**NOTE**: Access to the settings menu has changed with the Managed Home Screen updated user experience. To learn more about the changes, see [Updates to the Managed Home Screen experience](https://techcommunity.microsoft.com/t5/intune-customer-success/updates-to-the-managed-home-screen-experience/ba-p/3974412). | ✔️ | +| Show Managed Setting | bool | TRUE | The **Managed Settings** menu is specific to the Managed Home Screen app. It's visible on the top bar of the app. Specific settings appear in this menu only if you've configured these settings for quick access. These settings can include the **Show Wi-Fi setting**, **Show Bluetooth setting**, **Show volume setting**, and **Show flashlight setting**. Set this key to FALSE to hide the **Managed Settings** menu from the top bar. If required permissions are missing or the device is configured with sign-in enabled, the settings menu is visible to allow users access to required permissions and profile information. Note that even if **Show Managed settings** is set to FALSE, you can choose to configure other settings to appear, which will allow the **Managed Settings** menu to be visible.
**NOTE**: Access to the settings menu has changed with the Managed Home Screen updated user experience. To learn more about the changes, see [Updates to the Managed Home Screen experience](https://techcommunity.microsoft.com/t5/intune-customer-success/updates-to-the-managed-home-screen-experience/ba-p/3974412). | ✔️ | | Show Wi-Fi setting | bool | FALSE | Turning this setting to True allows the end user to connect to different Wi-Fi networks. | ✔️ | | Enable Wi-Fi allow-list | bool | FALSE | True fills out the Wi-Fi allow-list key to restrict what Wi-Fi networks are shown within Managed Home Screen. Set to False to show all possible available Wi-Fi networks the device has discovered. This setting is only relevant if show Wi-Fi setting has been set to True and the Wi-Fi allow-list has been filled out. | ✔️ | | Wi-Fi allow-list | bundleArray | See **Enter JSON Data** section of this document. | Allows you to list all the SSIDs of what Wi-Fi networks you want the device to show within Managed Home Screen. This list is only relevant if show Wi-Fi setting and Enable Wi-Fi allow-list have been set to True. If either setting has been set to False, then you don't need to modify this configuration. | ✔️ | 
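Review bot: The Show Managed Setting row reads as if FALSE hides the menu unconditionally, but the same cell lists two cases where it stays visible (required permissions missing, sign-in enabled); lead with that caveat so admins do not treat this key as a lockdown control, for example "Set this key to FALSE to hide the menu; MHS still shows it when required permissions are missing or sign-in is enabled." The closing sentence "you can choose to configure other settings to appear" should name the keys that override FALSE (the Wi-Fi, Bluetooth, volume and flashlight keys listed earlier in the row), since that is the only way a reader can predict whether the menu is actually hidden on a given device.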
@@ -110,12 +112,12 @@ The following table lists the Managed Home Screen available configuration keys, > [!IMPORTANT] > The Managed Home Screen app has been updated at the API level to better adhere with the Google Play Store's requirements. In doing so, there were some changes to how Wi-Fi configuration works from Managed Home Screen. The changes include the following: -> - Being unable to change (enable or disable) the Wi-Fi connection for the device. Users will be able to switch between networks, but will not be able to turn on/off Wi-Fi. +> - Being unable to change (enable or disable) the Wi-Fi connection for the device. Users will be able to switch between networks, but won't be able to turn on/off Wi-Fi. > - Being unable to automatically connect to a configured Wi-Fi network that requires a password for the first time. The configured network will automatically connect after you enter the password the first time. > -> On Android devices running OS 11, when an end-user tries to connect to a network via the Managed Home Screen app, they will get prompted with a consent pop-up. This pop-up comes from the Android platform, and is not specific to the Managed Home Screen app. Additionally, when an end-user tries to connect to a password protected network via the Managed Home Screen app, they will be asked to input the password. Even if the password is correct, the network will only change if the device is not connected to a network. Devices that are already connected to a stable network will not be able connect to a password protected network via the Managed Home Screen app. +> On Android devices running OS 11, when an end-user tries to connect to a network via the Managed Home Screen app, they'll get prompted with a consent pop-up. This pop-up comes from the Android platform, and isn't specific to the Managed Home Screen app. 
Additionally, when an end-user tries to connect to a password protected network via the Managed Home Screen app, they'll be asked to input the password. Even if the password is correct, the network will only change if the device isn't connected to a network. Devices that are already connected to a stable network won't be able connect to a password protected network via the Managed Home Screen app. > -> On Android devices running OS 10, when an end-user tries to connect to a network via the Managed Home Screen app, they will get prompted with a consent via notifications. Because of this prompt, users on OS 10 will need to have access to the status bar and notifications in order to complete the consent step. Use the [General settings for fully managed and dedicated devices](../configuration/device-restrictions-android-for-work.md#dedicated-devices) to make status bar and notifications available to your end-users, if appropriate. Additionally, when an end-user tries to connect to a password protected network via the Managed Home Screen app, they will be asked to input the password. Even if the password is correct, the network will only change if the device is not already connected to a stable network. +> On Android devices running OS 10, when an end-user tries to connect to a network via the Managed Home Screen app, they'll get prompted with a consent via notifications. Because of this prompt, users on OS 10 will need to have access to the status bar and notifications in order to complete the consent step. Use the [General settings for fully managed and dedicated devices](../configuration/device-restrictions-android-for-work.md#dedicated-devices) to make status bar and notifications available to your end-users, if appropriate. Additionally, when an end-user tries to connect to a password protected network via the Managed Home Screen app, they'll be asked to input the password. 
Even if the password is correct, the network will only change if the device isn't already connected to a stable network. > [!IMPORTANT] > End users cannot automatically connect to Enterprise Wi-Fi networks they select from the MHS settings menu, even if that network has been pre-configured using either Intune or another external source. While managed devices can still reliably utilize these networks, end users cannot initialize a connection from within MHS to the preconfigured networks. 
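Review bot: Both the removed and the added versions of the OS 11 paragraph keep the grammatical slip "won't be able connect to a password protected network"; while the line is being touched for the contraction change, add the missing "to" and hyphenate "password-protected". The hunk is otherwise a mechanical "will not" to "won't" rewrite, but it leaves two nearly identical OS 10 and OS 11 paragraphs that differ only by the words "stable network" and the consent mechanism; consider stating the shared behavior once and listing the version-specific consent step (platform pop-up on 11, notification on 10) as two short bullets so the status bar requirement for OS 10 stands out.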
@@ -129,25 +131,29 @@ The following table lists the Managed Home Screen available configuration keys, > For more information on how to enable Android system apps, go to: [Manage Android Enterprise system apps](apps-ae-system.md#enable-a-system-app-in-intune) > [!NOTE] -> The virtual home button requires granting overlay permission to MHS. The notification badge functionality requires granting notification permission to MHS.The brightness slider, adaptive brightness toggle, and autorotate toggle require granting write settings permission to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it is recommended to use OEMconfig to auto-grant these permissions to prevent possible breakout scenarios from the Settings application. +> The virtual home button requires granting overlay permission to MHS. The notification badge functionality requires granting notification permission to MHS.The brightness slider, adaptive brightness toggle, and autorotate toggle require granting write settings permission to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it's recommended to use OEMconfig to auto-grant these permissions to prevent possible breakout scenarios from the Settings application. +> +> Based on the OS version of the device, a notification may be presented to the user alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen which may allow the user access to the settings app. It's recommended to only configure access to notifications and features which require permissions when necessary. 
**Configurations for a custom screensaver**: | Configuration Key | Value Type | Default Value | Description | Available in device configuration profile | |-|-|-|-|-| | Enable screen saver | bool | FALSE | To enable screen saver mode or not. If set to true, you can configure screen_saver_image, screen_saver_show_time, inactive_time_to_show_screen_saver, and media_detect_screen_saver. | ✔️ | -| Screen saver image | string | | Set the URL of the screen saver image. If no URL is set, devices will show the default screen saver image when screen saver is activated. The default image shows the Managed Home Screen app icon. | ✔️ | -| Screen saver show time | integer | 0 | Gives option to set the amount of time in seconds the device will display the screen saver during screen saver mode. If set to 0, the screen saver will show on screen saver mode indefinitely until the device becomes active. | ✔️ | +| Screen saver image | string | | Set the URL of the screen saver image. If no URL is set, devices show the default screen saver image when screen saver is activated. The default image shows the Managed Home Screen app icon. | ✔️ | +| Screen saver show time | integer | 0 | Gives option to set the amount of time in seconds the device displays the screen saver during screen saver mode. If set to 0, the screen saver shows on screen saver mode indefinitely until the device becomes active. | ✔️ | | Inactive time to enable screen saver | integer | 30 | The number of seconds the device is inactive before triggering the screen saver. If set to 0, the device will never go into screen saver mode. | ✔️ | -| Media detect before showing screen saver | bool | TRUE | Choose whether the device screen should show screen saver if audio/video is playing on device. If set to true, the device won't play audio/video, regardless of the value in inactive_time_to_show_scree_saver. If set to false, device screen will show screen saver according to value set in inactive_time_to_show_screen_saver. 
| ✔️ | +| Media detect before showing screen saver | bool | TRUE | Choose whether the device screen should show screen saver if audio/video is playing on device. If set to true, the device won't play audio/video, regardless of the value in inactive_time_to_show_scree_saver. If set to false, device screen shows screen saver according to value set in inactive_time_to_show_screen_saver. | ✔️ | > [!NOTE] -> Managed Home Screen will start the screensaver whenever the lock screen appears. If the system's lock screen timeout is longer than **Screensaver show time** then the -> screen saver will show until the lock screen appears. If the system's lock screen timeout is shorter than **inactive time to enable screen saver** the screensaver will appear +> Managed Home Screen starts the screensaver whenever the lock screen appears. If the system's lock screen timeout is longer than **Screensaver show time** then the +> screen saver shows until the lock screen appears. If the system's lock screen timeout is shorter than **inactive time to enable screen saver** the screensaver appears > as soon as the device's lock screen appears. > [!NOTE] -> The screensaver requires granting overlay permission and exact alarm permission (OS 14+) to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it is recommended to use OEMconfig to auto-grant overlay and exact alarm permission to prevent possible breakout scenarios from the Settings application. +> The screensaver requires granting overlay permission and exact alarm permission (OS 14+) to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it's recommended to use OEMconfig to auto-grant overlay and exact alarm permission to prevent possible breakout scenarios from the Settings application. 
+> +> Based on the OS version of the device, a notification may be presented to the user alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen which may allow the user access to the settings app. It's recommended to only configure access to notifications and features which require permissions when necessary. **Configurations to help with troubleshooting issues on the device**: 
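Review bot: The added paragraph about the permission-granted notification is the security-relevant change in this hunk and it should state the mitigation, not just "only configure ... when necessary": tapping the notification lands in the Settings app, which the preceding sentence already calls a breakout scenario, so pair the recommendation with the advice to hide the status bar and notifications through the device configuration profile (the Wi-Fi section of this same file already links to that setting). Two pre-existing typos survive in the "+" lines and should be fixed while they are touched: "notification permission to MHS.The brightness" is missing a space, and the Media detect row still references `inactive_time_to_show_scree_saver` (the second sentence of the same row spells it `inactive_time_to_show_screen_saver`). "OEMconfig" should be written "OEMConfig" to match the product name.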
@@ -156,12 +162,14 @@ The following table lists the Managed Home Screen available configuration keys, | Exit lock task mode password | string | | Enter a 4-6-digit code to use to temporarily drop out of lock-task mode for troubleshooting. | ✔️ | | Enable easy access debug menu | bool | FALSE | Turn this setting to True to access the debug menu from the Managed Settings menu while in Managed Home Screen. The debug menu is currently where the capability to exit kiosk mode lives, and is accessed by clicking the back button about 15 times. Keep this setting set to False to keep the entry point to debug menu only accessible via the back button. | ✔️ | | Enable MAX inactive time outside of MHS | bool | FALSE | Turn this setting to True to automatically re-launch Managed Home Screen after a set period of inactivity. The timer will only count inactive time and, when configured, will reset each time the user interacts with the device while outside of Managed Home Screen. Use **MAX inactive time outside MHS** to set the inactivity timer. By default, this setting is off. This setting can only be used if **Exit lock task mode password** has been configured. | ❌ | -| MAX inactive time outside MHS | integer | 180 | Set the maximum amount of inactive time, in seconds, that a user can spend outside of Managed Home Screen before it is automatically re-launched. By default, this configuration is set to 180 seconds. **Enable MAX inactive time outside of MHS** must be set to true to use this setting. | ❌ | +| MAX inactive time outside MHS | integer | 180 | Set the maximum amount of inactive time, in seconds, that a user can spend outside of Managed Home Screen before it's automatically re-launched. By default, this configuration is set to 180 seconds. **Enable MAX inactive time outside of MHS** must be set to true to use this setting. 
| ❌ | | Enable MAX time outside MHS | bool | FALSE | Turn this setting to True to automatically re-launch Managed Home Screen after a set period of time has passed. The timer will factor in both inactive and active time spent outside of Managed Home Screen. Use **MAX time outside MHS** to set the inactivity timer. By default, this setting is off. This setting can only be used if **Exit lock task mode password** has been configured. | ❌ | -| MAX time outside MHS | integer | 600 | Set the maximum amount of absolute time, in seconds, that a user can spend outside of Managed Home Screen before it is automatically re-launched. By default, this configuration is set to 600 seconds. **Enable MAX time outside of MHS** must be set to true to use this setting. | ❌ | +| MAX time outside MHS | integer | 600 | Set the maximum amount of absolute time, in seconds, that a user can spend outside of Managed Home Screen before it's automatically re-launched. By default, this configuration is set to 600 seconds. **Enable MAX time outside of MHS** must be set to true to use this setting. | ❌ | >[!NOTE] -> The automatic relaunch functionality requires granting exact alarm permission to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it is recommended to use OEMconfig to auto-grant exact alarm permission to prevent possible breakout scenarios from the Settings application. +> The automatic relaunch functionality requires granting exact alarm permission to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it's recommended to use OEMconfig to auto-grant exact alarm permission to prevent possible breakout scenarios from the Settings application. +> +> Based on the OS version of the device, a notification may be presented to the user alerting them that the permission has been granted, even if the permissions were auto-granted. 
This notification will bring the user to the permission-granting screen which may allow the user access to the settings app. It's recommended to only configure access to notifications and features which require permissions when necessary. **Configurations to customize Managed Home Screen experience when device is set up with Microsoft Entra shared device mode**: @@ -169,13 +177,13 @@ The following table lists the Managed Home Screen available configuration keys, |-|-|-|-|-| | Enable sign in | bool | FALSE | Turn this setting to True to enable end-users to sign into Managed Home Screen. When used with Microsoft Entra shared device mode, users who sign in to Managed Home Screen will get automatically signed in to all other apps on the device that have participated with Microsoft Entra shared device mode. By default this setting is off.
NOTE: After rebooting the device, end users must reauthenticate by signing in to Managed Home Screen. | ✔️
NOTE: On devices that have a device configuration profile with the [**Enabled System Navigation Features** setting](../configuration/device-restrictions-android-for-work.md#dedicated-devices) set to **Home and Overview buttons**, end users can ignore and skip the sign in screen. | | Sign in type | string | Microsoft Entra ID | Set this configuration to "AAD" to sign in with a Microsoft Entra account. Otherwise, set this configuration to "Other". Users who sign in with a non-AAD account won't get single sign-on to all apps that have integrated with Microsoft Entra shared device mode, but will still get signed in to Managed Home Screen. By default, this setting uses "AAD" user accounts. This setting can only be used if **Enable sign in** has been set to True. | ✔️ | -| Domain name | string | | Set a domain name to be appended to usernames for sign in. If this is not set, users will need to enter the domain name. To allow users to select between multiple domain name options, add semicolon delimited strings. Enable sign in must be set to TRUE to use this configuration.
**NOTE**: This setting does not prevent users from inputting alternative domain names. | ❌ | +| Domain name | string | | Set a domain name to be appended to usernames for sign in. If this isn't set, users will need to enter the domain name. To allow users to select between multiple domain name options, add semicolon delimited strings. Enable sign in must be set to TRUE to use this configuration.
**NOTE**: This setting does not prevent users from inputting alternative domain names. | ❌ | | Login hint text | string | | Set a custom login hint string by entering a string. If no string is set, the default string "Enter email or phone number" will be displayed. Enable sign in must be set to TRUE to use this configuration. | ❌ | | Set to the url of wallpaper | string | | Allows you to set a wallpaper of your choice for the sign in screen. To use this setting, enter the URL of the image that you want set for the sign-in screen wallpaper. This image can be different than the Managed Home Screen wallpaper that is configured with **Set device wallpaper**. This setting can only be used if **Enable sign in** has been set to True. | ✔️ | | Enable show organization logo on sign in page | bool | TRUE | Turn this setting to True to use a company logo that will appear on the sign-in screen. This setting is used with **Organization logo on sign in page** and can only be used if **Enable sign in** has been set to TRUE. | ✔️ | | Organization logo on sign in page | string | | Allows you to brand your device with a logo of your choice on the Managed Home Screen sign-in screen. To use this setting, enter the URL of the image that you want set for the logo. This setting can only be used if **Enable show organization logo on sign in page** and **Enable sign in** have been set to True. | ✔️ | | Enable session PIN | bool | FALSE | Turn this setting to True if you want end-users to get prompted to create a local Session PIN after they've successfully signed in to Managed Home Screen. The Session PIN prompt will appear before end-user gets access to the home screen, and can be used in conjunction with other features. The Session PIN lasts for the duration of a user's sign-in, and is cleared upon sign-out. By default, this setting is off. This setting can only be used if **Enable sign in** has been set to True. | ✔️
NOTE: On devices that have a device configuration profile with the [**Enabled System Navigation Features** setting](../configuration/device-restrictions-android-for-work.md#dedicated-devices) set to **Home and Overview buttons**, end users can ignore and skip the session PIN screen. | -| Complexity of session PIN | string | | Choose whether the local session PIN should be **simple**, **complex**, or **alphanumeric complex**. If you choose **simple**, users will only be required to enter a numeric PIN. If you choose **complex**, users will get prompted to create a PIN with alphanumeric characters and no repeating (444) or ordered sequences (123, 432, 246) are allowed. Evaluation of repeating and sequential patterns begins at three (3) digits/characters. If you choose **alphanumeric complex**, then users will get prompted to create a PIN with alphanumeric characters, and at least one symbol or letter is required. No repeating (444) or ordered sequences (123, 432, 246) are allowed. Evaluation of repeating and sequential patterns begins at three (3) characters. The default value for this setting is one (1), where one (1) means that the user must have at least one character in their Session PIN. This setting can only be used if **Enable session PIN** and **Enable sign in** have been set to True. | ✔️
NOTE: The **alphanumeric complex** option is only available in app config today. | +| Complexity of session PIN | string | | Choose whether the local session PIN should be **simple**, **complex**, **complex numeric only**, or **alphanumeric complex**. If you choose **simple**, users will only be required to enter a numeric PIN. If you choose **complex**, users will get prompted to create a PIN with alphanumeric characters and no repeating (444) or ordered sequences (123, 432, 246) are allowed. Evaluation of repeating and sequential patterns begins at three (3) digits/characters. If you choose **complex numeric only**, users will get prompted to create a PIN with numerals only and no repeating (444) or ordered sequences (123, 432, 246) are allowed. Evaluation of repeating and sequential patterns begins at three (3) digits/characters. If you choose **alphanumeric complex**, then users will get prompted to create a PIN with alphanumeric characters, and at least one symbol or letter is required. No repeating (444) or ordered sequences (123, 432, 246) are allowed. Evaluation of repeating and sequential patterns begins at three (3) characters. The default value for this setting is one (1), where one (1) means that the user must have at least one character in their Session PIN. This setting can only be used if **Enable session PIN** and **Enable sign in** have been set to True. | ✔️
NOTE: The **complex numeric only** and **alphanumeric complex** options are only available in app config today. |
| Minimum length for session PIN | string | | Define the minimum length a user's session PIN must adhere to. This can be used with any of the complexity values for session PIN. This setting can only be used if **Enable session PIN** and **Enable sign in** have been set to True. | ❌ |
| Maximum number of attempts for session PIN | string | | Define the maximum number of times a user can attempt to enter their session PIN before getting automatically logged out from Managed Home Screen. The default value is zero (0), where zero (0) means the user gets infinite tries. This can be used with any of the complexity values for session PIN. This setting can only be used if **Enable session PIN** and **Enable sign in** have been set to True. | ❌ |
| Customer facing folder | Bool | FALSE | Use this specification with **Create Managed Folder for grouping apps** to create a folder that can't be exited without a user entering their Session PIN. This setting can only be used if **Enable session PIN** and **Enable sign in** have been set to True. | ❌ |
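Review bot: The expanded Complexity of session PIN row now describes four values but still ends with "The default value for this setting is one (1), where one (1) means that the user must have at least one character", which is a length rule rather than a complexity value and does not match the row's string type; that sentence belongs in the Minimum length for session PIN row (which states no default) or should be dropped. With "complex numeric only" added, the simple and complex descriptions no longer make clear whether complex accepts a digits-only PIN; list the permitted character classes and the three-character repeat/sequence rule once per value. The third copy of the permission-notification paragraph is identical to the two above it; one note, or an include, avoids the copies drifting. Also worth a line while this table is being edited: Exit lock task mode password allows a 4-6 digit code and Maximum number of attempts for session PIN defaults to unlimited tries, so the guidance should recommend a non-zero attempt limit when the PIN gates a Customer facing folder.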
@@ -193,10 +201,12 @@ The following table lists the Managed Home Screen available configuration keys,
> - Launch a screen saver after a set period of inactivity
> - Automatically relaunch MHS after a certain period of time when a user exits kiosk mode
>
-> For devices running Android 14 and higher, by default, the exact alarm permission will be denied. To make sure critical user functionality is not impacted, end-users will be prompted to grant exact alarm permission upon first launch of Managed Home Screen.
+> For devices running Android 14 and higher, by default, the exact alarm permission will be denied. To make sure critical user functionality isn't impacted, end-users will be prompted to grant exact alarm permission upon first launch of Managed Home Screen.
> [!NOTE]
-> The automatic sign out feature requires granting overlay permission and exact alarm permission (OS 14+) to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it is recommended to use OEMconfig to auto-grant overlay and exact alarm permission to prevent possible breakout scenarios from the Settings application.
+> The automatic sign out feature requires granting overlay permission and exact alarm permission (OS 14+) to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it's recommended to use OEMconfig to auto-grant overlay and exact alarm permission to prevent possible breakout scenarios from the Settings application.
+>
+> Based on the OS version of the device, a notification may be presented to the user alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen which may allow the user access to the settings app. It's recommended to only configure access to notifications and features which require permissions when necessary.
## Enter JSON Data
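Review bot: The permission-notification paragraph added here is the fourth verbatim copy in this file; see the earlier comment about consolidating it. The sentence "by default, the exact alarm permission will be denied ... end-users will be prompted to grant exact alarm permission upon first launch" now sits directly above a note recommending OEMConfig auto-grant to avoid that prompt; make the two consistent by saying the first-launch prompt is what happens when no OEMConfig policy has already granted the permission. "OEMconfig" should be "OEMConfig" here as well.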
@@ -206,11 +216,14 @@ Enter JSON data to configure all available settings for Managed Home Screen, and
In addition to the list of configurable settings listed in the **Configuration Designer** table (above), the following table provides the configuration keys you can only configure via JSON data.
-| Configuration Key | Value Type | Default Value | Description |
+| Configuration Key | Value Type | Details | Description |
|-|-|-|-|
-| Set allow-listed applications | bundleArray | | Allows you to define the set of apps visible on the home screen from all the apps installed on the device. You can define the apps by entering the app package name of the apps that you want to make visible. For example, `com.android.settings` would make settings accessible on the home screen. The apps that you allow-list in this section should already be installed on the device to be visible on the home screen. |
-| Set pinned web links | bundleArray |
| Allows you to pin websites as quick launch icons on the home screen. With this configuration, you can define the URL and add it to the home screen for the end user to launch in the browser with a single tap. Note: We recommend that you create, assign, and approve [Managed Google Play web links](./apps-add-android-for-work.md#managed-google-play-web-links) to your devices. When you do, they're treated like allow-listed applications. |
-| Create Managed Folder for grouping apps | bundleArray |
| Allows you to create and name folders and group apps within these folders. End users can't move folders, rename the folders, or move the apps within the folders. Folders will appear in the order created, and apps within the folders will appear alphabetically. Note: all apps that you want to group into folders must be assigned as required to the device and must have been added to the Managed Home Screen. |
+| Set allow-listed applications | bundleArray | See [JSON Data Examples](#json-data-examples). | Allows you to define the set of apps visible on the home screen from all the apps installed on the device. You can define the apps by entering the app package name of the apps that you want to make visible. For example, `com.android.settings` would make settings accessible on the home screen. The apps that you allow-list in this section should already be installed on the device to be visible on the home screen. |
+| Set pinned web links | bundleArray | See [JSON Data Examples](#json-data-examples). | Allows you to pin websites as quick launch icons on the home screen. With this configuration, you can define the URL and add it to the home screen for the end user to launch in the browser with a single tap. Note: We recommend that you create, assign, and approve [Managed Google Play web links](./apps-add-android-for-work.md#managed-google-play-web-links) to your devices. When you do, they're treated like allow-listed applications. |
+| Create Managed Folder for grouping apps | bundleArray | See [JSON Data Examples](#json-data-examples). | Allows you to create and name folders and group apps within these folders. End users can't move folders, rename the folders, or move the apps within the folders. Folders will appear in the order created, and apps within the folders will appear alphabetically.
**NOTE:** all apps that you want to group into folders must be assigned as required to the device and must have been added to the Managed Home Screen. | +| Widget | bundleArray | See [JSON Data Examples](#json-data-examples). | Allows you to add widgets to the home screen. Managed Home Screen provides and maintains a **Time** and **Weather** widget. You can also add a custom LOB widget or a third-party widget using JSON data. You can define the widget to be exposed by entering the app package name and widget class name. For example, to expose the **Time** widget, define the package name as `com.microsoft.launcher.enterprise` and widget class as **Time**. | + +### JSON Data Examples The following syntax is an example JSON script with all the available configuration keys included: diff --git a/memdocs/intune/apps/app-configuration-policies-outlook.md b/memdocs/intune/apps/app-configuration-policies-outlook.md index f3e011e3d4f..a4616b34af8 100644 --- a/memdocs/intune/apps/app-configuration-policies-outlook.md +++ b/memdocs/intune/apps/app-configuration-policies-outlook.md @@ -7,7 +7,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 12/12/2023 +ms.date: 11/21/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: apps 
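Review bot: In the moved Set allow-listed applications row, the example package `com.android.settings` is the one app the rest of this page warns must not be reachable from a kiosk ("breakout scenarios from the Settings application"); use a neutral line-of-business package as the example, or add a sentence saying Settings should only be allow-listed for troubleshooting. In the new Widget row, "widget class as **Time**" is ambiguous: it is not clear whether "Time" is a literal keyword MHS accepts for its built-in widget or a class name the admin must look up, and for third-party widgets Android identifies a widget by package plus provider class, so give the exact JSON key names and an example value for each case, or point to the specific entry in the JSON Data Examples section instead of formatting the value as bold text. Renaming the column from Default Value to Details is fine, but every new cell says "See JSON Data Examples", so the column could instead carry the required sub-keys of each bundleArray.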
@@ -32,10 +32,10 @@ ms.custom: intune-azure The Outlook for iOS and Android app is designed to enable users in your organization to do more from their mobile devices, by bringing together email, calendar, contacts, and other files. -The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft Intune and Microsoft Entra ID P1 or P2 features, such as conditional access. At a minimum, you will want to deploy a conditional access policy that allows connectivity to Outlook for iOS and Android from mobile devices and an Intune app protection policy that ensures the collaboration experience is protected. +The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft Intune and Microsoft Entra ID P1 or P2 features, such as Conditional Access. At a minimum, you will want to deploy a Conditional Access policy that allows connectivity to Outlook for iOS and Android from mobile devices and an Intune app protection policy that ensures the collaboration experience is protected. ## Apply Conditional Access -Organizations can use Microsoft Entra Conditional Access policies to ensure that users can only access work or school content using Outlook for iOS and Android. To do this, you will need a conditional access policy that targets all potential users. These policies are described in [Conditional Access: Require approved client apps or app protection policy](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection). +Organizations can use Microsoft Entra Conditional Access policies to ensure that users can only access work or school content using Outlook for iOS and Android. To do this, you will need a Conditional Access policy that targets all potential users. 
These policies are described in [Conditional Access: Require approved client apps or app protection policy](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection). 1. Follow the steps in [Require approved client apps or app protection policy with mobile devices](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection#require-approved-client-apps-or-app-protection-policy-with-mobile-devices). This policy allows Outlook for iOS and Android, but blocks OAuth and basic authentication capable Exchange ActiveSync mobile clients from connecting to Exchange Online. @@ -49,7 +49,7 @@ Organizations can use Microsoft Entra Conditional Access policies to ensure that 3. Follow the steps in [How to: Block legacy authentication to Microsoft Entra ID with Conditional Access](/azure/active-directory/conditional-access/block-legacy-authentication) to block legacy authentication for other Exchange protocols on iOS and Android devices; this policy should target only Microsoft Exchange Online cloud app and iOS and Android device platforms. This ensures mobile apps using Exchange Web Services, IMAP4, or POP3 protocols with basic authentication cannot connect to Exchange Online. > [!NOTE] -> To leverage app-based conditional access policies, the Microsoft Authenticator app must be installed on iOS devices. For Android devices, the Intune Company Portal app is required. For more information, see [App-based Conditional Access with Intune](../protect/app-based-conditional-access-intune.md). +> To leverage app-based Conditional Access policies, the Microsoft Authenticator app must be installed on iOS devices. For Android devices, the Intune Company Portal app is required. For more information, see [App-based Conditional Access with Intune](../protect/app-based-conditional-access-intune.md). ## Create Intune app protection policies 
diff --git a/memdocs/intune/apps/app-configuration-policies-overview.md b/memdocs/intune/apps/app-configuration-policies-overview.md index 9f7b637b3e5..65a25ee8ad2 100644 --- a/memdocs/intune/apps/app-configuration-policies-overview.md +++ b/memdocs/intune/apps/app-configuration-policies-overview.md @@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 12/12/2023 +ms.date: 11/21/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: apps @@ -69,7 +69,7 @@ App configuration can be delivered either through the mobile device management ( Intune represents these different app configuration policy channels as: - **Managed devices** - The device is managed by Intune as the unified endpoint management provider. The app must be pinned to the management profile on iOS/iPadOS or deployed through Managed Google Play on Android devices. In addition, the app supports the desired app configuration. -- **Managed apps** - An app that has either integrated the Intune App SDK or have been wrapped using the Intune Wrapping Tool and supports App Protection Policies (APP). In this configuration, neither the device's enrollment state or how the app is delivered to the device matter. The app supports the desired app configuration. +- **Managed apps** - An app that has either integrated the Intune App SDK or has been wrapped using the Intune Wrapping Tool and supports App Protection Policies (APP). In this configuration, neither the device's enrollment state or how the app is delivered to the device matter. The app supports the desired app configuration. ![Device enrollment type](./media/app-configuration-policies-overview/device-enrollment-type.png) 
@@ -101,7 +101,7 @@ Delivery of app configuration through the MAM channel does not require the devic - Advanced APP data protection settings which extend the capabilities offered by App Protection Policies > [!NOTE] -> Intune managed apps will check-in with an interval of 30 minutes for Intune App Configuration Policy status, when deployed in conjunction with an Intune App Protection Policy. If an Intune App Protection Policy isn't assigned to the user, then the Intune App Configuration Policy check-in interval is set to 720 minutes. +> Intune managed apps will check in with an interval of 30 minutes for Intune App Configuration Policy status, when deployed in conjunction with an Intune App Protection Policy. If an Intune App Protection Policy isn't assigned to the user, then the Intune App Configuration Policy check-in interval is set to 720 minutes. For information on which apps support app configuration through the MAM channel, see [Microsoft Intune protected apps](apps-supported-intune-apps.md). 
@@ -133,7 +133,7 @@ You can validate the app configuration policy using the following three methods: Device Install Status Report monitors the latest check-in's for all the devices the configuration policy has been targeted to. ![First screenshot of device install status](./media/app-configuration-policies-overview/device-install-status-1.png) - Additionally,in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **All Devices** > *select a device* > **App configuration**. The app configuration** pane will display all the assigned policies and their state: + Additionally, in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **All Devices** > *select a device* > **App configuration**. The **app configuration** pane will display all the assigned policies and their state: ![Screenshot of app configuration](./media/app-configuration-policies-overview/app-configuration.png) diff --git a/memdocs/intune/apps/app-configuration-policies-use-ios.md b/memdocs/intune/apps/app-configuration-policies-use-ios.md index 31612c8d0f0..eac7121cbfe 100644 --- a/memdocs/intune/apps/app-configuration-policies-use-ios.md +++ b/memdocs/intune/apps/app-configuration-policies-use-ios.md @@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 05/08/2024 +ms.date: 11/20/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: apps @@ -123,6 +123,10 @@ As the Microsoft Intune administrator, you can control which work or school acco |----|----| | IntuneMAMAllowedAccountsOnly |
{{userprincipalname}}
token may be used to represent the enrolled user account.*Actions* include:
*Actions* include:
*Actions* include:
**Values** include:
You must configure the setting “Max allowed device threat level” to use this setting.
There are no **Actions** for this setting.| +|**Primary MTD service** |If you have configured multiple Intune-MTD connectors, specify the primary MTD vendor app that should be used on the end user device.
**Values** include:
You must configure the setting "Max allowed device threat level" to use this setting.
There are no **Actions** for this setting.| |**Non-working time** |There is no value to set for this setting.
*Actions* include:
The following apps support this feature:
| Fuze Mobile for Intune allows end users to communicate using voice calling, video meetings, contact center, chat messaging, and content sharing. Admins can deploy Fuze Mobile securely and at scale in a BYOD context. Fuze Mobile for Intune requires both a Fuze account and a Microsoft managed environment. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.fuze.fuzeapp),
[App Store link (iOS)](https://apps.apple.com/app/fuze-mobile/id1160444971) |
| :::no-loc text="Global Relay":::
| Put compliance at the heart of your communication with one powerful app. Global Relay is an enterprise unified communication platform purpose-built for financial and other regulated industries to meet collaboration, compliance, privacy, and security requirements.
Global Relay supports BYOD and corporate programs, ensuring compliant communication with customers, colleagues, and industry peers via text, voice, WhatsApp, and other preferred channels.
The Global Relay App is available for mobile, desktop, and web. And, Global Relay is fully integrated with Microsoft Intune SDK to provide MDM/MAM policy control for IT Administrators.
NOTE: You must be a Global Relay customer or partner to use this app. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.globalrelay.message.intune),
[App Store link (iOS)](https://apps.apple.com/app/global-relay/id576031737) |
| :::no-loc text="Goodnotes 6":::
| Goodnotes 6 is a powerful note-taking app designed to provide a seamless and natural handwriting experience on digital paper. This comprehensive solution combines the simplicity of handwriting, the power of digital tools, and advanced AI features to enhance productivity and organization. Whether you're in a meeting, on a call, or brainstorming, Goodnotes keeps your ideas organized and accessible. | [App Store link (iOS)](https://apps.apple.com/us/app/goodnotes-6/id1444383602) |
-| :::no-loc text="Groupdolists":::
| Groupdolists helps to coordinates incident response teams, whether corporate or public sector, in a single organization or across multiple organizations. Groupdolists creates a common operating picture between all responders, wherever they are, and synchronizes their efforts in real time.
Benefits include the following:
| HCSS Field is a mobile app for heavy civil construction. It is designed to replace paper-based processes with digital solutions. It integrates with the HCSS software suite to streamline field operations, project management, safety, and team communication. | [App Store link (iOS)](https://apps.apple.com/app/hcss-field-time-cost-safety/id720784422) |
| :::no-loc text="HCSS Plans: Revision control":::
| HCSS Plans is a collaborative app for heavy civil construction. It allows teams to work with the latest project plans and documents, enabling seamless teamwork, smart revision control, and instant document access. | [App Store link (iOS)](https://apps.apple.com/app/hcss-plans-revision-control/id1319971186) |
| :::no-loc text="Hearsay for Intune":::
| Hearsay for Intune enables advisors to manage and nurture their book of business in a protected BYOD environment with mobile application management (MAM). This version of Hearsay allows IT administrators to protect corporate data while keeping advisors in touch with their book of business.
Hearsay, a mobile application that enables financial services professionals to move business forward. Leverage compliant texting and seamless voice calling to connect with your entire book of business. Stay productive with calendar integration to set appointments, and schedule reminder messages for upcoming meetings, birthday greetings, and more.
Hearsay for Intune gives enterprise users all the features they expect from Hearsay, while providing IT administrators the MAM functionality they need to keep corporate data safe. In the event of a lost or stolen device, IT can remove Hearsay for Intune from the device along with any sensitive data associated with it. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.hearsaysocial.messages.intune),
[App Store link (iOS)](https://apps.apple.com/app/hearsay-for-intune/id1501771956) |
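Review bot: The "Conditional Access" casing fix in the @@ -32 hunk of app-configuration-policies-outlook.md touches only the intro paragraph, the "Apply Conditional Access" paragraph and the NOTE; step 1 and step 3 in the same region already use the capitalized form, so the article is now consistent, but "At a minimum, you will want to deploy a Conditional Access policy" is still indirect on both the - and + lines. Suggest "At a minimum, deploy a Conditional Access policy ... and an Intune app protection policy ..." while the sentence is being edited.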
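Review bot: The "Managed apps" bullet in the @@ -69 hunk of app-configuration-policies-overview.md fixes "have been wrapped" to "has been wrapped" but leaves the broken correlative in the next sentence, "neither the device's enrollment state or how the app is delivered to the device matter". Suggest "neither the device's enrollment state nor how the app is delivered to the device matters" on the same + line.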
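Review bot: The @@ -133 hunk of app-configuration-policies-overview.md fixes "Additionally,in" and the unbalanced bold in "The app configuration** pane", but the unchanged context line two lines above still reads "monitors the latest check-in's for all the devices"; that is a plural, not a possessive, so it should be "check-ins". Worth fixing in the same pass since the @@ -101 hunk in this file already corrected "check-in" versus "check in".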
diff --git a/memdocs/intune/apps/apps-win32-add.md b/memdocs/intune/apps/apps-win32-add.md
index e2cb2c9d59c..3f45c9688dc 100644
--- a/memdocs/intune/apps/apps-win32-add.md
+++ b/memdocs/intune/apps/apps-win32-add.md
@@ -6,7 +6,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 09/11/2024
+ms.date: 01/23/2025
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: apps
@@ -74,7 +74,10 @@ The following steps help you add a Windows app to Intune:
On the **App information** page, add the details for your app. Depending on the app that you chose, some of the values on this page might be automatically filled in.
- **Name**: Enter the name of the app as it appears in the company portal. Make sure all app names that you use are unique. If the same app name exists twice, only one of the apps appears in the company portal.
-- **Description**: Enter the description of the app. The description appears in the company portal.
+- **Description**: Enter the description of the app. The description appears in the Company Portal. You can select the **Edit Description** option to display the **Edit description** pane. Within this pane, you can optionally use Markdown to create an app description with rich text formatting. However, only the Markdown styles shown in this section are supported. HTML isn't supported.
+
+ ![Screenshot of the 'Edit description' pane.](./media/apps-win32-app-management/apps-win32-app-11.png)
+
- **Publisher**: Enter the name of the publisher of the app.
- **Category**: Select one or more of the built-in app categories, or select a category that you created. Categories make it easier for users to find the app when they browse through the company portal.
- **Show this as a featured app in the Company Portal**: Display the app prominently on the main page of the company portal when users browse for apps.
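Review bot: The new **Description** bullet says "only the Markdown styles shown in this section are supported", but no list of supported Markdown styles appears in the hunk or the surrounding bullets; either add the list or link to the section that enumerates it, otherwise the reader has nothing to check against. The same bullet also spells "Company Portal" while the neighbouring **Name** and **Category** bullets say "company portal"; pick one casing for the list.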
@@ -125,6 +128,9 @@ On the **Program** page, configure the app installation and removal commands for
- **Allow available uninstall**: Select **Yes** to provide the uninstall option for this app for users from the Company Portal. Select **No** to prevent users from uninstalling the app from the Company Portal.
+ > [!NOTE]
+ > If a Win32 app has dependencies or is a dependent app itself, the Company Portal will not show the uninstall option for the app, even when **Allow available uninstall** is set to **Yes**.
+
- **Install behavior**: Set the install behavior to either **System** or **User**.
> [!NOTE]
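Review bot: In the new NOTE, "is a dependent app itself" is ambiguous between "has dependencies" (already covered by the first clause) and "is a dependency of another app". Suggest "If a Win32 app has dependencies, or is itself a dependency of another app, the Company Portal doesn't show the uninstall option for it, even when **Allow available uninstall** is set to **Yes**." Consider adding one sentence on why, so admins don't file this as a bug when the toggle appears to have no effect.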
@@ -257,7 +263,7 @@ After you've added your rules, select **Next** to display the **Dependencies** p
App dependencies define a relationship between apps where one app requires one or more dependent apps to be installed. If Intune has not yet installed an app on a device, any apps configured as dependent apps must be installed first. If an app is already installed on a device, Intune will install any newly configured dependent apps, that are configured for automatic installation, the next time Intune evaluates app policy on the device.
-You can add Win32 app dependencies only after your Win32 app has been added and uploaded to Intune. After your Win32 app has been added, you'll see the **Dependencies** option on the pane for your Win32 app. There's a maximum of 100 dependencies, which includes the dependencies of any included dependencies, as well as the app itself.
+You can add Win32 app dependencies only after your Win32 app has been added and uploaded to Intune. After your Win32 app has been added, you'll see the **Dependencies** option on the pane for your Win32 app. There's a maximum of 100 dependencies, which include the dependencies of any included dependencies, as well as the app itself.
Any Win32 app dependency needs to also be a Win32 app. It doesn't support depending on other app types, such as single MSI LOB apps or Microsoft Store apps.
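Review bot: Changing "which includes" to "which include" doesn't resolve the sentence, because the antecedent can still be read as "a maximum" (singular) or "dependencies" (plural). Suggest rewriting the clause instead, e.g. "The limit is 100 dependencies, counting the dependencies of those dependencies and the app itself." The unchanged paragraph above also has a restrictive clause wrapped in commas, "any newly configured dependent apps, that are configured for automatic installation, the next time"; drop both commas.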
diff --git a/memdocs/intune/apps/apps-win32-deploy-update-package.md b/memdocs/intune/apps/apps-win32-deploy-update-package.md
index 16012980b37..9fa7300e33f 100644
--- a/memdocs/intune/apps/apps-win32-deploy-update-package.md
+++ b/memdocs/intune/apps/apps-win32-deploy-update-package.md
@@ -6,7 +6,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/01/2023
+ms.date: 11/21/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: apps
diff --git a/memdocs/intune/apps/apps-win32-prepare.md b/memdocs/intune/apps/apps-win32-prepare.md
index 843967c5346..4888108dd83 100644
--- a/memdocs/intune/apps/apps-win32-prepare.md
+++ b/memdocs/intune/apps/apps-win32-prepare.md
@@ -6,7 +6,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/01/2023
+ms.date: 11/21/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: apps
diff --git a/memdocs/intune/apps/apps-win32-s-mode.md b/memdocs/intune/apps/apps-win32-s-mode.md
index 4912126a02a..910b0a7f2ca 100644
--- a/memdocs/intune/apps/apps-win32-s-mode.md
+++ b/memdocs/intune/apps/apps-win32-s-mode.md
@@ -6,7 +6,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/01/2023
+ms.date: 11/21/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: apps
diff --git a/memdocs/intune/apps/apps-win32-supersedence.md b/memdocs/intune/apps/apps-win32-supersedence.md
index 6ab0665921e..491fce28dab 100644
--- a/memdocs/intune/apps/apps-win32-supersedence.md
+++ b/memdocs/intune/apps/apps-win32-supersedence.md
@@ -6,7 +6,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 04/08/2024
+ms.date: 01/06/2025
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: apps
@@ -38,9 +38,9 @@ Supersedence relationships can be created when adding or modifying a Win32 app w
App supersedence can only be applied to Win32 apps. For more information, see [Add a Win32 app](apps-win32-add.md) to Intune.
-A Microsoft Intune permission is required to create and edit Win32 app supersedence and dependency relationships with other apps. The permission is available under the **Mobile apps** category by selecting **Relate**. Starting in the **2202** service release, Intune admins need this permission to add supersedence and dependency apps when creating or editing a Win32 app in Microsoft Intune admin center. To find this permission in [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Tenant administration** > **Roles** > **All roles** > **Create**.
+A Microsoft Intune permission is required to create and edit Win32 app supersedence and dependency relationships with other apps. The permission is available under the **Mobile apps** category by selecting **Relate**. Starting in the **2202** service release, Intune administrators need this permission to add supersedence and dependency apps when creating or editing a Win32 app in Microsoft Intune admin center. To find this permission in [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Tenant administration** > **Roles** > **All roles** > **Create**.
-This Win32 app supersedence permission has been added to the following built-in roles:
+This Win32 app supersedence permission is added to the following built-in roles:
- Application Manager
- School administrator
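Review bot: "This Win32 app supersedence permission is added to the following built-in roles" reads as an action taking place now rather than a statement about what the roles contain; suggest "is included in the following built-in roles". The paragraph above also says the permission covers both supersedence and dependency relationships, so "This Win32 app supersedence permission" undersells it; "This permission" is enough.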
@@ -53,7 +53,7 @@ This Win32 app supersedence permission has been added to the following built-in
The following steps help you create a supersedence relationship between apps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Select **Apps** > **All apps**, and then select a Win32 app from the list. If you haven't added a Win32 app, you can follow the steps to [add a Win32 app to Intune](apps-win32-add.md).
+2. Select **Apps** > **All apps**, and then select a Win32 app from the list. To add a Win32 app, see [add a Win32 app to Intune](apps-win32-add.md).
3. After you select the existing Win32 app, select **Properties**.
4. In the **Supersedence** section, select **Edit** > **Add** to choose apps that should be superseded.
@@ -61,11 +61,11 @@ The following steps help you create a supersedence relationship between apps:
> There can be a maximum of 10 nodes in a supersedence relationship in Intune.
5. Find and select the apps to apply the supersedence relationship in the **Add Apps** pane. Click **Select** to add the apps to your supersedence list.
-6. In the list of superseded apps, modify the **Uninstall previous version** option for each selected app to specify whether an uninstall command is sent by Intune to each selected app. If the installer of the current app updates the selected app automatically, then it isn't necessary to send an uninstall command. When replacing a selected app with a different app, it may be necessary to turn on the **Uninstall previous version** option to remove and replace the older app.
+6. In the list of superseded apps, modify the **Uninstall previous version** option for each selected app to specify whether an uninstall command is sent by Intune to each selected app. If the installer of the current app updates the selected app automatically, then it isn't necessary to send an uninstall command. When replacing a selected app with a different app, it might be necessary to turn on the **Uninstall previous version** option to remove and replace the older app.
7. Once this step is finalized, select **Review + save** > **Save**.
> [!IMPORTANT]
- > Superseding apps do not get automatic targeting. Each app must have explicit targeting to take effect. Superseding apps that aren't targeted will be ignored by the agent. If the superseding app is targeted to a device with a superseded app, then the supersedence will take place regardless of whether the superseded app has targeting or not. For more information on Supersedence behavior, please refer to the matrix below. This behavior is in direct contrast to dependencies, which doesn't require targeting. Additionally, only apps that are targeted will show install statuses in Microsoft Intune admin center.
+ > Superseding apps don't get automatic targeting. Each app must have explicit targeting to take effect. Superseding apps that aren't targeted are ignored by the agent. If the superseding app is targeted to a device with a superseded app, then the supersedence takes place regardless of whether the superseded app has targeting or not. For more information on Supersedence behavior, see the matrix below. This behavior is in direct contrast to dependencies, which doesn't require targeting. Additionally, only apps that are targeted show install statuses in Microsoft Intune admin center.
## Supersedence behavior
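Review bot: The IMPORTANT note at the end of the hunk still contains "dependencies, which doesn't require targeting"; the relative clause refers to dependencies (plural), so it should be "which don't require targeting". "For more information on Supersedence behavior, see the matrix below" is a positional reference with a stray capital; suggest linking to the **Supersedence behavior** heading so it survives section moves.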
@@ -73,8 +73,8 @@ A *superseding app* is an app that updates or replaces other apps. A *superseded
| Scenarios | Targeting for required intent | Targeting for available intent |
|-|-|-|
-| **Scenario 1:**
The superseded app exists on the device and **Uninstall previous version** is set to **Yes**. | The superseded app is uninstalled, and the superseding app will be installed on the device.
**NOTE:** Even if the superseded app isn't targeted, it is uninstalled. | Only superseding apps are shown in the company portal and can be installed. |
-| **Scenario 2:**
The superseded app exists on the device and **Uninstall previous version** is set to **No**. | The superseding app will be installed on the device. Whether the superseded app will be uninstalled or not is dependent on the superseding app’s installer. | Only superseding apps are shown in the company portal and can be installed. |
+| **Scenario 1:**
The superseded app exists on the device and **Uninstall previous version** is set to **Yes**. | The superseded app is uninstalled, and the superseding app are installed on the device.
**NOTE:** Even if the superseded app isn't targeted, it's uninstalled. | Only superseding apps are shown in the company portal and can be installed. |
+| **Scenario 2:**
The superseded app exists on the device and **Uninstall previous version** is set to **No**. | The superseding app will be installed on the device. Whether the superseded app will be uninstalled or not is dependent on the superseding app's installer. | Only superseding apps are shown in the company portal and can be installed. |
| **Scenario 3:**
The superseded app doesn't exist on the device. | The superseding app is installed. | The new app appears in the Company Portal. |
### Understand app update versus app replacement within supersedence
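Review bot: The rewritten Scenario 1 row introduces a subject-verb error: "the superseded app is uninstalled, and the superseding app are installed on the device" should read "and the superseding app is installed on the device". Scenario 2 still says "The superseding app will be installed" while Scenario 1 was moved to present tense; align the two rows, and the Scenario 2 cell "Whether the superseded app will be uninstalled or not is dependent on" can be "Whether the superseded app is uninstalled depends on".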
@@ -82,14 +82,14 @@ A *superseding app* is an app that updates or replaces other apps. A *superseded
Given that an app could have multiple superseded apps, it's possible for an app to update a set of apps while replacing another set of apps at the same time.
> [!NOTE]
-> End-users won't be able to check whether a specific Win32 app supersedence operation is an update or replacement in the Company Portal. In addition, when multiple apps supersede an app with available targeting in the Company Portal, the superseded app's details page will navigate to the app page of the first superseding app that was set up. For example, if app A is superseded by apps B and C, and app B supersedes app A first, then app A's detail page in the Company Portal will navigate to App B.
+> End-users won't be able to check whether a specific Win32 app supersedence operation is an update or replacement in the Company Portal. In addition, when multiple apps supersede an app with available targeting in the Company Portal, the superseded app's details page navigates to the app page of the first superseding app that was set up. For example, if app A is superseded by apps B and C, and app B supersedes app A first, then app A's detail page in the Company Portal will navigate to App B.
Understanding how supersedence is applied when updating an app versus replacing an app can be illustrated based on the following scenario.
| Customer scenario | Description | Expected behavior | Additional information |
|-|-|-|-|
| App update | IT admin wants to update an app with a newer version of the same app. | The installer of the newer version of the app (the superseding app) will automatically update the older version of the app to the newer version. | Since the installer completes the updating, it isn't necessary to send down an uninstall command to the older version. Hence, the Uninstall previous version is toggled off. |
-| App replacement | IT admin wants to replace an app with an entirely different app. | The superseded app is uninstalled and the superseding app will be installed. Both install and uninstall will be based on IT Pro’s defined install/uninstall command line. | Since the two apps are different, the admin can turn the Uninstall previous version toggle on to uninstall the older app from the device. |
+| App replacement | IT admin wants to replace an app with an entirely different app. | The superseded app is uninstalled and the superseding app will be installed. Both install and uninstall will be based on IT Pro's defined install/uninstall command line. | Since the two apps are different, the admin can turn the Uninstall previous version toggle on to uninstall the older app from the device. |
### Understand in-place app update versus supersedence app update
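Review bot: The NOTE change converts only the first "will navigate" to present tense; the example sentence that follows still ends "will navigate to App B", and it capitalizes "App B" where the rest of the sentence uses "app A" and "apps B and C". Suggest "then app A's detail page in the Company Portal navigates to app B." "End-users" at the start of the same line should be "End users" when used as a noun.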
@@ -129,12 +129,12 @@ For the purposes of this document, we assume that all apps are targeted (either
| Case | Resolution | Notes |
|-|-|-|
| ![Case supersedence example scenario 1](./media/apps-win32-supersedence/apps-win32-supersedence-03a.png) | **Scenario:** Neither app is detected on the device. A is superseded by B via app update.
**Result:** Install B. | App update means that admin chose not to uninstall the superseded app during the configuration stage. See above in the Supersedence Step in App Deployment. | -| ![Case supersedence example scenario 2](./media/apps-win32-supersedence/apps-win32-supersedence-03b.png) | **Scenario:** Only A is detected on the device. A is superseded by B via app update.
**Result:** Install B. | Since admin chose not to uninstall the previous version during configuration, A isn't explicitly uninstalled by Intune. A may be uninstalled based on the behavior of B’s installer. | +| ![Case supersedence example scenario 2](./media/apps-win32-supersedence/apps-win32-supersedence-03b.png) | **Scenario:** Only A is detected on the device. A is superseded by B via app update.
**Result:** Install B. | Since admin chose not to uninstall the previous version during configuration, A isn't explicitly uninstalled by Intune. A may be uninstalled based on the behavior of B's installer. | | ![Case supersedence example scenario 3](./media/apps-win32-supersedence/apps-win32-supersedence-03c.png) | **Scenario:** Only B is detected on the device. A is superseded by B via app update.
**Result:** Nothing. | Since B is already detected on the device, no action is taken. | | ![Case supersedence example scenario 4](./media/apps-win32-supersedence/apps-win32-supersedence-03d.png) | **Scenario:** Both apps are detected on the device. A is superseded by B via app update.
**Result:** Nothing. | Since B is already detected on the device, no action is taken. Admin chose not to uninstall the previous version when configuring, hence A isn't uninstalled. | | ![Case supersedence example scenario 5](./media/apps-win32-supersedence/apps-win32-supersedence-03e.png) | **Scenario:** Neither apps are detected on the device. A is superseded by B via app replacement.
**Result:** Install B. | App replacement means that admin chose to uninstall the superseded app during the configuration stage. See above in the Supersedence Step in App Deployment. | -| ![Case supersedence example scenario 6](./media/apps-win32-supersedence/apps-win32-supersedence-03f.png) | **Scenario:** Only A is detected on the device. A is superseded by B via app replacement.
**Result:** Uninstall A, then install B. | A will be uninstalled and once the agent detects that A is no longer present on the device, it installs B. If the detection continues to detect A as present, then the agent won’t install B. Whether B is installed on the device is predicated on whether A is detected on the device. | -| ![Case supersedence example scenario 7](./media/apps-win32-supersedence/apps-win32-supersedence-03g.png) | **Scenario:** Only B is detected on the device. A is superseded by B via app replacement.
**Result:** None | No actions are taken because B is already installed and A doesn’t exist on the device. | +| ![Case supersedence example scenario 6](./media/apps-win32-supersedence/apps-win32-supersedence-03f.png) | **Scenario:** Only A is detected on the device. A is superseded by B via app replacement.
**Result:** Uninstall A, then install B. | A will be uninstalled and once the agent detects that A is no longer present on the device, it installs B. If the detection continues to detect A as present, then the agent won't install B. Whether B is installed on the device is predicated on whether A is detected on the device. | +| ![Case supersedence example scenario 7](./media/apps-win32-supersedence/apps-win32-supersedence-03g.png) | **Scenario:** Only B is detected on the device. A is superseded by B via app replacement.
**Result:** None | No actions are taken because B is already installed and A doesn't exist on the device. | | ![Case supersedence example scenario 8](./media/apps-win32-supersedence/apps-win32-supersedence-03h.png) | **Scenario:** Both apps are detected on the device. A is superseded by B via app replacement.
**Result:** Uninstall A. | A is uninstalled as part of the app replacement process. Detection of a replaced app after the replacing app is already installed will incur a remediation enforcement. | ## Behavior for Chained Supersedence Scenarios @@ -151,11 +151,11 @@ To better understand the behavior of a supersedence chain, the following table p |-|-|-| | ![Case supersedence scenario 1](./media/apps-win32-supersedence/apps-win32-supersedence-04a.png) | **Scenario:** None of the apps exist on the device. The relationship between apps is one of app update.
**Result:** Install C. | Since none of the apps exist on the device, we install the superseding app: App C. The superseding app refers to the app that supersedes all other apps in the chain. | | ![Case supersedence scenario 2](./media/apps-win32-supersedence/apps-win32-supersedence-04b.png) | **Scenario:** Only Apps A and C exist on the device. The relationship between apps is one of app update.
**Result:** None. | Since App C already exists on the device and this is an app update scenario, App A isn't uninstalled. | -| ![Case supersedence scenario 3](./media/apps-win32-supersedence/apps-win32-supersedence-04c.png) | **Scenario:** Only App A exists on the device. The relationship between apps is one of app update.
**Result:** Install C. | Simply install App C. App A isn't uninstalled because it's an app update scenario. C’s installer may or may not have behavior to remove A, where "remove" means A is no longer detected via its detection rules (usually due to version detection). | -| ![Case supersedence scenario 4](./media/apps-win32-supersedence/apps-win32-supersedence-04d.png) | **Scenario:** Only App C exists on the device. The relationship between apps is one of app update.
**Result:** None. | Since App C, the superseding app, already exists on the device, and this is an app update scenario, no action is taken. | -| ![Case supersedence scenario 5](./media/apps-win32-supersedence/apps-win32-supersedence-04e.png) | **Scenario:** None of the apps exist on the device. The relationship between apps is one of app replacement.
**Result:** Install C. | Since none of the apps exist on the device, simply install the superseding app, App C. | -| ![Case supersedence scenario 6](./media/apps-win32-supersedence/apps-win32-supersedence-04f.png) | **Scenario:** Apps A and C exist on the device. The relationship between apps is one of app replacement.
**Result:** Uninstall A. | Since App C exists on the device and this is an app replacement scenario, simply uninstall App A. | -| ![Case supersedence scenario 7](./media/apps-win32-supersedence/apps-win32-supersedence-04g.png) | **Scenario:** Only App A exists on the device. The relationship between apps is one of app replacement.
**Result:** Uninstall A, then install C. | Since this is an app replacement scenario, App A is uninstalled and App C, the superseding app, is installed. | +| ![Case supersedence scenario 3](./media/apps-win32-supersedence/apps-win32-supersedence-04c.png) | **Scenario:** Only App A exists on the device. The relationship between apps is one of app update.
**Result:** Install C. | Install App C. App A isn't uninstalled because it's an app update scenario. C's installer may or may not have behavior to remove A, where "remove" means A is no longer detected via its detection rules (due to version detection). | +| ![Case supersedence scenario 4](./media/apps-win32-supersedence/apps-win32-supersedence-04d.png) | **Scenario:** Only App C exists on the device. The relationship between apps is one of app update.
**Result:** None. | Since App C, the superseding app, already exists on the device, and this case is an app update scenario, no action is taken. | +| ![Case supersedence scenario 5](./media/apps-win32-supersedence/apps-win32-supersedence-04e.png) | **Scenario:** None of the apps exist on the device. The relationship between apps is one of app replacement.
**Result:** Install C. | Since none of the apps exist on the device, install the superseding app, App C. | +| ![Case supersedence scenario 6](./media/apps-win32-supersedence/apps-win32-supersedence-04f.png) | **Scenario:** Apps A and C exist on the device. The relationship between apps is one of app replacement.
**Result:** Uninstall A. | Since App C exists on the device and this case is an app replacement scenario, uninstall App A. | +| ![Case supersedence scenario 7](./media/apps-win32-supersedence/apps-win32-supersedence-04g.png) | **Scenario:** Only App A exists on the device. The relationship between apps is one of app replacement.
**Result:** Uninstall A, then install C. | Since this case is an app replacement scenario, App A is uninstalled and App C, the superseding app, is installed. | | ![Case supersedence scenario 8](./media/apps-win32-supersedence/apps-win32-supersedence-04h.png) | **Scenario:** Only App C exists on the device. The relationship between apps is one of app replacement.
**Result:** None. | Since the superseding app, App C, exists on the device and none of the other superseded apps exist, no action is taken. |
## Supersedence Limitations
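Review bot: In the scenario 3 row (`+| ![Case supersedence scenario 3]`), replacing "usually due to version detection" with "(due to version detection)" turns a hedge into an absolute, and it is not always true: whether C's installer makes A undetected depends on A's detection rule, which can be a file, registry, or script rule rather than a version check. Keep the hedge, for example "typically because the version detection rule for A no longer matches". The rest of the hunk is wording only ("Simply install" to "Install", "this is" to "this case is") and reads fine.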
@@ -200,7 +200,18 @@ The first available check-in will commonly happen between 1-8 hours after the as
### Auto-update limitations
-The maximum number of superseding apps a Win32 app can have is 10. User must be logged in to the device to receive the superseding app.
+A Win32 app can have a maximum of 10 superseding apps. User must be logged in to the device to receive the superseding app.
+
+When an app is targeted with available intent to a group that contains the user, and the user requested the app install from the Company Portal, Intune creates a device based assignment to track both the user consent and internal targeting to process the app during check-in. This device based assignment is used to install the app on the devices. However, in situations where the targeting changes during the lifecycle of the app, a few scenarios can occur. If you take any of the following actions once the app is already installed on the device, Intune will remove user consent and the app will no longer be targeted with available intent:
+
+1. You remove the user from the Group membership of the targeted group in the Microsoft Entra admin center.
+2. You removed the assignment to the targeted group.
+3. You changed the intent of the app from **Available** to something else. For example, you could change the intent to **Unintall** or **Exclude**.
+
+It’s important to note that even if you re-target the app with **Available** intent later, the auto-update supersedence won't occur because user consent has been removed.
+
+> [!NOTE]
+> The **Uninstall** intent takes precedence over **Available** intent.
### Auto-update retry behavior
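Review bot: Item 3 of the new list has a typo, `**Unintall**` should be `**Uninstall**`, and the three items mix tenses ("You remove", "You removed", "You changed"); use present tense throughout. In the first added line, "User must be logged in to the device" reads better as "A user must be signed in to the device", and "device based assignment" should be hyphenated as "device-based assignment". In the paragraph starting "It’s important to note", the curly apostrophe should be a straight one to match the rest of the file. One content question for the same paragraph: since re-targeting with Available intent does not restore auto-update once consent is removed, it would help admins to state what does (for instance, whether the user must request the app again from the Company Portal), otherwise the paragraph describes a dead end without a way out.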
@@ -214,9 +225,9 @@ Below are specific cases where app B has been created to supersede app A.
|---|---|---|
| App A is still present on the device. | The upgrade is already triggered after first available check-in, but before app B gets installed on the device, the admin removes the relationship between app A and app B, making them independent apps. | During the second available check-in, both apps are sent down to the device and app B will be installed as an independent app. |
| Auto update setting changes | The upgrade is already triggered after first available check-in, but before app B gets installed on the device, the admin changes the auto-update setting for app B to false. | During the second available check-in, app B is sent down to the device and app A will be upgraded with app B on the device. |
-| Uninstall superseded app after superseding app entities created | The upgrade is already triggered after first available check-in, but before app B gets installed on the device, the user requests an uninstall of app A and app A is removed from the device. | During the second available check-in, app B will be sent down to the device and app A will be upgraded with app B on the device. |
+| Uninstall superseded app after superseding app entities created | The upgrade is already triggered after first available check-in, but before app B gets installed on the device, the user requests an uninstall of app A and app A is removed from the device. | During the second available check-in, app B is sent down to the device and app A will be upgraded with app B on the device. |
| Uninstall after supersedence update | App A was auto-updated to app B, but app A wasn't removed from the device. Later, the user requests an uninstall of app B from the device and app B is uninstalled successfully. | App A is still present on the device. |
-| Upgrade failure | Intune attempts to auto-update app A to app B but the installation of app B failed and app A was already removed from the device. | Users won't be able to reinstall app A from the Company Portal as it’s superseded by app B, but are able to try to reinstall app B from the Company Portal. |
+| Upgrade failure | Intune attempts to auto-update app A to app B but the installation of app B failed and app A was already removed from the device. | Users won't be able to reinstall app A from the Company Portal as it's superseded by app B, but are able to try to reinstall app B from the Company Portal. |
## Next steps
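Review bot: The edited row (`+| Uninstall superseded app after superseding app entities created`) changes "will be sent down" to "is sent down" but leaves "app A will be upgraded with app B" in the same cell, and the untouched row above it still says "app B will be installed"; make the tense consistent across the table rather than in one cell. In the "Upgrade failure" row, the only edit is the apostrophe, but the row would benefit from stating the resulting device state explicitly (neither app A nor app B is present until the user retries app B), since that is the condition an admin has to recognize from reporting.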
diff --git a/memdocs/intune/apps/company-portal-app.md b/memdocs/intune/apps/company-portal-app.md
index 85c0d5c8b38..a48a34c6099 100644
--- a/memdocs/intune/apps/company-portal-app.md
+++ b/memdocs/intune/apps/company-portal-app.md
@@ -8,7 +8,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 06/07/2024
+ms.date: 12/20/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: apps
@@ -43,7 +43,7 @@ The Company Portal apps, Company Portal website, and Intune app on Android are w
## Customizing the user experience
-By customizing the end-user experience, you will help to provide a familiar and helpful experience for your end users. To do this, sign in as an [Intune administrator](../fundamentals/users-add.md#types-of-administrators). Navigate to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Tenant Administration** > **Customization** where you can either edit the default policy or create up to 10 user group targeted policies. Note that targeting policies to device groups is not supported. These settings will apply to the Company Portal apps, Company Portal website, and Intune app on Android.
+By customizing the end-user experience, you will help to provide a familiar and helpful experience for your end users. To do this, sign in as an [Intune administrator](../fundamentals/users-add.md#types-of-administrators). Navigate to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Tenant Administration** > **Customization** where you can either edit the default policy or create up to 25 user group targeted policies. Note that targeting policies to device groups is not supported. These settings will apply to the Company Portal apps, Company Portal website, and Intune app on Android.
## Branding
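Review bot: The changed sentence ("either edit the default policy or create up to 25 user group targeted policies") raises the limit from 10 to 25 without saying whether the 25 is per tenant and whether it is in addition to the default policy; state both, since the limit is the fact this edit exists to document. Also consider tightening "you will help to provide a familiar and helpful experience" to "you provide a familiar experience" while the line is being touched.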
diff --git a/memdocs/intune/apps/data-transfer-between-apps-manage-ios.md b/memdocs/intune/apps/data-transfer-between-apps-manage-ios.md
index c3315c79a4a..76cc80051dd 100644
--- a/memdocs/intune/apps/data-transfer-between-apps-manage-ios.md
+++ b/memdocs/intune/apps/data-transfer-between-apps-manage-ios.md
@@ -8,7 +8,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 02/27/2024
+ms.date: 11/20/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: apps
@@ -49,7 +49,9 @@ Use App protection policies with the iOS **Open-in management** feature to prote
- **Devices managed by MDM solutions**: For devices enrolled in Intune or third-party MDM solutions, data sharing between apps with app protection policies and other managed iOS apps deployed through MDM is controlled by Intune APP policies and the iOS **Open-in management** feature. To make sure that apps you deploy using a MDM solution are also associated with your Intune app protection policies, configure the user UPN setting as described in the following section, [Configure user UPN setting](data-transfer-between-apps-manage-ios.md#configure-user-upn-setting-for-microsoft-intune-or-third-party-emm). To specify how you want to allow data transfer to other *policy managed apps* and iOS managed apps, configure **Send org data to other apps** setting to **Policy managed apps with OS sharing**. To specify how you want to allow an app to receive data from other apps, enable **Receive data from other apps** and then choose your preferred level of receiving data. For more information about receiving and sharing app data, see [Data relocation settings](app-protection-policy-settings-ios.md#data-protection).
## Configure user UPN setting for Microsoft Intune or third-party EMM
-Configuring the user UPN setting is **required** for devices that are managed by Intune or a third-party EMM solution to identify the enrolled user account for the sending *policy managed app* when transferring data to an iOS managed app. The UPN configuration works with the app protection policies you deploy from Intune. The following procedure is a general flow on how to configure the UPN setting and the resulting user experience:
+Configuring the user UPN setting is **required** for devices that are managed by Intune or a third-party EMM solution to identify the enrolled user account for the sending *policy managed app* when transferring data to an iOS managed app. For more information about required app configuration settings, see [Device Management types](../apps/app-protection-policies.md#device-management-types). The UPN configuration works with the app protection policies you deploy from Intune.
+
+The following procedure is a general flow on how to configure the UPN setting and the resulting user experience:
1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), [create and assign an app protection policy](app-protection-policies.md) for iOS/iPadOS. Configure policy settings per your company requirements and select the iOS apps that should have this policy.
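Review bot: The new cross-reference is written as "[Device Management types]" while the later edit in this file refers to the same anchor as "device management type"; use one capitalization for the term. The split-off sentence "The following procedure is a general flow on how to configure the UPN setting" reads better as "The following procedure outlines the general flow for configuring the UPN setting". In the unchanged context line above, "a MDM solution" should be "an MDM solution".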
@@ -77,7 +79,7 @@ Configuring the user UPN setting is **required** for devices that are managed by
1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) or your third-party MDM provider. Go to the section of the admin center in which you deploy application configuration settings to enrolled iOS devices.
-2. In the Application Configuration section, enter the following setting for each *policy managed app* that will transfer data to iOS managed apps:
+2. In the Application Configuration section, enter the following setting for each *policy managed app* that will transfer data to iOS managed apps, except for apps that are automatically configured based on [device management type](../apps/app-protection-policies.md#device-management-types):
**key** = IntuneMAMUPN, **value** = |
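Review bot: In the changed step 2, the value after `**value** =` is empty as shown here; if the placeholder is the user's UPN written in angle brackets, it is being swallowed as an HTML tag and will not render, so wrap it in backticks or spell it out as text. The added exception ("except for apps that are automatically configured based on device management type") is useful, but tell the reader which apps those are or what to check, otherwise they cannot tell whether to configure the key for a given app.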
- |**Subject alternative name** | |
+ |**Subject alternative name** |All |For *Attribute*, select **User principal name (UPN)** unless otherwise required, configure a corresponding *Value*, and then select **Add**.
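Review bot: The new table row (`+ |**Subject alternative name** |All |For *Attribute*, select **User principal name (UPN)** ...`) is missing the closing `|` and has a leading space that the other rows in the table presumably do not, so check that it renders as a row. "unless otherwise required" gives the reader no way to know when a different attribute is required; either name the cases that need another attribute or drop the qualifier.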
**inprivate** disables InPrivate browsing
**autofill** disables "Save and Fill Addresses" and "Save and Fill Payment info". Autofill will be disabled even for previously saved information
**translator** disables translator
**readaloud** disables read aloud
**drop** disables drop
**coupons** disables coupons
**extensions** disables extensions (Edge for Android only)
**developertools** grays out the build version numbers to prevent users from accessing Developer options (Edge for Android only)
**UIRAlert** suppress re-verify account popups in new tab page screen
**share** disables Share under menu
**sendtodevices** disables Send to devices under menu
**weather** disables weather in NTP (New Tab Page)
To disable multiple features, separate values with `|`. For example, `inprivate|password` disables both InPrivate and password storage. |
+|com.microsoft.intune.mam.managedbrowser.disabledFeatures|**password** disables prompts that offer to save passwords for the end user
**inprivate** disables InPrivate browsing
**autofill** disables "Save and Fill Addresses" and "Save and Fill Payment info". Autofill will be disabled even for previously saved information
**translator** disables translator
**readaloud** disables read aloud
**drop** disables drop
**coupons** disables coupons
**extensions** disables extensions (Edge for Android only)
**developertools** grays out the build version numbers to prevent users from accessing Developer options (Edge for Android only)
**UIRAlert** suppress re-verify account popups in new tab page screen
**share** disables Share under menu
**sendtodevices** disables Send to devices under menu
**weather** disables weather in NTP (New Tab Page)
**webinspector** disables Web Inspector setting (Edge for iOS only)
To disable multiple features, separate values with `|`. For example, `inprivate|password` disables both InPrivate and password storage. |
#### Disable import passwords feature
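Review bot: The new `**webinspector**` entry says only "disables Web Inspector setting (Edge for iOS only)"; unlike the `developertools` entry, it does not say what the setting exposes, and admins deciding whether to add it to `disabledFeatures` need that. One clause would do, for example that Web Inspector allows page content in the app to be inspected from a connected Mac's developer tools, which is why it is relevant to a managed browser. While the cell is being rewritten, "**UIRAlert** suppress re-verify account popups" should read "suppresses".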
@@ -561,8 +561,8 @@ Use the following key/value pairs to configure either an allowed or blocked site
|:--|:----|
|com.microsoft.intune.mam.managedbrowser.AllowListURLs
This policy name has been replaced by the UI of **Allowed URLs** under Edge Configuration settings|The corresponding value for the key is a list of URLs. You enter all the URLs you want to allow as a single value, separated by a pipe `|` character.
**Examples:**
`URL1|URL2|URL3`
`http://www.contoso.com/|https://www.bing.com/|https://expenses.contoso.com` |
|com.microsoft.intune.mam.managedbrowser.BlockListURLs
This policy name has been replaced by the UI of **Blocked URLs** under Edge Configuration settings|The corresponding value for the key is a list of URLs. You enter all the URLs you want to block as a single value, separated by a pipe `|` character.
**Examples:**
`URL1|URL2|URL3`
`http://www.contoso.com/|https://www.bing.com/|https://expenses.contoso.com` |
-|com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock |**true** (default) allows Edge for iOS and Android to transition restricted sites. When personal accounts aren't disabled, users are prompted to either switch to the personal context to open the restricted site, or to add a personal account. If com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked is set to true, users have the capability of opening the restricted site in the InPrivate context.
**false** prevents Edge for iOS and Android from transitioning users. Users are simply shown a message stating that the site they are trying to access is blocked. |
-|com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked
This policy name has been replaced by the UI of **Redirect restricted sites to personal context** under Edge Configuration settings |**true** allows restricted sites to be opened in the Microsoft Entra account's InPrivate context. If the Microsoft Entra account is the only account configured in Edge for iOS and Android, the restricted site is opened automatically in the InPrivate context. If the user has a personal account configured, the user is prompted to choose between opening InPrivate or switch to the personal account.
**false** (default) requires the restricted site to be opened in the user's personal account. If personal accounts are disabled, then the site is blocked.
In order for this setting to take effect, com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock must be set to true. |
+|com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock
This policy name has been replaced by the UI of **Redirect restricted sites to personal context** under Edge Configuration settings|**true** (default) allows Edge for iOS and Android to transition restricted sites. When personal accounts aren't disabled, users are prompted to either switch to the personal context to open the restricted site, or to add a personal account. If com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked is set to true, users have the capability of opening the restricted site in the InPrivate context.
**false** prevents Edge for iOS and Android from transitioning users. Users are simply shown a message stating that the site they are trying to access is blocked. |
+|com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked |**true** allows restricted sites to be opened in the Microsoft Entra account's InPrivate context. If the Microsoft Entra account is the only account configured in Edge for iOS and Android, the restricted site is opened automatically in the InPrivate context. If the user has a personal account configured, the user is prompted to choose between opening InPrivate or switch to the personal account.
**false** (default) requires the restricted site to be opened in the user's personal account. If personal accounts are disabled, then the site is blocked.
In order for this setting to take effect, com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock must be set to true. |
|com.microsoft.intune.mam.managedbrowser.durationOfOpenInPrivateSnackBar | Enter the number of seconds that users will see the snack bar notification "Access to this site is blocked by your organization. We’ve opened it in InPrivate mode for you to access the site." By default, the snack bar notification is shown for 7 seconds.|
The following sites except copilot.microsoft.com are always allowed regardless of the defined allow list or block list settings:
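Review bot: Moving the "replaced by the UI of **Redirect restricted sites to personal context**" note from `openInPrivateIfBlocked` to `AllowTransitionOnBlock` is consistent with the descriptions (the former controls the InPrivate option, the latter the transition to the personal context), but the `openInPrivateIfBlocked` row still ends with "com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock must be set to true"; now that the key is configured through the UI, name the UI setting there as well so an admin working from Edge Configuration settings knows which toggle must be on. The new `AllowTransitionOnBlock` row also lacks the space before the cell separator ("settings|**true**") that the other rows use.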
@@ -590,6 +590,18 @@ You can configure a policy to enhance users' experience. This policy is recommen
|:--|:----|
|com.microsoft.intune.mam.managedbrowser.ProfileAutoSwitchToWork |**1**: (Default) Switch to work profile even if the URL is blocked by Edge policy.
**2**: The blocked URLs will open under personal profile if personal profile is signed in. If personal profile is not signed in, the blocked URL will opened in InPrivate mode. |
+#### Manage Sub Resource Blocking
+By default, AllowListURLs and BlockListURLs apply only at the navigation level. When you embed blocked URLs (either URLs configured in BlockListURLs or URLs not configured in AllowListURLs) as sub resources within a web page, those sub resource URLs are not blocked.
+
+To further restrict these sub resources, you can configure a policy to block the sub resource URLs.
+
+|Key |Value |
+|:--|:----|
+|com.microsoft.intune.mam.managedbrowser.ManageRestrictedSubresourceEnabled |**false**: (Default) Sub resource URLs will not be blocked even if the sub resource URLs are blocked.
**true**: Sub resource URLs will be blocked if they are listed as blocked. |
+
+> [!NOTE]
+> It is recommended to use this policy in conjunction with BlockListURLs. If used with AllowListURLs, ensure that all sub resource URLs are included in the AllowListURLs. Otherwise, some sub resources may fail to load
+
#### URL formats for allowed and blocked site list
You can use various URL formats to build your allowed/blocked sites lists. These permitted patterns are detailed in the following table.
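Review bot: The `**false**` description in the new table is circular ("Sub resource URLs will not be blocked even if the sub resource URLs are blocked"); say what it means: sub resource URLs load even when they match BlockListURLs or fall outside AllowListURLs. Since `false` is the default, the section should also state plainly that, by default, a page on an allowed site can still embed content from blocked origins, so the allow/block list on its own is a navigation control and not a content control; the first paragraph implies this but an admin skimming the table will miss it. Spell "sub resource" consistently ("subresource" or "sub-resource", including the heading), and the NOTE ("Otherwise, some sub resources may fail to load") is missing its full stop.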
@@ -600,7 +612,8 @@ You can use various URL formats to build your allowed/blocked sites lists. These
- You can specify port numbers in the address. If you do not specify a port number, the values used are:
- Port 80 for http
- Port 443 for https
-- Using wildcards for the port number is **not** supported. For example, `http://www.contoso.com:*` and `http://www.contoso.com:*/` aren't supported.
+- Using wildcards for the port number is supported in Edge for iOS only. For example, you can specify `http://www.contoso.com:*` and `http://www.contoso.com:*/`.
+- Specifying IPv4 addresses with CIDR notation is supported. For example, you can specify 127.0.0.1/24 (a range of IP addresses).
|URL |Details |Matches |Does not match |
|:----|:-------|:----------|:----------------|
@@ -613,17 +626,17 @@ You can use various URL formats to build your allowed/blocked sites lists. These
|`http://www.contoso.com:80`|Matches a single page, by using a port number |`www.contoso.com:80`| |
|`https://www.contoso.com`|Matches a single, secure page|`www.contoso.com`|`www.contoso.com/images`|
|`http://www.contoso.com/images/*` |Matches a single folder and all subfolders |`www.contoso.com/images/dogs`
`www.contoso.com/images/cats` | `www.contoso.com/videos`|
-
-- The following are examples of some of the inputs that you can't specify:
+ |`http://contoso.com:*` |Matches any port number for a single page |`contoso.com:80`
`contoso.com:8080` | |
+ |`10.0.0.0/24` |Matches a range of IP addresses from 10.0.0.0 to 10.0.0.255 |`10.0.0.0`
`10.0.0.100`| `192.168.1.1`|
+
+ - The following are examples of some of the inputs that you can't specify:
- `*.com`
- `*.contoso/*`
- `www.contoso.com/*images`
- `www.contoso.com/*images*pigs`
- `www.contoso.com/page*`
- - IP addresses
- `https://*`
- `http://*`
- - `http://www.contoso.com:*`
- `http://www.contoso.com: /*`
### Disable Edge internal pages
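Review bot: The CIDR example in the new bullet, `127.0.0.1/24`, is a loopback address and is not on a /24 boundary (the network would be `127.0.0.0/24`); use the `10.0.0.0/24` example that the table row below already uses. The new `http://contoso.com:*` row should carry the "Edge for iOS only" caveat from the bullet above it, and because port wildcards stay unsupported on Android, `http://www.contoso.com:*` should remain in the "can't specify" list with an Android qualifier rather than being deleted. Removing "IP addresses" from the unsupported list while only "IPv4 addresses with CIDR notation" is declared supported leaves it unclear whether a bare IPv4 address or any IPv6 form is accepted; say so explicitly. Finally, the re-added "- The following are examples" line now has a leading space, which nests the list under the table instead of restoring it at the previous level.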
@@ -792,15 +805,27 @@ For a list of the settings stored in the app logs, see [Review client app protec
## Diagnostic logs
-Besides Intune logs from `edge://intunehelp/`, you may be asked by Microsoft Support to provide diagnostic logs of Microsoft Edge for iOS and Android. You can download the logs to local devices and share them to Microsoft Support. To download the logs to local devices:
+In additional to Intune logs from `edge://intunehelp/`, you may be asked by Microsoft Support to provide diagnostic logs of Microsoft Edge for iOS and Android. You can either upload the logs to Microsoft server or save them locally and share them directly with Microsoft Support.
-1.Open **Help and feedback** from overflow menu
+### Upload logs to Microsoft server
+Follow these steps to upload logs to Microsoft server:
+1. Reproduce the issue.
+2. Open the overflow menu by selecting the hamburger icon at the bottom-right corner.
+3. Swipe left and select **Help and feedback**.
+4. In the **Describe what's happening section**, provide details about the issue so the support team can identify the relevant logs.
+5. Upload the logs to Microsoft server by selecting the button at the top-right corner.
-2.Click **diagnostic data**
-3.For Microsoft Edge for iOS, click the **Share** icon on the top right. The OS sharing dialog will be displayed. You can choose to save the logs to local or share with other apps. For Microsoft Edge for Android, click sub menu on the top right corner to save logs. The logs will be stored to folder **Download** -> **Edge**.
+### Save logs locally and share directly with Microsoft Support
+Follow these steps to save logs locally and share them:
+1. Reproduce the issue.
+2. Open overflow menu by selecting on the hamburger menu on the bottom-right corner.
+3. Swipe left and select **Help and feedback**.
+4. Select **diagnostic data**.
+6. For Microsoft Edge for iOS, tap the **Share** icon at the top-right corner. The OS sharing dialog will appear, allowing you to save the logs locally or share them via other apps.
+For Microsoft Edge for Android, open the submenu in the top-right corner and select the option to save logs. The logs will be saved in the **Download** > **Edge** folder.
-You may also want to click the **Clear** icon to clear logs first in order to get refresh logs.
+If you want to clear the old logs, select the **Clear** icon at the top-right when selecting **diagnostic data**. Then, reproduce the issue again to ensure that only fresh logs are captured.
> [!NOTE]
> Saving logs also respects the Intune App Protection Policy. Therefore, you may not be allowed to save diagnostic data to local devices.
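Review bot: "In additional to Intune logs" in the rewritten intro should be "In addition to Intune logs", and "Microsoft server" (used in the heading, the intro and step 5) should be "Microsoft" or "Microsoft servers". In the "Save logs locally" list the numbering jumps from 4 to 6, and the Android instructions on the following line need to be indented under that step or made a step of their own. Step 5 of the upload procedure says "selecting the button at the top-right corner" without naming the button; name it as the other steps do. The NOTE at the end says only that saving logs respects the app protection policy; since this change adds an upload path, say whether the upload is also subject to the policy, because that is the question an admin with a restrictive data-transfer policy will ask.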
diff --git a/memdocs/intune/apps/manage-microsoft-office.md b/memdocs/intune/apps/manage-microsoft-office.md
index 757629b2953..cb60445832d 100644
--- a/memdocs/intune/apps/manage-microsoft-office.md
+++ b/memdocs/intune/apps/manage-microsoft-office.md
@@ -40,10 +40,10 @@ Microsoft 365 (Office) for iOS and Android delivers several key benefits includi
- Integrating Microsoft Lens technology to unlock the power of the camera with capabilities like converting images into editable Word and Excel documents, scanning PDFs, and capturing whiteboards with automatic digital enhancements to make the content easier to read.
- Adding new functionality for common tasks people often encounter when working on a phone—things like making quick notes, signing PDFs, scanning QR codes, and transferring files between devices.
-The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft Intune and Microsoft Entra ID P1 or P2 features, such as conditional access. At a minimum, you will want to deploy a conditional access policy that allows connectivity to Microsoft 365 (Office) for iOS and Android from mobile devices and an Intune app protection policy that ensures the collaboration experience is protected.
+The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft Intune and Microsoft Entra ID P1 or P2 features, such as Conditional Access. At a minimum, you will want to deploy a Conditional Access policy that allows connectivity to Microsoft 365 (Office) for iOS and Android from mobile devices and an Intune app protection policy that ensures the collaboration experience is protected.
## Apply Conditional Access
-Organizations can use Microsoft Entra Conditional Access policies to ensure that users can only access work or school content using Microsoft 365 (Office) for iOS and Android. To do this, you will need a conditional access policy that targets all potential users. These policies are described in [Conditional Access: Require approved client apps or app protection policy](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection).
+Organizations can use Microsoft Entra Conditional Access policies to ensure that users can only access work or school content using Microsoft 365 (Office) for iOS and Android. To do this, you will need a Conditional Access policy that targets all potential users. These policies are described in [Conditional Access: Require approved client apps or app protection policy](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection).
1. Follow the steps in [Require approved client apps or app protection policy with mobile devices](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection#require-approved-client-apps-or-app-protection-policy-with-mobile-devices), which allows Microsoft 365 (Office) for iOS and Android, but blocks third-party OAuth capable mobile device clients from connecting to Microsoft 365 endpoints.
@@ -51,7 +51,7 @@ Organizations can use Microsoft Entra Conditional Access policies to ensure that
> This policy ensures mobile users can access all Microsoft 365 endpoints using the applicable apps.
> [!NOTE]
-> To leverage app-based conditional access policies, the Microsoft Authenticator app must be installed on iOS devices. For Android devices, the Intune Company Portal app is required. For more information, see [App-based Conditional Access with Intune](../protect/app-based-conditional-access-intune.md).
+> To leverage app-based Conditional Access policies, the Microsoft Authenticator app must be installed on iOS devices. For Android devices, the Intune Company Portal app is required. For more information, see [App-based Conditional Access with Intune](../protect/app-based-conditional-access-intune.md).
## Create Intune app protection policies
diff --git a/memdocs/intune/apps/manage-microsoft-teams.md b/memdocs/intune/apps/manage-microsoft-teams.md
index 665a5fb776d..f5d9fa40091 100644
--- a/memdocs/intune/apps/manage-microsoft-teams.md
+++ b/memdocs/intune/apps/manage-microsoft-teams.md
@@ -36,14 +36,14 @@ ms.collection:
Microsoft Teams is the hub for team collaboration in Microsoft 365 that integrates the people, content, and tools your team needs to be more engaged and effective.
-The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft Intune and Microsoft Entra ID P1 or P2 features, such as conditional access. At a minimum, you'll want to deploy a conditional access policy that allows connectivity to Teams for iOS and Android from mobile devices and an Intune app protection policy that ensures the collaboration experience is protected.
+The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft Intune and Microsoft Entra ID P1 or P2 features, such as Conditional Access. At a minimum, you'll want to deploy a Conditional Access policy that allows connectivity to Teams for iOS and Android from mobile devices and an Intune app protection policy that ensures the collaboration experience is protected.
## Apply Conditional Access
-Organizations can use Microsoft Entra Conditional Access policies to ensure that users can only access work or school content using Teams for iOS and Android. To do this, you will need a conditional access policy that targets all potential users. These policies are described in [Conditional Access: Require approved client apps or app protection policy](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection).
+Organizations can use Microsoft Entra Conditional Access policies to ensure that users can only access work or school content using Teams for iOS and Android. To do this, you will need a Conditional Access policy that targets all potential users. These policies are described in [Conditional Access: Require approved client apps or app protection policy](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection).
> [!NOTE]
-> To leverage app-based conditional access policies, the Microsoft Authenticator app must be installed on iOS devices. For Android devices, the Intune Company Portal app is required. For more information, see [App-based Conditional Access with Intune](../protect/app-based-conditional-access-intune.md).
+> To leverage app-based Conditional Access policies, the Microsoft Authenticator app must be installed on iOS devices. For Android devices, the Intune Company Portal app is required. For more information, see [App-based Conditional Access with Intune](../protect/app-based-conditional-access-intune.md).
Follow the steps in [Require approved client apps or app protection policy with mobile devices](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection#require-approved-client-apps-or-app-protection-policy-with-mobile-devices), which allows Teams for iOS and Android, but blocks third-party OAuth capable mobile device clients from connecting to Microsoft 365 endpoints.
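Review bot: the context line `Follow the steps in [...], which allows Teams for iOS and Android, but blocks third-party OAuth capable mobile device clients from connecting to Microsoft 365 endpoints.` needs a hyphen in the compound modifier, `OAuth-capable`; since this hunk already touches the section for the `Conditional Access` capitalization, fix it here. The capitalization changes themselves are consistent with the rest of the patch.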
diff --git a/memdocs/intune/apps/manage-without-gms.md b/memdocs/intune/apps/manage-without-gms.md
index bfea7580abe..4b92cde69ef 100644
--- a/memdocs/intune/apps/manage-without-gms.md
+++ b/memdocs/intune/apps/manage-without-gms.md
@@ -37,10 +37,8 @@ Microsoft Intune uses Google Mobile Services (GMS) to communicate with the Micro
> [!NOTE]
> These GMS related limitations also apply to Device Administrator management and Android (AOSP) Management.
-> [!NOTE]
-> Microsoft Intune is ending support for [Android device administrator management](../enrollment/android-enroll-device-administrator.md) on devices with access to Google Mobile Services (GMS) on December 31, 2024. After that date, device enrollment, technical support, bug fixes, and security fixes will be unavailable.
-> For devices running Android 15 or earlier that don't have access GMS (excluding Microsoft Teams certified Android devices), Intune will continue allowing device administrator enrollment and will maintain limited support, since Android Enterprise management is unavailable to these devices. However, device administrator use on these devices is still not recommended, since Google's device administrator deprecation means there could be future functionality impact outside Intune's ability to mitigate.
-> For more information, and to learn about alternatives to device administrator, see [Ending support for Android device administrator on GMS devices](https://techcommunity.microsoft.com/t5/intune-customer-success/microsoft-intune-ending-support-for-android-device-administrator/ba-p/3915443).
+[!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)]
+
## Install the Intune Company Portal app without access to the Google Play Store
### For users outside of People's Republic of China
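Review bot: the include file referenced at `+[!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)]` is not part of this diff, so confirm it exists and carries the content being removed here (the December 31, 2024 end-of-support date, the Android 15-or-earlier non-GMS exception, and the link to the ending-support announcement); otherwise this page silently loses that guidance. Also check that a blank line separates the preceding `> [!NOTE]` blockquote from the include line: as displayed there is none between `> These GMS related limitations also apply to Device Administrator management and Android (AOSP) Management.` and the include, and a line directly following a blockquote is lazily continued into it by Markdown renderers.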
diff --git a/memdocs/intune/apps/media/apps-win32-app-management/apps-win32-app-11.png b/memdocs/intune/apps/media/apps-win32-app-management/apps-win32-app-11.png
new file mode 100644
index 00000000000..3b2b59fca6f
Binary files /dev/null and b/memdocs/intune/apps/media/apps-win32-app-management/apps-win32-app-11.png differ
diff --git a/memdocs/intune/apps/protect-mam-windows.md b/memdocs/intune/apps/protect-mam-windows.md
index 667771bb9c6..1e2c3612388 100644
--- a/memdocs/intune/apps/protect-mam-windows.md
+++ b/memdocs/intune/apps/protect-mam-windows.md
@@ -42,7 +42,7 @@ You can enable protected Mobile Application Management (MAM) access to org data
- Application Protection Conditional Access to ensure the device is protected and healthy before granting protected service access via Microsoft Entra ID
> [!NOTE]
-> Intune Mobile Application Management (MAM) for Windows is available for Windows 10, build 19045.3636, KB5031445 or later and Windows 11, build 10.0.22621.2506, KB5031455 (22H2) or later. This includes the supporting changes for Microsoft Intune (2309 release), Microsoft Edge (v117 stable branch and later for Windows 11 and v118.0.2088.71 and later for Windows 11) and Windows Security Center (v 1.0.2310.2002 and later). App Protection Conditional Access is generally available.
+> Intune Mobile Application Management (MAM) for Windows is available for Windows 10, build 19045.3636, KB5031445 or later and Windows 11, build 10.0.22621.2506, KB5031455 (22H2) or later. This includes the supporting changes for Microsoft Intune (2309 release), Microsoft Edge (v117 stable branch and later for Windows 11 and v118.0.2088.71 and later for Windows 10) and Windows Security Center (v 1.0.2310.2002 and later). App Protection Conditional Access is generally available.
>
> Windows MAM is supported in government cloud environments. For related information, see [Deploying apps using Intune on the GCC High and DoD Environments](../apps/apps-deploy-gcc-dod.md).
>
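Review bot: the corrected NOTE still has a formatting slip in the same sentence: `Windows Security Center (v 1.0.2310.2002 and later)` has a stray space after `v`, unlike `v117` and `v118.0.2088.71` beside it. While touching this line, consider giving the two Windows builds the same form (`build 19045.3636` versus `build 10.0.22621.2506`), so readers comparing against the build their device reports are not misled by the mixed notation. The Windows 11 to Windows 10 correction for the v118 branch is right and makes the sentence internally consistent.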
@@ -78,7 +78,7 @@ Preventing data loss is a part of protecting your organizational data. Data loss
This MAM service syncs compliance state per user, per app, and per device to the Microsoft Entra CA service. This includes the threat information received from the Mobile Threat Defense (MTD) vendors starting with Windows Security Center.
> [!NOTE]
-> This MAM service uses the same conditional access compliance workflow that is used to [manage Microsoft Edge on iOS and Android devices](../apps/manage-microsoft-edge.md).
+> This MAM service uses the same Conditional Access compliance workflow that is used to [manage Microsoft Edge on iOS and Android devices](../apps/manage-microsoft-edge.md).
When a change is detected, the MAM service updates the device compliance state immediately. The service also includes MTD health state as part of the compliance state.
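Review bot: since this hunk standardizes on the product name `Conditional Access`, the unexpanded abbreviation in the context line `This MAM service syncs compliance state per user, per app, and per device to the Microsoft Entra CA service.` should be expanded on first use (for example, `Microsoft Entra Conditional Access (CA) service`), so the later `CA` references in this section, such as `a blocked CA resource`, are defined.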
@@ -88,7 +88,7 @@ When a change is detected, the MAM service updates the device compliance state i
The MAM Client communicates the client heath state (or health metadata) to the MAM Service upon check-in. The health state includes any failure of APP Health Checks for **Block** or **Wipe** conditions. In addition, Microsoft Entra ID guides end-users through remediation steps when they attempt to access a blocked CA resource.
### Conditional Access Compliance
-Organizations can use Microsoft Entra Conditional Access policies to ensure that users can only access work or school content using policy managed applications on Windows. To do this, you'll need a conditional access policy that targets all potential users. Follow the steps in [Require an app protection policy on Windows devices](/azure/active-directory/conditional-access/how-to-app-protection-policy-windows), which allows Microsoft Edge for Windows, but blocks other web browsers from connecting to Microsoft 365 endpoints.
+Organizations can use Microsoft Entra Conditional Access policies to ensure that users can only access work or school content using policy managed applications on Windows. To do this, you'll need a Conditional Access policy that targets all potential users. Follow the steps in [Require an app protection policy on Windows devices](/azure/active-directory/conditional-access/how-to-app-protection-policy-windows), which allows Microsoft Edge for Windows, but blocks other web browsers from connecting to Microsoft 365 endpoints.
With Conditional Access, you can also target on-premises sites that you have exposed to external users via the [Microsoft Entra application proxy](/azure/active-directory/active-directory-application-proxy-get-started).
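Review bot: the context line `The MAM Client communicates the client heath state (or health metadata) to the MAM Service upon check-in.` has a typo, `heath` for `health`; since this hunk already edits this section, fix it here. The `Conditional Access policy` capitalization change in the next paragraph is consistent with the rest of the patch.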
diff --git a/memdocs/intune/apps/store-apps-android.md b/memdocs/intune/apps/store-apps-android.md
index f56f48667b8..39178a1d183 100644
--- a/memdocs/intune/apps/store-apps-android.md
+++ b/memdocs/intune/apps/store-apps-android.md
@@ -8,7 +8,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 02/27/2024
+ms.date: 01/06/2025
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: apps
diff --git a/memdocs/intune/apps/store-apps-company-portal-autopilot.md b/memdocs/intune/apps/store-apps-company-portal-autopilot.md
index e928750a11b..fa136aae575 100644
--- a/memdocs/intune/apps/store-apps-company-portal-autopilot.md
+++ b/memdocs/intune/apps/store-apps-company-portal-autopilot.md
@@ -8,7 +8,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 02/27/2024
+ms.date: 01/06/2025
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: apps
diff --git a/memdocs/intune/apps/store-apps-ios.md b/memdocs/intune/apps/store-apps-ios.md
index 739c88e02a6..83ade21213a 100644
--- a/memdocs/intune/apps/store-apps-ios.md
+++ b/memdocs/intune/apps/store-apps-ios.md
@@ -7,7 +7,7 @@ keywords: Intune
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 02/27/2024
+ms.date: 01/06/2025
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: apps
diff --git a/memdocs/intune/configuration/administrative-templates-windows.md b/memdocs/intune/configuration/administrative-templates-windows.md
index 5dfe87fcf18..4e1d690e371 100644
--- a/memdocs/intune/configuration/administrative-templates-windows.md
+++ b/memdocs/intune/configuration/administrative-templates-windows.md
@@ -7,7 +7,7 @@ keywords:
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 11/04/2024
+ms.date: 12/11/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: configuration
@@ -34,6 +34,9 @@ ms.collection:
> [!IMPORTANT]
> Starting with the December 2412 release, you can't create new Administrative Templates policies from the **Templates** > **Administrative Templates** profile type in the Intune admin center. To create ADMX template profiles, use the **[settings catalog](settings-catalog.md)**. For more information on this change, see [Windows device configuration policies migrating to unified settings platform in Intune](https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-windows-device-configuration-policies-migrating-to/ba-p/4189665).
+>
+> There will be no changes to the following UI experiences:
+> - ‘Imported Administrative templates (Preview)’ template which is used for Custom ADMX templates.
**Administrative Templates** in Microsoft Intune include thousands of settings that control features in Microsoft Edge version 77 and later, Internet Explorer, Google Chrome, Microsoft Office programs, remote desktop, OneDrive, passwords, PINs, and more. These settings enable administrators to create group policies using the cloud.
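Review bot: the added line `> There will be no changes to the following UI experiences:` introduces a plural list with a single item, `> - ‘Imported Administrative templates (Preview)’ template which is used for Custom ADMX templates.` Either the remaining items were left out, or the sentence should be singular (for example, `The following UI experience is unchanged:`). The item also wraps the template name in typographic quotes ‘ ’, whereas the same note uses bold for UI elements (`**Templates** > **Administrative Templates**`); use bold for consistency, and add a comma before `which`.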
diff --git a/memdocs/intune/configuration/apple-settings-catalog-configurations.md b/memdocs/intune/configuration/apple-settings-catalog-configurations.md
new file mode 100644
index 00000000000..b45122d526b
--- /dev/null
+++ b/memdocs/intune/configuration/apple-settings-catalog-configurations.md
@@ -0,0 +1,250 @@
+---
+# Required metadata
+title: Apple configuration list for Intune settings catalog
+description: Use the Microsoft Intune settings catalog to add, configure, or restrict features on Apple devices. This article lists and describes the settings you can configure.
+author: beflamm
+ms.author: beflamm
+manager: dougeby
+ms.topic: reference
+ms.date: 11/13/2024
+ms.service: microsoft-intune
+ms.subservice: configuration
+ms.localizationpriority: medium
+
+# optional metadata
+#ROBOTS:
+#audience:
+ms.reviewer: beflamm, mandia
+ms.suite: ems
+search.appverid: MET150
+#ms.tgt_pltfrm:
+ms.custom: intune-azure
+ms.collection:
+- tier2
+- M365-identity-device-management
+---
+
+# Apple device configuration list in the Intune settings catalog
+
+This article lists and describes the Apple configurations you can manage using a settings catalog policy in Microsoft Intune.
+
+This article applies to:
+
+- iOS/iPadOS
+- macOS
+
+## Before you begin
+
+- At a minimum, sign into the Intune admin center as a member of the **Policy and Profile Manager** role. For more information on the built-in Intune roles, go to [Role-based access control (RBAC) with Microsoft Intune](../fundamentals/role-based-access-control.md).
+- Create a [settings catalog policy](settings-catalog.md).
+
+### How to use this article
+
+This article covers the two types of configurations from Apple's mobile device management (MDM) protocol:
+
+- Apple declarative configurations
+- Apple MDM payloads
+
+Each section can have links to other documents:
+
+- **Apple platform guides**: The Apple Platform Deployment and Security guides that cover deployment and security features of Apple technology
+- **Apple developer**: The developer documentation outlines the device management API that gets updated with every OS release
+- **Apple YAML**: Apple GitHub repository that contains setting definitions that are ingested into the settings catalog. Use this information to see requirements like applicable OS version, enrollment types, and if supervision is required
+- **Intune documentation**: Intune guides for scenario-based configuration like setting up Platform Single Sign On or deploying declarative software updates
+- **Known issues**: Updated list of known issues related to each configuration
+
+Some settings are available in device configuration templates and in the settings catalog. To help with a manual policy migration, this article lists the template settings that maps to their equivalent setting in the settings catalog.
+
+> [!IMPORTANT]
+> It's recommended to create all new policies using the settings catalog where possible. Some of the existing device configuration templates are no longer being updated. In a future Intune release, they will be migrated to use the settings catalog policy type and the ability to create new templates will be deprecated. These templates include:
+>
+> - Device features
+> - Device restrictions
+> - Endpoint protection (Deprecated)
+> - Extensions (Deprecated)
+>
+> Policies that should still be created using templates include:
+>
+> - Derived credential
+> - Email
+> - PKCS certificate
+> - PKCS imported certificate
+> - SCEP certificate
+> - Trusted certificate
+> - VPN
+> - Wi-Fi
+> - Wired network
+
+## Apple declarative configurations
+
+This section is specific to the configurations that are under the Declarative Device Management (DDM) category in the settings catalog. You can learn more about DDM at [Intro to declarative device management and Apple devices](https://support.apple.com/guide/deployment/depb1bab77f8/1/web/1.0) on Apple's website.
+
+### Disk Management
+
+Use Disk Management setting to install disk management settings on devices. This configuration is located in the **Declarative Device Management (DDM)** category of the settings catalog. You can learn more about Disk Management using the following documentation:
+
+|Apple Platform Guides|Apple Developer|Apple YAML|Intune documentation|
+| -------- | -------- | -------- | -------- |
+|[Storage management declarative configuration](https://support.apple.com/en-tm/guide/deployment/dep2b9f009ed/web)|[Disk Management Settings](https://developer.apple.com/documentation/devicemanagement/diskmanagementsettings)|[Disk Management Settings](https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/diskmanagement.settings.yaml)||
+
+**Known issues**
+
+- None
+
+### Math Settings
+
+Use Math Settings to configure the Math and Calculator apps on devices. This configuration is located in the **Declarative Device Management (DDM)** category of the settings catalog. You can learn more about Math Settings using the following documentation:
+
+|Apple Platform Guides|Apple Developer|Apple YAML|Intune documentation|
+| -------- | -------- | -------- | -------- |
+|[Math and Calculator app declarative configuration](https://support.apple.com/en-tm/guide/deployment/dep7881be3bb/web)|[Math Settings](https://developer.apple.com/documentation/devicemanagement/mathsettings)|[Math Settings](https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/math.settings.yaml)||
+
+**Known issues**
+
+- None
+
+### Passcode
+Use the passcode configuration to require that devices have a password or passcode that meet your organization's requirements. This configuration is located in the **Declarative Device Management (DDM)** category of the settings catalog. You can learn more about Passcode using the following documentation:
+
+| Apple Platform Guides | Apple Developer | Apple YAML | Intune documentation|
+| ------- | ------- | ------- | ------- |
+|
| [Passcode](https://developer.apple.com/documentation/devicemanagement/passcode)| [Passcode](https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/passcode.settings.yaml)||
+
+**Known issues**
+
+- None
+
+### Safari Extension Settings
+
+Use the Safari extensions settings to manage extensions in the Safari browser. This configuration is located in the **Declarative Device Management (DDM)** category of the settings catalog. You can learn more about Safari Extension Settings using the following documentation:
+
+|Apple Platform Guides|Apple Developer|Apple YAML|Intune documentation|
+| -------- | -------- | -------- | -------- |
+|[Safari extensions management declarative configuration](https://support.apple.com/en-tm/guide/deployment/depff7fad9d8/web)|[Safari Extension Settings](https://developer.apple.com/documentation/devicemanagement/safariextensionsettings)|[Safari Extension Settings](https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/safari.extensions.settings.yaml)||
+
+**Known issues**
+
+- None
+
+### Software Update
+Use the Software Update configuration to enforce an update to install at a specific time. This configuration is located in the **Declarative Device Management (DDM)** category of the settings catalog. You can learn more about this configuration using the following documentation:
+
+| Apple Platform Guides | Apple Developer | Apple YAML | Intune documentation
+| ------- | ------- | ------- | ------- |
+|
| [Software Update Enforcement Specific](https://developer.apple.com/documentation/devicemanagement/softwareupdateenforcementspecific)| [Software Update Enforcement Specific](https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml)| [Use the settings catalog to configure managed software updates](../protect/managed-software-updates-ios-macos.md) |
+
+**Known issues**
+
+- None
+
+### Software Update Settings
+
+Use the Software Update Settings configuration to defer OS updates and control how users can manually interact with software updates in System Settings. This configuration is located in the **Declarative Device Management (DDM)** category of the settings catalog. You can learn more about Passcode using the following documentation:
+
+|Apple Platform Guides|Apple Developer|Apple YAML|Intune documentation|
+| -------- | -------- | -------- | -------- |
+|[Software Update Settings declarative configuration](https://support.apple.com/en-tm/guide/deployment/dep0578d8b8a/web)|[Software Update Settings](https://developer.apple.com/documentation/devicemanagement/softwareupdatesettings)|[Software Update Settings](https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/softwareupdate.settings.yaml)|[Use the settings catalog to configure managed software updates](../protect/managed-software-updates-ios-macos.md)|
+
+**Known issues**
+
+- None
+
+## Apple MDM payload settings
+
+This section is specific to Apple payloads that use the standard MDM channel. A list of these payloads is available at [Review MDM payloads for Apple devices](https://support.apple.com/guide/deployment/dep5370d089/web) on Apple's website.
+
+### FileVault
+
+Use FileVault configurations to manage disk encryption on macOS devices. These configurations are located in the **Full Disk Encryption** category of the settings catalog. You can learn more about FileVault using the following documentation:
+
+| Apple Platform Guides | Apple Developer | Apple YAML | Intune documentation
+| ------- | ------- | ------- | ------- |
+|
|
| [Encrypt macOS devices (Microsoft Learn)](../protect/encrypt-devices-filevault.md)|
+
+**Known issues**
+
+- [FileVault failing to enable on macOS devices during Setup Assistant](https://techcommunity.microsoft.com/t5/intune-customer-success/known-issue-filevault-failing-to-enable-on-macos-devices-during/ba-p/4180523)
+
+#### Intune device configuration template to settings catalog mapping
+
+| Endpoint protection template | Settings catalog category| Settings catalog setting |
+| -------- | ------- | ------- |
+| Enable FileVault | Full Disk Encryption > FileVault | Enable |
+| Escrow location description of personal recovery key | Full Disk Encryption > FileVault Recovery Key Escrow | Location
+| Personal recovery key rotation | Full Disk Encryption > FileVault | Recovery Key Rotation In Months |
+| Hide recovery key | Full Disk Encryption > FileVault | Show Recovery Key |
+| Disable prompt at sign out | Full Disk Encryption > FileVault | Defer Don't Ask At User Logout |
+| Number of times allowed to bypass | Full Disk Encryption > FileVault | Defer Force At User Login Max Bypass Attempts |
+
+### Firewall
+
+Use the Firewall configuration to manage the native macOS application firewall. This configuration is located in the **Security** category of the settings catalog. You can learn more about Firewall using the following documentation:
+
+| Apple Platform Guides | Apple Developer | Apple YAML |
+| -------- | ------- | ------- |
+|
| [Firewall](https://developer.apple.com/documentation/devicemanagement/firewall) | [Firewall (YAML)](https://github.com/apple/device-management/blob/release/mdm/profiles/com.apple.security.firewall.yaml) |
+
+**Known issues**
+
+- [macOS devices using stealth mode turn noncompliant after upgrading to macOS 15](https://techcommunity.microsoft.com/t5/intune-customer-success/known-issue-macos-devices-using-stealth-mode-turn-non-compliant/ba-p/4250583)
+
+#### Intune device configuration template to settings catalog mapping
+
+| Endpoint protection template | Settings catalog category| Settings catalog setting |
+| -------- | ------- | ------- |
+| Enable Firewall | Networking > Firewall | Enable Firewall |
+| Block all incoming connections | Networking > Firewall | Block All Incoming
+| Apps allowed | Networking > Firewall | Applications (Allowed = True) |
+| Apps blocked | Networking > Firewall | Applications (Allowed = False) |
+| Enable stealth mode | Networking > Firewall | Enable Stealth Mode |
+
+### Font
+
+> [!NOTE]
+> Font files being uploaded to Intune must be less than 2MB in size.
+
+Use the Font payload to configure fonts on devices. This configuration is located in the **System Configuration** category of the settings catalog. You can learn more about Font using the following documentation:
+
+|Apple Platform Guides|Apple Developer|Apple YAML|Intune documentation|
+| -------- | -------- | -------- | -------- |
+|[Fonts MDM payload settings](https://support.apple.com/en-tm/guide/deployment/depeba084b8/web)|[Font](https://developer.apple.com/documentation/devicemanagement/font)|[Font](https://github.com/apple/device-management/blob/release/mdm/profiles/com.apple.font.yaml)||
+
+**Known issues**
+
+- None
+
+### System Policy Control (Gatekeeper)
+Use the System Policy Control payload to configure Gatekeeper settings. This configuration is located in the **System Policy Control** category of the settings catalog. You can learn more about System Policy Control using the following documentation:
+
+| Apple Platform Guides | Apple Developer | Apple YAML |
+| -------- | ------- | ------- |
+|
| [SystemPolicyControl](https://developer.apple.com/documentation/devicemanagement/systempolicycontrol) | [System Policy Control](https://github.com/apple/device-management/blob/release/mdm/profiles/com.apple.systempolicy.control.yaml) |
+
+**Known issues**
+
+- None
+
+#### Intune device configuration template to settings catalog mapping
+
+| Endpoint protection template | Settings catalog category| Settings catalog setting |
+| -------- | ------- | ------- |
+| Do not allow user to override Gatekeeper | System Policy Control > System Policy Control | Enable Assessment |
+| Allow apps downloaded from these locations | System Policy Control > System Policy Control | Allow Identified Developers |
+### System Extensions
+Use the System Extensions payload to configure system extensions to be automatically loaded or prevent users from approving specific extensions. This configuration is located in the **System Configuration** category of the settings catalog. You can learn more about System Extensions using the following documentation:
+
+| Apple Platform Guides | Apple Developer | Apple YAML |
+| -------- | ------- | ------- |
+|
| [System Extensions](https://developer.apple.com/documentation/devicemanagement/systemextensions) | [System Extensions](https://github.com/apple/device-management/blob/release/mdm/profiles/com.apple.system-extension-policy.yaml)|
+
+**Known issues**
+
+- None
+
+#### Intune device configuration template to settings catalog mapping
+| Extensions template | Settings catalog category| Settings catalog setting |
+| -------- | ------- | ------- |
+| Block User Overrides | System Configuration > System Extensions | Allow User Overrides |
+| Allowed team identifiers | System Configuration > System Extensions | Allowed Team Identifiers
+| Allowed system extensions | System Configuration > System Extensions | Allowed System Extensions
+| Allowed system extension types | System Configuration > System Extensions | Allowed System Extension Types |
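Review bot: the template-to-settings-catalog mapping tables pair some template settings with a catalog setting of opposite polarity without saying so: `| Hide recovery key | Full Disk Encryption > FileVault | Show Recovery Key |` and `| Block User Overrides | System Configuration > System Extensions | Allow User Overrides |`. An admin migrating a policy by setting name alone could end up showing the FileVault recovery key or allowing user overrides of system extensions; state the value to set for each inverted pair (for example, template Yes maps to catalog False), as the Firewall table already does with `Applications (Allowed = True)`. Other points in this file: the Software Update Settings section ends with `You can learn more about Passcode using the following documentation:`, copied from the Passcode section; the rows with an empty Apple Platform Guides cell (Passcode, Software Update, FileVault, Firewall, System Policy Control, System Extensions) appear here split across two lines, which breaks the table if the file really contains a line break there; the FileVault row also leaves Apple Developer and Apple YAML empty while the Firewall, System Policy Control and System Extensions tables drop the Intune documentation column altogether, so the column set varies from table to table; the header rows `| Apple Platform Guides | Apple Developer | Apple YAML | Intune documentation` (Software Update, FileVault) and the mapping rows for Escrow location, Block all incoming connections, Allowed team identifiers and Allowed system extensions are missing their closing `|`; `### System Extensions` follows the Gatekeeper mapping table with no blank line; and `template settings that maps to their equivalent setting` should read `map to`.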
diff --git a/memdocs/intune/configuration/custom-settings-linux.md b/memdocs/intune/configuration/custom-settings-linux.md
index e9edec7477b..3c09718c7c1 100644
--- a/memdocs/intune/configuration/custom-settings-linux.md
+++ b/memdocs/intune/configuration/custom-settings-linux.md
@@ -8,7 +8,7 @@ keywords:
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 05/15/2024
+ms.date: 01/09/2025
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: configuration
@@ -17,7 +17,7 @@ ms.localizationpriority: medium
#ROBOTS:
#audience:
-ms.reviewer: ilwu
+ms.reviewer: arnab
ms.suite: ems
search.appverid: MET150
#ms.tgt_pltfrm:
@@ -61,7 +61,7 @@ This article lists the steps to add an existing script and has a GitHub repo wit
- **Execution context**: Select the context the script is executed in. Your options:
- **User** (default): When a user signs in to the device, the script runs. If a user never signs into the device, or there isn't any user affinity, then the script doesn't run.
- - **Root**: The script always runs (with or without users logged in) at the device level.
+ - **Root**: The script always runs (with or without users logged in) at the device level. The first time the script executes, the end user might have to consent. After they consent, it should continue to execute on its schedule.
- **Execution frequency**: Select how frequently the script is executed. The default is **Every 15 minutes**.
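Review bot: the added sentences `The first time the script executes, the end user might have to consent. After they consent, it should continue to execute on its schedule.` are too vague for a script that runs as root: say what triggers the consent prompt, what the user sees, and what happens if the user declines or never signs in (does the script not run at all, or is it retried at the next interval?). `should continue` also reads as uncertain; state the behavior definitely or name the condition under which it does not hold. This matters because the same bullet opens with `**Root**: The script always runs (with or without users logged in) at the device level.`, which now sits next to a consent step that can only happen with a signed-in user.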
diff --git a/memdocs/intune/configuration/device-profile-assign.md b/memdocs/intune/configuration/device-profile-assign.md
index 84a8e9d7e68..5aa7f42b36d 100644
--- a/memdocs/intune/configuration/device-profile-assign.md
+++ b/memdocs/intune/configuration/device-profile-assign.md
@@ -40,7 +40,7 @@ In Intune, you can create and assign the following policies:
- App protection policies
- App configuration policies
- Compliance policies
-- Conditional access policies
+- Conditional Access policies
- Device configuration profiles
- Enrollment policies
diff --git a/memdocs/intune/configuration/device-profile-monitor.md b/memdocs/intune/configuration/device-profile-monitor.md
index baf7fda7978..1f363a71eca 100644
--- a/memdocs/intune/configuration/device-profile-monitor.md
+++ b/memdocs/intune/configuration/device-profile-monitor.md
@@ -32,7 +32,7 @@ ms.collection:
# Monitor device configuration policies in Microsoft Intune
-Intune includes some features to help monitor and manage your device configuration policies. For example, you can check the status of a policy, view the devices assigned to the policy, and update the properties of an existing policy.
+Intune includes some features to help monitor and manage your device configuration policies. For example, you can check the status of a policy, view the devices assigned to the policy, and update the properties of an existing policy. These capabilities extend to the profiles for your [endpoint security policies](../protect/endpoint-security-manage-devices.md#review-your-profiles-for-endpoint-security-policies) for macOS and Windows devices.
You can also use [Microsoft Copilot in Intune](../copilot/copilot-intune-overview.md) to get more information about your policies and the settings configured in your policies.
@@ -62,7 +62,7 @@ After you create your device configuration policy, Intune provides reporting dat
# [By policy](#tab/policy)
1. In **Devices** > **Manage devices** > **Configuration** > **Policies** tab, select an existing policy.
-
+
2. **Device and user check-in status** shows the number of all users or devices that checked-in with the policy. If one device has multiple users, this report shows the status for each user. When the user or device checks in with Intune, they receive the settings in your policy.
The following statuses are shown:
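Review bot: the only change in this hunk is a whitespace-only edit to the blank line between the two numbered steps (the `-` / `+` pair); confirm it is intentional, for example trailing-whitespace removal, rather than an editor artifact. While here, `checked-in with the policy` in the context line hyphenates the verb; `checked in` is the verb and `check-in` the noun, as the following sentence's `checks in with Intune` already has it.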
diff --git a/memdocs/intune/configuration/device-profile-troubleshoot.md b/memdocs/intune/configuration/device-profile-troubleshoot.md
index 6cd6514893f..51028584a4d 100644
--- a/memdocs/intune/configuration/device-profile-troubleshoot.md
+++ b/memdocs/intune/configuration/device-profile-troubleshoot.md
@@ -7,7 +7,7 @@ keywords:
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 05/13/2024
+ms.date: 11/25/2024
ms.topic: troubleshooting
ms.service: microsoft-intune
ms.subservice: configuration
@@ -40,49 +40,61 @@ This article applies to the following policies:
- App protection policies
- App configuration policies
- Compliance policies
-- Conditional access policies
+- Conditional Access policies
- Device configuration profiles
- Enrollment policies
## Policy refresh intervals
-Intune notifies the device to check in with the Intune service. The notification times vary, including immediately up to a few hours. These notification times also vary between platforms. On Android devices, [Google Mobile Services (GMS) can affect policy refresh intervals](../apps/manage-without-gms.md#some-tasks-can-be-delayed).
+When a device checks-in, it immediately checks for compliance, non-compliance and configuration for the current user/device context, receiving any pending actions, policies and apps assigned to it.
-If a device doesn't check in to get the policy or profile after the first notification, Intune makes three more attempts. An offline device, such as turned off, or not connected to a network, might not receive the notifications. In this case, the device gets the policy or profile on its next scheduled check-in with the Intune service. The same applies to checks for noncompliance, including devices that move from a compliant to a noncompliant state.
+There are 4 main types of check-ins:
-**Estimated** frequencies:
+**Scheduled check-ins** - These check-ins happen at predetermined intervals and can be initiated by the client or service depending on the platform. The check-ins are estimated as follows:
-| Platform | Refresh cycle|
+| Platform | Estimated refresh cycle|
| --- | --- |
| Android, AOSP | About every 8 hours |
| iOS/iPadOS | About every 8 hours |
| macOS | About every 8 hours |
| Windows 10/11 PCs enrolled as devices | About every 8 hours |
-| Windows 8.1 | About every 8 hours |
-If devices recently enroll, then the compliance, noncompliance, and configuration check-in runs more frequently. The check-ins are **estimated** at:
+**End user driven check-ins** – These check-ins are driven by end users when they perform certain actions in the Company Portal app like going into **Devices** > **Check Status** or **Settings** > **Sync** to check for policy or profile updates or selecting an app for download.
-| Platform | Frequency |
+**Admin check-ins** - These check-ins are driven by admins when they perform certain actions on a single device from the Intune portal, like [device sync](../remote-actions/device-sync.md), [remote lock](../remote-actions/device-remote-lock.md) or [reset passcode](../remote-actions/device-passcode-reset.md). Other actions like [remotely assist users](../fundamentals/remote-help.md) do not cause a device check-in.
+
+**Notification-based check-ins** - These check-ins happen through different actions that trigger a notification. For example, when a policy, profile, or app is assigned (or unassigned), updated, deleted, or when certain behind the scenes changes like Microsoft Entra group membership updates are made. Other changes don't cause an immediate notification to devices, like adding an app as available to your users.
+
+Intune notifies online devices to check-in with the Intune service. The notification times vary from immediately up to a few hours.
+These notification times also vary between platforms.
+
+- On Android devices, [Google Mobile Services (GMS) can affect policy refresh intervals](../apps/manage-without-gms.md#some-tasks-can-be-delayed).
+
+- On iOS devices, [Specific conditions can affect policy refresh intervals](/troubleshoot/mem/intune/device-configuration/2016341112-ios-device-is-currently-busy).
+
+An offline device, such as a powered off, or a disconnected device, might not receive the notifications. In this case, the device gets the policy or profile on its next scheduled check-in with Intune.
+
+> [!NOTE]
+> It might take additional time for Intune reports to reflect the latest status of the policy on the device in the Intune portal.
+
+Additionally, when devices first enroll, configuration check-ins run more frequently to perform configuration, compliance and non-compliance checks. The check-ins are estimated as follows:
+
+| Platform | Estimated refresh cycle|
| --- | --- |
| Android, AOSP | Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours |
| iOS/iPadOS | Every 15 minutes for 1 hour, and then around every 8 hours |
| macOS | Every 15 minutes for 1 hour, and then around every 8 hours |
| Windows 10/11 PCs enrolled as devices | Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours |
-| Windows 8.1 | Every 5 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours |
-
-For app protection policy refresh intervals, go to [App Protection Policy delivery timing](../apps/app-protection-policy-delivery.md).
-
-At any time, users can open the Company Portal app, **Devices** > **Check Status** or **Settings** > **Sync** to immediately check for policy or profile updates. For related information about the Intune Management Extension agent or Win32 apps, see [Win32 app management in Microsoft Intune](../apps/apps-win32-app-management.md).
-## Intune actions that immediately send a notification to a device
+For app protection policy refresh intervals, go to [App Protection Policy delivery timing](../apps/app-protection-policy-delivery.md).
-There are different actions that trigger a notification. For example, when a policy, profile, or app is assigned (or unassigned), updated, deleted, and so on. These action times vary between platforms.
+## Company portal
-Devices check in with Intune when they receive a notification to check in, or during the scheduled check-in. When you target a device or user with an action, then Intune immediately notifies the device to check in to receive these updates. For example, a notification happens when a lock, passcode reset, app, or policy assignment action runs.
+At any time, users can open the Company Portal app and navigate to **Devices** > **Check Status** to evaluate your device's settings and verify access to work or school resources or navigate to **Settings** > **Sync** to get the latest updates, requirements, and communications from your organization.
-Other changes don't cause an immediate notification to devices, including revising the contact information in the Company Portal app or updates to an `.ipa` file.
+For related information about the Intune Management Extension agent or Win32 apps, see [Win32 app management in Microsoft Intune](../apps/apps-win32-app-management.md).
-The settings in the policy or profile are applied at every check-in. A [Windows 10 MDM policy refresh customer blog post](https://www.petervanderwoude.nl/post/windows-10-mdm-policy-refresh/) might be a good resource.
+For related information, see [Sync enrolled device for Windows](../user-help/sync-your-device-manually-windows.md) and [Check device access in Company Portal for Windows](../user-help/check-device-access-windows-cpapp.md).
## Conflicts
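Review bot: dropping the `## Intune actions that immediately send a notification to a device` heading breaks any existing deep link to that anchor (`#intune-actions-that-immediately-send-a-notification-to-a-device`); add a redirect entry or keep the heading above the new **Notification-based check-ins** text. That new paragraph also contradicts itself: it says a notification is sent when an app "is assigned (or unassigned)" and, two sentences later, that "adding an app as available to your users" doesn't notify; state the intent distinction (required vs. available) explicitly, or drop the example. Smaller items: `+When a device checks-in` and "notifies online devices to check-in" use the noun form as a verb, use "checks in" / "check in"; "4 main types" should be "four main types"; "non-compliance" here and in the enrollment paragraph differs from the "noncompliance" used in the text being removed; "[Specific conditions can affect" is capitalized mid-sentence; "such as a powered off, or a disconnected device" reads better as "such as one that's powered off or disconnected from the network"; the **Company portal** paragraph mixes "users" with "your device's settings" (should be "their device's"); and the removed sentence "The settings in the policy or profile are applied at every check-in." is the only place that stated re-application on every check-in, so keep that sentence even though the blog link goes.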
@@ -172,6 +184,12 @@ For more information on dynamic groups, go to:
- [Performance recommendations when using Intune to group, target, and filter](../fundamentals/filters-performance-recommendations.md)
- [Dynamic membership rules for groups in Microsoft Entra ID](/azure/active-directory/enterprise-users/groups-dynamic-membership)
+## "The sync could not be initiated (0x80072f9a)" error
+
+On Windows devices, when trying to sync in the **Settings** app > **Accounts** > **Access work or school**, you might see a `The sync could not be initiated (0x80072f9a)` error.
+
+If the Trusted Platform Module (TPM) was reset to factory settings, then the device must reenrolled to resume syncing. The device's Microsoft Entra identity is stored in the TPM. So, if the ID is removed, then reenrollment is the only way to reestablish the Microsoft Entra identity.
+
## Related articles
- [Troubleshoot policies and profiles](/troubleshoot/mem/intune/troubleshoot-policies-in-microsoft-intune).
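Review bot: "the device must reenrolled" is missing "be". The explanation is also imprecise: what the TPM protects is the private key behind the device's Microsoft Entra device certificate, not the identity itself, so say that clearing the TPM destroys that key, the device can no longer authenticate as its existing Entra device object, and re-enrollment creates a new registration. A concrete check helps the reader confirm they're in this state before wiping enrollment, for example `dsregcmd /status` reporting the device as no longer joined after the TPM clear; consider adding it. Since a TPM clear also invalidates other TPM-bound keys (Windows Hello for Business, BitLocker TPM protectors), a one-line pointer that reenrollment isn't the only fallout would save admins a second surprise.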
diff --git a/memdocs/intune/configuration/device-profiles.md b/memdocs/intune/configuration/device-profiles.md
index ace0952e590..75b48eb82ec 100644
--- a/memdocs/intune/configuration/device-profiles.md
+++ b/memdocs/intune/configuration/device-profiles.md
@@ -265,7 +265,7 @@ This feature supports:
## Microsoft Defender for Endpoint
-[Microsoft Defender for Endpoint](../protect/advanced-threat-protection.md) integrates with Intune to monitor and help protect devices. You set risk levels, and determine what happens if devices exceed that level. When combined with conditional access, you can help prevent malicious activity in your organization.
+[Microsoft Defender for Endpoint](../protect/advanced-threat-protection.md) integrates with Intune to monitor and help protect devices. You set risk levels, and determine what happens if devices exceed that level. When combined with Conditional Access, you can help prevent malicious activity in your organization.
This feature supports:
diff --git a/memdocs/intune/configuration/device-restrictions-android-enterprise-personal.md b/memdocs/intune/configuration/device-restrictions-android-enterprise-personal.md
index 2159afa9e83..e4351628178 100644
--- a/memdocs/intune/configuration/device-restrictions-android-enterprise-personal.md
+++ b/memdocs/intune/configuration/device-restrictions-android-enterprise-personal.md
@@ -18,7 +18,7 @@ ms.localizationpriority: medium
#audience:
params:
siblings_only: true
-ms.reviewer: andreibiswas, anuragjain
+ms.reviewer: arnab, anuragjain
ms.suite: ems
search.appverid: MET150
#ms.tgt_pltfrm:
diff --git a/memdocs/intune/configuration/device-restrictions-android-for-work.md b/memdocs/intune/configuration/device-restrictions-android-for-work.md
index 17ce9a929b3..f7fd491beb2 100644
--- a/memdocs/intune/configuration/device-restrictions-android-for-work.md
+++ b/memdocs/intune/configuration/device-restrictions-android-for-work.md
@@ -18,7 +18,7 @@ ms.localizationpriority: medium
#audience:
params:
siblings_only: true
-ms.reviewer: andreibiswas, anuragjain
+ms.reviewer: arnab, anuragjain
ms.suite: ems
search.appverid: MET150
#ms.tgt_pltfrm:
diff --git a/memdocs/intune/configuration/device-restrictions-ios.md b/memdocs/intune/configuration/device-restrictions-ios.md
index 6074512f15a..cfaf7aa8ae8 100644
--- a/memdocs/intune/configuration/device-restrictions-ios.md
+++ b/memdocs/intune/configuration/device-restrictions-ios.md
@@ -6,7 +6,7 @@ keywords:
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 04/30/2024
+ms.date: 01/21/2025
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: configuration
@@ -47,7 +47,7 @@ These settings are added to a device configuration profile in Intune, and then a
## Before you begin
-When configuring device restriction policies, the broad range of settings enable you to tailor protection to your specific needs.
+When you configure device restriction policies, the broad range of settings enable you to tailor protection to your specific needs.
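Review bot: subject-verb agreement in `+When you configure device restriction policies, the broad range of settings enable you`: the subject is "range", so it should be "enables".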
@@ -100,7 +100,7 @@ When you're ready to proceed, create an [iOS/iPadOS device restrictions configur
Starting with iOS/iPadOS 13.0, this setting requires supervised devices.
- - **Block installing apps using App Store**: **Yes** doesn't show the app store on the device home screen. Users can continue to use iTunes or the Apple Configurator to install apps. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow the app store on the home screen.
+ - **Block installing apps using App Store**: When set to **Yes**, the app store isn't shown on the device home screen. Users can continue to use iTunes or the Apple Configurator to install apps. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow the app store on the home screen.
- **Block automatic app downloads**: **Yes** prevents automatic downloading of apps bought on other devices and automatic updates to new apps. It doesn't affect updates to existing apps. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow apps bought on other iOS/iPadOS devices to download and update on the device.
- **Block playback of explicit music, podcast, and iTunes U**: **Yes** prevents explicit iTunes music, podcast, or news content. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow the device to access content rated as adult from the store.
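Review bot: the rewritten bullet keeps "Users can continue to use iTunes or the Apple Configurator to install apps"; iTunes no longer ships on macOS 10.15 and later (Finder took over device management there), so say "Finder or iTunes, or Apple Configurator". It would also help to make the security scope explicit in the same sentence: this setting hides the App Store icon and doesn't by itself block app installation through those other channels, which is what the next clause already implies.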
@@ -128,7 +128,7 @@ Use these settings to configure iOS/iPadOS devices to run specific apps in auton
For the ASAM configuration to apply, users must manually open the specific app. This task also applies to the Company Portal app.
-- For example, in a school or university environment, add an app that lets users take a test on the device. Or, lock the device into the Company Portal app until the user authenticates. When the apps actions are completed by users, or you remove this policy, the device returns to its normal state.
+- For example, in a school or university environment, add an app that lets users take a test on the device. Or, lock the device into the Company Portal app until the user authenticates. When the users complete the app's actions, or you remove this policy, the device returns to its normal state.
- Not all apps support autonomous single app mode. To put an app in ASAM, a bundle ID or a key value pair delivered by an app config policy are typically required. For more information, see the [`autonomousSingleAppModePermittedAppIDs` restriction](https://developer.apple.com/documentation/devicemanagement/restrictions) in Apple's MDM documentation. For more information on the specific settings required for the app you're configuring, see the vendor documentation.
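Review bot: "When the users complete the app's actions" should be "When users complete the app's actions" (no article). The preceding context line already says ASAM only takes effect once the user opens the app manually, so the "lock the device into the Company Portal app until the user authenticates" example should not read as if the lock is enforced on policy delivery; a short "once the user opens it" keeps the two statements consistent.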
@@ -172,9 +172,9 @@ You can also **Import** a CSV file with the list of app names and their bundle I
- **Safari cookies**: By default, Apple allows all cookies, and blocks cross site tracking. Use this setting to allow users to enable or disable these features. Your options:
- **Not configured** (default): Intune doesn't change or update this setting. By default, the OS allows all cookies and blocks cross site tracking, and might allow users to enable and disable these features.
- - **Allow all cookies, and allow cross site tracking**: Cookies are allowed, and can be disabled by users. By default, cross site tracking is blocked, and can be enabled by users.
+ - **Allow all cookies, and allow cross site tracking**: Cookies are allowed, and users can disable the cookies. By default, cross site tracking is blocked, and users can enable cross site tracking.
- **Block all cookies, and block cross site tracking**: Cookies and cross site tracking are both blocked. Users can't enable or disable either setting.
- - **Allow all cookies, and block cross site tracking**: Cookies are allowed, and can be disabled by users. By default, cross site tracking is blocked, and can't be enabled or disabled by users.
+ - **Allow all cookies, and block cross site tracking**: Cookies are allowed, and users can disable the cookies. By default, cross site tracking is blocked, and users can't enable or disable cross site tracking.
- **Block Safari JavaScript**: **Yes** prevents Java scripts in the browser from running on devices. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow Java scripts.
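Review bot: the context line `- **Block Safari JavaScript**: **Yes** prevents Java scripts in the browser` conflates Java with JavaScript; since this hunk already rewords the neighbouring bullets, fix it to "JavaScript" here. In the rewritten bullets, "users can disable the cookies" reads better as "users can disable them", and the two **Allow all cookies** options differ only in whether users can re-enable cross-site tracking, which is worth saying in one sentence so the reader doesn't have to diff the bullets to find it.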
@@ -798,18 +798,23 @@ You can also:
- On iOS/iPadOS 14.5 and newer devices, use this setting. Don't use the **Require joining Wi-Fi networks only using configuration profiles** setting.
- - When set to **Yes**, be sure the device has a Wi-Fi profile. If you don't assign a Wi-Fi profile, then this setting can prevent devices from connecting to the internet. For example, if this device restrictions profile is assigned before a Wi-Fi profile, then the device might be blocked from connecting to the internet.
+ - When set to **Yes**:
+
+ - Make sure you configure a Wi-Fi device configuration profile using the [built-in Wi-Fi template](wi-fi-settings-configure.md) (not the settings catalog). Don't assign Wi-Fi profiles created using [custom profiles](custom-settings-ios.md), as this setting doesn't support custom Wi-Fi profiles.
+
+ If you don't use the built-in Wi-Fi device configuration template, then the policy shows an error state for this settiing (**Require devices to use Wi-Fi networks set up via configuration profiles**).
+
+ - Make sure that the Wi-Fi device configuration profile is already on the devices **before** you assign this setting (**Require devices to use Wi-Fi networks set up via configuration profiles**).
+
+ If you don't assign a Wi-Fi profile, then this setting can prevent devices from connecting to the internet. For example, if this device restrictions profile is assigned before a Wi-Fi profile, then the device might be blocked from connecting to the internet.
- If the device can't connect, then unenroll the device, and re-enroll with a Wi-Fi profile. Then, set this setting to **Yes** in a device restrictions profile, and assign the profile to the device.
-
- > [!NOTE]
- > **Require devices to use Wi-Fi networks set up via configuration profiles** does not support Wi-Fi profiles deployed using [custom profiles](custom-settings-ios.md).
This feature applies to:
- - iOS/iPadOS 14.5 and newer
-## Next steps
+ - iOS/iPadOS 14.5 and newer
-[Assign the profile](device-profile-assign.md) and [monitor its status](device-profile-monitor.md).
+## Related articles
-You can also restrict device features and settings on [macOS](device-restrictions-macos.md) devices.
+- [Assign the profile](device-profile-assign.md) and [monitor its status](device-profile-monitor.md).
+- Restrict device features and settings on [macOS](device-restrictions-macos.md) devices.
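Review bot: typo "settiing" in `+   If you don't use the built-in Wi-Fi device configuration template, then the policy shows an error state for this settiing`. The ordering guidance is the operationally important point and should lead the bullet: a device that receives **Require devices to use Wi-Fi networks set up via configuration profiles** before it has a Wi-Fi profile is cut off from the network and can't receive the fix over MDM, so recommend deploying the Wi-Fi profile, confirming it reports as applied, and only then assigning the restriction. The existing "unenroll the device, and re-enroll" recovery step should say that it needs another path to the device (cellular, or hands-on access), because at that point the device can't reach Intune over Wi-Fi. Also, `+   - iOS/iPadOS 14.5 and newer` is now nested one level deeper than the other "This feature applies to:" lists in this file; verify it renders as intended.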
diff --git a/memdocs/intune/configuration/kernel-extensions-settings-macos.md b/memdocs/intune/configuration/kernel-extensions-settings-macos.md
index bce329bdc46..f9f99d26d75 100644
--- a/memdocs/intune/configuration/kernel-extensions-settings-macos.md
+++ b/memdocs/intune/configuration/kernel-extensions-settings-macos.md
@@ -7,7 +7,7 @@ keywords:
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 04/15/2024
+ms.date: 09/23/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: configuration
@@ -28,6 +28,11 @@ ms.collection:
# macOS device settings to configure and use kernel and system extensions in Intune
+> [!IMPORTANT]
+> This template is deprecated in the August 2024 service release (2408). Existing policies continue to work. But, you can't create new policies using this template.
+>
+> Instead, use the settings catalog to create new policies that configure the System Extension payload. To learn more about the settings catalog, go to the [macOS settings catalog](settings-catalog.md).
+
> [!NOTE]
>
> - [!INCLUDE [not-all-settings-are-documented](../includes/not-all-settings-are-documented.md)]
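Review bot: the IMPORTANT box tells admins to use the settings catalog for the **System Extension** payload, but the page title and body cover kernel extensions as well; say explicitly whether the Kernel Extension Policy payload is also available in the settings catalog and, if it isn't, what admins with existing kernel extension policies should do. "Existing policies continue to work. But, you can't create new policies using this template." reads better as one sentence: "Existing policies continue to work, but you can't create new policies using this template."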
diff --git a/memdocs/intune/configuration/platform-sso-macos.md b/memdocs/intune/configuration/platform-sso-macos.md
index 0ded4892380..f33ec228292 100644
--- a/memdocs/intune/configuration/platform-sso-macos.md
+++ b/memdocs/intune/configuration/platform-sso-macos.md
@@ -7,7 +7,7 @@ keywords:
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 09/03/2024
+ms.date: 01/08/2025
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: configuration
@@ -249,6 +249,12 @@ To configure the Platform SSO policy, use the following steps to create an [Intu
11. In **Assignments**, select the user or device groups that receive your profile. For devices with user affinity, assign to users or user groups. For devices with multiple users that are enrolled without user affinity, assign to devices or device groups.
+ > [!IMPORTANT]
+ > For Platform SSO settings on devices with user affinity, it's not supported to assign to device groups or filters. When using device group assignment or user group assignment with filters on devices with user affinity, the user might be unable to access resources protected by Conditional Access. This issue can happen:
+ >
+ > - If the Platform SSO settings are applied incorrectly. Or,
+ > - If the Company Portal app bypasses Microsoft Entra device registration when Platform SSO isn't enabled.
+
For more information on assigning profiles, go to [Assign user and device profiles](device-profile-assign.md).
Select **Next**.
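Review bot: the causes list ends a bullet with a bare "Or," (`> - If the Platform SSO settings are applied incorrectly. Or,`), which renders awkwardly; fold the two bullets into one sentence. More importantly, the note lists symptoms an admin can't act on; it should state the remediation (assign the Platform SSO profile to user groups without filters) and what to check when a user is blocked by Conditional Access, for example that the device is registered in Microsoft Entra with Platform SSO enabled rather than via the Company Portal fallback the second bullet describes. "it's not supported to assign to device groups or filters" reads better as "assigning to device groups, or to user groups with filters, isn't supported".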
diff --git a/memdocs/intune/configuration/properties-catalog.md b/memdocs/intune/configuration/properties-catalog.md
new file mode 100644
index 00000000000..820692ff2a0
--- /dev/null
+++ b/memdocs/intune/configuration/properties-catalog.md
@@ -0,0 +1,168 @@
+---
+# required metadata
+
+title: Properties catalog in Microsoft Intune
+description: Configure Properties catalog policy to manage Device Inventory settings on Windows devices you manage with Intune.
+keywords:
+author: smbhardwaj
+ms.author: smbhardwaj
+manager: dougeby
+ms.date: 11/14/2024
+ms.topic: how-to
+ms.service: microsoft-intune
+ms.subservice: configuration
+ms.localizationpriority: high
+# optional metadata
+
+#ROBOTS:
+#audience:
+
+ms.suite: ems
+#ms.tgt_pltfrm:
+ms.custom: intune-azure
+ms.collection:
+- tier2
+- M365-identity-device-management
+ms.reviewer: abbystarr
+---
+# Properties catalog in Microsoft Intune
+
+## Device inventory
+
+With Intune, you can use Device inventory to collect and view more hardware properties from your managed devices to help you better understand the state of your devices and make business decisions.
+
+This article describes how to configure Device Inventory settings as part of an Intune device configuration profile. After you create a profile, you then assign or deploy that profile to your Windows devices.
+
+This feature applies to:
+
+Windows 11
+
+Windows 10
+
+## Prerequisites
+
+- To use Inventory, devices must be corporate owned, Intune managed (includes co-managed), and Microsoft Entra joined.
+
+- For a user to configure a policy to start collecting inventory data from devices, they must have the Device Configurations **Create** permission and the Organization **Read** permission.
+
+- For a user to view collected data about devices, they must have the Managed Devices **Read** permission.
+
+## Supported platforms
+
+Inventory is currently only supported on devices running Windows 10 and later. Inventory is only supported on the following minimum Windows versions:
+
+- Windows 11, version 23H2 (22631.2506 or later) with KB5031455
+- Windows 11, version 22H2 (22621.2215 or later) with KB5029351
+- Windows 11, version 21H2 (22000.2713 or later) with KB5034121
+- Windows 10, version 22H2 (19045.3393 or later) with KB5030211
+- Windows 10, version 21H2 (19044.3393 or later) with KB5030211
+
+## How to use
+
+To configure Inventory collection, create a new **Properties Catalog** profile in the Intune admin center. This profile allows you to select which properties you would like to collect from your devices.
+
+After the profile is created, you can apply the profile to specific devices in the selected groups.
+
+### Create the profile
+
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+
+2. Select **Devices** > **Manage devices** > **Configuration** > **Create** > **New Policy**.
+
+3. Enter the following properties:
+
+ - **Platform**: Select **Windows 10 and later**.
+ - **Profile type**: Select **Properties catalog**.
+
+4. Select **Create**.
+
+5. In **Basics**, enter the following properties:
+
+ - **Name**: Enter a descriptive name for the new profile.
+ - **Description**: Enter a description for the profile. This setting is optional, but recommended.
+
+6. Select **Next**.
+
+7. Select **Add properties**.Expand out categories to view individual properties and then select which properties you would like to collect from the Properties Picker.
+
+ When you're done, select **Next**.
+
+8. On the **Scope (Tags)** page, select **Select scope tags** to open the *Select tags* pane to assign scope tags to the profile.
+
+ Select **Next** to continue.
+
+9. On the **Assignments** page, select the groups that receive this profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).
+
+ Select **Next**.
+
+10. On the **Applicability Rules** page, use the **Rule**, **Property**, and **Value** options to define how this profile applies within assigned groups.
+
+11. On the **Review + create** page, when you're done, choose **Create**. The profile is created and is shown in the list.
+
+The next time each device checks in, the policy is applied.
+
+### View collected data
+
+To view collected inventory information, navigate to **Devices** > **Windows Devices** and select a device.
+
+Under **Monitor** select **Resource Explorer**. Choose a category to view hardware information.
+
+After a device syncs with Intune, it can take up to 24 hours for initial harvesting of inventory data.
+
+### Required Properties
+
+Certain **required** properties are automatically collected when you collect any properties in that category.
+
+The following properties are required:
+
+- **Battery**: Instance Name
+- **Bios Info**: Bios Name, Software Element ID, Software Element State, Target Operating System
+- **Cpu**: Processor ID
+- **Disk Drive**: Drive ID
+- **Encryptable Volume**: Volume ID
+- **Logical Drive**: Drive Identifier
+- **Network Adapter**: Identifier
+- **System Enclosure**: Serial Number
+- **Video Controller**: Identifier
+- **Windows Qfe**: Hot Fix ID
+
+## Known Limitations
+
+Collection of properties can only be stopped (deleted) at the category level.
+
+To stop collecting properties, navigate to the **Properties catalog** profile, and remove collection for every property in a particular category.
+
+Even if a properties policy is deleted, you will still be able to see the last-collected data in Resource Explorer for up to 28 days.
+
+## Supported Properties
+
+Inventory supports the following entities. To learn more about what properties are supported for each entity, see [Intune Data Platform Schema](../../analytics/data-platform-schema.md).
+
+- Battery
+- Bios Info
+- Cpu
+- Disk Drive
+- Encryptable Volume
+- Logical Drive
+- Memory Info
+- Network Adapter
+- Os Version
+- System Enclosure
+- Time
+- Tpm
+- Video Controller
+- Windows Qfe
+
+## Frequently Asked Questions
+
+### Is Resource Explorer different than the Hardware tab for a device?
+
+Yes, the **Hardware** tab data and **Resource Explorer** data come from different places. We recommend using Inventory and Resource Explorer for the most up-to-date and comprehensive data about your devices. In the future, the data source for **Hardware** tab and the Resource Explorer will be the same.
+
+### I'm using Co-management with Tenant Attach and I see two Resource Explorer nodes. Which one should I use?
+
+You'll see a **Resource Explorer** tab for Intune collected data and a **Resource Explorer** tab for Configuration Manager collected data. Feel free to use the source that best fits your use case. In the future, we recommend using the Intune-based Resource Explorer.
+
+### How can I troubleshoot this feature?
+
+Client logs are available at `C:\Program Files\Microsoft Device Inventory Agent\Logs` and logs can also be collected via Collect MDM Diagnostics.
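Review bot: the two platform lines under "This feature applies to:" (`+Windows 11` / `+Windows 10`) are bare paragraphs rather than a bullet list, unlike every other list on the page; make them list items. Other issues in this new file: "**Add properties**.Expand" in step 7 is missing a space; step 10 (Applicability Rules) has no "Select **Next**" like the steps around it; "Properties Catalog" / "Properties catalog" and "Device Inventory" / "Device inventory" capitalization is inconsistent; the prerequisite "Microsoft Entra joined" should say whether Microsoft Entra hybrid joined devices qualify; the link `[Intune Data Platform Schema](../../analytics/data-platform-schema.md)` climbs two directories, unlike every other relative link in the file, so confirm the target exists; the **Known Limitations** statement that last-collected data stays visible for 28 days after the policy is deleted describes retention of hardware identifiers (serial numbers, adapter identifiers, TPM data) and belongs alongside the permissions in **Prerequisites**, not only under limitations; and the forward-looking "In the future, the data source ... will be the same" and "In the future, we recommend using the Intune-based Resource Explorer" don't belong in reference docs, so either drop them or state the current recommendation.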
diff --git a/memdocs/intune/configuration/tutorial-walkthrough-administrative-templates.md b/memdocs/intune/configuration/tutorial-walkthrough-administrative-templates.md
index d83515a4c24..4d6d6ecb958 100644
--- a/memdocs/intune/configuration/tutorial-walkthrough-administrative-templates.md
+++ b/memdocs/intune/configuration/tutorial-walkthrough-administrative-templates.md
@@ -202,7 +202,7 @@ In these next steps, you create security groups, and add users to these groups.
- [Dynamic Group Membership in Microsoft Entra ID (Part 1)](/archive/blogs/pauljones/dynamic-group-membership-in-azure-active-directory-part-1)
- [Dynamic Group Membership in Microsoft Entra ID (Part 2)](/archive/blogs/pauljones/dynamic-group-membership-in-azure-active-directory-part-2)
-- Microsoft Entra ID P1 or P2 includes other services that are commonly used when managing apps and devices, including [multifactor authentication (MFA)](/azure/active-directory/authentication/concept-mfa-howitworks) and [conditional access](/azure/active-directory/conditional-access/overview).
+- Microsoft Entra ID P1 or P2 includes other services that are commonly used when managing apps and devices, including [multifactor authentication (MFA)](/azure/active-directory/authentication/concept-mfa-howitworks) and [Conditional Access](/azure/active-directory/conditional-access/overview).
- Many administrators ask when to use user groups and when to use device groups. For some guidance, go to [User groups vs. device groups](device-profile-assign.md#user-groups-vs-device-groups).
diff --git a/memdocs/intune/configuration/vpn-settings-macos.md b/memdocs/intune/configuration/vpn-settings-macos.md
index f2391ab5732..1a3f03b3dbc 100644
--- a/memdocs/intune/configuration/vpn-settings-macos.md
+++ b/memdocs/intune/configuration/vpn-settings-macos.md
@@ -7,7 +7,7 @@ keywords:
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 04/15/2024
+ms.date: 11/19/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: configuration
@@ -35,7 +35,8 @@ Depending on the settings you choose, not all values in the following list are c
This feature applies to:
-- macOS
+- macOS
+
## Before you begin
@@ -47,11 +48,20 @@ This feature applies to:
## Base VPN
-**Connection name**: Enter a name for this connection. End users see this name when they browse their device for the list of available VPN connections.
+- **Deployment channel**: Select how you want to deploy the profile. This setting also determines the keychain where the authentication certificates are stored, so it's important to select the proper channel. It's not possible to edit the deployment channel after you deploy the profile. To change it, you must create a new profile.
+
+ >[!NOTE]
+ > We recommend rechecking the deployment channel setting in existing profiles when the linked authentication certificates are up for renewal to ensure the intended channel is selected. If it isn't, create a new profile with the correct deployment channel.
+
+ You have two options:
+ - **User channel**: Always select the user deployment channel in profiles with user certificates. This option stores certificates in the user keychain.
+ - **Device channel**: Always select the device deployment channel in profiles with device certificates. This option stores certificates in the system keychain.
+
+- **Connection name**: Enter a name for this connection. End users see this name when they browse their device for the list of available VPN connections.
- **VPN server address**: Enter the IP address or fully qualified domain name of the VPN server that devices connect to. For example, enter `192.168.1.1` or `vpn.contoso.com`.
- **Authentication method**: Choose how devices authenticate to the VPN server. Your options:
- - **Certificates**: Under **Authentication certificate**, select a SCEP or PKCS certificate profile you previously created to authenticate the connection. For more information about certificate profiles, go to [How to configure certificates](../protect/certificates-configure.md).
+ - **Certificates**: Under **Authentication certificate**, select a SCEP or PKCS certificate profile you previously created to authenticate the connection. For more information about certificate profiles, go to [How to configure certificates](../protect/certificates-configure.md). Choose the certificates that align with your deployment channel selection. If you selected the user channel, your certificate options are limited to user certificate profiles. If you selected the device channel, you have both user and device certificate profiles to choose from. However, we recommend always selecting the certificate type that aligns with the selected channel. Storing user certificates in the system keychain increases security risks.
- **Username and password**: End users must enter a username and password to sign into the VPN server.
- **Connection type**: Select the VPN connection type from the following list of vendors:
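Review bot: the closing sentence of the **Certificates** bullet, "Storing user certificates in the system keychain increases security risks", should say what the risk is: the System keychain is shared by all user accounts on the Mac, so a user's VPN identity placed there is reachable from other local accounts, whereas the login keychain is per user and unlocked only within that user's session. Stating that also justifies treating "device channel with a user certificate profile" as something to avoid rather than merely "not recommended". The **Deployment channel** bullet should state which channel is selected by default, since the choice can't be changed after deployment, and the NOTE about rechecking the channel at certificate renewal would be clearer if it said what symptom to expect when the channel and certificate type don't match.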
diff --git a/memdocs/intune/configuration/vpn-settings-windows-10.md b/memdocs/intune/configuration/vpn-settings-windows-10.md
index 54dce306e9a..a59b49f8242 100644
--- a/memdocs/intune/configuration/vpn-settings-windows-10.md
+++ b/memdocs/intune/configuration/vpn-settings-windows-10.md
@@ -2,7 +2,7 @@
# required metadata
title: Windows 10/11 VPN settings in Microsoft Intune
-description: Learn and read about all the available VPN settings in Microsoft Intune, what they're used for, and what they do. See the traffic rules, conditional access, and DNS and proxy settings for Windows 10/11 and Windows Holographic for Business devices.
+description: Learn and read about all the available VPN settings in Microsoft Intune, what they're used for, and what they do. See the traffic rules, Conditional Access, and DNS and proxy settings for Windows 10/11 and Windows Holographic for Business devices.
keywords:
author: MandiOhlinger
ms.author: mandia
diff --git a/memdocs/intune/configuration/wi-fi-settings-android-aosp.md b/memdocs/intune/configuration/wi-fi-settings-android-aosp.md
index 34822016269..0612659fb0a 100644
--- a/memdocs/intune/configuration/wi-fi-settings-android-aosp.md
+++ b/memdocs/intune/configuration/wi-fi-settings-android-aosp.md
@@ -7,7 +7,7 @@ keywords:
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 01/17/2024
+ms.date: 12/11/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: configuration
@@ -55,7 +55,7 @@ For more information on AOSP, go to [Android Open Source Project](https://source
When devices are connected to another preferred Wi-Fi connection, then they won't automatically connect to this Wi-Fi network. If devices fail to connect automatically when this setting is enabled, then disconnect the devices from any existing Wi-Fi connections.
- **Hidden network**: Select **Enable** to hide this network from the list of available networks on the device. The SSID isn't broadcasted. Select **Disable** to show this network in the list of available networks on the device.
-- **Wi-Fi type**: Select the security protocol to authenticate to the Wi-Fi network. Your options:
+- **Security type**: Select the security protocol to authenticate to the Wi-Fi network. Your options:
- **Open (no authentication)**: Only use this option if the network is unsecured.
- **WEP-Pre-shared key**: Enter the password in **Pre-shared key** (PSK). When your organization's network is set up or configured, a password or network key is also configured. Enter this password or network key for the PSK value.
diff --git a/memdocs/intune/configuration/wi-fi-settings-android-enterprise.md b/memdocs/intune/configuration/wi-fi-settings-android-enterprise.md
index c4fd01fe79d..157ccae05d1 100644
--- a/memdocs/intune/configuration/wi-fi-settings-android-enterprise.md
+++ b/memdocs/intune/configuration/wi-fi-settings-android-enterprise.md
@@ -1,13 +1,13 @@
---
# required metadata
-title: Wi-Fi settings for Android Enterprise and kiosk devices - Microsoft Intune | Microsoft Docs
+title: Add Wi-Fi settings for Android Enterprise devices in Microsoft Intune
description: Create or add a WiFi device configuration profile for Android Enterprise and Android Kiosk. See the different settings, add certificates, choose an EAP type, and select an authentication method in Microsoft Intune. For kiosk devices, also enter the Pre-shared key of your network.
keywords:
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 07/18/2024
+ms.date: 12/11/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: configuration
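Review bot: the new `title` drops the "kiosk"/"dedicated" qualifiers, but the unchanged `description:` line directly below still says "for Android Enterprise and Android Kiosk" and "For kiosk devices, also enter the Pre-shared key of your network"; since the title and description now disagree about what the article covers, reword the description to list the same device types the body sections use (fully managed, dedicated, and personally owned work profile) or keep the title specific.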
@@ -28,7 +28,7 @@ ms.collection:
- M365-identity-device-management
---
-# Add Wi-Fi settings for Android Enterprise dedicated and fully managed devices in Microsoft Intune
+# Add Wi-Fi settings for Android Enterprise devices in Microsoft Intune
You can create a profile with specific Wi-Fi settings, and then deploy this profile to your Android Enterprise fully managed and dedicated devices. Microsoft Intune offers many features, including authenticating to your network, using a pre-shared key, and more.
@@ -67,7 +67,7 @@ Select this option if you're deploying to an Android Enterprise dedicated, corpo
When devices are connected to another preferred Wi-Fi connection, then they don't automatically connect to this Wi-Fi network. If devices fail to connect automatically when this setting is enabled, then disconnect the devices from any existing Wi-Fi connections.
- **Hidden network**: Select **Enable** to hide this network from the list of available networks on the device. The SSID isn't broadcasted. Select **Disable** to show this network in the list of available networks on the device.
-- **Wi-Fi type**: Select the security protocol to authenticate to the Wi-Fi network. Your options:
+- **Security type**: Select the security protocol to authenticate to the Wi-Fi network. Your options:
- **Open (no authentication)**: Only use this option if the network is unsecured.
- **WEP-Pre-shared key**: Enter the password in **Pre-shared key**. When your organization's network is set up or configured, a password or network key is also configured. Enter this password or network key for the PSK value.
@@ -258,6 +258,25 @@ Select this option if you're deploying to an Android Enterprise dedicated, corpo
- **Wi-Fi type**: Select **Basic**.
- **SSID**: Enter the **service set identifier**, which is the real name of the wireless network that devices connect to. However, users only see the **network name** you configured when they choose the connection.
- **Hidden network**: Select **Enable** to hide this network from the list of available networks on the device. The SSID isn't broadcasted. Select **Disable** to show this network in the list of available networks on the device.
+- **Wi-Fi type**: Select the security protocol to authenticate to the Wi-Fi network. Your options:
+
+ - **Open (no authentication)**: Only use this option if the network is unsecured.
+ - **WEP-Pre-shared key**: Enter the password in **Pre-shared key**. When your organization's network is set up or configured, a password or network key is also configured. Enter this password or network key for the PSK value.
+
+ > [!WARNING]
+ > On Android 12 and later, Google deprecated support for WEP pre-shared keys (PSK) in Wi-Fi configuration profiles. It's possible WEP might still work. But, it's not recommended and is considered obsolete. Instead, use WPA pre-shared keys (PSK) in your Wi-Fi configuration profiles.
+ >
+ > For more information, go to the [Android developer reference - WifiConfiguration.GroupCipher](https://developer.android.com/reference/android/net/wifi/WifiConfiguration.GroupCipher#summary).
+
+ - **WPA-Pre-shared key**: Enter the password in **Pre-shared key**. When your organization's network is set up or configured, a password or network key is also configured. Enter this password or network key for the PSK value.
+
+- **Proxy settings**: Select a proxy configuration. Your options:
+
+ - **None**: No proxy settings are configured.
+
+ - **Automatic**: Use a file to configure the proxy server. Enter the **Proxy server URL** that contains the configuration file. For example, enter `http://proxy.contoso.com`, `10.0.0.11`, or `http://proxy.contoso.com/proxy.pac`.
+
+ For more information on PAC files, see [Proxy Auto-Configuration (PAC) file](https://developer.mozilla.org/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_(PAC)_file) (opens a non-Microsoft site).
### Enterprise (personally owned work profile)
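Review bot: the added `+- **Wi-Fi type**: Select the security protocol to authenticate to the Wi-Fi network.` bullet creates a second **Wi-Fi type** item in the same list as the existing `- **Wi-Fi type**: Select **Basic**.` three lines above it, and the other hunks in this change rename exactly this bullet to **Security type** in wi-fi-settings-android-aosp.md and in the fully managed section of this file; rename it here too so the three sections match. In the **Automatic** proxy bullet, the text says to enter the URL "that contains the configuration file", but two of the three examples (`http://proxy.contoso.com` and `10.0.0.11`) are a bare host and an IP address rather than a PAC file location; either keep only the `.pac` example or say explicitly what the device does with a host or IP value. The WEP warning is a useful addition; stating that WEP provides no effective confidentiality (not only that Google deprecated it) would give admins the reason to migrate rather than just the instruction.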
diff --git a/memdocs/intune/configuration/wi-fi-settings-macos.md b/memdocs/intune/configuration/wi-fi-settings-macos.md
index 03de0653506..48bc97cce36 100644
--- a/memdocs/intune/configuration/wi-fi-settings-macos.md
+++ b/memdocs/intune/configuration/wi-fi-settings-macos.md
@@ -8,7 +8,7 @@ keywords:
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 06/25/2024
+ms.date: 11/19/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: configuration
@@ -39,17 +39,17 @@ This feature applies to:
These Wi-Fi settings are separated in to two categories: Basic settings and Enterprise settings.
-This article describes the settings you can configure.
+This article describes the settings you can configure.
## Before you begin
- Create a [macOS Wi-Fi device configuration profile](wi-fi-settings-configure.md).
-- These settings are available for all enrollment types. For more information on the enrollment types, go to [macOS enrollment](../enrollment/macos-enroll.md).
+- These settings are available for all enrollment types. For more information on the enrollment types, go to [macOS enrollment](../enrollment/macos-enroll.md).
## Basic profiles
-Basic or personal profiles use WPA/WPA2 to secure the Wi-Fi connection on devices. Typically, WPA/WPA2 is used on home networks or personal networks. You can also add a pre-shared key to authenticate the connection.
+Basic or personal profiles use WPA/WPA2 to secure the Wi-Fi connection on devices. Typically, WPA/WPA2 is used on home networks or personal networks. You can also add a preshared key to authenticate the connection.
- **Wi-Fi type**: Select **Basic**.
- **SSID**: This **service set identifier** (SSID) property is the real name of the wireless network that devices connect to. However, users only see the network name you configured when they choose the connection.
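Review bot: `pre-shared key` becomes `preshared key` in the Basic profiles paragraph, while the same change set uses the hyphenated **Pre-shared key** as the UI label and in the WEP warning added to wi-fi-settings-android-enterprise.md, so both spellings now coexist; pick one form (the UI label is the safer anchor) and apply it consistently. The other three changed lines in this hunk are whitespace-only; if they are trailing-space removals that is fine, but confirm no line-ending change slipped in with them.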
@@ -72,6 +72,14 @@ Basic or personal profiles use WPA/WPA2 to secure the Wi-Fi connection on device
Enterprise profiles use Extensible Authentication Protocol (EAP) to authenticate Wi-Fi connections. EAP is often used by enterprises, as you can use certificates to authenticate and secure connections, and configure more security options.
+- **Deployment channel**: Select how you want to deploy the profile. This setting also determines the keychain where the authentication certificates are stored, so it's important to select the proper channel. It's not possible to edit the deployment channel after you deploy the profile. To do so, you must create a new profile.
+
+ >[!NOTE]
+ > We recommend rechecking the deployment channel setting in existing profiles when the linked authentication certificates are up for renewal to ensure the intended channel is selected. If it isn't, create a new profile with the correct deployment channel.
+
+ You have two options:
+ - **User channel**: Always select the user deployment channel in profiles with user certificates. This option stores certificates in the user keychain.
+ - **Device channel**: Always select the device deployment channel in profiles with device certificates. This option stores certificates in the system keychain.
- **Wi-Fi type**: Select **Enterprise**.
- **SSID**: Short for **service set identifier**. This property is the real name of the wireless network that devices connect to. However, users only see the network name you configured when they choose the connection.
- **Connect automatically**: Select **Enable** to automatically connect to this network when the device is in range. Select **Disable** to prevent devices from automatically connecting.
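Review bot: in the new **Deployment channel** bullet, "It's not possible to edit the deployment channel after you deploy the profile. To do so, you must create a new profile." reads as if "to do so" refers to editing the channel, which the preceding sentence just said is impossible; suggest "To change the channel, create a new profile with the correct setting." Also, the nested `- **User channel**` / `- **Device channel**` items run straight into the unchanged `- **Wi-Fi type**: Select **Enterprise**.` bullet with no blank line, whereas the identical block added to wired-network-settings-macos.md in this change is followed by a blank `+` line; add the blank line here so both files render the same way.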
@@ -92,7 +100,7 @@ Enterprise profiles use Extensible Authentication Protocol (EAP) to authenticate
- **Certificate server names**: **Add** one or more common names used in the certificates issued by your trusted certificate authority (CA). When you enter this information, you can bypass the dynamic trust window displayed on user's devices when they connect to this Wi-Fi network.
- **Root certificate for server validation**: Select one or more existing trusted root certificate profiles. When the client connects to the network, these certificates are used to establish a chain of trust with the server. If your authentication server uses a public certificate, then you don't need to include a root certificate.
- - **Certificates**: Select the SCEP or PKCS client certificate profile that is also deployed to the device. This certificate is the identity presented by the device to the server to authenticate the connection.
+ - **Certificates**: Select the SCEP or PKCS client certificate profile that is also deployed to the device. This certificate is the identity presented by the device to the server to authenticate the connection. Choose the certificates that align with your deployment channel selection. If you selected the user channel, your certificate options are limited to user certificate profiles. If you selected the device channel, you have both user and device certificate profiles to choose from. However, we recommend always selecting the certificate type that aligns with the selected channel. Storing user certificates in the system keychain increases security risks.
- **Identity privacy (outer identity)**: Enter the text sent in the response to an EAP identity request. This text can be any value, such as `anonymous`. During authentication, this anonymous identity is initially sent. Then, the real identification is sent in a secure tunnel.
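Review bot: the added sentence "Storing user certificates in the system keychain increases security risks." names a risk without the reason an admin needs in order to act on it; say that the system keychain is shared by every user and login session on the Mac, so a user identity certificate and its private key placed there are no longer confined to the user they identify. The sentence just before it ("you have both user and device certificate profiles to choose from") is what invites that mismatch, so consider stating the recommendation first and then the reason, so the permissive option isn't the last thing the reader sees.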
diff --git a/memdocs/intune/configuration/wired-network-settings-macos.md b/memdocs/intune/configuration/wired-network-settings-macos.md
index 5b83fc6d797..c274edd3cda 100644
--- a/memdocs/intune/configuration/wired-network-settings-macos.md
+++ b/memdocs/intune/configuration/wired-network-settings-macos.md
@@ -8,7 +8,7 @@ keywords:
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 06/25/2024
+ms.date: 11/19/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: configuration
@@ -39,13 +39,13 @@ This feature applies to:
- macOS
-This article describes the settings you can configure.
+This article describes the settings you can configure.
## Before you begin
- Create a [macOS wired network device configuration profile](wired-networks-configure.md).
-- These settings are available for all enrollment types. For more information on the enrollment types, go to [macOS enrollment](../enrollment/macos-enroll.md).
+- These settings are available for all enrollment types. For more information on the enrollment types, go to [macOS enrollment](../enrollment/macos-enroll.md).
## Wired Network
@@ -61,6 +61,15 @@ This article describes the settings you can configure.
Options with "active" in the title use interfaces that are actively working on the device. If there are no active interfaces, the next interface in service-order priority is configured. By default, **First active Ethernet** is selected, which is also the default setting configured by macOS.
+- **Deployment channel**: Select how you want to deploy the profile. This setting also determines the keychain where the authentication certificates are stored, so it's important to select the proper channel. It's not possible to edit the deployment channel after you deploy the profile. To do so, you must create a new profile.
+
+ >[!NOTE]
+ > We recommend rechecking the deployment channel setting in existing profiles when the linked authentication certificates are up for renewal to ensure the intended channel is selected. If it isn't, create a new profile with the correct deployment channel.
+
+ You have two options:
+ - **User channel**: Always select the user deployment channel in profiles with user certificates. This option stores certificates in the user keychain.
+ - **Device channel**: Always select the device deployment channel in profiles with device certificates. This option stores certificates in the system keychain.
+
- **EAP type**: To authenticate secured wired connections, select the Extensible Authentication Protocol (EAP) type. Your options:
- **EAP-FAST**: Enter the **Protected Access Credential (PAC) Settings**. This option uses protected access credentials to create an authenticated tunnel between the client and the authentication server. Your options:
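Review bot: the **Deployment channel** bullet, its `[!NOTE]`, and the two-option list are a word-for-word copy of the block added to wi-fi-settings-macos.md in this same change, and the two copies will drift on the next edit; consider moving the block to a shared include so both articles pull the same text. The same "To do so, you must create a new profile." ambiguity applies here: "to do so" appears to refer to editing the channel, which the previous sentence says can't be done, so reword it to "To change the channel, create a new profile."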
@@ -87,7 +96,7 @@ This article describes the settings you can configure.
- **Challenge Handshake Authentication Protocol (CHAP)**
- **Microsoft CHAP (MS-CHAP)**
- **Microsoft CHAP Version 2 (MS-CHAP v2)**
- - **Certificates**: Select an existing SCEP client certificate profile that is also deployed to the device. This certificate is the identity presented by the device to the server to authenticate the connection. PKCS certificates aren't supported.
+ - **Certificates**: Select an existing SCEP client certificate profile that is also deployed to the device. This certificate is the identity presented by the device to the server to authenticate the connection. PKCS certificates aren't supported. Choose the certificate that aligns with your deployment channel selection. If you selected the user channel, your certificate options are limited to user certificate profiles. If you selected the device channel, you have both user and device certificate profiles to choose from. However, we recommend always selecting the certificate type that aligns with the selected channel. Storing user certificates in the system keychain increases security risks.
- **Identity privacy (outer identity)**: Enter the text sent in the response to an EAP identity request. This text can be any value, such as `anonymous`. During authentication, this anonymous identity is initially sent. Then, the real identification is sent in a secure tunnel.
- **LEAP**
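Review bot: the rewritten **Certificates** line says "Select an existing SCEP client certificate profile ... PKCS certificates aren't supported." and then "If you selected the device channel, you have both user and device certificate profiles to choose from."; a reader can take the second sentence to mean the device channel unlocks PKCS profiles, so state that both choices remain SCEP profiles. As in the Wi-Fi article, "Storing user certificates in the system keychain increases security risks." should carry its reason (the system keychain is shared by all users on the Mac, so a user identity stored there is no longer scoped to that user).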
diff --git a/memdocs/intune/copilot/copilot-devices.md b/memdocs/intune/copilot/copilot-devices.md
index df5f72f2d2d..340b0633a61 100644
--- a/memdocs/intune/copilot/copilot-devices.md
+++ b/memdocs/intune/copilot/copilot-devices.md
@@ -7,7 +7,7 @@ keywords: security copilot, intune, microsoft intune, copilot, device informatio
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 04/01/2024
+ms.date: 11/08/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice:
@@ -31,7 +31,7 @@ ms.collection:
# Use Microsoft Copilot in Intune to troubleshoot devices (public preview)
-Microsoft Copilot for Security is a generative-AI security analysis tool that can help your organization get information quickly. Copilot is [built into Microsoft Intune](copilot-intune-overview.md). It can help IT admins manage and troubleshoot devices.
+Microsoft Security Copilot is a generative-AI security analysis tool that can help your organization get information quickly. Copilot is [built into Microsoft Intune](copilot-intune-overview.md). It can help IT admins manage and troubleshoot devices.
Copilot uses your Intune data. Admins can only access the data that they have permissions to, which includes the [RBAC roles](../fundamentals/role-based-access-control.md) and [scope tags](../fundamentals/scope-tags.md) assigned to them. For more information, see [Microsoft Copilot in Intune FAQ](copilot-intune-faq.md).
@@ -50,7 +50,7 @@ This article describes how to use Copilot to manage and troubleshoot device issu
- To use Copilot in Intune, make sure Copilot is enabled. For more information, see:
- [Microsoft Copilot in Intune](../copilot/copilot-intune-overview.md#before-you-begin)
- - [Get started with Microsoft Copilot for Security](/security-copilot/get-started-security-copilot)
+ - [Get started with Microsoft Security Copilot](/security-copilot/get-started-security-copilot)
- When you use the Copilot prompts to troubleshoot your devices, you are within the scope of the device you select.
diff --git a/memdocs/intune/copilot/copilot-intune-faq.md b/memdocs/intune/copilot/copilot-intune-faq.md
index 86c00f6728e..bec286077a4 100644
--- a/memdocs/intune/copilot/copilot-intune-faq.md
+++ b/memdocs/intune/copilot/copilot-intune-faq.md
@@ -7,7 +7,7 @@ keywords: security copilot, intune, microsoft intune, copilot, faq
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 04/01/2024
+ms.date: 11/08/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice:
@@ -37,25 +37,25 @@ This article answers common questions about using Microsoft Copilot in Intune. F
### How can I control access to Copilot in Intune?
-When you set up Copilot for Security, you determine the Copilot role that your admins can have (owner or contributor), as described in [Roles and authentication in Microsoft Copilot for Security](/security-copilot/authentication). There are also Microsoft Entra roles that can control access to Copilot for Security.
+When you set up Security Copilot, you determine the Copilot role that your admins can have (owner or contributor), as described in [Roles and authentication in Microsoft Security Copilot](/security-copilot/authentication). There are also Microsoft Entra roles that can control access to Security Copilot.
-The Copilot for Security roles or the Microsoft Entra roles that you configure control access to Copilot in Intune. There aren't any Intune-specific roles-based access controls (RBAC) for Copilot in Intune.
+The Security Copilot roles or the Microsoft Entra roles that you configure control access to Copilot in Intune. There aren't any Intune-specific roles-based access controls (RBAC) for Copilot in Intune.
-After you enable Intune in Copilot for Security, your Intune admins can see the Copilot features in the Intune admin center. But they can only access the data that they have permission to. Copilot honors existing [Intune RBAC roles](../fundamentals/role-based-access-control.md) and [Intune scope tags](../fundamentals/scope-tags.md) that are assigned to your admins.
+After you enable Intune in Security Copilot, your Intune admins can see the Copilot features in the Intune admin center. But they can only access the data that they have permission to. Copilot honors existing [Intune RBAC roles](../fundamentals/role-based-access-control.md) and [Intune scope tags](../fundamentals/scope-tags.md) that are assigned to your admins.
So, if an admin tries to access Intune data that they don't have permissions to, they get the following error message:
`You don't have permission to access this feature. Reach out to your IT administrator for help.`
-If you want access to Copilot in Intune, contact the Copilot for Security workspace owner in your organization. If you want access to all your Intune data, contact your Intune administrator.
+If you want access to Copilot in Intune, contact the Security Copilot workspace owner in your organization. If you want access to all your Intune data, contact your Intune administrator.
-### Can I use Copilot for Security if I'm not an Intune admin, and vice versa?
+### Can I use Security Copilot if I'm not an Intune admin, and vice versa?
-Yes. Access to Copilot for Security is managed by using Copilot for Security or Microsoft Entra roles. For more information, see [Roles and authentication in Microsoft Copilot for Security](/security-copilot/authentication).
+Yes. Access to Security Copilot is managed by using Security Copilot or Microsoft Entra roles. For more information, see [Roles and authentication in Microsoft Security Copilot](/security-copilot/authentication).
-If you're an Intune admin and have the correct Copilot for Security or Microsoft Entra role assigned to you, you can use Copilot for Security to get insights about your Intune data.
+If you're an Intune admin and have the correct Security Copilot or Microsoft Entra role assigned to you, you can use Security Copilot to get insights about your Intune data.
-Copilot for Security is scoped to all your embedded services.
+Security Copilot is scoped to all your embedded services.
If you're an Intune admin or IT admin and only want Intune data, you should use [Copilot in Intune](copilot-intune-overview.md). Its scope is only Intune data, and its capabilities are integrated into the relevant areas of the Intune admin center.
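Review bot: the rewritten line `+The Security Copilot roles or the Microsoft Entra roles that you configure control access to Copilot in Intune. There aren't any Intune-specific roles-based access controls (RBAC) ...` keeps the existing typo "roles-based access controls"; since the line is already being touched for the product rename, change it to "role-based access control (RBAC)", which is also how the linked ../fundamentals/role-based-access-control.md article names it.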
@@ -65,44 +65,44 @@ If you're a security admin, you can use [Copilot in Intune](copilot-intune-overv
### How do I turn on Intune capabilities?
-In the [Microsoft Copilot for Security portal](https://go.microsoft.com/fwlink/?linkid=2247989), select **Sources** (prompt bar > right corner), and enable the Microsoft Intune plug-in. This plug-in allows you to access your Intune data and use the Copilot features in the Intune admin center.
+In the [Microsoft Security Copilot portal](https://go.microsoft.com/fwlink/?linkid=2247989), select **Sources** (prompt bar > right corner), and enable the Microsoft Intune plug-in. This plug-in allows you to access your Intune data and use the Copilot features in the Intune admin center.
-For more information about managing plug-ins, see [Manage plug-ins in Copilot for Security](/security-copilot/manage-plugins).
+For more information about managing plug-ins, see [Manage plug-ins in Security Copilot](/security-copilot/manage-plugins).
### Can I use capabilities for other Copilot services in the Intune admin center?
No. Copilot in Intune in the Intune admin center is available only for Intune capabilities.
-You can't get insights from other Microsoft services, like Microsoft Defender, Microsoft Entra, and Microsoft Purview. To get insights from other Microsoft services, you can use the [Copilot for Security portal](https://go.microsoft.com/fwlink/?linkid=2247989).
+You can't get insights from other Microsoft services, like Microsoft Defender, Microsoft Entra, and Microsoft Purview. To get insights from other Microsoft services, you can use the [Security Copilot portal](https://go.microsoft.com/fwlink/?linkid=2247989).
### How much does Copilot in Intune cost?
-Copilot in Intune is included with Copilot for Security. Copilot for Security uses security compute units (SCUs). There aren't any other licensing requirements or Intune-specific licenses for using Copilot in Intune.
+Copilot in Intune is included with Security Copilot. Security Copilot uses security compute units (SCUs). There aren't any other licensing requirements or Intune-specific licenses for using Copilot in Intune.
For more information about SCUs, see:
- [Get started with Microsoft Copilot](/security-copilot/get-started-security-copilot)
-- [Manage capacity in Copilot for Security](/security-copilot/manage-usage)
+- [Manage capacity in Security Copilot](/security-copilot/manage-usage)
### Is there a limit on the prompt output?
-Copilot in Intune is bound by any token limits in Copilot for Security. For more information, see [Copilot for Security FAQ - Token limits](/security-copilot/faq-security-copilot#how-is-copilot-for-security-dealing-with-a-token-limit).
+Copilot in Intune is bound by any token limits in Security Copilot. For more information, see [Security Copilot FAQ - Token limits](/security-copilot/faq-security-copilot#how-is-copilot-for-security-dealing-with-a-token-limit).
-## Copilot for Security vs. Copilot in Intune
+## Security Copilot vs. Copilot in Intune
-### Does Copilot for Security give admins more access to Intune data than is available in the Intune admin center?
+### Does Security Copilot give admins more access to Intune data than is available in the Intune admin center?
-No. The Intune capabilities in Copilot for Security are built using the existing Microsoft Graph APIs, which are the same APIs that the Intune admin center uses. Both Copilot experiences use the same Intune capabilities.
+No. The Intune capabilities in Security Copilot are built using the existing Microsoft Graph APIs, which are the same APIs that the Intune admin center uses. Both Copilot experiences use the same Intune capabilities.
-### To get Intune insights, should I use Copilot for Security or Copilot in Intune?
+### To get Intune insights, should I use Security Copilot or Copilot in Intune?
-To use Copilot with your Intune data, you can use Copilot in Intune or Copilot for Security. Here's a comparison of the two experiences:
+To use Copilot with your Intune data, you can use Copilot in Intune or Security Copilot. Here's a comparison of the two experiences:
-| Feature | Copilot in Intune | Copilot for Security |
+| Feature | Copilot in Intune | Security Copilot |
|---|---|---|
| **Access and data insights** | This Copilot is embedded in the Intune admin center and is scoped to only show Intune data.
Intune admins should use Copilot in Intune for Intune-only tasks. | This Copilot is a standalone experience. It can access other embedded services, like Microsoft Defender, Microsoft Entra ID, Microsoft Purview, and Microsoft Intune.
It accesses the same Intune capabilities as Copilot in Intune. |
| **Open prompting** | Intune provides a set of prompts you can use. There isn't an open prompt. There are plans to include an open prompt in the future (no ETA).| Can use open prompts or use [promptbooks](/security-copilot/using-promptbooks). |
-| **Prompt history** | The prompt/response history isn't available in the Intune admin center. To view the prompt history, use Copilot for Security.
The prompts can look different compared with the prompts shown in Intune, as Intune enters the prompt for you. | You can review the prompt/response history even when the prompt is submitted in the standalone or embedded experience. |
+| **Prompt history** | The prompt/response history isn't available in the Intune admin center. To view the prompt history, use Security Copilot.
The prompts can look different compared with the prompts shown in Intune, as Intune enters the prompt for you. | You can review the prompt/response history even when the prompt is submitted in the standalone or embedded experience. |
| **Target audience** | Focus is the IT admin/IT Pro. | Focus is the Security Operations Center (SOC) and can be used by IT admins. |
## Feedback and troubleshooting Copilot
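Review bot: the Token limits link in this hunk still points at the anchor `#how-is-copilot-for-security-dealing-with-a-token-limit`, which carries the old product name; if the target FAQ heading was renamed in the same rebrand, that fragment no longer resolves, so verify it against the current heading. The first SCU bullet, `- [Get started with Microsoft Copilot](/security-copilot/get-started-security-copilot)`, is left as "Microsoft Copilot" while the bullet directly under it becomes "Security Copilot"; for a rename pass it should read "Microsoft Security Copilot" as well. In the comparison table, the **Access and data insights** and **Prompt history** cells span several physical lines; if that is how the file is written (and not an artifact of this view), those cells need `<br>` separators, because a raw newline inside a Markdown table ends the row.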
@@ -122,9 +122,9 @@ Other things you can try:
- If you're working with Microsoft to debug the issue, support might ask you for the session ID. To get the session ID, you can:
- Use the F12 developer tools in your browser. This information shows the capabilities that Copilot uses.
- - In the [Copilot for Security portal](https://go.microsoft.com/fwlink/?linkid=2247989), you can view the prompt sessions and session IDs from the Intune embedded experience.
+ - In the [Security Copilot portal](https://go.microsoft.com/fwlink/?linkid=2247989), you can view the prompt sessions and session IDs from the Intune embedded experience.
## Related articles
-- [Microsoft Copilot for Security FAQ](/security-copilot/faq-security-copilot)
+- [Microsoft Security Copilot FAQ](/security-copilot/faq-security-copilot)
- [Microsoft Copilot in Intune](copilot-intune-overview.md)
\ No newline at end of file
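Review bot: the file still ends without a trailing newline (`\ No newline at end of file` after the renamed Related articles bullet); add one while the file is being edited so later diffs against this file don't keep flagging the last line.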
diff --git a/memdocs/intune/copilot/copilot-intune-overview.md b/memdocs/intune/copilot/copilot-intune-overview.md
index c15da3ceec2..70ab14ec2a1 100644
--- a/memdocs/intune/copilot/copilot-intune-overview.md
+++ b/memdocs/intune/copilot/copilot-intune-overview.md
@@ -7,7 +7,7 @@ keywords: Security Copilot, Intune, Microsoft Intune, AI, Copilot, settings cata
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 04/01/2024
+ms.date: 11/08/2024
ms.topic: get-started
ms.service: microsoft-intune
ms.subservice:
@@ -36,7 +36,7 @@ ms.collection:
This feature is in [public preview](../fundamentals/public-preview.md).
-[Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) is a generative-AI security analysis tool. It can help you and your organization get information quickly and make decisions that affect security and risk.
+[Microsoft Security Copilot](/security-copilot/microsoft-security-copilot) is a generative-AI security analysis tool. It can help you and your organization get information quickly and make decisions that affect security and risk.
Intune has capabilities that are powered by Copilot. These capabilities access your Intune data and help you manage your policies and settings, understand your security posture, and troubleshoot device issues.
@@ -46,9 +46,9 @@ There are two ways to access your Intune data by using Copilot:
This experience has an IT admin/IT Pro focus.
-- **Microsoft Copilot for Security**: This option is a standalone Copilot and is available in the [Microsoft Copilot for Security portal](https://go.microsoft.com/fwlink/?linkid=2247989). You can use this portal to get insights from Copilot for Security for all your enabled services, like Intune, Microsoft Defender, Microsoft Entra ID, Microsoft Purview, and more.
+- **Microsoft Security Copilot**: This option is a standalone Copilot and is available in the [Microsoft Security Copilot portal](https://go.microsoft.com/fwlink/?linkid=2247989). You can use this portal to get insights from Security Copilot for all your enabled services, like Intune, Microsoft Defender, Microsoft Entra ID, Microsoft Purview, and more.
- This experience has a Security Operations Center (SOC) focus and can be used by IT admins. For more information, see [Access your Microsoft Intune data in Copilot for Security](security-copilot.md).
+ This experience has a Security Operations Center (SOC) focus and can be used by IT admins. For more information, see [Access your Microsoft Intune data in Security Copilot](security-copilot.md).
This article focuses on Copilot in Intune and describes the Intune features that you can use with Copilot.
@@ -56,35 +56,35 @@ This article focuses on Copilot in Intune and describes the Intune features that
To use Copilot in Intune, you should know the following information:
-- **Copilot security compute units (SCUs)**: Copilot in Intune is included with Copilot for Security. There aren't any other licensing requirements or Intune-specific licenses for using Copilot in Intune.
+- **Copilot security compute units (SCUs)**: Copilot in Intune is included with Security Copilot. There aren't any other licensing requirements or Intune-specific licenses for using Copilot in Intune.
For more information about SCUs, see:
- [Get started with Microsoft Copilot](/security-copilot/get-started-security-copilot)
- - [Manage capacity in Copilot for Security](/security-copilot/manage-usage)
+ - [Manage capacity in Security Copilot](/security-copilot/manage-usage)
-- **Copilot configuration**: Before you can use the Copilot features in Intune, Microsoft Copilot for Security must be configured, and you must complete the first run tour in the [Microsoft Copilot for Security portal](https://go.microsoft.com/fwlink/?linkid=2247989). For the setup tasks, see [Get started with Microsoft Copilot](/security-copilot/get-started-security-copilot).
+- **Copilot configuration**: Before you can use the Copilot features in Intune, Microsoft Security Copilot must be configured, and you must complete the first run tour in the [Microsoft Security Copilot portal](https://go.microsoft.com/fwlink/?linkid=2247989). For the setup tasks, see [Get started with Microsoft Copilot](/security-copilot/get-started-security-copilot).
You can check the status in the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Tenant administration** > **Copilot**.
:::image type="content" source="./media/copilot-intune-overview/tenant-administration-copilot-enabled.png" alt-text="Screenshot that shows Copilot is enabled in the Microsoft Intune tenant and Intune admin center." lightbox="./media/copilot-intune-overview/tenant-administration-copilot-enabled.png":::
-- **Copilot roles**: Access to Copilot in Intune is managed through Copilot for Security or Microsoft Entra ID. To use Copilot in Intune, you or your admin team must be assigned the appropriate role in Copilot for Security or Microsoft Entra ID. There isn't a built-in Intune role that has access to Copilot.
+- **Copilot roles**: Access to Copilot in Intune is managed through Security Copilot or Microsoft Entra ID. To use Copilot in Intune, you or your admin team must be assigned the appropriate role in Security Copilot or Microsoft Entra ID. There isn't a built-in Intune role that has access to Copilot.
- For more information, see [Roles and authentication in Microsoft Copilot for Security](/security-copilot/authentication).
+ For more information, see [Roles and authentication in Microsoft Security Copilot](/security-copilot/authentication).
-- **Intune plug-in source**: To use Copilot in Intune, you need the Intune plug-in enabled in Copilot for Security. This plug-in allows you to access your Intune data and use Copilot in the Intune admin center.
+- **Intune plug-in source**: To use Copilot in Intune, you need the Intune plug-in enabled in Security Copilot. This plug-in allows you to access your Intune data and use Copilot in the Intune admin center.
- Go to the [Copilot for Security portal](https://go.microsoft.com/fwlink/?linkid=2247989) and select **Sources** (prompt bar > right corner).
+ Go to the [Security Copilot portal](https://go.microsoft.com/fwlink/?linkid=2247989) and select **Sources** (prompt bar > right corner).
- :::image type="content" source="./media/copilot-intune-overview/security-copilot-sources.png" alt-text="Screenshot that shows the plugin sources that are available, enabled, and disabled in Microsoft Copilot for Security.":::
+ :::image type="content" source="./media/copilot-intune-overview/security-copilot-sources.png" alt-text="Screenshot that shows the plugin sources that are available, enabled, and disabled in Microsoft Security Copilot.":::
In **Manage sources**, enable Microsoft Intune.
- :::image type="content" source="./media/copilot-intune-overview/intune-plug-in-enabled.png" alt-text="Screenshot that shows the Microsoft Intune plug-in source is enabled in the Microsoft Copilot for Security portal.":::
+ :::image type="content" source="./media/copilot-intune-overview/intune-plug-in-enabled.png" alt-text="Screenshot that shows the Microsoft Intune plug-in source is enabled in the Microsoft Security Copilot portal.":::
> [!TIP]
- > Some roles can enable or disable plug-ins. For more information, see [Manage plug-ins in Microsoft Copilot for Security](/security-copilot/manage-plugins).
+ > Some roles can enable or disable plug-ins. For more information, see [Manage plug-ins in Microsoft Security Copilot](/security-copilot/manage-plugins).
- **Your Intune data**: Copilot uses your Intune data. When an Intune admin submits a prompt, Copilot can only access the data that they have permissions to, which includes the [RBAC roles](../fundamentals/role-based-access-control.md) and [scope tags](../fundamentals/scope-tags.md) assigned to them.
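Review bot: the rename is incomplete in this hunk: the link text on the "Get started" lines (`[Get started with Microsoft Copilot](/security-copilot/get-started-security-copilot)`, used twice, in the SCU bullet and in the configuration bullet) still says "Microsoft Copilot" while the same target is titled "Get started with Microsoft Security Copilot" elsewhere in this patch; update both to match. While here, the plug-in bullet sends the reader to **Sources** to enable Intune but says nothing about who can do that until the TIP below; consider moving the "Some roles can enable or disable plug-ins" sentence up beside the instruction, since an admin without that role will get a silent failure at exactly that step.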
@@ -195,4 +195,4 @@ For a full list of supported properties in device query, go to [Device query](..
- [Use Microsoft Copilot in Intune to troubleshoot devices](../copilot/copilot-devices.md).
- [Use the settings catalog to create device configuration policies](../configuration/settings-catalog.md).
-- [Learn more about Intune capabilities in Microsoft Copilot for Security](security-copilot.md).
+- [Learn more about Intune capabilities in Microsoft Security Copilot](security-copilot.md).
diff --git a/memdocs/intune/copilot/security-copilot.md b/memdocs/intune/copilot/security-copilot.md
index 5f312d6a034..000ae4d5652 100644
--- a/memdocs/intune/copilot/security-copilot.md
+++ b/memdocs/intune/copilot/security-copilot.md
@@ -1,13 +1,13 @@
---
# required metadata
-title: Use Copilot for Security to get device and policy information
-description: You can use Copilot for Security to get information about your Intune data, including devices, apps, policies, and groups managed in Intune. You can also compare policies, get device specific details, and get target info for policies.
+title: Security Copilot in Microsoft Intune
+description: You can use Security Copilot to get information about your Intune data, including devices, apps, policies, and groups managed in Intune. You can also compare policies, get device specific details, and get target info for policies.
keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 04/01/2024
+ms.date: 11/08/2024
ms.topic: concept-article
ms.service: microsoft-intune
ms.subservice:
@@ -32,29 +32,46 @@ ms.collection:
- magic-ai-copilot
---
-# Access your Microsoft Intune data in Copilot for Security
+# Security Copilot in Microsoft Intune
-Copilot for Security is a cloud-based AI platform that provides a natural language Copilot experience. It can help support security professionals in different scenarios, like incident response, threat hunting, and intelligence gathering. For more information about what it can do, go to [What is Microsoft Copilot for Security?](/security-copilot/microsoft-security-copilot).
+Microsoft Security Copilot is a cloud-based AI platform that provides a natural language Copilot experience. It can help support security professionals in different scenarios, like incident response, threat hunting, and intelligence gathering. For more information about what it can do, go to [What is Microsoft Security Copilot?](/security-copilot/microsoft-security-copilot)
-**Copilot for Security integrates with your Microsoft Intune data**.
+## Know before you begin
-If you use [Microsoft Intune](../fundamentals/what-is-intune.md) in the same tenant as Copilot for Security, then you can use Copilot for Security to get insights about your Intune data.
+If you're new to Security Copilot, you should familiarize yourself with it by reading these articles:
+- [What is Microsoft Security Copilot?](/security-copilot/microsoft-security-copilot)
+- [Microsoft Security Copilot experiences](/security-copilot/experiences-security-copilot)
+- [Get started with Microsoft Security Copilot](/security-copilot/get-started-security-copilot)
+- [Understand authentication in Microsoft Security Copilot](/security-copilot/authentication)
+- [Prompting in Microsoft Security Copilot](/security-copilot/prompting-security-copilot)
-There are Intune capabilities built into Copilot for Security, and you can use prompts to get more information, including:
+## Security Copilot integration in Microsoft Intune
+
+If you use [Microsoft Intune](../fundamentals/what-is-intune.md) in the same tenant as Security Copilot, then you can use Security Copilot to get insights about your Intune data.
+
+There are Intune capabilities built into Security Copilot, and you can use prompts to get more information, including:
- Information about your devices, apps, compliance & configuration policies, and policy assignments managed in Intune
- Managed device attributes and hardware details
- Issue with specific devices and compare a working & non-working device
-This article shows you how to access your Microsoft Intune data in Copilot for Security and includes sample prompts.
+This article shows you how to access your Microsoft Intune data in Security Copilot and includes sample prompts.
+
+## Key features
+
+There are three areas to use Copilot in Intune:
-## Security admin focus
+- [Policy and setting management](../copilot/copilot-intune-overview.md#policy-and-setting-management)
+- [Device details and troubleshooting](../copilot/copilot-intune-overview.md#device-details-and-troubleshooting)
+- [Device query](../copilot/copilot-intune-overview.md#query-with-copilot-in-device-query)
-Copilot for Security has a Security Operations Center (SOC) or security admin focus. So, if you're a SOC analyst or security admin, then you can use Copilot for Security to get the security posture of devices that Intune manages.
+### Security admin focus
+
+Security Copilot has a Security Operations Center (SOC) or security admin focus. So, if you're a SOC analyst or security admin, then you can use Security Copilot to get the security posture of devices that Intune manages.
For example, there's a user or device that is showing signs of malicious intent. Also, you notice some events are happening after the malicious intent, like an unknown device enrolling in Intune. Maybe someone is trying to use stolen credentials to enroll and get access. You need to get more information.
-In Copilot for Security, you can use the Intune capabilities to get more information, like:
+In Security Copilot, you can use the Intune capabilities to get more information, like:
- Ask about a specific device, get all the properties about that device, including the device name, device ID, and device manufacturer.
- Determine when the device is enrolled in Intune.
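Review bot: the rewritten opening sentence drops the terminal period after the link (`...go to [What is Microsoft Security Copilot?](/security-copilot/microsoft-security-copilot)`); the original line ended with "." and the link text's question mark does not close the sentence. Two smaller points in the same hunk: "There are three areas to use Copilot in Intune:" reads awkwardly, suggest "You can use Copilot in Intune in three areas:"; and the new **Key features** list only links out to the overview article, so a reader landing on this page gets no summary of what each area does before being sent away.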
@@ -62,73 +79,71 @@ In Copilot for Security, you can use the Intune capabilities to get more informa
- Determine the type of device, like a laptop or mobile phone.
- Check the compliance status, especially if a device is noncompliant, and why it's noncompliant.
-In Microsoft Defender, you can use this information, including the device type, to determine your next steps. For example, you might take different actions based on the type of device (laptop vs. mobile phone vs. tablet). Copilot for Security can also give you a link to the device in Microsoft Defender, so you can run any Defender actions.
+In Microsoft Defender, you can use this information, including the device type, to determine your next steps. For example, you might take different actions based on the type of device (laptop vs. mobile phone vs. tablet). Security Copilot can also give you a link to the device in Microsoft Defender, so you can run any Defender actions.
### What you need to know
- When an admin submits a prompt, Copilot can only access the data that the admin has permissions to, which includes the [RBAC roles](../fundamentals/role-based-access-control.md) and [Intune scope tags](../fundamentals/scope-tags.md) assigned to them.
- If you want your admins to access all your Intune data in Copilot for Security, then use the following role in Microsoft Entra ID:
+ If you want your admins to access all your Intune data in Security Copilot, then use the following role in Microsoft Entra ID:
- Intune Service Administrator (also known as Intune Administrator)
For more information on roles and authentication, go to:
- - [Roles and authentication in Microsoft Copilot for Security](/security-copilot/authentication)
+ - [Roles and authentication in Microsoft Security Copilot](/security-copilot/authentication)
- [Role based access control (RBAC) in Intune](../fundamentals/role-based-access-control.md)
- [Use RBAC and scope tags for distributed IT in Intune](../fundamentals/scope-tags.md)
-- You can access your Intune data in the [Copilot for Security portal](https://go.microsoft.com/fwlink/?linkid=2247989) and Copilot in the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). For more information on Copilot in Intune vs. Copilot for Security, and other common questions, go to the [Microsoft Copilot in Intune FAQ](copilot-intune-faq.md).
-
-## Open Copilot for Security and enable Intune
+- You can access your Intune data in the [Security Copilot portal](https://go.microsoft.com/fwlink/?linkid=2247989) and Copilot in the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). For more information on Copilot in Intune vs. Security Copilot, and other common questions, go to the [Microsoft Copilot in Intune FAQ](copilot-intune-faq.md).
-To use the Intune capabilities in Copilot for Security, enable the Intune plugin.
+## Enable the Security Copilot integration in Intune
+
+To use the Intune capabilities in Security Copilot, enable the Intune plugin.
-1. Go to [Microsoft Copilot for Security](https://go.microsoft.com/fwlink/?linkid=2247989) and sign in with your credentials.
+1. Go to [Security Copilot](https://go.microsoft.com/fwlink/?linkid=2247989) and sign in with your credentials.
2. In the prompt bar, select **Sources** (right corner).
- :::image type="content" source="./media/security-copilot/security-copilot-sources.png" alt-text="Screenshot that shows the plugin sources that are available, enabled, and disabled in Microsoft Copilot for Security.":::
+ :::image type="content" source="./media/security-copilot/security-copilot-sources.png" alt-text="Screenshot that shows the plugin sources that are available, enabled, and disabled in Microsoft Security Copilot.":::
3. In **Manage sources**, turn on Microsoft Intune:
- :::image type="content" source="./media/security-copilot/intune-plug-in-enabled.png" alt-text="Screenshot that shows the Microsoft Intune plug-in source is enabled in Microsoft Copilot for Security.":::
+ :::image type="content" source="./media/security-copilot/intune-plug-in-enabled.png" alt-text="Screenshot that shows the Microsoft Intune plug-in source is enabled in Security Copilot.":::
> [!NOTE]
- > Some roles can enable or disable plugins. For more information, go to [Manage plugins in Microsoft Copilot for Security](/security-copilot/manage-plugins).
+ > Some roles can enable or disable plugins. For more information, go to [Manage plugins in Microsoft Security Copilot](/security-copilot/manage-plugins).
-## Use the built-in features
+### Use the built-in features
-In Copilot for Security, there are built in system features that are helpful for Intune admins. For a walkthrough of Copilot for Security, go to [Navigating Microsoft Copilot for Security](/security-copilot/navigating-security-copilot).
+In Security Copilot, there are built in system features that are helpful for Intune admins. For a walkthrough of Security Copilot, go to [Navigating Microsoft Security Copilot](/security-copilot/navigating-security-copilot).
This section describes some of the features that are helpful for Intune admins.
-### System capabilities
+#### System capabilities
Capabilities are built-in features that can get data from the different plugins that you enable, including Microsoft Intune. When you use a prompt to ask something about your Intune data, like apps assigned to a user or device details, your prompts use these Intune capabilities.
To view the list of Intune built-in system capabilities for Intune, use the following steps:
-1. In the [Copilot for Security portal](https://go.microsoft.com/fwlink/?linkid=2247989) prompt bar, select the Copilot prompts icon > **See all system capabilities**.
+1. In the [Security Copilot portal](https://go.microsoft.com/fwlink/?linkid=2247989) prompt bar, select the Copilot prompts icon > **See all system capabilities**.
- :::image type="content" source="./media/security-copilot/security-copilot-system-capabilities.png" alt-text="Screenshot that shows how to select the prompts icon and system capabilities in Microsoft Copilot for Security.":::
+ :::image type="content" source="./media/security-copilot/security-copilot-system-capabilities.png" alt-text="Screenshot that shows how to select the prompts icon and system capabilities in Security Copilot.":::
2. In the Microsoft Intune section, there's a list of all the built-in capabilities for Intune. You can select any of the capabilities and get more information about that capability.
-### Sessions
-
-When you use prompts in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) or in the Copilot for Security portal, the sessions are saved. To see the saved sessions, use the following steps:
+#### Sessions
-1. In the [Copilot for Security portal](https://go.microsoft.com/fwlink/?linkid=2247989), go to the menu > **My sessions**.
+When you use prompts in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) or in the Security Copilot portal, the sessions are saved. To see the saved sessions, use the following steps:
- :::image type="content" source="./media/security-copilot/security-copilot-menu-my-sessions.png" alt-text="Screenshot that shows the Microsoft Copilot for Security menu and My sessions with previous sessions in Copilot for Security portal.":::
+1. In the [Security Copilot portal](https://go.microsoft.com/fwlink/?linkid=2247989), go to the menu at the top left > **My sessions**.
2. When you select a session, your previous prompts and results are shown. Every session also has a session ID in the URL. You can share this session ID with others to review the same prompt session.
For example, your session ID is something like `https://securitycopilot.microsoft.com/sessions/023d1c61-f3c7-4702-8924-075a1058900d`.
-## Sample prompts for Intune
+## Sample Intune prompts
-You can create your own prompts in Copilot for Security to get information about your Intune data. This section lists some ideas and examples.
+You can create your own prompts in Security Copilot to get information about your Intune data. This section lists some ideas and examples.
### Before you begin
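Review bot: the **Sessions** rewrite removes the `security-copilot-menu-my-sessions.png` screenshot without a replacement, while every other screenshot in the file is kept and only has its alt text updated; confirm the removal is intentional and, if so, delete the now-orphaned media file in the same PR. Two more points: the demoted "### Use the built-in features" now sits under "## Enable the Security Copilot integration in Intune", but system capabilities and saved sessions are not part of enabling the plugin, so a "##" heading (or a separate "## Use Security Copilot with Intune data" section) would nest more honestly; and the "What you need to know" bullet that recommends assigning Intune Service Administrator so admins can "access all your Intune data" would benefit from a one-line caveat that this is the broadest Intune role and that scoped RBAC roles plus scope tags are the least-privilege alternative, since the next bullet explains that Copilot honors exactly those scopes.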
@@ -143,8 +158,8 @@ You can create your own prompts in Copilot for Security to get information about
You can also save your prompts in a promptbook for future use. For more information, go to:
- - [Prompting in Microsoft Copilot for Security](/security-copilot/prompting-security-copilot)
- - [Using promptbooks in Microsoft Copilot for Security](/security-copilot/using-promptbooks)
+ - [Prompting in Microsoft Security Copilot](/security-copilot/prompting-security-copilot)
+ - [Using promptbooks in Microsoft Security Copilot](/security-copilot/using-promptbooks)
### General information about your Intune data
@@ -196,22 +211,22 @@ Get the **similarities and differences** between two devices, like the complianc
## Provide feedback
-Your feedback on the Intune integration with Copilot for Security helps with development. To provide feedback, in Copilot for Security, use the feedback buttons at the bottom of each completed prompt.
+Your feedback on the Intune integration with Security Copilot helps with development. To provide feedback, in Security Copilot, use the feedback buttons at the bottom of each completed prompt.
-:::image type="content" source="./media/security-copilot/security-copilot-prompt-feedback.png" alt-text="Screenshot that shows how to submit feedback on the prompt results in Microsoft Copilot for Security.":::
+:::image type="content" source="./media/security-copilot/security-copilot-prompt-feedback.png" alt-text="Screenshot that shows how to submit feedback on the prompt results in Security Copilot.":::
Whenever possible, and when the result isn't what you expect, write a few words explaining what can be done to improve the outcome. If you entered Intune-specific prompts and the results aren't Intune related, then include that information.
-## Data processing and privacy
+## Privacy and data security in Security Copilot
-For more information about data privacy in Copilot for Security, go to [Privacy and data security in Microsoft Copilot for Security](/security-copilot/privacy-data-security).
+For more information about data privacy in Security Copilot, go to [Privacy and data security in Microsoft Security Copilot](/security-copilot/privacy-data-security).
When you interact with the Security Copilot to get Intune data, the Security Copilot pulls that data from Intune. The prompts, the Intune data that's retrieved, and the output shown in the prompt results is processed and stored within the Security Copilot service.
-When you use Copilot for Security to get Intune data, Copilot for Security also has access to the data and permissions defined by the [RBAC roles](../fundamentals/role-based-access-control.md) and [Intune scope tags](../fundamentals/scope-tags.md) assigned to you.
+When you use Security Copilot to get Intune data, Security Copilot also has access to the data and permissions defined by the [RBAC roles](../fundamentals/role-based-access-control.md) and [Intune scope tags](../fundamentals/scope-tags.md) assigned to you.
## Related articles
-- [What is Microsoft Copilot for Security?](/security-copilot/microsoft-security-copilot)
-- [Privacy and data security in Microsoft Copilot for Security](/security-copilot/privacy-data-security)
+- [What is Microsoft Security Copilot?](/security-copilot/microsoft-security-copilot)
+- [Privacy and data security in Microsoft Security Copilot](/security-copilot/privacy-data-security)
- [Use Microsoft Copilot in Intune](copilot-intune-overview.md)
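Review bot: the unchanged context line in the privacy section has a subject/verb mismatch and an extra article: "When you interact with the Security Copilot ... The prompts, the Intune data that's retrieved, and the output shown in the prompt results is processed and stored" should read "When you interact with Security Copilot ... are processed and stored". Since this hunk already retitles the section to "Privacy and data security in Security Copilot", fix that sentence here too; it is the one line on the page that tells a customer where prompt content and retrieved device data are retained.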
diff --git a/memdocs/intune/developer/app-sdk-android-phase7.md b/memdocs/intune/developer/app-sdk-android-phase7.md
index 6a74718ff22..9178f809678 100644
--- a/memdocs/intune/developer/app-sdk-android-phase7.md
+++ b/memdocs/intune/developer/app-sdk-android-phase7.md
@@ -602,7 +602,7 @@ Most notifications are [MAMUserNotification]s, which provide information specifi
- Your app called [unregisterAccountForMAM].
- An IT admin initiated a remote wipe.
-- Admin-required conditional access policies weren't satisfied.
+- Admin-required Conditional Access policies weren't satisfied.
> [!WARNING]
> An app should never register for both the `WIPE_USER_DATA` and `WIPE_USER_AUXILIARY_DATA` notifications.
diff --git a/memdocs/intune/developer/app-sdk-ios-phase3.md b/memdocs/intune/developer/app-sdk-ios-phase3.md
index b8ae1b08e10..6ce79464ba7 100644
--- a/memdocs/intune/developer/app-sdk-ios-phase3.md
+++ b/memdocs/intune/developer/app-sdk-ios-phase3.md
@@ -413,6 +413,9 @@ The return value of this method tells the SDK if the application must handle the
* If false is returned, the SDK will restart the application after this method returns. The SDK immediately shows a dialog box that tells the user to restart the application.
+>[!NOTE]
+>.NET MAUI apps do not require a restart.
+
## Exit Criteria
After you've either configured the build plugin or integrated the command line tool into your build process, validate that it's running successfully:
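Review bot: the new NOTE is too terse to act on: ".NET MAUI apps do not require a restart" does not say what happens instead when `restartApplication` returns false for a MAUI app (is the return value ignored, is the restart dialog suppressed, or does the SDK apply policy in place?). State the behavior the MAUI developer will observe. Formatting nits in the same lines: the callout is written `>[!NOTE]` with no space after `>`, while the rest of the SDK docs use `> [!NOTE]`, and the Microsoft style guide prefers "don't" over "do not".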
diff --git a/memdocs/intune/developer/app-sdk-ios-phase4.md b/memdocs/intune/developer/app-sdk-ios-phase4.md
index c6933f0c0d8..7362ec6a29f 100644
--- a/memdocs/intune/developer/app-sdk-ios-phase4.md
+++ b/memdocs/intune/developer/app-sdk-ios-phase4.md
@@ -323,6 +323,10 @@ If your app integrates with Siri Intents or makes Siri Intent Donations, please
## Printing
If your app implements printing and provides a custom print action on a custom menu, be sure to utilize `UIPrintInteractionController.isPrintingAvailable()` to determine if you should add your print action to your custom menu.
+
+ ## Screen capture blocking
+
+For apps that have updated to v19.7.6 or later for Xcode 15 and v20.2.1 or later for Xcode 16 of the SDK, screen capture block will be applied if you have configured `Send Org data to other apps` to a value other than “All apps”. You can configure app configuration policy setting “com.microsoft.intune.mam.screencapturecontrol = Disabled” if you wish to allow screen capture for your iOS devices.
## Notifications
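Review bot: the new paragraph documents an opt-out of a data-protection control without saying so; `com.microsoft.intune.mam.screencapturecontrol = Disabled` turns off the screen-capture block that the "Send org data to other apps" restriction otherwise implies, so the sentence should say plainly that setting it to Disabled reduces protection and that the block is the default. Formatting in the same hunk: the heading line is `+ ## Screen capture blocking` with a leading space, which the rest of the file does not use; the setting name and the key/value pair use curly quotes (“…”) where the page uses backticks for identifiers; and "v19.7.6 or later for Xcode 15 and v20.2.1 or later for Xcode 16 of the SDK" reads better as "SDK v19.7.6 or later (Xcode 15) or v20.2.1 or later (Xcode 16)".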
diff --git a/memdocs/intune/developer/app-sdk-ios-phase6.md b/memdocs/intune/developer/app-sdk-ios-phase6.md
index c7ef60be087..635a0934108 100644
--- a/memdocs/intune/developer/app-sdk-ios-phase6.md
+++ b/memdocs/intune/developer/app-sdk-ios-phase6.md
@@ -7,7 +7,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/09/2023
+ms.date: 11/19/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
@@ -55,6 +55,10 @@ In addition to the Intune SDK, you need these two components to enable App Prote
:::image type="content" alt-text="Diagram of MAM-CA remediation flow." source="./media/app-sdk-ios/app-ca-flow.png" lightbox="./media/app-sdk-ios/app-ca-flow.png":::
+### MAM compliance process flow
+
+:::image type="content" alt-text="Diagram of MAM compliance process flow." source="./media/app-sdk-ios/mam-compliance-flow.png" lightbox="./media/app-sdk-ios/mam-compliance-flow.png":::
+
### New APIs
Most of the new APIs can be found in the IntuneMAMComplianceManager.h. The app needs to be aware of three differences in behavior explained below.
@@ -62,7 +66,7 @@ New behavior | Description |
-- | -- |
App → ADAL/MSAL: Acquire token | When an application tries to acquire a token, it should be prepared to receive a ERROR_SERVER_PROTECTION_POLICY_REQUIRED. The app can receive this error during their initial account add flow or when accessing a token later in the application lifecycle. When the app receives this error, it won't be granted an access token and needs to be remediated to retrieve any server data. |
App → Intune SDK: Call remediateComplianceForIdentity | When an app receives a ERROR_SERVER_PROTECTION_POLICY_REQUIRED from ADAL, or MSALErrorServerProtectionPoliciesRequired from MSAL it should call [[IntuneMAMComplianceManager instance] remediateComplianceForIdentity] to let Intune enroll the app and apply policy. The app may be restarted during this call. If the app needs to save state before restarting, it can do so in restartApplication delegate method in IntuneMAMPolicyDelegate.
remediateComplianceForIdentity provides all the functionality of registerAndEnrollAccount and loginAndEnrollAccount. Therefore, the app doesn't need to use either of these older APIs. |
-Intune → App: Delegate remediation notification |After Intune has retrieved and applied policies, it will notify the app of the result using the IntuneMAMComplianceDelegate protocol. Refer to IntuneMAMComplianceStatus in IntuneComplianceManager.h for information on how the app should handle each error. In all cases except IntuneMAMComplianceCompliant, the user won't have a valid access token.
If the app already has managed content and isn't able to enter a compliant status, the application should call selective wipe to remove any corporate content.
If we can't reach a compliant state, the app should display localized the error message and title string supplied by withErrorMessage and andErrorTitle. |
+Intune → App: Delegate remediation notification |After Intune has retrieved and applied policies, it notifies the app of the result using the IntuneMAMComplianceDelegate protocol. Refer to IntuneMAMComplianceStatus in IntuneComplianceManager.h for information on how the app should handle each error. In all cases except IntuneMAMComplianceCompliant, the user won't have a valid access token.
If the app already has managed content and isn't able to enter a compliant status, the application should call selective wipe to remove any corporate content.
If we can't reach a compliant state, the app should display localized the error message and title string supplied by withErrorMessage and andErrorTitle. |
Example for hasComplianceStatus method of IntuneMAMComplianceDelegate
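Review bot: the rewritten table row keeps an inconsistent header name: it tells the reader to "Refer to IntuneMAMComplianceStatus in IntuneComplianceManager.h", while the paragraph above the table says the new APIs live in `IntuneMAMComplianceManager.h`; one of the two is wrong and a developer grepping the SDK will only find one. The same row still has the word-order slip "the app should display localized the error message and title string", which should be "display the localized error message and title string"; since the row is being rewritten anyway, fix both here.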
@@ -157,17 +161,18 @@ guard let authorityURL = URL(string: kAuthority) else {
self.applicationContext = try MSALPublicClientApplication(configuration: msalConfiguration)
```
-To fetch the Entra object ID for the accountId parameter of the MAM SDK compliance remediation APIs you need to do the following:
+
+To fetch the Microsoft Entra object ID for the accountId parameter of the MAM SDK compliance remediation APIs, you need to do the following steps:
- First get the homeAccountId from userInfo[MSALHomeAccountIdKey] within MSALError object sent back by MSAL when it reports ERROR_SERVER_PROTECTION_POLICY_REQUIRED to the app.
-- This homeAccountId will be in the format ObjectId.TenantId. Extract the ObjectId value by spliting the string on the '.' and then use that value for the accountId parameter in remediation API remediateComplianceForAccountId.
+- This homeAccountId is in the format ObjectId.TenantId. Extract the ObjectId value by splitting the string on the '.' and then use that value for the accountId parameter in remediation API remediateComplianceForAccountId.
### Exit criteria
#### Configuring a test user for App Protection CA
-1. Log in with your administrator credentials to https://portal.azure.com.
-2. Select **Microsoft Entra ID** > **Security** > **Conditional Access** > **New policy**. Create a new conditional access policy.
-3. Configure conditional access policy by setting the following items:
+1. Sign in with your administrator credentials to https://portal.azure.com.
+2. Select **Microsoft Entra ID** > **Security** > **Conditional Access** > **New policy**. Create a new Conditional Access policy.
+3. Configure Conditional Access policy by setting the following items:
- Filling in the **Name** field.
- Enabling the policy.
- Assigning the policy to a user or group.
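Review bot: the rewritten homeAccountId steps contradict the table earlier in the file: here MSAL "reports ERROR_SERVER_PROTECTION_POLICY_REQUIRED", but the table states that MSAL surfaces `MSALErrorServerProtectionPoliciesRequired` and that `ERROR_SERVER_PROTECTION_POLICY_REQUIRED` is the ADAL name. Since the bullet reads the value from `userInfo[MSALHomeAccountIdKey]` on an `MSALError`, it should name the MSAL error. The bullet also calls the remediation API `remediateComplianceForAccountId` while the table calls it `remediateComplianceForIdentity`; if both exist, say which takes the object ID, otherwise align the name. Minor: splitting on '.' and taking the first component is fine for the documented `ObjectId.TenantId` format, but the text should say that the result is a GUID so developers can validate it before passing it on.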
@@ -182,11 +187,11 @@ Test Case | How to test | Expected Outcome |
-- | -- | -- |
MAM-CA always applied | Ensure the user is targeted for both App Protection CA and MAM policy before enrolling in your app.| Verify that your app handles the remediation cases described above and the app can get an access token. |
MAM-CA applied after user enrolled | The user should be logged into the app already, but not targeted for App Protection CA. | Target the user for App Protection CA in the console and verify that you correctly handle MAM remediation |
-MAM-CA noncompliance | Set up an App Protection CA policy, but don't assign a MAM policy. | The user shouldn't be able to acquire an access token. This is useful for testing how your app handles IntuneMAMComplianceStatus error cases. |
+MAM-CA noncompliance | Setup an App Protection CA policy, but don't assign a MAM policy. | The user shouldn't be able to acquire an access token. This is useful for testing how your app handles IntuneMAMComplianceStatus error cases. |
## Next Steps
-After you've completed all the [Exit Criteria] above, your app is now successfully integrated with App Protection CA support. The subsequent section, [Stage 7: Web-view features], may or may not be required, depending on your app's desired app protection policy support.
+After you've completed all the [Exit Criteria] above, your app is now successfully integrated with App Protection CA support. The subsequent section, [Stage 7: Web-view features] may or may not be required, depending on your app's desired app protection policy support.
[Exit Criteria]:#exit-criteria
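Review bot: the change from "Set up an App Protection CA policy" to "Setup an App Protection CA policy" in the test-case table is a regression: "set up" is the verb, "setup" is the noun. Revert that cell. The comma removal after `[Stage 7: Web-view features]` in the Next Steps paragraph is fine either way, but if the intent was to drop the parenthetical comma, the preceding comma after "above" should stay as it is.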
diff --git a/memdocs/intune/developer/app-wrapper-prepare-android.md b/memdocs/intune/developer/app-wrapper-prepare-android.md
index a2378c71bd4..50f0f8c1410 100644
--- a/memdocs/intune/developer/app-wrapper-prepare-android.md
+++ b/memdocs/intune/developer/app-wrapper-prepare-android.md
@@ -7,7 +7,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 11/18/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/developer/apps-lob-app-versioning.md b/memdocs/intune/developer/apps-lob-app-versioning.md
index da5551bf220..e5f8ff6fb32 100644
--- a/memdocs/intune/developer/apps-lob-app-versioning.md
+++ b/memdocs/intune/developer/apps-lob-app-versioning.md
@@ -7,7 +7,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 11/18/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/developer/apps-prepare-mobile-application-management.md b/memdocs/intune/developer/apps-prepare-mobile-application-management.md
index d123683ad7f..57e54191dd8 100644
--- a/memdocs/intune/developer/apps-prepare-mobile-application-management.md
+++ b/memdocs/intune/developer/apps-prepare-mobile-application-management.md
@@ -7,7 +7,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 11/18/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/developer/data-warehouse-account-move.md b/memdocs/intune/developer/data-warehouse-account-move.md
index a7b3cb9db47..ed1127e4a20 100644
--- a/memdocs/intune/developer/data-warehouse-account-move.md
+++ b/memdocs/intune/developer/data-warehouse-account-move.md
@@ -7,7 +7,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 11/18/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
@@ -32,27 +32,27 @@ ms.collection:
[!INCLUDE [azure_portal](../includes/azure_portal.md)]
-By requesting an account move, you are requesting that your data center is changed to another location. After the move, your Data Warehouse will reset and begin recording data at the new location based on the specified day your move begins. To back up your previous Data Warehouse data, please complete the following steps **prior** to your account move. Most Data Warehouse tables retain data for 30 days, so any data gap in these tables will no longer be available 30 days after your account move. To learn more about the retention periods for specific tables, see [Data Warehouse data model](reports-ref-data-model.md).
+By requesting an account move, you're requesting that your data center is changed to another location. After the move, your Data Warehouse will reset and begin recording data at the new location based on the specified day your move begins. To back up your previous Data Warehouse data, complete the following steps **prior** to your account move. Most Data Warehouse tables retain data for 30 days, so any data gap in these tables will no longer be available 30 days after your account move. To learn more about the retention periods for specific tables, see [Data Warehouse data model](reports-ref-data-model.md).
## Back up your Data Warehouse data
To back up your Data Warehouse data, you must save your Data Warehouse data into a *.csv* file using the Data Warehouse API:
-1. If you are a first-time user of the Data Warehouse API, follow the one-time process provided in the following article, [Get data from the Intune Data Warehouse API with a REST client](reports-proc-data-rest.md).
+1. If you're a first-time user of the Data Warehouse API, follow the one-time process provided in the following article, [Get data from the Intune Data Warehouse API with a REST client](reports-proc-data-rest.md).
2. Use the PowerShell sample titled [Access the Intune Data Warehouse with PowerShell](https://github.com/Microsoft/Intune-Data-Warehouse/tree/master/Samples/PowerShell) to download all your data into CSV files.
## Back up your trend charts from the Microsoft Intune admin center
-Some trend charts in your view of the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) will reset. You may back up these charts by running the following script in **Graph**:
+Some trend charts in your view of the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) resets. You may back up these charts by running the following script in **Graph**:
### Terms & Conditions Acceptance reports
1. In the[Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Tenant administration** > **Terms & Conditions**.
-2. For each **Terms & Condition** item that you select, click **Acceptance Report** > **Export**.
+2. For each **Terms & Condition** item that you select, select **Acceptance Report** > **Export**.
3. Save the report locally.
### App Protection reports
1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Apps** -> **Monitor** -> **App protection status**.
-2. Click the download icon ( ⤓ ) to save each report.
+2. Select the download icon ( ⤓ ) to save each report.
### Device Configuration charts
1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Manage devices** > **Configuration** > **Export**.
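Review bot: the rewrite "Some trend charts in your view of the ... admin center resets" breaks subject-verb agreement (plural "charts"); use "reset". While this section is being touched, the unchanged context line "In the[Microsoft Intune admin center]" is missing a space after "the". The backup step that downloads "all your data into CSV files" is also a good place for a one-line reminder that those exports contain tenant device and user data and should be stored with the same access controls as the warehouse itself.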
@@ -77,11 +77,11 @@ Some trend charts in your view of the [Microsoft Intune admin center](https://go
## After a Data Warehouse account move
-After the Data Warehouse account move, you'll see in Intune that the Data Warehouse was reset and your data is now stored in the new location. The charts and export options will reset, and you'll see a notification, which upon clicking will direct you to an article explaining why the charts have reset.
+After the Data Warehouse account move, you'll see in Intune that the Data Warehouse was reset, and your data is now stored in the new location. The charts and export options reset, and you see a notification, which upon clicking will direct you to an article explaining why the charts have reset.
## Data Warehouse move example
-Customer X requests an account move to begin on 1/06/2018. In response to the request, the customer will receive a link to see documentation detailing steps to take if they wish to back up their previous Data Warehouse. On 1/06/2018, the Data Warehouse and the charts it supports will reset and begin storing data in the new data center.
+Customer X requests an account move to begin on 1/06/2018. In response to the request, the customer receives a link to see documentation detailing steps to take if they wish to back up their previous Data Warehouse. On 1/06/2018, the Data Warehouse and the charts it supports will reset and begin storing data in the new data center.
## Next steps
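Review bot: "you see a notification, which upon clicking will direct you" mixes present and future tense and keeps "clicking" where the other hunks in this file replace "click" with "select"; suggest "you see a notification; selecting it opens an article that explains why the charts were reset."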
diff --git a/memdocs/intune/developer/data-warehouse-app-only-auth.md b/memdocs/intune/developer/data-warehouse-app-only-auth.md
index 2d1e64af328..42e7c70900c 100644
--- a/memdocs/intune/developer/data-warehouse-app-only-auth.md
+++ b/memdocs/intune/developer/data-warehouse-app-only-auth.md
@@ -8,7 +8,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 11/18/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/developer/intune-data-warehouse-collections.md b/memdocs/intune/developer/intune-data-warehouse-collections.md
index 12c586cf12f..900d388c384 100644
--- a/memdocs/intune/developer/intune-data-warehouse-collections.md
+++ b/memdocs/intune/developer/intune-data-warehouse-collections.md
@@ -7,7 +7,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 11/18/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/developer/media/app-sdk-ios/app-ca-flow.png b/memdocs/intune/developer/media/app-sdk-ios/app-ca-flow.png
index d81553e8878..45aca0cde43 100644
Binary files a/memdocs/intune/developer/media/app-sdk-ios/app-ca-flow.png and b/memdocs/intune/developer/media/app-sdk-ios/app-ca-flow.png differ
diff --git a/memdocs/intune/developer/media/app-sdk-ios/mam-compliance-flow.png b/memdocs/intune/developer/media/app-sdk-ios/mam-compliance-flow.png
new file mode 100644
index 00000000000..48d53248d33
Binary files /dev/null and b/memdocs/intune/developer/media/app-sdk-ios/mam-compliance-flow.png differ
diff --git a/memdocs/intune/developer/reports-changelog.md b/memdocs/intune/developer/reports-changelog.md
index 3f1dd063995..539497d9a39 100644
--- a/memdocs/intune/developer/reports-changelog.md
+++ b/memdocs/intune/developer/reports-changelog.md
@@ -7,7 +7,7 @@ keywords: Intune Data Warehouse
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 11/18/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/enrollment/android-corporate-owned-work-profile-enroll.md b/memdocs/intune/enrollment/android-corporate-owned-work-profile-enroll.md
index d6a511ea3a4..384f212539f 100644
--- a/memdocs/intune/enrollment/android-corporate-owned-work-profile-enroll.md
+++ b/memdocs/intune/enrollment/android-corporate-owned-work-profile-enroll.md
@@ -63,7 +63,7 @@ To set up Android Enterprise corporate-owned work profile device management, fol
### Create an enrollment profile
> [!NOTE]
-> - Tokens for corporate-owned devices with a work profile will not expire automatically. If an admin decides to revoke a token , the profile associated with it will not be displayed in **Devices** > **By platform** > **Android** > **Device onboarding** > **Enrollment** > **Corporate-owned devices with work profile**. To see all profiles associated with both active and inactive tokens, click on **Filter** and check the boxes for both "Active" and "Inactive" policy states.
+> - Tokens for corporate-owned devices with a work profile will not expire automatically. If an admin decides to revoke a token, the profile associated with it will not be displayed in **Devices** > **By platform** > **Android** > **Device onboarding** > **Enrollment** > **Corporate-owned devices with work profile**. To see all profiles associated with both active and inactive tokens, click on **Filter** and check the boxes for both "Active" and "Inactive" policy states.
> - For corporate-owned work profile (COPE) devices, the `afw#setup` enrollment method and the Near Field Communication (NFC) enrollment method are only supported on devices running Android 8-10. They are not available on Android 11. For more information, see the Google developer docs [here](https://developers.google.com/android/management/provision-device#company-owned_devices_for_work_and_personal_use:~:text=Note%3A%20DPC%20identifier%20method%20only%20supports%20full%20device%20management%20provisioning%20and%20cannot%20be%20used%20for%20corporate%2Downed%2C%20personally%20enabled,(COPE)%20provisioning%20on%20Android%2011%20devices.,-Company%2Downed).
You must create an enrollment profile so that users can enroll corporate-owned work profile devices. When the profile is created, it provides you with an enrollment token (random string) and a QR code. Depending on the Android OS and version of the device, you can use either the token or QR code to [enroll the dedicated device](#enroll-the-corporate-owned-work-profile-devices).
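Review bot: this hunk only removes the stray space in "revoke a token ," but leaves "click on **Filter**" in the same line, while the rest of this diff replaces "click" with "select"; change it to "select **Filter**" in the same edit.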
@@ -161,7 +161,8 @@ You can target apps and policies to either assigned or dynamic device groups. Yo
Users can now [enroll their corporate-owned work profile devices](android-dedicated-devices-fully-managed-enroll.md).
> [!NOTE]
-> The Microsoft Intune app is automatically installed during enrollment. This app is required for enrollment and can't be uninstalled. If you deploy the Intune Company Portal app to a device and the user attempts to launch the app, they will be redirected to the Microsoft Intune app, and the Company Portal app icon will be hidden.
+> The Microsoft Intune app automatically installs on corporate-owned work profile devices during enrollment. This app is required for enrollment and can't be uninstalled. If you deploy the Intune Company Portal app to a device and the user attempts to launch the app, they will be redirected to the Microsoft Intune app, and the Company Portal app icon will be hidden.
+> The Microsoft Authenticator app automatically installs on corporate-owned work profile devices during enrollment. This app is required for enrollment and can't be uninstalled.
## Token types
When you create the enrollment profile in the admin center, you have to select a token type. There are two types of tokens. Each type enables a different enrollment flow.
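Review bot: the new Microsoft Authenticator sentence is appended as a second line inside the same [!NOTE] block with no blank ">" line or bullet separating it from the Microsoft Intune app text, so the two render as one run-on note. Either make them bullets, as the NOTE earlier in this file already does, or merge them: "The Microsoft Intune and Microsoft Authenticator apps automatically install on corporate-owned work profile devices during enrollment. Both are required for enrollment and can't be uninstalled."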
diff --git a/memdocs/intune/enrollment/android-enterprise-overview.md b/memdocs/intune/enrollment/android-enterprise-overview.md
index 8daa7408163..f7a0a9d27bd 100644
--- a/memdocs/intune/enrollment/android-enterprise-overview.md
+++ b/memdocs/intune/enrollment/android-enterprise-overview.md
@@ -95,7 +95,7 @@ Android Enterprise doesn't provide a default email app or native email profile o
Gmail and Nine Work are two Exchange ActiveSync (EAS) client apps in the Play Store that support Android Enterprise app configuration. Intune provides configuration templates for Gmail and Nine Work apps so you can manage them as work apps. You can configure other email apps that support app configuration profiles in an app configuration policy.
-If you're using Exchange ActiveSync conditional access for a personal or corporate-owned device, consider using the Gmail or Nine Work email app. The Microsoft Outlook for Android app, and any other email app that uses modern authentication via MSAL, is also supported. For more information, see [How to configure email settings in Microsoft Intune](../configuration/email-settings-configure.md).
+If you're using Exchange ActiveSync Conditional Access for a personal or corporate-owned device, consider using the Gmail or Nine Work email app. The Microsoft Outlook for Android app, and any other email app that uses modern authentication via MSAL, is also supported. For more information, see [How to configure email settings in Microsoft Intune](../configuration/email-settings-configure.md).
> [!TIP]
> Azure AD Authentication Library (ADAL) has been deprecated, so we recommend updating apps that currently use ADAL to MSAL. For more information, see [Update your applications to use Microsoft Authentication Library (MSAL) and Microsoft Graph API](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/update-your-applications-to-use-microsoft-authentication-library/ba-p/1257363).
diff --git a/memdocs/intune/enrollment/android-fully-managed-enroll.md b/memdocs/intune/enrollment/android-fully-managed-enroll.md
index 6aa7144dc92..fee1bfff1b1 100644
--- a/memdocs/intune/enrollment/android-fully-managed-enroll.md
+++ b/memdocs/intune/enrollment/android-fully-managed-enroll.md
@@ -113,7 +113,10 @@ Add these configurations to your group:
You can't use dynamic groups with the default enrollment profile. For more information about how to create a dynamic group with rules, see [Create a group membership rule](/azure/active-directory/enterprise-users/groups-create-rule#to-create-a-group-membership-rule).
-## Step 4: Enroll devices
+## Step 4: Enroll devices
+> [!NOTE]
+> The Microsoft Authenticator app automatically installs on fully managed devices during enrollment. This app is required for this enrollment method and cannot be uninstalled.
+
After you set up the enrollment profile, token, and dynamic group, you can use any of these provisioning methods to enroll devices as fully managed:
* Near Field Communication (NFC)
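Review bot: the heading "## Step 4: Enroll devices" is shown as removed and re-added with no visible text change, so this is a whitespace-only edit (trailing space or a non-breaking space); confirm it is intentional. The new NOTE says "cannot be uninstalled" while the equivalent Authenticator note added to android-corporate-owned-work-profile-enroll.md in this same diff says "can't"; pick one wording for both.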
diff --git a/memdocs/intune/enrollment/apple-account-driven-user-enrollment.md b/memdocs/intune/enrollment/apple-account-driven-user-enrollment.md
index 90e0bf05376..70b06c97e41 100644
--- a/memdocs/intune/enrollment/apple-account-driven-user-enrollment.md
+++ b/memdocs/intune/enrollment/apple-account-driven-user-enrollment.md
@@ -8,7 +8,7 @@ keywords:
author: Lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 09/09/2024
+ms.date: 12/06/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: enrollment
@@ -32,7 +32,7 @@ ms.collection:
# Set up account driven Apple User Enrollment
-Set up account driven Apple User Enrollment for personal devices enrolling in Microsoft Intune. Account driven user enrollment provides a faster and more user-friendly enrollment experience than [user enrollment with Company Portal](apple-user-enrollment-with-company-portal.md). The device user initiates enrollment by signing into their work account in the Settings app. After the user approves device management, the enrollment profile silently installs and Intune policies are applied. Intune uses just-in-time registration and the Microsoft Authenticator app for authentication to reduce the number of times users have to sign in during enrollment and when accessing work apps.
+Set up account driven Apple User Enrollment for personal devices enrolling in Microsoft Intune. Account driven user enrollment provides a faster and more user-friendly enrollment experience than [user enrollment with Company Portal](apple-user-enrollment-with-company-portal.md). The device user initiates enrollment by signing into their work account in the Settings app. After the user approves device management, the enrollment profile silently installs and Intune policies are applied. Intune uses just-in-time (JIT) registration and the Microsoft Authenticator app for authentication to reduce the number of times users have to sign in during enrollment and when accessing work apps.
This article describes how to set up account driven Apple User Enrollment in Microsoft Intune. You will:
@@ -41,7 +41,7 @@ This article describes how to set up account driven Apple User Enrollment in Mic
* Prepare employees and students for enrollment.
## Prerequisites
-Microsoft Intune supports account driven Apple User Enrollment on devices running iOS/iPadOS version 15 or later. If you assign an account driven user enrollment profile to device users running iOS/iPadOS 14.9 or earlier, Microsoft Intune will automatically enroll them via user enrollment with Company Portal.
+Microsoft Intune supports account driven Apple User Enrollment on devices running iOS/iPadOS version 15 or later. If you assign an account driven user enrollment profile to device users running iOS/iPadOS 14.9 or earlier, Microsoft Intune automatically enrolls them via user enrollment with Company Portal.
Before beginning setup, complete the following tasks:
@@ -49,9 +49,14 @@ Before beginning setup, complete the following tasks:
- [Get Apple MDM Push certificate](apple-mdm-push-certificate-get.md)
- [Create Managed Apple IDs for device users](https://support.apple.com/en-us/HT210737) (Opens Apple Support website)
-You also need to set up service discovery so that Apple can reach the Intune service and retrieve enrollment information. To do this, set up and publish an HTTP well-known resource file on the same domain that employees sign into. Apple retrieves the file via an HTTP GET request to `“https://contoso.com/.well-known/com.apple.remotemanagement”`, with your organization's domain in place of `contoso.com`. Publish the file on a domain that can handle HTTP GET requests.
+You also need to set up service discovery so that Apple can reach the Intune service and retrieve enrollment information. To complete this prerequisite, set up and publish an HTTP well-known resource file on the same domain that employees sign into. Apple retrieves the file via an HTTP GET request to `“https://contoso.com/.well-known/com.apple.remotemanagement”`, with your organization's domain in place of `contoso.com`. Publish the file on a domain that can handle HTTP GET requests.
+
+
+> [!NOTE]
+> The well-known resource file must be saved without a file extension, such as .json, to function correctly.
+
+Create the file in JSON format, with the content type set to `application/json`. We provide the following JSON samples that you can copy and paste into your file. Use the one that aligns with your environment. Replace the *YourAADTenantID* variable in the base URL with your organization's Microsoft Entra tenant ID.
-Create the file in JSON format, with the content type set to `application/json`. We've provided the following JSON samples that you can copy and paste into your file. Use the one that aligns with your environment. Replace the *YourAADTenantID* variable in the base URL with your organization's Microsoft Entra tenant ID.
Microsoft Intune environments:
```json
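Review bot: the rewritten sentence gives the discovery URL as https://contoso.com/.well-known/com.apple.remotemanagement but then says "Publish the file on a domain that can handle HTTP GET requests"; say HTTPS, so nobody reads this as permission to serve the enrollment discovery file over plain HTTP. The URL is also wrapped in curly quotes inside the backticks (`“https://...”`), which will be copied literally by anyone pasting it; drop them. Two consecutive blank lines were introduced before the new NOTE; one is enough.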
@@ -72,7 +77,10 @@ Create the file in JSON format, with the content type set to `application/json`.
The rest of the JSON sample is populated with all of the information you need, including:
* Version: The server version is `mdm-byod`.
-* BaseURL: This URL is the location where the Intune service resides.
+* BaseURL: This URL is the location where the Intune service resides.
+
+> [!TIP]
+> For more information about the technical requirements for service discovery, see [Implementing the simple authentication user-enrollment flow](https://developer.apple.com/documentation/devicemanagement/user_enrollment/onboarding_users_with_account_sign-in/implementing_the_simple_authentication_user-enrollment_flow) in the Apple Developer documentation.
## Best practices
We recommend extra configurations to help improve the enrollment experience for device users. This section provides more information about each recommendation.
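Review bot: the "BaseURL" bullet is shown as removed and re-added with no visible text change, so it is a trailing-whitespace edit; fine if intentional, but it adds noise to the diff. The new TIP is placed directly after the bullet list with only one blank line; add a blank line before the "## Best practices" heading as the rest of the file does.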
@@ -96,7 +104,18 @@ Create an enrollment profile for devices enrolling via account driven user enrol
1. Select **Create profile** > **iOS/iPadOS**.
1. On the **Basics** page, enter a name and description for the profile so that you can distinguish it from other profiles in the admin center. Device users don't see these details.
1. Select **Next**.
-1. On the **Settings** page, for **Enrollment type**, select **Account driven user enrollment**.
+1. On the **Settings** page, for **Enrollment type**, select how you want to enroll devices. You can choose the enrollment method or allow users to make their own choice. Their choice determines the enrollment process that Microsoft Intune carries out. It's also reflected in the device ownership attribute in Microsoft Intune. To learn more about the user's experience and what they see onscreen during enrollment, see [Set up personal iOS device for work or school](../user-help/enroll-your-device-in-intune-ios.md).
+
+ Your options:
+
+ - **Account driven user enrollment**: Assigned users who initiate enrollment are enrolled via account driven user enrollment.
+
+ - **Determine based on user choice**: Assigned users who initiate enrollment can select how they want to enroll their device. Their options:
+
+ - **I own this device:** More settings appear with this selection. The user has the option to secure their entire device or only secure work-related apps and data.
+
+ - **(Company) owns this device:** The device enrolls via Apple Device Enrollment. For more information about this enrollment method, see [Device Enrollment and MDM](https://support.apple.com/guide/deployment/device-enrollment-and-mdm-depd1c27dfe6/web) on the Apple Support website.
+
1. Select **Next**.
1. On the **Assignments** page, assign the profile to all users, or select specific groups. Device groups aren't supported in user enrollment scenarios because user enrollment requires user identities.
1. Select **Next**.
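Review bot: "**(Company) owns this device:**" reads as a literal label; if the admin center substitutes the organization's name for "(Company)", say so explicitly, for example "**Your organization owns this device**, where your organization's name appears in place of the placeholder". The "I own this device" bullet says "More settings appear with this selection" without naming them; since the choice determines whether the device gets user enrollment (work data only) or full device management, and drives the ownership attribute as the paragraph above says, list the settings or link to where they are described.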
@@ -112,7 +131,7 @@ This section describes the enrollment steps for device users. We recommend using
3. Select **VPN & Device Management**.
4. Sign in with your work or school account, or with the Apple ID provided to you by your organization.
5. Select **Sign In to iCloud**.
-6. Enter the password for the username that's shown on screen. Then select **Continue**.
+6. Enter the password for the username that appears onscreen. Then select **Continue**.
7. Select **Allow Remote Management**.
8. Wait a few minutes while your device is configured and the management profile is installed.
9. To confirm your device is ready to use for work, go to **VPN & Device Management**. Confirm that your work account is listed under **MANAGED ACCOUNT**.
diff --git a/memdocs/intune/enrollment/apple-school-manager-set-up-ios.md b/memdocs/intune/enrollment/apple-school-manager-set-up-ios.md
index 812b2fd0bcd..3cd8621aceb 100644
--- a/memdocs/intune/enrollment/apple-school-manager-set-up-ios.md
+++ b/memdocs/intune/enrollment/apple-school-manager-set-up-ios.md
@@ -3,12 +3,12 @@
title: Apple School Manager Program enrollment for iOS/iPadOS devices
titleSuffix: Microsoft Intune
-description: Learn how to set up Apple School Manager program enrollment for corporate-owned iOS/iPadOS devices with Intune.
+description: Learn how to set up Microsoft Intune with Apple School Manager for corporate-owned iOS/iPadOS devices.
keywords:
author: Lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 06/17/2020
+ms.date: 01/06/2025
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: enrollment
@@ -20,7 +20,7 @@ ms.assetid: 4c35a23e-0c61-11e8-ba89-0ed5f89f718b
#ROBOTS:
#audience:
-ms.reviewer: tisilver
+ms.reviewer: annovich
ms.suite: ems
search.appverid: MET150
#ms.tgt_pltfrm:
@@ -33,153 +33,25 @@ ms.collection:
[!INCLUDE [azure_portal](../includes/azure_portal.md)]
-You can set up Intune to enroll iOS/iPadOS devices purchased through the [Apple School Manager](https://school.apple.com/) program. Using Intune with Apple School Manager, you can enroll large numbers of iOS/iPadOS devices without ever touching them. When a student or teacher turns on the device, Setup Assistant runs with preconfigured settings and the device enrolls into management.
+Set up Microsoft Intune to enroll iOS/iPadOS devices purchased through [Apple School Manager](https://school.apple.com/). Using Intune with Apple School Manager, you can enroll large numbers of iOS/iPadOS devices without ever touching them. When a student or teacher turns on the device, Apple Setup Assistant runs with preconfigured settings and the device enrolls into management.
-To enable Apple School Manager enrollment, you use both the Intune and Apple School Manager portals. A list of serial numbers or a purchase order number is required so you can assign devices to Intune for management. You create Automated Device Enrollment (ADE) enrollment profiles containing settings that applied to devices during enrollment.
-Apple School Manager enrollment can't be used with the [device enrollment manager](device-enrollment-manager-enroll.md).
+## Prerequisites
-**Prerequisites**
-- [Apple Mobile Device Management (MDM) Push certificate](apple-mdm-push-certificate-get.md)
-- [MDM Authority](../fundamentals/mdm-authority-set.md)
-- If using ADFS, user affinity requires [WS-Trust 1.3 Username/Mixed endpoint](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff608241(v=ws.10)). [Learn more](/powershell/module/adfs/get-adfsendpoint).
-- Devices purchased from the [Apple School Management](http://school.apple.com) program
+To enable Apple School Manager enrollment, you use both the Microsoft Intune admin center and Apple School Manager portal. You need a list of serial numbers or a purchase order number so that you can assign devices to Intune.
-## Get an Apple token and assign devices
+- Get an [Apple mobile device management (MDM) push certificate](apple-mdm-push-certificate-get.md).
+- Set up the [MDM Authority](../fundamentals/mdm-authority-set.md).
+- If using Active Directory Federation Services (AD FS), user affinity requires [WS-Trust 1.3 Username/Mixed endpoint](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff608241(v=ws.10)). For more information, see [Get ADFS endpoint](/powershell/module/adfs/get-adfsendpoint).
+- Devices must be purchased from [Apple School Manager](http://school.apple.com).
-Before you can enroll corporate-owned iOS/iPadOS devices with Apple School Manager, you need a token (.p7m) file from Apple. This token lets Intune sync information about Apple School Manager-participating devices. It also permits Intune to perform enrollment profile uploads to Apple and to assign devices to those profiles. While you are in the Apple portal, you can also assign device serial numbers to manage.
+Apple School Manager enrollment can't be used with the [device enrollment manager](device-enrollment-manager-enroll.md) account.
-### Step 1: Download the Intune public key certificate required to create an Apple token
+## Next steps
-1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Enrollment**.
-1. Select the **Apple** tab.
-1. Choose **Enrollment Program Tokens**.
-1. Select **Add**.
-1. Select **Download your public key** to download and save the encryption key (.pem) file locally. The .pem file is used to request a trust-relationship certificate from the Apple School Manager portal.
+This series of articles describes how to set up Microsoft Intune for devices purchased through Apple School Manager.
-### Step 2: Download a token and assign devices
-1. Choose **Create a token via Apple School Manager**, and sign in to Apple School with your company Apple ID. You can use this Apple ID to renew your Apple School Manager token.
-2. In the [Apple School Manager portal](https://school.apple.com), go to **MDM Servers**, and then choose **Add MDM Server** (upper right).
-3. Enter the MDM server name. The server name is for your reference to identify the mobile device management (MDM) server. It isn't the name or URL of the Microsoft Intune server.
-4. Choose **Upload File...** in the Apple portal, browse to the .pem file, and choose **Save MDM Server** (lower right).
-5. Choose **Get Token** and then download the server token (.p7m) file to your computer.
-6. Go to **Device Assignments**. Choose your devices by manually entering their serial numbers or order number.
-7. Choose the action **Assign to Server**, and choose the **MDM Server** you created.
-8. Specify how to **Choose Devices**, then provide device information and details.
-9. Choose **Assign to Server** and choose the <ServerName> specified for Microsoft Intune, and then choose **OK**.
-
-### Step 3: Save the Apple ID used to create this token
-
-Return to the [admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and enter the Apple ID.
-
-![Screenshot of specifying the Apple ID used to create the enrollment program token and browsing to the enrollment program token.](./media/apple-school-manager-set-up-ios/image03.png)
-
-### Step 4: Upload your token
-In the **Apple token** box, browse to the certificate (.pem) file, choose **Open**, and then choose **Create**. With the push certificate, Intune can enroll and manage iOS/iPadOS devices by pushing policy to enrolled mobile devices. Intune automatically synchronizes your Apple School Manager devices from Apple.
-
-## Create an Apple enrollment profile
-Now that you've installed your token, you can create an enrollment profile for Apple School devices. A device enrollment profile defines the settings applied to a group of devices during enrollment.
-
-1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Enrollment**.
-1. Select the **Apple** tab.
-1. Under **Bulk Enrollment Methods**, Choose **Enrollment program tokens**.
-1. Select a token.
-1. Select **Profiles** > **Create profile** > **iOS/iPadOS**.
-
-1. Under **Create Profile**, enter a **Name** and **Description** for the profile for administrative purposes. Users don't see these details. You can use this **Name** field to create a dynamic group in Microsoft Entra ID. Use the profile name to define the enrollmentProfileName parameter to assign devices with this enrollment profile. Learn more about [Microsoft Entra dynamic groups](/azure/active-directory/active-directory-groups-dynamic-membership-azure-portal#rules-for-devices).
-
- ![Profile name and description.](./media/apple-school-manager-set-up-ios/image05.png)
-
-1. For **User Affinity**, choose whether devices with this profile must enroll with or without an assigned user.
- - **Enroll with User Affinity** - Choose this option for devices that belong to users and that want to use the company portal for services like installing apps. This option also lets users authenticate their devices by using the company portal. If using ADFS, user affinity requires [WS-Trust 1.3 Username/Mixed endpoint](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff608241(v=ws.10)). [Learn more](/powershell/module/adfs/get-adfsendpoint). Apple School Manager's Shared iPad mode requires user enroll without user affinity.
-
- - **Enroll without User Affinity** - Choose this option for devices unaffiliated with a single user, such as a shared device. Use this option for devices that perform tasks without accessing local user data. Apps like the Company Portal app don't work.
-
-1. If you chose **Enroll with User Affinity**, you can let users authenticate with Company Portal, Setup Assistant (legacy), and Setup Assistant with modern authentication. Select the option. For more information about authentication methods, see [Authentication methods for automated device enrollment in Intune](automated-device-enrollