md).
> [!NOTE]
- > Beginning on April 5, 2022, the *Windows 10 and later* platform was replaced by the *Windows 10, Windows 11, and Windows Server* platform.
+ > Beginning on April 5, 2022, the *Windows 10 and later* platform was replaced by the *Windows 10, Windows 11, and Windows Server* platform that is now named more simply as *Windows*.
- > The *Windows 10, Windows 11, and Windows Server* platform supports devices communicating with Intune through Microsoft Intune or Microsoft Defender for Endpoint. These profiles also add support for the Windows Server platform which is not supported through Microsoft Intune natively.
+ > The *Windows* platform supports devices communicating with Intune through Microsoft Intune or Microsoft Defender for Endpoint. These profiles also add support for the Windows Server platform which is not supported through Microsoft Intune natively.
> Profiles for this new platform use the settings format as found in the Settings Catalog. Each new profile template for this new platform includes the same settings as the older profile template it replaces. With this change you can no longer create new versions of the old profiles. Your existing instances of the old profile remain available to use and edit.
@@ -242,7 +242,7 @@ The information for this report is based on details available from the following
[Configure Endpoint security policies](../protect/endpoint-security-policy.md#create-an-endpoint-security-policy)
-View details for the Windows settings in the deprecated profiles for the *Windows 10 and later* platform:
+View details for the Windows settings in the deprecated profiles for the deprecated *Windows 10 and later* platform:
- [Antivirus policy settings](../protect/antivirus-microsoft-defender-settings-windows.md)
- [Antivirus exclusions](../protect/antivirus-microsoft-defender-settings-windows.md#microsoft-defender-antivirus-exclusions)
diff --git a/memdocs/intune/protect/endpoint-security-asr-policy.md b/memdocs/intune/protect/endpoint-security-asr-policy.md
index 8a683b61d0a..a8e0ed0adf9 100644
--- a/memdocs/intune/protect/endpoint-security-asr-policy.md
+++ b/memdocs/intune/protect/endpoint-security-asr-policy.md
@@ -7,7 +7,7 @@ keywords:
author: brenduns
ms.author: brenduns
manager: dougeby
-ms.date: 06/17/2024
+ms.date: 08/19/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: protect
@@ -87,7 +87,7 @@ The available profiles for attack surface reduction policy depend on the platfor
### Devices managed by Intune
-**Platform: Windows 10, Windows 11, and Windows Server**:
+**Platform: Windows**:
Profiles for this platform are supported on Windows 10 and Windows 11 devices enrolled with Intune.
@@ -127,10 +127,6 @@ Available profiles for this platform include:
- [Deploy and manage device control with Microsoft Intune](/microsoft-365/security/defender-endpoint/device-control-deploy-manage-intune)
- [Device control walkthroughs](/microsoft-365/security/defender-endpoint/device-control-walkthroughs)
-**Platform: Windows 10 and later**:
-Profiles for this platform are supported on Windows 10 and Windows 11 devices enrolled with Intune. Profiles include:
- **App and browser isolation** – Manage settings for Windows Defender Application Guard (Application Guard), as part of Defender for Endpoint. Application Guard helps to prevent old and newly emerging attacks and can isolate enterprise-defined sites as untrusted while defining what sites, cloud resources, and internal networks are trusted.
To learn more, see [Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) in the Microsoft Defender for Endpoint documentation.
@@ -155,7 +151,7 @@ Profiles for this platform are supported on Windows 10 and Windows 11 devices en
### Devices managed by Defender for Endpoint security settings management
-When you use the [Security Management for Microsoft Defender for Endpoint](../protect/mde-security-integration.md) scenario to support devices managed by Defender that aren't enrolled with Intune, you can use the *Windows 10, Windows 11, and Windows Server* platform to manage settings on devices that run Windows 10, Windows 11, and Windows Server. For more information, see [ASR rules supported operating systems](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#asr-rules-supported-operating-systems) in the Windows Threat protection documentation.
+When you use the [Security Management for Microsoft Defender for Endpoint](../protect/mde-security-integration.md) scenario to support devices managed by Defender that aren't enrolled with Intune, you can use the *Windows* platform to manage settings on devices that run Windows 10, Windows 11, and Windows Server. For more information, see [ASR rules supported operating systems](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#asr-rules-supported-operating-systems) in the Windows Threat protection documentation.
Profiles supported for this scenario include:
@@ -174,7 +170,7 @@ Profiles supported for this scenario include:
### Reusable settings groups for Device control profiles
-In public preview, Device control profiles support use of [reusable settings groups](../protect/reusable-settings-groups.md) to help manage settings for the following settings groups on devices for the *Windows 10, Windows 11, and Windows Server* platform:
+In public preview, Device control profiles support use of [reusable settings groups](../protect/reusable-settings-groups.md) to help manage settings for the following settings groups on devices for the *Windows* platform:
- Printer device:
The following device control profile settings are available for *printer device*:
diff --git a/memdocs/intune/protect/endpoint-security-disk-encryption-policy.md b/memdocs/intune/protect/endpoint-security-disk-encryption-policy.md
index 28af8ff3fe7..2b471c34208 100644
--- a/memdocs/intune/protect/endpoint-security-disk-encryption-policy.md
+++ b/memdocs/intune/protect/endpoint-security-disk-encryption-policy.md
@@ -7,7 +7,7 @@ keywords:
author: brenduns
ms.author: brenduns
manager: dougeby
-ms.date: 06/17/2024
+ms.date: 08/19/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: protect
@@ -64,11 +64,11 @@ For guidance on assigning the right level of permissions and rights to manage In
> [!NOTE]
- > Beginning on June 19, 2023, the BitLocker profile for Windows 10 and later was updated to use the settings format as found in the Settings Catalog. The new profile format includes the same settings as the older profile. With this change you can no longer create new versions of the old profiles. Your existing instances of the old profile remain available to use and edit.
+ > Beginning on June 19, 2023, the BitLocker profile for Windows was updated to use the settings format as found in the Settings Catalog. The new profile format includes the same settings as the older profile. With this change you can no longer create new versions of the old profiles. Your existing instances of the old profile remain available to use and edit.
> With the new profile format, we no longer publish a dedicated list of settings as found in the profile. Instead, use the *Learn more* link in the UI while viewing information for a setting, to open [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) in the Windows documentation, where the setting is detailed in full.
- >
- > You can continue to find a list of settings from the original BitLocker profile at [BitLocker settings](../protect/endpoint-security-disk-encryption-profile-settings.md#bitlocker) in the Intune documentation.
+ >
+ > You can continue to find a list of settings in the original BitLocker profiles created before June 19, 2023, at [BitLocker settings](../protect/endpoint-security-disk-encryption-profile-settings.md#bitlocker) in the Intune documentation.
To create a BitLocker profile, see [Use BitLocker disk encryption for Windows](../protect/encrypt-devices.md).
diff --git a/memdocs/intune/protect/endpoint-security-disk-encryption-profile-settings.md b/memdocs/intune/protect/endpoint-security-disk-encryption-profile-settings.md
index ef087ec691d..cc5ffd585c8 100644
--- a/memdocs/intune/protect/endpoint-security-disk-encryption-profile-settings.md
+++ b/memdocs/intune/protect/endpoint-security-disk-encryption-profile-settings.md
@@ -7,7 +7,7 @@ keywords:
author: brenduns
ms.author: brenduns
manager: dougeby
-ms.date: 05/13/2024
+ms.date: 08/19/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: protect
@@ -33,6 +33,14 @@ ms.reviewer: aanavath
View the settings you can configure in profiles for *Disk Encryption* policy in the Endpoint security node of Intune as part of an [Endpoint security policy](../protect/endpoint-security-policy.md).
+> [!NOTE]
+> Beginning on June 19, 2023, the BitLocker profile for Windows was updated to use the settings format as found in the Settings Catalog. The new profile format includes the same settings as the older profile, but due to the new format, settings names in the Intune admin center have updated. With this change you can no longer create new versions of the old profile. Your existing instances of the old profile remain available to use and edit.
+> The settings details in this article apply only to BitLocker profiles created before June 19, 2023.
+> With the new profile format, we no longer publish a dedicated list of settings as found in the profile. Instead, use the *Learn more* link in the UI while viewing information for a setting, to open [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) in the Windows documentation, where the setting is detailed in full.
Applies to:
- macOS
diff --git a/memdocs/intune/protect/endpoint-security-edr-policy.md b/memdocs/intune/protect/endpoint-security-edr-policy.md
index e09707b4a75..1bdb6ee5708 100644
--- a/memdocs/intune/protect/endpoint-security-edr-policy.md
+++ b/memdocs/intune/protect/endpoint-security-edr-policy.md
@@ -7,7 +7,7 @@ keywords:
author: brenduns
ms.author: brenduns
manager: dougeby
-ms.date: 06/17/2024
+ms.date: 08/19/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: protect
@@ -149,7 +149,7 @@ The EDR onboarding status tab includes:
To learn more about Defender for Endpoint settings that are available for macOS, see [Set preferences for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-preferences#device-tags) in the Defender documentation.
-**Windows** - To manage EDR for Windows devices, select the **Windows 10, Windows 11, and Windows Server** platform. The following profile is available:
+**Windows** - To manage EDR for Windows devices, select the **Windows** platform. The following profile is available:
- **Endpoint detection and response** - Intune deploys the policy to devices in your assigned groups. This profile supports use with:
@@ -158,9 +158,9 @@ The EDR onboarding status tab includes:
> [!NOTE]
- > Beginning on April 5, 2022, the *Windows 10 and later* platform was replaced by the *Windows 10, Windows 11, and Windows Server* platform.
+ > Beginning on April 5, 2022, the *Windows 10 and later* platform was replaced by the *Windows 10, Windows 11, and Windows Server* platform that is now named more simply as *Windows*.
- > The *Windows 10, Windows 11, and Windows Server* platform supports devices communicating through Microsoft Intune or Microsoft Defender for Endpoint. These profiles also add support for the Windows Server platform which is not supported through Microsoft Intune natively.
+ > The *Windows* platform supports devices communicating through Microsoft Intune or Microsoft Defender for Endpoint. These profiles also add support for the Windows Server platform which is not supported through Microsoft Intune natively.
> Profiles for this new platform use the settings format as found in the Settings Catalog. Each new profile template for this new platform includes the same settings as the older profile template it replaces. With this change you can no longer create new versions of the old profiles. Your existing instances of the old profile remain available to use and edit.
@@ -230,7 +230,7 @@ To enable tenant attach when co-management isn’t enabled, you’ll need to sig
The following are supported for devices you manage with Intune:
-- Platform: **Windows 10, Windows 11, and Windows Server** - Intune deploys the policy to devices in your Microsoft Entra groups.
+- Platform: **Windows** - Intune deploys the policy to devices in your Microsoft Entra groups.
- Profile: **Endpoint detection and response**
## Use a preconfigured EDR policy
@@ -258,11 +258,11 @@ To create the policy:
2. On the **Create a profile** page, specify one of the following combinations, and then select **Create**:
- For devices managed by Intune:
- - Platform = **Windows 10, Windows 11, and Windows Server**
+ - Platform = **Windows**
- Profile = **Endpoint detection and response**
- For devices managed through the [tenant attach scenario](../protect/tenant-attach-intune.md):
- - Platform = **Windows 10, Windows 11, and Windows Server (ConfigMgr)**
+ - Platform = **Windows (ConfigMgr)**
- Profile = **Endpoint detection and response (ConfigMgr)**
@@ -305,11 +305,11 @@ This option is found near the top of the page, above the Windows Devices onboard
- Intune - Intune deploys the policy to devices in your assigned groups. When you create the policy, select:
- - Platform: **Linux**, **macOS**, or **Windows 10, Windows 11, and Windows Server**
+ - Platform: **Linux**, **macOS**, or **Windows**
- Profile: **Endpoint detection and response**
- Configuration Manager - Configuration Manager deploys the policy to devices in your Configuration Manager collections. When you create the policy, select:
- - Platform: **Windows 10, Windows 11, and Windows Server (ConfigMgr)**
+ - Platform: **Windows (ConfigMgr)**
- Profile: **Endpoint detection and response (ConfigMgr)**
4. Select **Create**.
@@ -380,12 +380,12 @@ You can view details about the EDR policies you use in the endpoint deployment a
For policy details, in the admin center, go to **Endpoint security** > **Endpoint deployment and response** > **Summary** tab, and select the policy for which you want to view compliance details:
-- For policies that target the **Linux**, **macOS**, or **Windows 10, Windows 11, and Windows Server** platforms (Intune), Intune displays an overview of compliance to the policy. You can also select the chart to view a list of devices that received the policy, and drill-in to individual devices for more details.
+- For policies that target the **Linux**, **macOS**, or **Windows** platforms (Intune), Intune displays an overview of compliance to the policy. You can also select the chart to view a list of devices that received the policy, and drill-in to individual devices for more details.
- For Windows devices, the chart for **Windows devices onboarded to Defender for Endpoint** displays the count of devices that have successfully onboarded to Microsoft Defender for Endpoint and that have yet to onboard.
To ensure you have full representation of your devices in this chart, deploy the onboarding profile to all your devices. Devices that onboard to Microsoft Defender for Endpoint by external means, like Group Policy or PowerShell, are counted as **Devices without the Defender for Endpoint sensor**.
-- For policies that target the **Windows 10, Windows 11, and Windows Server (ConfigMgr)** platform (Configuration Manager), Intune displays an overview of compliance to the policy that doesn't support drill-in to view additional details. The view is limited because the admin center receives limited status details from Configuration Manager, which manages the deployment of the policy to Configuration Manager devices.
+- For policies that target the **Windows (ConfigMgr)** platform (Configuration Manager), Intune displays an overview of compliance to the policy that doesn't support drill-in to view additional details. The view is limited because the admin center receives limited status details from Configuration Manager, which manages the deployment of the policy to Configuration Manager devices.
To view details for individual devices, go to **Endpoint security** > **Endpoint deployment and response** > **EDR Onboarding Status** tab, and select a device from the list to view additional device-specific details.
diff --git a/memdocs/intune/protect/endpoint-security-edr-profile-settings.md b/memdocs/intune/protect/endpoint-security-edr-profile-settings.md
index 01f5a1b9e5c..43af6d82078 100644
--- a/memdocs/intune/protect/endpoint-security-edr-profile-settings.md
+++ b/memdocs/intune/protect/endpoint-security-edr-profile-settings.md
@@ -35,7 +35,7 @@ ms.reviewer: mattcall
> The information in this article applies only to the settings in the Endpoint detection and response profile for the *Windows 10 and later* platform for endpoint security Endpoint detection and response policy.
-> Beginning on April 5, 2022, the *Windows 10 and later* platform was replaced by the *Windows 10, Windows 11, and Windows Server* platform. Although you can no longer create a new instance of this older profile, you can continue to edit and use an existing instances of this profile. The settings details in this article apply only to the deprecated profiles.
+> Beginning on April 5, 2022, the *Windows 10 and later* platform was replaced by the *Windows 10, Windows 11, and Windows Server* platform that is now named more simply as *Windows*. Although you can no longer create a new instance of this older profile, you can continue to edit and use an existing instances of this profile. The settings details in this article apply only to the deprecated profiles.
View the settings you can configure in profiles for [Endpoint detection and response policy](../protect/endpoint-security-edr-policy.md) in the endpoint security node of Intune.
diff --git a/memdocs/intune/protect/endpoint-security-firewall-policy.md b/memdocs/intune/protect/endpoint-security-firewall-policy.md
index 1655e3f33d2..5546622d8eb 100644
--- a/memdocs/intune/protect/endpoint-security-firewall-policy.md
+++ b/memdocs/intune/protect/endpoint-security-firewall-policy.md
@@ -68,14 +68,14 @@ For guidance on assigning the right level of permissions and rights to manage In
- **macOS firewall** – Enable and configure settings for the built-in firewall on macOS.
-**Platform: Windows 10, Windows 11, and Windows Server**:
+**Platform: Windows**:
For information about configuring settings in the following profiles, see the [Firewall configuration service provider (CSP)](/windows/client-management/mdm/firewall-csp).
> [!NOTE]
-> Beginning on April 5, 2022, the *Windows 10 and later* platform was replaced by the *Windows 10, Windows 11, and Windows Server* platform.
+> Beginning on April 5, 2022, the *Windows 10 and later* platform was replaced by the *Windows 10, Windows 11, and Windows Server* platform that is now named more simply as *Windows*.
-> The *Windows 10, Windows 11, and Windows Server* platform supports devices communicating through Microsoft Intune or Microsoft Defender for Endpoint. These profiles also add support for the Windows Server platform which is not supported through Microsoft Intune natively.
+> The *Windows* platform supports devices communicating through Microsoft Intune or Microsoft Defender for Endpoint. These profiles also add support for the Windows Server platform which is not supported through Microsoft Intune natively.
> Profiles for this new platform use the settings format as found in the Settings Catalog. Each new profile template for this new platform includes the same settings as the older profile template it replaces. With this change you can no longer create new versions of the old profiles. Your existing instances of the old profile remain available to use and edit.
@@ -94,7 +94,8 @@ For guidance on assigning the right level of permissions and rights to manage In
In public preview, Windows Firewall rule profiles support use of [reusable settings groups](../protect/reusable-settings-groups.md) for the following platforms:
-- *Windows 10 and Windows 11*
+- Windows 10
+- Windows 11
The following firewall rule profile settings are available in reusable settings groups:
@@ -210,6 +211,6 @@ Additional common firewall rule issues:
[Configure Endpoint security policies](../protect/endpoint-security-policy.md#create-an-endpoint-security-policy)
-View details for the settings in the deprecated Firewall profiles for the *Windows 10 and later* platform:
+View details for the settings in the deprecated Firewall profiles for the deprecated *Windows 10 and later* platform:
- [Firewall profile settings](../protect/endpoint-security-Firewall-profile-settings.md).
diff --git a/memdocs/intune/protect/endpoint-security-firewall-profile-settings-tenant-attach.md b/memdocs/intune/protect/endpoint-security-firewall-profile-settings-tenant-attach.md
index 72948e1e01e..d685e997615 100644
--- a/memdocs/intune/protect/endpoint-security-firewall-profile-settings-tenant-attach.md
+++ b/memdocs/intune/protect/endpoint-security-firewall-profile-settings-tenant-attach.md
@@ -7,7 +7,7 @@ keywords:
author: brenduns
ms.author: brenduns
manager: dougeby
-ms.date: 11/14/2023
+ms.date: 08/19/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: protect
diff --git a/memdocs/intune/protect/endpoint-security-firewall-profile-settings.md b/memdocs/intune/protect/endpoint-security-firewall-profile-settings.md
index 025b6ffd977..640a73ee494 100644
--- a/memdocs/intune/protect/endpoint-security-firewall-profile-settings.md
+++ b/memdocs/intune/protect/endpoint-security-firewall-profile-settings.md
@@ -7,7 +7,7 @@ keywords:
author: brenduns
ms.author: brenduns
manager: dougeby
-ms.date: 03/26/2024
+ms.date: 08/19/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: protect
@@ -41,7 +41,7 @@ Applies to:
> [!NOTE]
-> Beginning on April 5, 2022, the Firewall profiles for the *Windows 10 and later* platform were replaced by the *Windows 10, Windows 11, and Windows Server* platform and new instances of those same profiles. Profiles created after that date use a new settings format as found in the Settings Catalog. With this change you can no longer create new versions of the old profile and they are no longer being developed. Although you can no longer create new instances of the older profile, you can continue to edit and use instances of it that you previously created.
+> Beginning on April 5, 2022, the Firewall profiles for the *Windows 10 and later* platform were replaced by the *Windows* platform and new instances of those same profiles. Profiles created after that date use a new settings format as found in the Settings Catalog. With this change you can no longer create new versions of the old profile and they are no longer being developed. Although you can no longer create new instances of the older profile, you can continue to edit and use instances of it that you previously created.
> For profiles that use the new settings format, Intune no longer maintains a list of each setting by name. Instead, the name of each setting, its configuration options, and its explanatory text you see in the Microsoft Intune admin center are taken directly from the settings authoritative content. That content can provide more information about the use of the setting in its proper context. When viewing a settings information text, you can use its *Learn more* link to open that content.
@@ -508,7 +508,7 @@ Specifies the local and remote addresses to which this rule applies:
Manage local address ranges for this rule. You can:
- **Add** one or more addresses as a comma-separated list of local addresses that are covered by the rule.
- - **Import** a .csv file that contains a list of addresses to use as local address ranges.
+ - **Import** a .csv file containing a list of local IP addresses ranges using the 'LocalAddressRanges' header.
- **Export** your current list of local address ranges as a .csv file.
Valid entries (tokens) include the following options:
@@ -529,7 +529,7 @@ Specifies the local and remote addresses to which this rule applies:
Manage remote address ranges for this rule. You can:
- **Add** one or more addresses as a comma-separated list of remote addresses that are covered by the rule.
- - **Import** a .csv file that contains a list of addresses to use as remote address ranges.
+ - **Import** a .csv file containing a list of remote IP addresses ranges using the 'RemoteAddressRanges' header.
- **Export** your current list of remote address ranges as a .csv file.
Valid entries (tokens) include the following and aren't case-sensitive:
diff --git a/memdocs/intune/protect/endpoint-security-firewall-rule-tool.md b/memdocs/intune/protect/endpoint-security-firewall-rule-tool.md
deleted file mode 100644
index d98be6d111d..00000000000
--- a/memdocs/intune/protect/endpoint-security-firewall-rule-tool.md
+++ /dev/null
@@ -1,41 +0,0 @@
-# required metadata
-title: Endpoint security firewall rule migration tool for Microsoft Intune
-description: Learn about the endpoint security firewall rule migration tool for Microsoft Intune.
-author: brenduns
-ms.author: brenduns
-manager: dougeby
-ms.date: 06/07/2024
-ms.topic: overview
-ms.service: microsoft-intune
-ms.subservice: protect
-ms.localizationpriority: high
-# optional metadata
-ms.suite: ems
-search.appverid: MET150
-ms.custom: intune-azure
-- tier3
-- M365-identity-device-management
-- ContentEnagagementFY24
-- sub-secure-endpoints
-# Endpoint security firewall rule migration tool overview
-> In June 2024, a change to MSGraph affected the operation of the Intune endpoint security Firewall Rule migration tool. With this change, the tool is unable to successfully create new firewall rule profiles and is therefore no longer supported or offered for download. Compounding the issue, the tool was capable of creating profiles for only the *Windows 10 and later* platform, a platform that has deprecated and [replaced by a new platform for firewall rule profiles](../protect/endpoint-security-firewall-policy.md) that supports the current Intune settings format.
->The challenges affecting the tool are not issues that can be resolved in the short term.
-> We are evaluating options to offer a new tool for firewall rule migration. However, it is not yet known if or when a new tool could be available. Should we be able to provide a new tool, we will announce its availability in the [What’s New in Microsoft Intune](../fundamentals/whats-new.md) article at that time.
diff --git a/memdocs/intune/protect/epm-policies.md b/memdocs/intune/protect/epm-policies.md
index fc5f4fa49d7..1753d2f5700 100644
--- a/memdocs/intune/protect/epm-policies.md
+++ b/memdocs/intune/protect/epm-policies.md
@@ -5,7 +5,7 @@ keywords:
author: brenduns
ms.author: brenduns
manager: dougeby
-ms.date: 06/18/2024
+ms.date: 08/21/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: protect
@@ -63,6 +63,7 @@ Use *Windows elevation settings policy* when you want to:
- **Default elevation response** - Set a default response for an *elevation request* of any file that isn't managed by a *Windows elevation rule policy*. For this setting to have an effect, no rule can exist for the application **AND** an end user must *explicitly request* elevation through the *Run with elevated access* right-click menu. By default, this option isn't configured. If no setting is delivered, the EPM components fall back to their built-in default, which is to **deny all requests**.
Options include:
- **Deny all requests** - This option blocks the *elevate request* action for files that aren't defined in a Windows elevation rules policy.
- **Require user confirmation** - When user confirmation is required, you can choose from the same validation options as found for Windows elevation rules policy.
- **Require support approval** - When support approval is required, an administrator must approve elevation requests without a matching rule prior to the elevation being required.
@@ -74,6 +75,7 @@ Use *Windows elevation settings policy* when you want to:
- **Validation options** - Set validation options when the default elevation response is defined as *Require user confirmation*.
Options include:
- **Business justification** - This option requires the end user to provide a justification before completing an elevation that is facilitated by the default elevation response.
- **Windows authentication** - This option requires the end user to authenticate before completing an elevation that is facilitated by the default elevation response.
@@ -85,12 +87,14 @@ Use *Windows elevation settings policy* when you want to:
Diagnostic data is used by Microsoft to measure the health of the EPM client components. Usage data is used to show you elevations that happen within your tenant. For more information about the types of data and how it's stored, see [Data collection and privacy for Endpoint Privilege Management](../protect/epm-data-collection.md).
Options include:
- **Yes** - This option sends data to Microsoft based on the *Reporting Scope* setting.
- **No** - This option does not send data to Microsoft.
- **Reporting Scope** - This setting controls the amount of data being sent to Microsoft when *Send elevation data for reporting* is set to *Yes*. By default, *Diagnostic data and all endpoint elevations* is selected.
Options include:
- **Diagnostic data and managed elevations only** - This option sends diagnostic data to Microsoft about the health of the client components **AND** data about elevations being facilitated by Endpoint Privilege Management.
- **Diagnostic data and all endpoint elevations** - This option sends diagnostic data to Microsoft about the health of the client components **AND** data about *all* elevations happening on the endpoint.
- **Diagnostic data only** - This option sends only the diagnostic data to Microsoft about the health of the client components.
@@ -107,12 +111,16 @@ The following types of files are supported:
Each elevation rule instructs EPM on how to:
- **Identify the file using**:
- *File name (including extension).* The rule also supports optional conditions like a minimum build version, product name, or internal name. Optional conditions are used to further validate the file when elevation is attempted.
- *Certificate.* Certificates can be added directly to a rule, or by using a reusable settings group. When a certificate is used in a rule, it's also required to be valid. We recommend the use of reusable settings groups as they can be more efficient and simplify a future change to the certificate. For more information, see the next section [Reusable settings groups](#reusable-settings-group).
- **Validate the file**:
- *File hash.* A file hash is required for automatic rules. For user confirmed rules, you can choose to either use a certificate or a file hash, in which case the file hash becomes optional.
- *Certificate.* If a certificate is provided Windows API's are used to validate the certificate and revocation status.
- *Additional Properties.* Any additional properties specified in the rules must match.
- **Configure the files elevation type.** Elevation type identifies what happens when an elevation request is made for the file. By default, this option is set to *User confirmed*, which is our recommendation for elevations.
- **User confirmed** (Recommended): A user confirmed elevation always requires the user to click on a confirmation prompt to run the file. There are more user confirmations you can add. One requires users to authenticate using their organization credentials. Another option requires the user to enter a business justification. While the text entered for a justification is up to the user, EPM can collect and report it when the device is configured to report elevation data as part of its Windows elevation settings policy.
@@ -155,7 +163,7 @@ A device must have an elevation settings policy that enables support for EPM bef
### Create a Windows elevation settings policy
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Endpoint security** > **Endpoint Privilege Management** > select the **Policies** tab > and then select **Create Policy**.
- Set the *Platform* to **Windows 10 and later**, *Profile* to **Windows elevation settings policy**, and then select **Create**.
+ Set the *Platform* to **Windows**, *Profile* to **Windows elevation settings policy**, and then select **Create**.
2. On **Basics**, enter the following properties:
@@ -188,9 +196,7 @@ A device must have an elevation settings policy that enables support for EPM bef
4. On the **Scope tags** page, select any desired scope tags to apply, then select **Next**.
-5. For **Assignments**, select the groups that receive the policy. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).
- Select **Next**.
+5. For **Assignments**, select the groups that receive the policy. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md). Select **Next**.
6. For **Review + create**, review your settings and then select **Create**. When you select *Create*, your changes are saved, and the profile is assigned. The policy is also shown in the policy list.
@@ -203,10 +209,65 @@ Deploy a *Windows elevation rules policy* to users or devices to deploy one or m
- Specifies if the elevation type of the file as automatic (silently) or requiring user confirmation. With user confirmation, you can add additional user actions that must be completed before the file is run.
In addition to this policy, a device must also be assigned a Windows elevation settings policy that enables Endpoint Privilege Management.
-### Create a Windows elevation rules policy
+Use either of the following methods to create new elevation rules, which are added to elevation rules policy:
+- [**Automatically configure elevation rules**](#automatically-configure-elevation-rules-for-windows-elevation-rules-policy) – Use this method to save time when creating an elevation rule by auto-populating the file detection details that Intune has already collected. The file details are identified by Intune from either The *[Elevation report](../protect/epm-reports.md#elevation-report)* or from a *[support approved](../protect/epm-support-approved.md)* elevation requests record.
+ With this method, you:
+ - Select the file for which you want to create an elevation rule from the Elevation report or *support approved* elevation request.
+ - Choose to add the new elevation rule to an existing elevation rules policy or create a new elevation rules policy that includes the new rule.
+ - When added to an existing policy, the new rule is immediately available to the policies assigned groups.
+ - When a new policy is created, you must edit that policy to assign groups before it becomes available for use.
+- [**Manually configure elevation rules**](#manually-configure-elevation-rules-for-windows-elevation-rules-policy) – This method requires you to have identified the file details you want to use for detection and to manually enter them as part of the rule creation workflow. For information about detection criteria, see [Defining rules for use with Endpoint Privilege Management](../protect/epm-guidance-for-creating-rules.md#defining-rules-for-use-with-endpoint-privilege-management).
+ With this method, you:
+ - Manually determine the file details to use and then add them to the elevation rule for file identification.
+ - Configure all aspects of the policy during policy creation, including assigning the policy to groups for use.
+### Automatically configure elevation rules for Windows elevation rules policy
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Endpoint security** > **Endpoint Privilege Management**. To select a file to use for an elevation rule, choose one of the following starting paths:
+ **Start from a Report:**
+ 1. Select the **Reports** tab and then the **Elevation report** tile. Locate the file you want to create a rule for in the *File* column.
+ 2. Select the linked name of the file to open that files **Elevation detail** pane.
+ **Start from a support approved elevation request:**
+ 1. Select the **Elevation request** tab.
+ 2. From the *File* column, select the file that you want to use for the elevation rule, which opens that files **Elevation detail** pane.
+ The status of the elevation request doesn’t matter. You can use a pending request or one that was previously approved or denied.
+2. On the **Elevation detail** pane, review the file details. This information is used by the elevation rule to identify the correct file. When ready, select **Create a rule with these file details**.
+ :::image type="content" source="./media/epm-policies/elevation-detail-pane.png" alt-text="Image from the admin center UI of a file selected from the Elevation report." lightbox="./media/epm-policies/elevation-detail-pane.png":::
+3. Select a policy option for the new elevation rule you're creating:
+ **Create a new policy:**
+ This option creates a new policy that includes an elevation rule for the file you selected.
+ 1. For the rule, configure the **Type** and **Child process behavior**, and then select **OK** to create the policy.
+ 2. When prompted, provide a **Policy name** for the new policy and confirm creation of what will be a new and unassigned elevation rules policy.
+ 3. After the policy is created, you can edit the policy to assign it and add additional configurations if needed.
+ **Add to an existing policy:**
+ With this option, use the drop-down list and select an existing elevation policy to which the new elevation rule is added.
+ 1. For the rule, configure the elevation **Type** and **Child process behavior**, and then select **OK**. The policy is updated with the new rule.
+ 2. After the rule is added to the policy, you can edit the policy to gain access to the rule and then modify it to make additional configurations if needed.
+ :::image type="content" source="./media/epm-policies/create-a-rule.png" alt-text="Image from the admin center UI of the create a rule pane." lightbox="./media/epm-policies/create-a-rule.png":::
+### Manually configure elevation rules for Windows elevation rules policy
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Endpoint security** > **Endpoint Privilege Management** > select the **Policies** tab > and then select **Create Policy**.
- Set the *Platform* to **Windows 10 and later**, *Profile* to **Windows elevation rules policy**, and then select **Create**.
+ Set the *Platform* to **Windows**, *Profile* to **Windows elevation rules policy**, and then select **Create**.
2. On **Basics**, enter the following properties:
@@ -229,8 +290,10 @@ In addition to this policy, a device must also be assigned a Windows elevation s
- **Elevation type**: By default, this option is set to *User confirmed*, which is the elevation type we recommend for most files.
- **User confirmed**: We recommend this option for most rules. When a file is run, the user receives a simple prompt to confirm their intent to run the file. The rule can also include other prompts that are available from the *Validation* drop down:
- *Business justification*: Require the user to enter a justification for running the file. There's no required format for the entry. The user input is saved and can be reviewed through logs if the *Reporting scope* includes collection of endpoint elevations.
- *Windows authentication*: This option requires the user to authenticate using their organization credentials.
- **Automatic**: This elevation type automatically runs the file in question with elevated permissions. Automatic elevation is transparent to the user, without prompting for confirmation or requiring justification or authentication by the user.
@@ -255,9 +318,10 @@ In addition to this policy, a device must also be assigned a Windows elevation s
- **Use a certificate file in reusable settings** (Default): This option uses a certificate file that has been added to a reusable settings group for Endpoint Privilege Management. You must [create a reusable settings group](#reusable-settings-groups) before you can use this option.
- To identify the *Certificate*, select *Add or remove a certificate*, and then select the reusable group that contains the correct certificate. Then, specify the *Certificate type* of *Publisher* or *Certificate authority*.
+ To identify the *Certificate*, select *Add or remove a certificate*, and then select the reusable group that contains the correct certificate. Then, specify the *Certificate type* of *Publisher* or *Certificate authority*.
- **Upload a certificate file**: Add a certificate file directly to the elevation rule. For *File upload*, specify a **.cer** file that can validate the integrity of the file that this rule applies to. Then, specify the *Certificate type* of *Publisher* or *Certificate authority*.
- **Not configured**: Use this option when you don't want to use a certificate to validate the integrity of the file. When no certificate is used, you must provide a *file hash*.
- **File hash**: The file hash is required when Signature source is set to *Not configured*, and optional when set to use a certificate.
@@ -270,8 +334,7 @@ In addition to this policy, a device must also be assigned a Windows elevation s
4. On the **Scope tags** page, select any desired scope tags to apply, then select **Next**.
-5. For **Assignments**, select the groups that receive the policy. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).
- Select **Next**.
+5. For **Assignments**, select the groups that receive the policy. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md). Select **Next**.
6. In **Review + create**, review your settings and then select **Create**. When you select *Create*, your changes are saved, and the profile is assigned. The policy is also shown in the policy list.
@@ -314,7 +377,7 @@ If a device receives two rules targeting the same application, both rules are co
- Rules deployed to a user take precedence over rules deployed to a device.
- Rules with a hash defined are always deemed the most *specific* rule.
- If more than one rule applies (with no hash defined), the rule with the most defined attributes wins (most *specific*).
-- If applying the above logic results in more than one rule, the following order determines the elevation behavior: User Confirmed, Support Approved, and then Automatic.
+- If applying the proceeding logic results in more than one rule, the following order determines the elevation behavior: User Confirmed, Support Approved, and then Automatic.
> [!NOTE]
> If a rule does not exist for an elevation and that elevation was requested through the *Run with elevated access* right-click context menu, then the *Default Elevation Behavior* will be used.
diff --git a/memdocs/intune/protect/epm-support-approved.md b/memdocs/intune/protect/epm-support-approved.md
index 2f27e4b4763..241a511c097 100644
--- a/memdocs/intune/protect/epm-support-approved.md
+++ b/memdocs/intune/protect/epm-support-approved.md
@@ -101,7 +101,7 @@ For more information about all the permissions for managing EPM, see [Role-based
## Create policy for support approved file elevations
-To create support-approved elevation policy, use the same workflow for creating other EPM elevation rule policies. See [Create a Windows elevation rules policy](../protect/epm-policies.md#create-a-windows-elevation-rules-policy) in *Configure policies for Endpoint Privilege Management*.
+To create support-approved elevation policy, use the same workflow for creating other EPM elevation rule policies. See [Windows elevation rules policy](../protect/epm-policies.md#windows-elevation-rules-policy) in *Configure policies for Endpoint Privilege Management*.
## Manage pending elevation requests
@@ -112,22 +112,22 @@ Use the following procedure as guidance for reviewing and managing elevation req
1. The elevation request details include the following information:
1. **General details**:
- 1. **File** - The name of the file that was requested for elevation.
- 1. **Publisher** - The name of the publisher that signed the file that was requested for elevation. The name of the publisher is a link that retrieves the certificate chain for the file for download.
- 1. **Device** - The device where the elevation was requested from. The device name is a link that opens the device object in the admin center.
- 1. **Intune compliant** - The Intune compliance state of the device.
+ - **File** - The name of the file that was requested for elevation.
+ - **Publisher** - The name of the publisher that signed the file that was requested for elevation. The name of the publisher is a link that retrieves the certificate chain for the file for download.
+ - **Device** - The device where the elevation was requested from. The device name is a link that opens the device object in the admin center.
+ - **Intune compliant** - The Intune compliance state of the device.
1. **Request details**:
- 1. **Status** - Status of the request. Requests start as *Pending* and can be either *approved* or *denied* by an administrator.
- 1. **By** - The account of the administrator who *approved* or *denied* the request.
- 1. **Last modified** - The last time the request entry was modified.
- 1. **User's justification** - The justification provided by the user for the elevation request.
- 1. **Approval expiration** - The time that the approval expires. Until this expiry time is reached, elevation of the approved file is allowed.
- 1. **Admin's reason** - Justification provided by the admin when an *approval* or *denial* is completed.
+ - **Status** - Status of the request. Requests start as *Pending* and can be either *approved* or *denied* by an administrator.
+ - **By** - The account of the administrator who *approved* or *denied* the request.
+ - **Last modified** - The last time the request entry was modified.
+ - **User's justification** - The justification provided by the user for the elevation request.
+ - **Approval expiration** - The time that the approval expires. Until this expiry time is reached, elevation of the approved file is allowed.
+ - **Admin's reason** - Justification provided by the admin when an *approval* or *denial* is completed.
1. **File information** - Specifics of the metadata for the file that was requested for approval.
- :::image type="content" source="./media/epm-support-approved/sample-request-detail.png" alt-text="Image that displays the detail of an elevation request." lightbox="./media/epm-support-approved/sample-request-detail.png":::
+ :::image type="content" source="./media/epm-support-approved/sample-request-detail.png" alt-text="Image that displays the detail of an elevation request." lightbox="./media/epm-support-approved/sample-request-detail.png":::
1. After an admin reviews a request, they can select **Approve** or **Deny**. With either selection, they're presented with the **justification** dialog where they can provide a *Reason* with detail about their decision. Providing a reason is optional. The following displays the approval dialog:
diff --git a/memdocs/intune/protect/jamf-managed-device-compliance-with-entra-id.md b/memdocs/intune/protect/jamf-managed-device-compliance-with-entra-id.md
index 861146c4765..71023dfbca6 100644
--- a/memdocs/intune/protect/jamf-managed-device-compliance-with-entra-id.md
+++ b/memdocs/intune/protect/jamf-managed-device-compliance-with-entra-id.md
@@ -39,7 +39,7 @@ The process to establish integration between Jamf Pro and Microsoft Intune is ev
> **Jamf macOS device support for Conditional Access is being deprecated**.
-> Beginning on September 1, 2024, the platform that Jamf Pro's Conditional Access feature is built on will no longer be supported.
+> Beginning on January 31, 2025, the platform that Jamf Pro's Conditional Access feature is built on will no longer be supported.
> If you use Jamf Pro's Conditional Access integration for macOS devices, follow Jamf's documented guidelines to migrate your devices to Device Compliance integration at [***Migrating from macOS Conditional Access to macOS Device Compliance – Jamf Pro Documentation***](https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Conditional_Access.html#ariaid-title6).
diff --git a/memdocs/intune/protect/managed-software-updates-ios-macos.md b/memdocs/intune/protect/managed-software-updates-ios-macos.md
index 400322ad431..b74d79f5da1 100644
--- a/memdocs/intune/protect/managed-software-updates-ios-macos.md
+++ b/memdocs/intune/protect/managed-software-updates-ios-macos.md
@@ -7,7 +7,7 @@ keywords:
author: Smritib17
ms.author: smbhardwaj
manager: dougeby
-ms.date: 06/17/2024
+ms.date: 08/21/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: protect
@@ -125,23 +125,27 @@ Managed software updates have precedence over other policies that configure soft
:::image type="content" source="./media/managed-software-updates-ios-macos/ddm-software-update-category.png" alt-text="Screenshot that shows the settings catalog software update settings for Apple devices in Microsoft Intune.":::
-1. Configure the settings:
+7. Configure the settings:
- **Details URL**: Enter a web page URL that has more information on the update. Typically, this URL is a web page hosted by your organization that users can select if they need organization-specific help with the update.
- **Target Build Version**: Enter the target build version to update the device to, like `20A242`. The build version can include a supplemental version identifier, like `20A242a`.
If the build version you enter isn't consistent with the **Target OS Version** value you enter, then the **Target OS Version** value takes precedence.
- - **Target Date Time (UTC)**: Select or manually enter the date and the time that specifies when to force the installation of the software update.
+ - **Target Date Time**: Select or manually enter the date and the time that specifies when to force the installation of the software update.
+ > [!NOTE]
+ > In a future release, the **UTC** text is being removed from the **Target Date Time** setting in the settings catalog UI.
- The **Target Date Time (UTC)** setting schedules the update using the UTC timezone. This will take the configured time and convert it to UTC before sending the policy to be scheduled in the device's local timezone. For example, an Admin located in Eastern US configures an update to install at 2PM. The Eastern US timezone is 5 hours behind UTC, so the time would be converted to 5 hours after 2PM (EST) which is 7PM (UTC). Then, the policy will schedule the update to happen at 7PM in the local timezone of devices that receive the policy.
+ The **Target Date Time** setting schedules the update using the local timezone of the device. For example, an admin configures an update to install at 2PM. The policy schedules the update to happen at 2PM in the local timezone of devices that receive the policy.
- If the user doesn't trigger the software update before this time, then a one-minute countdown prompt is shown to the user. When the countdown ends, the device force installs the update and forces a restart.
- If the device is powered off when the deadline is met, when the device powers back on, there's a one hour grace period. When the grace period ends, the device force installs the update and forces a restart.
- > If you create a policy using this setting before the January 2024 release, then this setting shows *Invalid Date* for the value. The updates are still scheduled correctly and use the values you originally configured, even though it shows *Invalid Date*.
- > To configure a new date and time, you can delete the *Invalid Date* values, and select a new date and time. Or, you can create a new policy. If you create a new policy, to help avoid future confusion, remove the values in the original policy.
+ > If you create a policy using this setting before the January 2024 release, then this setting shows **Invalid Date** for the value. The updates are still scheduled correctly and use the values you originally configured, even though it shows **Invalid Date**.
+ >
+ > To configure a new date and time, you can delete the **Invalid Date** values, and select a new date and time. Or, you can create a new policy. If you create a new policy, to help avoid future confusion, remove the values in the original policy.
- **Target OS Version**: Select or manually enter the target OS version to update the device to. This value is the OS version number, like `16.1`. You can also include a supplemental version identifier, like `16.1.1`.
@@ -162,7 +166,7 @@ Managed software updates have precedence over other policies that configure soft
## Monitoring managed software updates
-Managed software updates use the same reporting as device configuration policies. For more information, go to [Monitor device configuration policies.](../configuration/device-profile-monitor.md).
+Managed software updates use the same reporting as device configuration policies. For more information, go to [Monitor device configuration policies](../configuration/device-profile-monitor.md).
> A policy that reports Success only means that the configuration successfully installed on the device. Monitor the OS version of targeted devices to ensure that they update. After devices have updated to a later OS version than configured in the policy, the policy will report error as the device sees this as an attempt to downgrade. It's recommended to remove the older OS version policy from devices in this state.
diff --git a/memdocs/intune/protect/media/actions-for-noncompliance/actions-for-noncompliance-1.png b/memdocs/intune/protect/media/actions-for-noncompliance/actions-for-noncompliance-1.png
deleted file mode 100644
index 7cc5dc7d816..00000000000
Binary files a/memdocs/intune/protect/media/actions-for-noncompliance/actions-for-noncompliance-1.png and /dev/null differ
diff --git a/memdocs/intune/protect/media/actions-for-noncompliance/actions-for-noncompliance-2.png b/memdocs/intune/protect/media/actions-for-noncompliance/actions-for-noncompliance-2.png
deleted file mode 100644
index 8144f8161d3..00000000000
Binary files a/memdocs/intune/protect/media/actions-for-noncompliance/actions-for-noncompliance-2.png and /dev/null differ
diff --git a/memdocs/intune/protect/media/actions-for-noncompliance/actions-for-noncompliance-4.png b/memdocs/intune/protect/media/actions-for-noncompliance/actions-for-noncompliance-4.png
deleted file mode 100644
index 8e16af2dde5..00000000000
Binary files a/memdocs/intune/protect/media/actions-for-noncompliance/actions-for-noncompliance-4.png and /dev/null differ
diff --git a/memdocs/intune/protect/media/compliance-policy-monitor/idc-10.png b/memdocs/intune/protect/media/compliance-policy-monitor/idc-10.png
deleted file mode 100644
index 2cbc2d26108..00000000000
Binary files a/memdocs/intune/protect/media/compliance-policy-monitor/idc-10.png and /dev/null differ
diff --git a/memdocs/intune/protect/media/compliance-policy-monitor/idc-8.png b/memdocs/intune/protect/media/compliance-policy-monitor/idc-8.png
deleted file mode 100644
index dd0b397872b..00000000000
Binary files a/memdocs/intune/protect/media/compliance-policy-monitor/idc-8.png and /dev/null differ
diff --git a/memdocs/intune/protect/media/encrypt-devices-filevault/force-enable-in-setup-assistant.png b/memdocs/intune/protect/media/encrypt-devices-filevault/force-enable-in-setup-assistant.png
deleted file mode 100644
index 51f45b6ec16..00000000000
Binary files a/memdocs/intune/protect/media/encrypt-devices-filevault/force-enable-in-setup-assistant.png and /dev/null differ
diff --git a/memdocs/intune/protect/media/endpoint-security-firewall-rule-tool/downloadtool.png b/memdocs/intune/protect/media/endpoint-security-firewall-rule-tool/downloadtool.png
deleted file mode 100644
index 05ab5af4147..00000000000
Binary files a/memdocs/intune/protect/media/endpoint-security-firewall-rule-tool/downloadtool.png and /dev/null differ
diff --git a/memdocs/intune/protect/media/epm-policies/create-a-rule.png b/memdocs/intune/protect/media/epm-policies/create-a-rule.png
new file mode 100644
index 00000000000..d9c381426f2
Binary files /dev/null and b/memdocs/intune/protect/media/epm-policies/create-a-rule.png differ
diff --git a/memdocs/intune/protect/media/epm-policies/elevation-detail-pane.png b/memdocs/intune/protect/media/epm-policies/elevation-detail-pane.png
new file mode 100644
index 00000000000..3914dc6c11e
Binary files /dev/null and b/memdocs/intune/protect/media/epm-policies/elevation-detail-pane.png differ
diff --git a/memdocs/intune/protect/media/microsoft-cloud-pki-delete/image-10.png b/memdocs/intune/protect/media/microsoft-cloud-pki-delete/image-10.png
deleted file mode 100644
index 8d0a7692fe8..00000000000
Binary files a/memdocs/intune/protect/media/microsoft-cloud-pki-delete/image-10.png and /dev/null differ
diff --git a/memdocs/intune/protect/media/microsoft-cloud-pki/cloud-pki-byoca-certificate-flow.png b/memdocs/intune/protect/media/microsoft-cloud-pki/cloud-pki-byoca-certificate-flow.png
deleted file mode 100644
index a860cc56ad6..00000000000
Binary files a/memdocs/intune/protect/media/microsoft-cloud-pki/cloud-pki-byoca-certificate-flow.png and /dev/null differ
diff --git a/memdocs/intune/protect/media/microsoft-cloud-pki/cloud-pki-byoca-workflow.png b/memdocs/intune/protect/media/microsoft-cloud-pki/cloud-pki-byoca-workflow.png
deleted file mode 100644
index 903a0df199f..00000000000
Binary files a/memdocs/intune/protect/media/microsoft-cloud-pki/cloud-pki-byoca-workflow.png and /dev/null differ
diff --git a/memdocs/intune/protect/media/microsoft-cloud-pki/create-cloud-pki-basics.png b/memdocs/intune/protect/media/microsoft-cloud-pki/create-cloud-pki-basics.png
deleted file mode 100644
index d83aca0180a..00000000000
Binary files a/memdocs/intune/protect/media/microsoft-cloud-pki/create-cloud-pki-basics.png and /dev/null differ
diff --git a/memdocs/intune/protect/microsoft-cloud-pki-configure-byoca.md b/memdocs/intune/protect/microsoft-cloud-pki-configure-byoca.md
index 9437ecbfcd9..d8698c2357b 100644
--- a/memdocs/intune/protect/microsoft-cloud-pki-configure-byoca.md
+++ b/memdocs/intune/protect/microsoft-cloud-pki-configure-byoca.md
@@ -349,5 +349,8 @@ Create an SCEP certificate profile for each OS platform you're targeting, like y
- **Extended Key Usage**: Microsoft Cloud PKI doesn't support the **Any Purpose** option.
+ > [!NOTE]
+ > Make sure the EKU(s) you select is configured on the Cloud PKI issuing certificate authority (CA). If you select an EKU that isn't present on the Cloud PKI issuing CA, then an error occurs with the SCEP profile. And, a certificate isn't issued to the device.
- **SCEP Server URLs**: Don't combine NDES/SCEP URLs with Microsoft Cloud PKI issuing CA SCEP URLs.
1. Assign and review the profile. When you're ready to finalize everything, select **Create**.
diff --git a/memdocs/intune/protect/microsoft-cloud-pki-configure-ca.md b/memdocs/intune/protect/microsoft-cloud-pki-configure-ca.md
index 93f2424886d..688c965017a 100644
--- a/memdocs/intune/protect/microsoft-cloud-pki-configure-ca.md
+++ b/memdocs/intune/protect/microsoft-cloud-pki-configure-ca.md
@@ -246,7 +246,10 @@ Just like you did for the trusted certificate profiles, create an SCEP certifica
1. Configure the remaining settings, following these best practices:
- **Subject name format**: Ensure the variables specified are available on the user or device object in Microsoft Entra ID. For example, if the target user of this profile doesn't have an email address attribute but the email address in this profile is filled in, the certificate won't be issued. An error also appears in the SCEP certificate profile report.
- - **Extended Key Usage**: Microsoft Cloud PKI doesn't support the **Any Purpose** option.
+ - **Extended Key Usage** (EKU): Microsoft Cloud PKI doesn't support the **Any Purpose** option.
+ > [!NOTE]
+ > Make sure the EKU(s) you select is configured on the Cloud PKI issuing certificate authority (CA). If you select an EKU that isn't present on the Cloud PKI issuing CA, then an error occurs with the SCEP profile. And, a certificate isn't issued to the device.
- **SCEP Server URLs**: Don't combine NDES and SCEP URLs with Microsoft Cloud PKI issuing CA SCEP URLs.
diff --git a/memdocs/intune/protect/microsoft-cloud-pki-delete.md b/memdocs/intune/protect/microsoft-cloud-pki-delete.md
index 503ad4fe533..44d76241484 100644
--- a/memdocs/intune/protect/microsoft-cloud-pki-delete.md
+++ b/memdocs/intune/protect/microsoft-cloud-pki-delete.md
@@ -34,7 +34,7 @@ ms.collection:
Delete an issuing and root certification authority (CA) from the Microsoft Cloud PKI service in Microsoft Intune. You can use the following actions in the Microsoft Intune admin center to manage certification authorities (CAs) in your tenant:
* Pause CA - Pause the CA to stop use of it.
-* Revoke CA - Revoke the CA and its active leaf certificates.
+* Revoke CA - Revoke all active leaf certificates and then revoke the CA.
* Delete CA - Delete and remove the CA from Microsoft Intune.
A root CA can't be deleted until all anchored issuing CAs are deleted. If you change your mind after you pause a CA, you can unpause it to resume use. However, revoking and deleting a CA are permanent actions and can't be undone.
diff --git a/memdocs/intune/protect/microsoft-tunnel-prerequisites.md b/memdocs/intune/protect/microsoft-tunnel-prerequisites.md
index 84e293c8d3a..f16f3120c2d 100644
--- a/memdocs/intune/protect/microsoft-tunnel-prerequisites.md
+++ b/memdocs/intune/protect/microsoft-tunnel-prerequisites.md
@@ -379,7 +379,7 @@ You can configure Podman to use the proxy to download (pull) updated images for
`systemctl edit --force mstunnel_monitor`
-2. Add the following four lines to the file. Replace each instance of *[address]* with your proxy DN or address, and then save the file:
+2. Add the following three lines to the file. Replace each instance of *[address]* with your proxy DN or address, and then save the file:
diff --git a/memdocs/intune/protect/mobile-threat-defense.md b/memdocs/intune/protect/mobile-threat-defense.md
index e9e88b32ab2..bcfbcf3977c 100644
--- a/memdocs/intune/protect/mobile-threat-defense.md
+++ b/memdocs/intune/protect/mobile-threat-defense.md
@@ -8,7 +8,7 @@ keywords:
author: brenduns
ms.author: brenduns
manager: dougeby
-ms.date: 04/22/2024
+ms.date: 08/21/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: protect
@@ -20,7 +20,7 @@ ms.assetid: ac77b590-a7ec-45a0-9516-ebf5243b6210
-ms.reviewer: aanavath
+ms.reviewer: demerson
ms.suite: ems
search.appverid: MET150
@@ -41,9 +41,18 @@ Intune can integrate data from a Mobile Threat Defense (MTD) vendor as an inform
Intune can use this same data as a source for unenrolled devices using Intune app protection policies. As such, admins can use this information to help protect corporate data within a [Microsoft Intune protected app](../apps/apps-supported-intune-apps.md), and issue a block or selective wipe.
-> [!NOTE]
-> Intune for GCC High only supports the Mobile Threat Defense (MTD) connector for Android and iOS devices with MTD vendors that also have support in this environment. You will see connectors enabled for those specific vendors when you log in with a GCC-H tenant. Learn more about [Microsoft Intune for US Government GCC High support](/enterprise-mobility-security/solutions/ems-intune-govt-service-description).
+## Government cloud support
+Mobile Threat Defense (MTD) connectors for Android and iOS/iPadOS devices are available in the following sovereign clouds, provided that the MTD partners also support these environments. Upon logging into your tenant, you'll be able to view the available connectors in that specific environment:
+- U.S. Government Community Cloud (GCC) High
+- 21Vianet
+Learn more about Intune and government clouds:
+- [Microsoft Intune for US Government GCC High support](/enterprise-mobility-security/solutions/ems-intune-govt-service-description)
+- [Microsoft Intune for US Government GCC High and DoD service description](../fundamentals/intune-govt-service-description.md)
+- [Microsoft Intune operated by 21Vianet in China](../fundamentals/china.md)
## Protect corporate resources
@@ -64,7 +73,7 @@ Once you add a Mobile Threat Defense connector to your tenant, the status displa
| Connector status | Definition | Device threat messages blocked? | AppSync request messages blocked? |
| **Unavailable**| Connector is/was deprovisioned. The MTD partner needs to talk to Intune to provision it once more. | Yes (starting 2308) | Yes (starting 2308) |
-| **Not Set Up**| Connector setup isn't complete. There may be additional steps or permissions required within Intune or the MTD partner for this status to change to **Available** | Yes (starting 2309) | Yes (starting 2309) |
+| **Not Set Up**| Connector setup isn't complete. There may be additional steps or permissions required within Intune or the MTD partner for this status to change to **Available** | Yes (starting 2309) | Yes (starting 2309) |
| **Available**| Connector setup is complete. At least one platform toggle must be turned on for this status to change to **Enabled**. | No | No |
| **Enabled**| Connector setup is complete, and at least one platform toggle is currently turned on for this connector. | No | No |
| **Unresponsive**| Connector isn't responsive. If the connector status continues to be unresponsive for the days defined in **Number of days until partner is unresponsive**, Intune ignores the compliance state.| No | No |
@@ -135,5 +144,4 @@ Learn how to protect access to company resource based on device, network, and ap
- [Trellix Mobile Security](trellix-mobile-threat-defense-connector.md)
- [Trend Micro Mobile Security as a Service](trend-micro-mobile-threat-defense-connector.md)
- [Windows Security Center](../apps/protect-mam-windows.md) *(Supports integration with Windows MAM)*
-- [Zimperium](zimperium-mobile-threat-defense-connector.md)
+- [Zimperium](zimperium-mobile-threat-defense-connector.md)
\ No newline at end of file
diff --git a/memdocs/intune/protect/mtd-device-compliance-policy-create.md b/memdocs/intune/protect/mtd-device-compliance-policy-create.md
index 862aa70957f..b01e390470e 100644
--- a/memdocs/intune/protect/mtd-device-compliance-policy-create.md
+++ b/memdocs/intune/protect/mtd-device-compliance-policy-create.md
@@ -8,7 +8,7 @@ keywords:
author: brenduns
ms.author: brenduns
manager: dougeby
-ms.date: 11/01/2023
+ms.date: 08/22/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: protect
@@ -52,13 +52,13 @@ With integration complete and the partner policy in place, you can then create I
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Select **Endpoint security** > **Device Compliance** > **Create policy**.
+2. Select **Endpoint security** > **Device compliance** > **Create policy**.
3. Select the **Platform**:
- For most platforms, the *Profile type* is automatically set. If not automatically set, select the appropriate Profile type.
- To continue, select **Create**.
-4. On **Basics**, specify a device compliance policy **Name**, and **Description** (optional). Select **Next** to continue.
+4. On **Basics**, specify a device compliance policy **Name**, and **Description** (optional). Select **Next** to continue.
5. On **Compliance settings**, expand and configure **Device Health**. Choose a threat-level from the drop-down list for **Require the device to be at or under the Device Threat Level**.
@@ -74,7 +74,7 @@ With integration complete and the partner policy in place, you can then create I
6. On the **Actions for noncompliance** tab, specify a sequence of actions to apply automatically to devices that don't meet this compliance policy.
- You can add multiple actions and configure schedules and other details for some actions. For example, you might change the schedule of the default action *Mark device noncompliant* to occur after one day. You can then add an action to send an email to the user when the device isn't compliant to warn them of that status. You can also add actions that lock or retire devices that remain noncompliant.
+ You can add multiple actions and configure schedules and other details for some actions. For example, you might change the schedule of the default action *Mark device noncompliant* to occur after one day. You can then add an action to send an email to the user when the device isn't compliant to warn them of that status. You can also add actions that lock or retire devices that remain noncompliant.
For information about the actions you can configure, see [Add actions for noncompliant devices](actions-for-noncompliance.md), including how to create notification emails to send to your users.
@@ -88,7 +88,7 @@ With integration complete and the partner policy in place, you can then create I
## Monitoring risk score sent by Mobile Threat Defense partner
-Your Mobile Threat Defense partner can send a risk score for each device for which the MTD app is installed. You can view this under **Reports** > **Device compliance** > **Reports** > **Device Compliance**. Make sure **Device threat level** is selected when opening the **Columns** tab, this may require you to hit **Generate** first.
+Your Mobile Threat Defense partner can send a risk score for each device for which the MTD app is installed. You can view this under **Reports** > **Device compliance** > **Reports** > **Device Compliance**. Make sure **Device threat level** is selected when opening the **Columns** tab, this may require you to hit **Generate** first.
diff --git a/memdocs/intune/protect/network-access-control-integrate.md b/memdocs/intune/protect/network-access-control-integrate.md
index b8d93c11321..49d1995a26f 100644
--- a/memdocs/intune/protect/network-access-control-integrate.md
+++ b/memdocs/intune/protect/network-access-control-integrate.md
@@ -7,7 +7,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 07/24/2023
+ms.date: 08/21/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: protect
@@ -36,7 +36,7 @@ ms.collection:
Intune integrates with network access control (NAC) partners to help organizations secure corporate data when devices try to access on-premises resources.
-> A new NAC service (CR service) was released in July 2021 and many of our NAC partners are transitioning to this new service. While we have extended the timeline for supporting the legacy NAC service through **March 31, 2024**, we recommend you to migrate to the new CR service to avoid service disruption.Currently, the following NAC partner product supports the new NAC service:
+> The *compliance retrieval service* was released in July 2021 and replaced the previous Intune NAC service. Microsoft Intune is providing support for the legacy Intune NAC service through March 31, 2024. Our NAC partners are transitioning to the compliance retrieval service and include:
> - ExtremeCloud Universal ZTNA
> - Extreme Networks ExtremeCloud IQ-Site Engine version 24.2
@@ -52,7 +52,7 @@ Intune integrates with network access control (NAC) partners to help organizatio
> - Forescout eyeExtend Microsoft Module v1.0.1 and later
> - Portnox Cloud
-> Contact your NAC partner if you have questions on the impact of this transition. For more information, see our [blog post on the new compliance retrieval service](https://aka.ms/new-compliance-retrieval-api/).
+> We will be deprecating the Intune NAC service in the future, so we recommend that you migrate to the compliance retrieval service to avoid service disruption. Contact your NAC solution provider if you have questions about the compliance retrieval service or impact to your tenant. For more information and updates about the compliance retrieval service and NAC partners, see [Microsoft Tech Community: New Microsoft Intune service for network access control](https://techcommunity.microsoft.com/t5/intune-customer-success/new-microsoft-intune-service-for-network-access-control/ba-p/2544696).
## How do Intune and NAC solutions help protect your organization resources?
@@ -98,16 +98,16 @@ The following list is an overview on how NAC integration works when integrated w
## Enable NAC
-To enable use of NAC and the *compliance retrieval service* that became available in July 2021, reference your NAC product's most recent documentation for enabling NAC integration with Intune. This integration might require you to make changes after you upgrade to their new NAC product or version.
+To enable use of NAC and the compliance retrieval service, reference your NAC product's most recent documentation for enabling NAC integration with Intune. This integration might require you to make changes after you upgrade to a new NAC product or version.
The compliance retrieval service requires certificate-based authentication and the use of the *Intune device ID* as the subject alternative name of the certificates. For Simple Certificate Enrollment Protocol (SCEP) and Private and public key pair (PKCS) certificates, you can add an attribute of the **URI** type with a value defined by your NAC provider. For example, your NAC provider's instructions might say to include `IntuneDeviceId://{{DeviceID}}`as the **Subject alternative name**.
Other NAC products might require you include a device ID when using NAC with iOS VPN profiles.
-> [!NOTE]
-> We have now added support for querying devices based on Mac addresses for customers who are unable to use certificate-based authentication. However, our recommendation is to use certificate-based authentication with Intune device id wherever possible.
+> [!TIP]
+> We recommend using certificate-based authentication with the Intune device ID wherever possible. If you're unable to use certificate-based authentication, Intune supports querying devices based on MAC addresses.
-To learn more about certificate profiles, see: [Use SCEP certificate profiles with Microsoft Intune](../protect/certificates-profile-scep.md) and [Use a PKCS certificate profile to provision devices with certificates in Microsoft Intune](../protect/certificates-pfx-configure.md)
+For more information about certificate profiles, see [Use SCEP certificate profiles with Microsoft Intune](../protect/certificates-profile-scep.md) and [Use a PKCS certificate profile to provision devices with certificates in Microsoft Intune](../protect/certificates-pfx-configure.md).
## Data shared with NAC partners
diff --git a/memdocs/intune/protect/reusable-settings-groups.md b/memdocs/intune/protect/reusable-settings-groups.md
index 7e00b3964d5..ad90f4b98ec 100644
--- a/memdocs/intune/protect/reusable-settings-groups.md
+++ b/memdocs/intune/protect/reusable-settings-groups.md
@@ -7,7 +7,7 @@ keywords:
author: brenduns
ms.author: brenduns
manager: dougeby
-ms.date: 04/08/2024
+ms.date: 08/19/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: protect
@@ -62,11 +62,11 @@ The following profiles support use of reusable settings groups:
**Endpoint security policy**
- **Firewall** > **Windows Firewall rules**:
- - Platforms: Windows 10, Windows 11, and Windows Server
+ - Platforms: Windows
- Windows versions: Devices must run Windows 10 20H2 or later, or Windows 11
- **Attack surface reduction** > **Device control**:
- - Platforms: Windows 10, Windows 11, and Windows Server
+ - Platforms: Windows
**Endpoint Privilege Management**
diff --git a/memdocs/intune/protect/security-baselines-configure.md b/memdocs/intune/protect/security-baselines-configure.md
index 38b6690fae9..fe4712dd0c4 100644
--- a/memdocs/intune/protect/security-baselines-configure.md
+++ b/memdocs/intune/protect/security-baselines-configure.md
@@ -181,9 +181,9 @@ With the information from the export, you can rapidly reconfigure the new baseli
:::image type="content" source="./media/security-baselines-configure/csv-export-of-baseline-configuration.png" alt-text="Screen shot that shows an export of the Microsoft Edge baseline profile as a .csv file." lightbox="./media/security-baselines-configure/csv-export-of-baseline-configuration.png":::
- In the preceding image, there are three columns of information. The information identifies the settings in the new profile, and the configuration for each of them that you had in the old profile.
+ In the preceding image, there are three columns of information. The information identifies the settings in the old profile, and the configuration for each of them that you had in the old profile.
- - **DefinitionId** – This column displays the settings registry name. The information after the underscore ( _ ) identifies the settings name as it appears in the new baseline profile and format, but without spaces in the name. This value is also the name of the CSP setting that this baseline setting manages.
+ - **DefinitionId** – This column displays the settings registry name. The information after the underscore ( _ ) identifies the settings name as it appears in the old baseline profile and format, but without spaces in the name. This value is also the name of the CSP setting that this baseline setting manages.
For example, our modified setting of *Enable site isolation for every site* appears in this export as *admx--microsoftedge_SitePerProcess*. The last portion, *SitePerProcess*, helps identify the setting.
diff --git a/memdocs/intune/protect/security-baselines-monitor.md b/memdocs/intune/protect/security-baselines-monitor.md
index 9358b2cdccc..9884caaf3bc 100644
--- a/memdocs/intune/protect/security-baselines-monitor.md
+++ b/memdocs/intune/protect/security-baselines-monitor.md
@@ -1,18 +1,18 @@
# required metadata
-title: Check for the success or failure of security baselines in Microsoft Intune
-description: Monitor the device and per-setting results of security baselines you deploy with Microsoft Intune, and identify when multiple baselines that apply to the same device result in conflicts.
+title: Monitor security baselines deployed by Microsoft Intune
+description: Monitor device and per-setting results of security baselines you deploy with Microsoft Intune, and identify conflicts for devices.
author: brenduns
ms.author: brenduns
manager: dougeby
-ms.date: 10/09/2023
+ms.date: 08/22/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: protect
ms.localizationpriority: high
# optional metadata
@@ -55,7 +55,7 @@ For more information about the feature, see [Security baselines in Intune](secur
> The following information applies to profile versions released in May 2023 or later. To view information for profile versions released prior to May 2023, see [Monitor profiles for baseline versions released before May 2023](#monitor-profiles-for-baseline-versions-released-before-may-2023), later in this article.
-When you select a security baseline profile that you’ve deployed, you can gain insights into the security state of devices that received that baseline. To view these insights, sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** > **Security baselines** and select a security baseline type like the *Microsoft 365 Apps for Enterprise Security Baseline*. Then, from the *Profiles* pane, select the profile instance for which you want to view details to open the profiles dashboard view.
+When you select a security baseline profile that you've deployed, you can gain insights into the security state of devices that received that baseline. To view these insights, sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** > **Security baselines** and select a security baseline type like the *Microsoft 365 Apps for Enterprise Security Baseline*. Then, from the *Profiles* pane, select the profile instance for which you want to view details to open the profiles dashboard view.
:::image type="content" source="./media/security-baselines-monitor/view-baseline-policy-details.png" alt-text="View the dashboard for a security baseline profile.":::
@@ -84,7 +84,7 @@ You can filter this report view for specific *Assignment status* values, and the
If you select the name of a device from the *Device name* column, Intune displays the *Profile Settings* view where you can view that devices status results for each setting in the security baseline. Next, from the Profile Settings page, you can select a setting to view more details, which is useful when a device reports a result for any setting other than *Succeeded*.
-In the following image, we have drilled in on EAGLE003, the only device to show success for the baseline, and then selected the setting *Add-on Management*:
+In the following image, we drill in on EAGLE003, the only device to show success for the baseline, and then selected the setting *Add-on Management*:
:::image type="content" source="./media/security-baselines-monitor/drill-in-for-setting-details-pane.png" alt-text="View a devices' reported status for each setting in the baseline.":::
@@ -92,7 +92,7 @@ On the settings Setting Details pane, we can see each profile that is assigned t
For this device, there's only one source profile that manages the Add-on-management setting. If there were other profiles that configured this setting, those profiles would also be listed as a Source Profile.
-Should this setting have been in conflict, this view can help you identify the other profiles so you can then reconcile a consistent configuration, or later baseline profile assignments to remove the conflict.
+Should this setting be in conflict, this view can help you identify the other profiles so you can then reconcile a consistent configuration, or later baseline profile assignments to remove the conflict.
### Device assignment status report
diff --git a/memdocs/intune/protect/trellix-mobile-threat-defense-connector.md b/memdocs/intune/protect/trellix-mobile-threat-defense-connector.md
index 9f2f4284fbf..f4cf2248900 100644
--- a/memdocs/intune/protect/trellix-mobile-threat-defense-connector.md
+++ b/memdocs/intune/protect/trellix-mobile-threat-defense-connector.md
@@ -8,7 +8,7 @@ keywords:
author: brenduns
ms.author: brenduns
manager: dougeby
-ms.date: 10/18/2023
+ms.date: 08/23/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: protect
diff --git a/memdocs/intune/protect/trellix-mtd-connector-integration.md b/memdocs/intune/protect/trellix-mtd-connector-integration.md
index b1e33572b89..f30f57b5bfd 100644
--- a/memdocs/intune/protect/trellix-mtd-connector-integration.md
+++ b/memdocs/intune/protect/trellix-mtd-connector-integration.md
@@ -8,7 +8,7 @@ keywords:
author: brenduns
ms.author: brenduns
manager: dougeby
-ms.date: 10/18/2023
+ms.date: 08/23/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: protect
diff --git a/memdocs/intune/remote-actions/devices-wipe.md b/memdocs/intune/remote-actions/devices-wipe.md
index 96a3d2c617e..1abf5f91df7 100644
--- a/memdocs/intune/remote-actions/devices-wipe.md
+++ b/memdocs/intune/remote-actions/devices-wipe.md
@@ -7,7 +7,7 @@ keywords:
author: Smritib17
ms.author: smbhardwaj
manager: dougeby
-ms.date: 06/27/2024
+ms.date: 08/15/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: remote-actions
@@ -35,9 +35,9 @@ By using the **Retire** or **Wipe** actions, you can remove devices from Intune
## Wipe
-The **Wipe** device action restores a device to its factory default settings. The user data is kept if you choose the **Retain enrollment state and user account** checkbox. Otherwise, all data, apps, and settings are removed.
+The **Wipe** device action restores a device to its factory default settings. The user data is kept if you choose the **Wipe device, but keep enrollment state and associated user account** checkbox. Otherwise, all data, apps, and settings are removed.
-|Wipe action|**Retain enrollment state and user account**|Removed from Intune management|Description|
+|Wipe action|**Wipe device, but keep enrollment state and associated user account**|Removed from Intune management|Description|
|**Wipe**| Not checked | Yes | Wipes all user accounts, data, MDM policies, and settings. Resets the operating system to its default state and settings.|
|**Wipe**| Checked | No | Wipes all MDM Policies. Keeps user accounts and data. Resets user settings back to default. Resets the operating system to its default state and settings.|
@@ -208,7 +208,7 @@ If you want to remove devices from the Intune admin center, you can delete them
| OS | Enrollment Type | Action triggered |
| Android | Device administrator | RETIRE - All Profiles are deleted, Company Portal (CP) app is signed out. |
-| Android | Personally-owned devices with work profile | RETIRE - All Profiles are deleted, CP app is deleted. |
+| Android | Personally owned devices with work profile | RETIRE - All Profiles are deleted, CP app is deleted. |
| Android | Corporate-owned devices with work profile | WIPE |
| Android | Dedicated devices | WIPE |
| Android | Dedicated w/ Entra ID Shared Mode | WIPE |
diff --git a/memdocs/intune/remote-actions/organizational-messages-cancel.md b/memdocs/intune/remote-actions/organizational-messages-cancel.md
deleted file mode 100644
index 15e5aa44440..00000000000
--- a/memdocs/intune/remote-actions/organizational-messages-cancel.md
+++ /dev/null
@@ -1,59 +0,0 @@
-# required metadata
-title: Cancel or delete organizational message | Microsoft Intune
-description: Cancel or delete an organizational message in the Microsoft Intune admin center.
-author: Lenewsad
-ms.author: lanewsad
-manager: dougeby
-ms.date: 04/02/2024
-ms.topic: how-to
-ms.service: microsoft-intune
-ms.subservice: fundamentals
-ms.localizationpriority: medium
-# optional metadata
-ms.suite: ems
-search.appverid: MET150
-ms.custom: intune-azure
-- tier2
-- M365-identity-device-management
-# Cancel or delete organizational messages
-*Applies to Windows 11*
-Cancel or delete an organizational message that you no longer need in Microsoft Intune.
-## Cancel message
-Cancel an active or scheduled organizational message. Cancelling stops active messages from being sent to additional surfaces and devices. It stops scheduled messages from being sent at all.
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Go to **Tenant administration** > **Organizational messages**.
-2. Select the **Message** tab.
-3. Find your message in the table and scroll to the end of the row.
-3. Select the (**...**) context menu > **Cancel**.
-## Delete message
-Delete an organizational message from Microsoft Intune. Deleted messages are removed from your inventory and are no longer visible in the admin center. You can delete a message anytime, regardless of its status. This action is permanent and can't be undone.
-Intune automatically cancels active messages after you delete them, and stops the delivery of future messages. Messages that were delivered and cached prior to deletion could still appear to device users.
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Go to **Tenant administration** > **Organizational messages**.
-2. Select the **Message** tab.
-3. Find your message in the table and scroll to the end of the row.
-3. Select the (**...**) context menu > **Delete**.
-This action requires the *Organizational Messages/Delete* permission. Be sure to assign the permission to the custom admin roles in your tenant that need it. For more information about adding permissions to custom roles, see [Custom role permissions](../fundamentals/create-custom-role.md#custom-role-permissions).
-## Learn more about organizational messages
-For frequently asked questions, known issues, and limitations, see [Overview of organizational messages](organizational-messages-overview.md).
\ No newline at end of file
diff --git a/memdocs/intune/remote-actions/organizational-messages-create.md b/memdocs/intune/remote-actions/organizational-messages-create.md
deleted file mode 100644
index b703cac8d1d..00000000000
--- a/memdocs/intune/remote-actions/organizational-messages-create.md
+++ /dev/null
@@ -1,187 +0,0 @@
-# required metadata
-title: Create organizational messages | Microsoft Intune
-description: Create and manage organizational messages in the Microsoft Intune admin center.
-author: Lenewsad
-ms.author: lanewsad
-manager: dougeby
-ms.date: 04/02/2024
-ms.topic: how-to
-ms.service: microsoft-intune
-ms.subservice: fundamentals
-ms.localizationpriority: medium
-# optional metadata
-ms.suite: ems
-search.appverid: MET150
-ms.custom: intune-azure
-- tier2
-- M365-identity-device-management
-# Create organizational messages
-*Applies to Windows 11*
-Create, edit, and monitor [organizational messages](organizational-messages-overview.md) in the Microsoft Intune admin center. You can send important messages and call-to-actions to employees on Windows 11 devices managed by Microsoft Intune.
-This article describes how to create the following types of organizational messages:
- * Taskbar messages
- * Notification area messages
- * Get Started app messages
-## Before you begin
-Complete these steps before creating a message.
-### Review overview and prerequisites
-Make sure your tenant is set up to support organizational messages.
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Go to **Tenant administration** > **Organizational messages**.
-3. Spend some time in the **Overview** tab to learn about messaging options and prerequisites.
-### Confirm license requirements
-Confirm that your tenant has the license required to support organizational messages. This step only has to be done once. You must be assigned the [Organization/Update permission](../fundamentals/create-custom-role.md#custom-role-permissions) or be a Microsoft Entra Global Administrator to complete this step.
-1. Go to the **Message** tab.
-2. Review and verify that your tenant meets all licensing requirements. Select **I confirm that my organization owns the appropriate license and I understand the Windows device requirements.**
-3. Select **Confirm**.
-## Step 1: Create a message
-# [Taskbar](#tab/taskbar)
-Create and configure a message for the taskbar area.
-1. Go to the **Message** tab and select **Create**.
-2. For **Message type**, select **Taskbar**.
-3. For **Message theme**, select the type of message you want to create. Your options:
- * **Mandatory update**: Prompt employees to install a mandatory update.
- * **Security update**: Prompt employees to review information about an important security update.
- * **Important action**: Prompt employees to review an important action they need to take.
- * **Important information**: Prompt employees to review important information from your organization.
- * **Key meeting**: Prompt employees to review highlights from a recent meeting.
- * **Latest video**: Prompt employees to review important video updates.
- * **Leadership updates**: Prompt employees to review important updates from leadership.
- * **Team updates**: Prompt employees to review important updates from their team.
- * **Planned outage**: Prompt employees to review information about an upcoming outage.
-4. Select **OK**.
-5. On the **Message** page, select **Add a logo**, and then choose an image file. For requirements, see [Logo requirements](organizational-messages-prerequisites.md#logo-requirements).
-6. **Provide a link for the message**: To include a URL link in your message:
- 1. Enter your custom URL. Example: `www.contoso.com/SoftwareUpdate`
- 2. Select the full generated link to make sure it works.
-7. **Choose language to preview**: Select a language to preview the localized version of your message. The message is shown to employees in the [display language](https://support.microsoft.com/windows/manage-the-input-and-display-language-settings-in-windows-12a10cb4-8626-9b77-0ccb-5013e0c7c7a2) they've selected on their device. Organizational messages are supported in 15 languages. If the employee's preferred language isn't supported, the message will appear in their preferred fallback language.
-8. **Preview the message in dark theme**: Turn on the toggle to view how your message appears in dark theme. Check to make sure your logo shows up correctly in both light and dark theme.
-9. Select **Next: Schedule** to continue to scheduling options.
-# [Notification area](#tab/notification)
-Create and configure a message for the notification area.
-1. Go to the **Message** tab and select **Create**.
-2. For **Message type**, select **Notification area**.
-3. For **Message theme**, select the type of message you want to create. Your options:
- * **Organizational HR training**: Prompt users to complete HR training.
- * **Organizational skills training**: Prompt users to complete skill-specific training.
- * **Organizational training**: Prompt users to complete training provided by your organization.
- * **Organizational update**: Prompt users to install an update from your organization.
- * **Update browser**: Prompt users to update their browser.
- * **Update device**: Prompt users to update their device.
-3. Select **OK**.
-4. On the **Message** page, select **Add a logo**, and then choose an image file. For requirements, see [Logo requirements](organizational-messages-prerequisites.md#logo-requirements).
-5. **Provide a link for the message**: To include a URL link in your message:
- 1. Enter your custom URL. Example: `www.contoso.com/SoftwareUpdate`
- 2. Select the full generated link to make sure it works.
-6. **Choose language to preview**: Select a language to preview the localized version of your message. The message is shown to employees in the [display language](https://support.microsoft.com/windows/manage-the-input-and-display-language-settings-in-windows-12a10cb4-8626-9b77-0ccb-5013e0c7c7a2) they've selected on their device. Organizational messages are supported in 15 languages. If the employee's preferred language isn't supported, the message will appear in their preferred fallback language.
-7. **Preview the message in dark theme**: Turn on the toggle to view how your message appears in dark theme. Check to make sure your logo shows up correctly in both light and dark theme.
-8. Select **Next: Schedule** to continue to scheduling options.
-# [Get Started app](#tab/get-started)
-Create and configure a message for the Get Started app.
-1. Go to the **Message** tab and select **Create**.
-2. For **Message type**, select **Get Started app**.
-3. Select **OK**.
-4. On the **Message** page, select **Add a logo**, and then choose an image file. For requirements, see [Logo requirements](organizational-messages-prerequisites.md#logo-requirements).
-5. Choose **Select messages**. You must select two messages to show to users.
- 1. Select **Add your first message**.
- 2. Choose a theme for your message. Options include:
- * **Review benefits**
- * **Review organization**
- * **Get started with device**
- 3. **Provide a link for the message**: To include a URL link in your message:
- 1. Enter your custom URL. Example: `www.contoso.com/SoftwareUpdate`
- 2. Select the full generated link to make sure it works.
- 4. Select **OK**.
- 5. Select **Add your second message**. Options include:
- * **Organizational training**
- * **Organization policies**
- * **Help resources**
- * **Update VPN**
- 6. Provide a link for the message like you did for the first one. Select the generated link to make sure it works.
- 7. Select **OK**.
-6. **Choose language to preview**: Select a language to preview the localized version of your message. The message is shown to employees in the [display language](https://support.microsoft.com/windows/manage-the-input-and-display-language-settings-in-windows-12a10cb4-8626-9b77-0ccb-5013e0c7c7a2) they've selected on their device. Organizational messages are supported in 15 languages. If the employee's preferred language isn't supported, the message will be shown to them in their preferred fallback language.
-7. **Preview the message in dark theme**: Turn on the toggle to view how your message appears in dark theme. Check to make sure your logo shows up correctly in both light and dark theme.
-8. Select **Next: Schedule** to continue to scheduling options.
-## Step 2: Schedule a message
-# [Taskbar / Notification area](#tab/taskbar+notification)
-On the **Schedule** page, schedule the delivery of your message.
-1. Configure the delivery time window. Your options:
- * **First day to show message**: Select when to first show the message. To ensure that delivery begins when you want it to, configure this setting 24 hours before you want the message to appear.
- * **Last day to show message**: Select the last day to show the message. This date must be at least 7 days after the start date.
-2. Select **Next: Assignments** to continue to assignment options.
-# [Get Started app](#tab/get-started)
-On the **Schedule** page, schedule the delivery of your message.
-1. Configure the **Message repeat frequency**. Select how often you want the message to reappear after employees dismiss it. The message will initially go away when the employee dismisses it or completes the call-to-action, but will reappear at the frequency you select here. Your options:
- * **Once a week**
- * **Once every two weeks**
- * **Once a month**
-2. Turn on the **Always on** toggle to make messages visible in the Get Started app.
-3. Select **Next: Assignments** to continue to assignment options.
-## Step 3: Add scope tags
-Optionally, add scope tags to control which administrators can see, edit, cancel, or delete messages in Intune. Choose **Select scope tags** to add scope tags to the message. Select **Remove** to delete scope tags from the message.
-For more information about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT in Intune](../fundamentals/scope-tags.md).
-> Intune only enforces scope tags and scope groups for messages created in Intune, and for admins with Intune roles.
-## Step 4: Assign message
-Assign the message to Microsoft Entra registered users in your organization. You can assign the message to Microsoft Entra user groups, not Microsoft Entra device groups. If a group includes both users and devices, Intune will only send the message to the users.
-1. To include groups in the assignment, you have two options:
- * **Add groups**: Select this option to individually choose from a list of Microsoft Entra groups.
- * **Include all users**: Select the option to assign the message to all Microsoft Entra registered users.
-2. If needed, exclude Microsoft Entra groups from the assignment. Under **Exclude**, select **Add groups** and choose the Microsoft Entra groups to leave out.
-3. Select **Next: Review + Create** to review and finalize your message.
-## Step 5: Review and create message
-Review your message, scheduling details, and assignments before creating your message. When you're ready to send the message, select **Create**.
-Return to **Organizational messages** and select the **Message** tab to view or edit your new message.
-## Edit scheduled message
-You can edit the properties of a message that's in a scheduled state.
-1. Go to **Organizational messages** > **Messages**.
-2. Select the name of the message you want to edit.
-2. A summary of the message opens, and shows the message properties. Next to **Summary**, select **Edit**.
-3. Make changes to the properties.
-4. Select **Save**.
-## Next steps
-* Monitor and track the status and user engagement details for scheduled organizational messages. For more information, see [View reporting details for organizational messages](organizational-messages-reporting.md).
-* [Cancel or delete an organizational message](organizational-messages-cancel.md) that's no longer needed.
-* For frequently asked questions, known issues, and limitations, see [Overview of organizational messages](organizational-messages-overview.md).
diff --git a/memdocs/intune/remote-actions/organizational-messages-overview.md b/memdocs/intune/remote-actions/organizational-messages-overview.md
deleted file mode 100644
index 598c1693172..00000000000
--- a/memdocs/intune/remote-actions/organizational-messages-overview.md
+++ /dev/null
@@ -1,93 +0,0 @@
-# required metadata
-title: Overview of organizational messages in Microsoft Intune | Microsoft Docs
-description: Learn more about the features and capabilities of organizational messages.
-author: Lenewsad
-ms.author: lanewsad
-manager: dougeby
-ms.date: 04/02/2024
-ms.topic: conceptual
-ms.service: microsoft-intune
-ms.subservice: fundamentals
-ms.localizationpriority: medium
-# optional metadata
-ms.suite: ems
-search.appverid: MET150
-ms.custom: intune-azure
-- tier2
-- M365-identity-device-management
-# Organizational messages in Microsoft Intune
-*Applies to Windows 11*
-Use organizational messages to send important messages to employees on Intune-managed Windows 11 devices. Organizational messages can be used to communicate in remote and hybrid work scenarios and is intended to help employees:
-* Acclimate to new roles.
-* Learn more about their workplace.
-* Stay informed of new and required updates and trainings.
-Organizational messages appear in highly visible places in Windows 11, including the Get Started app, notification area, and just above the taskbar. This article provides an overview of organizational messages, with known issues, limitations, and FAQs.
-## How it works
-Microsoft Intune provides you with pre-written messages in templates designed for the taskbar area, notification area, and Get Started app. You can add a custom destination URL in the message to link employees to additional resources or the next step in their onboarding process. You must include a logo so that employees recognize and know the message is from you.
-Messages are assigned to Microsoft Entra users and scheduled in the admin center. After you create a message, you can track the delivery status and user engagement data for it, and cancel the message if it's no longer needed.
-## Message types
-You can create the following types of messages:
-* Taskbar messages: These messages appear just above the desktop taskbar. Taskbar messages are disruptive and good to use when you need to deliver an important notification, like a critical software update. A device user can dismiss the message, but it reappears at the frequency you configure in Intune until they go to the included URL.
-* Notification area messages: These messages appear in the Notification Center. They typically pop up and then disappear, and are good for linking employees to informational resources, such as new and available trainings or optional updates. The message reappears at the frequency you configure in Intune until the user goes to the included URL. The device user's Windows 11 Focus Assist settings may disrupt the visibility of notification area messages.
-* Get Started app messages: These messages appear in the Get Started app. The device user sees this message after they enroll their device, and then open the Get Started app. Use this type of message to welcome new employees and link them to resources like benefits information, essential employee trainings, device tips, policies, and support information. The message keeps showing up at the frequency you configure in Intune until the user goes to the included URL.
-## Prerequisites
-For all tenant, role, and policy requirements for organizational messages see [Prerequisites](organizational-messages-prerequisites.md).
-## Known issues and limitations
-Organizational messages have the following known issues and limitations:
-* Assigning messages to devices and mixed groups isn't supported. If an assigned group includes both users and devices, Intune will only send the message to the users.
-* If you recently onboarded your tenant to Microsoft Entra ID, it can take 36 to 64 hours before you're able to use the organizational messages feature.
-* When you create an organizational message for the Get Started app, Microsoft Intune automatically sets the delivery end date to 12/31/2035, which is shown in the profile summary. The message will be delivered to targeted groups until that date or until you cancel the message.
-* Message priority isn't supported. If you schedule multiple messages of the same type for the same time window, targeted employees will receive the messages in a random order.
-## Frequently asked questions
-This section answers frequently asked questions (FAQ) for organizational messages.
-### Can I customize message text?
-No, we'll generate the message based on the theme you select. You can add a custom URL to the message to link people to more detailed information.
-### What do I need to do if I don't have the correct permissions?
-Contact someone in your organization who is a Microsoft Entra Global Administrator, Intune Administrator, or Intune Role Administrator and ask them to assign one of the following roles:
- * Microsoft Entra Global Administrator
- * Intune Administrator
- * Organizational messages manager (Microsoft Intune role)
- * Organizational messages writer (Microsoft Entra role)
-### Why do I need to update other policies before I create a message?
-The required policies described in [Prerequisites](organizational-messages-prerequisites.md) control access to the taskbar, notification area, and Get Started app. If the settings are blocked or not configured as described, employees will not receive the messages.
-### Can I control the order in which messages are delivered?
-You can schedule messages to arrive at different times on a device by selecting a unique delivery window for each message. If you schedule the same time for multiple messages, the messages will arrive in random order.
-### Where can I share an idea for organizational messages or suggest an improvement?
-In the Microsoft Intune admin center, select the **Feedback** icon that's next to your account name at the top of the page. Rate your experience and then describe your experience or idea. If you're okay with getting a response from Microsoft, select **Microsoft can email you about your feedback.**
-For other support options, see [How to get support in Microsoft Intune admin center](../../get-support.md).
-## Next steps
-Complete the [prerequisites for organizational messages](organizational-messages-prerequisites.md) to enable the feature in your tenant.
diff --git a/memdocs/intune/remote-actions/organizational-messages-prerequisites.md b/memdocs/intune/remote-actions/organizational-messages-prerequisites.md
deleted file mode 100644
index d086719c441..00000000000
--- a/memdocs/intune/remote-actions/organizational-messages-prerequisites.md
+++ /dev/null
@@ -1,132 +0,0 @@
-# required metadata
-title: Prerequisites for organizational messages | Microsoft Intune
-description: Find out what's required to use organizational messages in Microsoft Intune.
-author: Lenewsad
-ms.author: lanewsad
-manager: dougeby
-ms.date: 04/02/2024
-ms.topic: how-to
-ms.service: microsoft-intune
-ms.subservice: fundamentals
-ms.localizationpriority: medium
-# optional metadata
-ms.suite: ems
-search.appverid: MET150
-ms.custom: intune-azure
-- tier2
-- M365-identity-device-management
-# Organizational messages prerequisites
-*Applies to Windows 11*
-This article describes the tenant, message, and configuration requirements for organizational messages. Employees will not receive messages until you complete all prerequisites.
-## Version requirements
-Organizational messages are supported on devices running [Windows 11, version 22H2 or later](https://blogs.windows.com/windowsexperience/2022/09/20/how-to-get-the-windows-11-2022-update/).
-## Licensing requirements
-The organizational message feature is included with the following licenses:
-* Microsoft 365 E3
-* Microsoft 365 E5
-* Windows 10/11 Enterprise E3 with Microsoft Intune Plan 1
-* Windows 10/11 Enterprise E5 with Microsoft Intune Plan 1
-For more information about license options, see [Microsoft Intune licensing](../fundamentals/licenses.md).
-## Role-based access control requirements
-To create organizational messages in Microsoft Intune, you must be assigned one of these roles:
-* Organizational Messages Manager, a Microsoft Intune built-in role
-* Organizational Messages Writer, a Microsoft Entra built-in role
-* Intune Administrator, a Microsoft Entra built-in role
-You can also create a custom role for people managing organization messages by using role-based access control (RBAC). For more information about how to use built-in roles and custom roles, see [RBAC with Microsoft Intune](../fundamentals/role-based-access-control.md).
-## Logo requirements
-Logos must meet these requirements:
-* PNG file
-* Transparent background
-* Size requirements:
- * Taskbar messages: 64 x 64 pixels
- * Notification area messages: 48 x 48 pixels
- * Get Started app messages: 50 pixels long x 50 - 100 pixels wide
-## Policy requirements
-There are certain experience and Windows Spotlight policies in Microsoft Intune that block the delivery of organizational messages. This section describes how to adjust all settings so that delivery is always allowed and works as intended.
-### Organizational messages delivery policy
-> This policy is required for devices running [Windows 11, version 22H2, build 10.0.22621.900](https://support.microsoft.com/help/5020044) and later. If you don't enable this policy, these devices can't receive organizational messages. The policy isn't required on devices running earlier builds.
-Enable the delivery of organizational messages in all new and existing policies that are targeted at users and devices receiving organizational messages.
- 1. Go to **Settings catalog** > **Experience** > **Enable delivery of organizational messages (User)**.
- 2. For **Enable delivery of organizational messages**, switch the toggle to **Enabled**.
-### Windows Spotlight policy
- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and configure the Windows Spotlight policies using a Microsoft Intune [device restrictions profile template](../configuration/device-restrictions-configure.md) or the [settings catalog](../configuration/settings-catalog.md). Make sure to adjust these policies in all new and existing policies that are targeted at users and devices receiving organizational messages.
-> [!NOTE]
-> If you use the Windows 10/11 MDM security baseline, you will need to change the **Windows Spotlight** policy to **Not configured**. The Windows Spotlight policy controls organizational messages and messages coming from Microsoft. To continue blocking messages from Microsoft as defined in the Windows 10/11 MDM security baseline, [configure the Microsoft messaging policy](organizational-messages-prerequisites.md#microsoft-messaging-policy).
-#### Template profiles
-Go to **Devices** > **By platform** > **Windows** > **Manage devices** > **Configuration**, and in a new or existing template profile, select **Device restrictions** > **Windows Spotlight**.
-* To allow taskbar messages:
- * **Windows Spotlight**: Select **Not configured**.
- * **Windows Tips**: Select **Not configured**.
-* To allow notification area messages:
- * **Windows Spotlight**: Select **Not configured**.
- * **Windows Spotlight in action center**: Select **Not configured**.
-* To allow Get Started app messages:
- * **Windows Spotlight**: Select **Not configured**.
-#### Settings catalog profiles
-In a new or existing Windows configuration profile, select **Settings catalog** > **Add settings**. Use the **Settings picker** to add the settings to your profile. Then adjust the setting toggles as needed under **Configuration settings**.
-All of these settings are in the settings catalog, in the **Experience** category.
-* To allow taskbar messages:
- * Add **Allow Windows Spotlight (User)**: Switch the toggle to **Allow**.
- * Add **Allow Windows Tips**: Switch the toggle to **Allow**.
-* To allow notification area messages:
- * Add **Allow Windows Spotlight (User)**: Switch the toggle to **Allow**.
- * Add **Allow Windows Spotlight on Action Center (User)**: Switch the toggle to **Allow**.
-* To allow Get Started app messages:
- * Add **Allow Windows Spotlight (User)**: Switch the toggle to **Allow**.
- * Add **Disable Cloud Optimized Content**: Switch the toggle to **Disabled**.
-#### Policy CSP
-The configuration service provider (CSP) policies available for Windows 11 include:
-* [Experience/AllowWindowsSpotlight](/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsspotlight)
-* [Experience/AllowWindowsTips](/windows/client-management/mdm/policy-csp-experience#experience-allowwindowstips)
-* [Experience/AllowWindowsSpotlightOnActionCenter](/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsspotlightonactioncenter)
-* [Experience/DisableCloudOptimizedContent](/windows/client-management/mdm/policy-csp-experience#experience-disablecloudoptimizedcontent)
-### Microsoft messaging policy
-If you currently block messages that come from Microsoft, you can continue to do so while also allowing organizational messages to come through.
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Go to **Tenant administration** > **Organizational messages**.
-2. In the **Overview** tab, go to step 2 under **Before you create a message**.
-3. **Decide whether to block messages directly from Microsoft, while allowing admin messages to display**: Switch the toggle to **Allow** to allow both Microsoft messages and organizational messages. Switch the toggle to **Block** to block Microsoft messages and allow organizational messages.
-## Attention: New Microsoft Entra tenants
-If you recently created your Microsoft Entra tenant, the organizational messages feature won't be available to use right away. It will become available 36 to 64 hours after you create the tenant.
-## Next steps
-Now that prerequisites are complete, you can [create organizational messages](organizational-messages-create.md) in Microsoft Intune.
diff --git a/memdocs/intune/remote-actions/organizational-messages-reporting.md b/memdocs/intune/remote-actions/organizational-messages-reporting.md
deleted file mode 100644
index 8c20ed0c947..00000000000
--- a/memdocs/intune/remote-actions/organizational-messages-reporting.md
+++ /dev/null
@@ -1,75 +0,0 @@
-# required metadata
-title: View reporting details for organizational messages | Microsoft Intune
-description: View the reporting details for existing organizational messages in the Microsoft Intune admin center.
-author: Lenewsad
-ms.author: lanewsad
-manager: dougeby
-ms.date: 04/02/2024
-ms.topic: how-to
-ms.service: microsoft-intune
-ms.subservice: fundamentals
-ms.localizationpriority: medium
-# optional metadata
-ms.suite: ems
-search.appverid: MET150
-ms.custom: intune-azure
-- tier2
-- M365-identity-device-management
-# View reporting details for organizational messages
-*Applies to Windows 11*
-View the details of your organizational messages in the Microsoft Intune admin center.
-## Access message details
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Go to **Tenant administration** > **Organizational messages**.
-3. Select the **Message** tab to see a list of all existing messages and message details.
-### Available details
-Message details include:
- * **Message type**: Shows whether the message is for the taskbar, notification area, or Get Started app. Select the hyperlink to see your message, schedule, and assignment settings.
- * **Message theme**: Shows the theme you chose for the message.
- * **Date created**: Shows the date and time you created the message.
- * **Status** Shows the status of the message, which includes:
- * **Active**: The message is currently being shown to users according to your schedule.
- * **Pending**: The message hasn't been scheduled yet and is currently in progress.
- * **Scheduled**: The message isn't currently being shown to users but has been scheduled.
- * **Canceled**: The message was canceled and is no longer scheduled to go out to users.
- * **Completed**: The message was sent out during the scheduled time and is done being shown.
- * **Failed**: The message failed to schedule due to a service error.
- * **Start date**: Shows the start date for the message.
- * **End date** Shows the end date for the message.
- * **Times shown**: Shows an estimate of the total number of times the message has been shown to users in the past 180 days.
- * **Times clicked**: Shows an estimate of the total number of times users clicked the message in the past 180 days.
- * **Click-through rate**: Shows how often, in percentage, that users clicked the message when shown. This data is determined by dividing times clicked by times shown.
- ## Access audit logs
- Use audit logs to track and monitor organizational message events in Microsoft Intune. Audit logs contain a record of activities that generate a change in Microsoft Intune. The following organizational message actions create audit events:
- * Assign
- * Create
- * Delete
- * Update (edit)
- To access audit logs, go to **Tenant administration** > **Audit logs**. Available logs are shown in the table. Select **Filter** to filter logs by category. The category for organizational messages is **OrganizationalMessage**.
- For more information about audit logs, see [Use audit logs to track and monitor events in Microsoft Intune](../fundamentals/monitor-audit-logs.md).
-## Learn more about organizational messages
-For frequently asked questions, known issues, and limitations, see [Overview of organizational messages](organizational-messages-overview.md).
diff --git a/memdocs/intune/toc.yml b/memdocs/intune/toc.yml
index d0447afa92f..258112b2c92 100644
--- a/memdocs/intune/toc.yml
+++ b/memdocs/intune/toc.yml
@@ -390,8 +390,6 @@ items:
href: ./apps/store-apps-microsoft.md
- name: Microsoft store apps (legacy)
href: ./apps/store-apps-windows.md
- - name: Microsoft Store for Business apps
- href: ./apps/windows-store-for-business.md
- name: Managed Google Play apps
href: ./apps/apps-add-android-for-work.md
- name: Microsoft 365 Suite
@@ -669,8 +667,6 @@ items:
href: ./protect/mde-security-integration.md
- name: Manage endpoint security policies in Microsoft Defender
href: /defender-endpoint/manage-security-policies?toc=/mem/intune/toc.json&bc=/mem/breadcrumb/toc.json
- - name: Firewall rule migration
- href: ./protect/endpoint-security-firewall-rule-tool.md
- name: Tenant attach
href: ./protect/tenant-attach-intune.md
- name: Encrypt disks
@@ -1733,18 +1729,6 @@ items:
href: ./remote-actions/remove-apps-config.md
- name: Pause config refresh
href: ./remote-actions/pause-config-refresh.md
- - name: Send organizational messages
- items:
- - name: Overview
- href: ./remote-actions/organizational-messages-overview.md
- - name: Prerequisites for organizational messages
- href: ./remote-actions/organizational-messages-prerequisites.md
- - name: Create organizational messages
- href: ./remote-actions/organizational-messages-create.md
- - name: Cancel or delete organizational message
- href: ./remote-actions/organizational-messages-cancel.md
- - name: Monitor organizational messages
- href: ./remote-actions/organizational-messages-reporting.md
- name: Bulk device actions
href: ./remote-actions/bulk-device-actions.md
- name: Troubleshooting
diff --git a/memdocs/intune/user-help/media/1804_remote_lock_Windows_CPapp_05.png b/memdocs/intune/user-help/media/1804_remote_lock_Windows_CPapp_05.png
deleted file mode 100644
index aad3b152f31..00000000000
Binary files a/memdocs/intune/user-help/media/1804_remote_lock_Windows_CPapp_05.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/1809_CheckAccess_Checking_Status.png b/memdocs/intune/user-help/media/1809_CheckAccess_Checking_Status.png
deleted file mode 100644
index 8903554edd3..00000000000
Binary files a/memdocs/intune/user-help/media/1809_CheckAccess_Checking_Status.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/1809_CheckAccess_Context_Menu_Alert2.png b/memdocs/intune/user-help/media/1809_CheckAccess_Context_Menu_Alert2.png
deleted file mode 100644
index 71545ea6876..00000000000
Binary files a/memdocs/intune/user-help/media/1809_CheckAccess_Context_Menu_Alert2.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/1809_CheckAccess_Context_Select_Device.png b/memdocs/intune/user-help/media/1809_CheckAccess_Context_Select_Device.png
deleted file mode 100644
index ea3e6426651..00000000000
Binary files a/memdocs/intune/user-help/media/1809_CheckAccess_Context_Select_Device.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/1809_CheckAccess_Device_details_alert1.png b/memdocs/intune/user-help/media/1809_CheckAccess_Device_details_alert1.png
deleted file mode 100644
index f5e813a854d..00000000000
Binary files a/memdocs/intune/user-help/media/1809_CheckAccess_Device_details_alert1.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/1809_CheckAccess_Device_details_button.png b/memdocs/intune/user-help/media/1809_CheckAccess_Device_details_button.png
deleted file mode 100644
index 854dab51a8d..00000000000
Binary files a/memdocs/intune/user-help/media/1809_CheckAccess_Device_details_button.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/1809_CheckAccess_Device_details_status1.png b/memdocs/intune/user-help/media/1809_CheckAccess_Device_details_status1.png
deleted file mode 100644
index 24c0aed0367..00000000000
Binary files a/memdocs/intune/user-help/media/1809_CheckAccess_Device_details_status1.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/1809_DeviceContextMenu_Windows_CP.png b/memdocs/intune/user-help/media/1809_DeviceContextMenu_Windows_CP.png
deleted file mode 100644
index d0224eebaa9..00000000000
Binary files a/memdocs/intune/user-help/media/1809_DeviceContextMenu_Windows_CP.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/1812_UCP_Help_Support_sections.png b/memdocs/intune/user-help/media/1812_UCP_Help_Support_sections.png
deleted file mode 100644
index b3ccf018ac8..00000000000
Binary files a/memdocs/intune/user-help/media/1812_UCP_Help_Support_sections.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/RS1_HoloLens_SettingsRS1_Accounts_06.png b/memdocs/intune/user-help/media/RS1_HoloLens_SettingsRS1_Accounts_06.png
deleted file mode 100644
index f59c2aced16..00000000000
Binary files a/memdocs/intune/user-help/media/RS1_HoloLens_SettingsRS1_Accounts_06.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/RS1_HoloLens_SyncRS1_Sync_08.png b/memdocs/intune/user-help/media/RS1_HoloLens_SyncRS1_Sync_08.png
deleted file mode 100644
index e4f02b2fd79..00000000000
Binary files a/memdocs/intune/user-help/media/RS1_HoloLens_SyncRS1_Sync_08.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/W81-1-workplacejoin.png b/memdocs/intune/user-help/media/W81-1-workplacejoin.png
deleted file mode 100644
index 91951d886d5..00000000000
Binary files a/memdocs/intune/user-help/media/W81-1-workplacejoin.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/W81-2-workplacesettings_signin.png b/memdocs/intune/user-help/media/W81-2-workplacesettings_signin.png
deleted file mode 100644
index 321f01d346d..00000000000
Binary files a/memdocs/intune/user-help/media/W81-2-workplacesettings_signin.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/W81-3-dev-mgt-turn-on.png b/memdocs/intune/user-help/media/W81-3-dev-mgt-turn-on.png
deleted file mode 100644
index 47eb68d75fe..00000000000
Binary files a/memdocs/intune/user-help/media/W81-3-dev-mgt-turn-on.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/W81-4-agree-allow-apps-services.png b/memdocs/intune/user-help/media/W81-4-agree-allow-apps-services.png
deleted file mode 100644
index 2f06d2ea01e..00000000000
Binary files a/memdocs/intune/user-help/media/W81-4-agree-allow-apps-services.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/W81-5-enrolled-done.png b/memdocs/intune/user-help/media/W81-5-enrolled-done.png
deleted file mode 100644
index dd5605b4759..00000000000
Binary files a/memdocs/intune/user-help/media/W81-5-enrolled-done.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/and-enroll-12-tem-datalert-setup.png b/memdocs/intune/user-help/media/and-enroll-12-tem-datalert-setup.png
deleted file mode 100644
index a9bc0a37319..00000000000
Binary files a/memdocs/intune/user-help/media/and-enroll-12-tem-datalert-setup.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/and-enroll-12a-tem-datalert-enroll-msft-account.png b/memdocs/intune/user-help/media/and-enroll-12a-tem-datalert-enroll-msft-account.png
deleted file mode 100644
index 1d285d6cc1b..00000000000
Binary files a/memdocs/intune/user-help/media/and-enroll-12a-tem-datalert-enroll-msft-account.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/and-enroll-12b-tem-datalert-enroll-select-msft-account.png b/memdocs/intune/user-help/media/and-enroll-12b-tem-datalert-enroll-select-msft-account.png
deleted file mode 100644
index 6cc683c7d68..00000000000
Binary files a/memdocs/intune/user-help/media/and-enroll-12b-tem-datalert-enroll-select-msft-account.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/and-enroll-13-tem-datalert-phone-number.png b/memdocs/intune/user-help/media/and-enroll-13-tem-datalert-phone-number.png
deleted file mode 100644
index 4214845fa24..00000000000
Binary files a/memdocs/intune/user-help/media/and-enroll-13-tem-datalert-phone-number.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/and-enroll-14-tem-datalert-sms.png b/memdocs/intune/user-help/media/and-enroll-14-tem-datalert-sms.png
deleted file mode 100644
index 687f2561855..00000000000
Binary files a/memdocs/intune/user-help/media/and-enroll-14-tem-datalert-sms.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/and-enroll-15-tem-datalert-monitoring-active.png b/memdocs/intune/user-help/media/and-enroll-15-tem-datalert-monitoring-active.png
deleted file mode 100644
index 3d038fea822..00000000000
Binary files a/memdocs/intune/user-help/media/and-enroll-15-tem-datalert-monitoring-active.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/andr-cert_install-1-cert_missing.png b/memdocs/intune/user-help/media/andr-cert_install-1-cert_missing.png
deleted file mode 100644
index a034902d371..00000000000
Binary files a/memdocs/intune/user-help/media/andr-cert_install-1-cert_missing.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/android-wp-05-1908.png b/memdocs/intune/user-help/media/android-wp-05-1908.png
deleted file mode 100644
index f64bc591d50..00000000000
Binary files a/memdocs/intune/user-help/media/android-wp-05-1908.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/android-wp-05a-1908.png b/memdocs/intune/user-help/media/android-wp-05a-1908.png
deleted file mode 100644
index 1789c1b8187..00000000000
Binary files a/memdocs/intune/user-help/media/android-wp-05a-1908.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/ios-enroll-11b-tem-datalert-open-authenticator.png b/memdocs/intune/user-help/media/ios-enroll-11b-tem-datalert-open-authenticator.png
deleted file mode 100644
index 03109cb6c71..00000000000
Binary files a/memdocs/intune/user-help/media/ios-enroll-11b-tem-datalert-open-authenticator.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/management-profile-approve-macos-2006.png b/memdocs/intune/user-help/media/management-profile-approve-macos-2006.png
deleted file mode 100644
index b8dd2d366ac..00000000000
Binary files a/memdocs/intune/user-help/media/management-profile-approve-macos-2006.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/rename-reset-device-step2-1808.png b/memdocs/intune/user-help/media/rename-reset-device-step2-1808.png
deleted file mode 100644
index 20f17000efc..00000000000
Binary files a/memdocs/intune/user-help/media/rename-reset-device-step2-1808.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/rename-reset-device-step3-more-1808.png b/memdocs/intune/user-help/media/rename-reset-device-step3-more-1808.png
deleted file mode 100644
index 1ce72f29373..00000000000
Binary files a/memdocs/intune/user-help/media/rename-reset-device-step3-more-1808.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/skycure-list-of-potential-issues-android.png b/memdocs/intune/user-help/media/skycure-list-of-potential-issues-android.png
deleted file mode 100644
index 5cd48723f2c..00000000000
Binary files a/memdocs/intune/user-help/media/skycure-list-of-potential-issues-android.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/win10pc-sync-2-settings-accounts.png b/memdocs/intune/user-help/media/win10pc-sync-2-settings-accounts.png
deleted file mode 100644
index 032e3d316a0..00000000000
Binary files a/memdocs/intune/user-help/media/win10pc-sync-2-settings-accounts.png and /dev/null differ
diff --git a/memdocs/intune/user-help/media/win10pc-sync-5-tap-sync.png b/memdocs/intune/user-help/media/win10pc-sync-5-tap-sync.png
deleted file mode 100644
index 7e3f6d9ad98..00000000000
Binary files a/memdocs/intune/user-help/media/win10pc-sync-5-tap-sync.png and /dev/null differ
diff --git a/memdocs/media/00009-icon-service-Log-Analytics-Workspaces.svg b/memdocs/media/00009-icon-service-Log-Analytics-Workspaces.svg
deleted file mode 100644
index ec1c0ce91c4..00000000000
--- a/memdocs/media/00009-icon-service-Log-Analytics-Workspaces.svg
+++ /dev/null
@@ -1 +0,0 @@
\ No newline at end of file
diff --git a/memdocs/media/10332-icon-service-Devices.svg b/memdocs/media/10332-icon-service-Devices.svg
deleted file mode 100644
index 35561135f4c..00000000000
--- a/memdocs/media/10332-icon-service-Devices.svg
+++ /dev/null
@@ -1 +0,0 @@
\ No newline at end of file
diff --git a/memdocs/media/active-directory.svg b/memdocs/media/active-directory.svg
deleted file mode 100644
index 4a4d020cc2f..00000000000
--- a/memdocs/media/active-directory.svg
+++ /dev/null
@@ -1,56 +0,0 @@
diff --git a/memdocs/media/analytics.svg b/memdocs/media/analytics.svg
deleted file mode 100644
index 5d294245acd..00000000000
--- a/memdocs/media/analytics.svg
+++ /dev/null
@@ -1,61 +0,0 @@
diff --git a/memdocs/media/autopatch.png b/memdocs/media/autopatch.png
deleted file mode 100644
index 5dfff52e866..00000000000
Binary files a/memdocs/media/autopatch.png and /dev/null differ
diff --git a/memdocs/media/autopatch.svg b/memdocs/media/autopatch.svg
deleted file mode 100644
index f781d11c928..00000000000
--- a/memdocs/media/autopatch.svg
+++ /dev/null
@@ -1,65 +0,0 @@
diff --git a/memdocs/media/autopilot.svg b/memdocs/media/autopilot.svg
deleted file mode 100644
index 38c827eacf9..00000000000
--- a/memdocs/media/autopilot.svg
+++ /dev/null
@@ -1,44 +0,0 @@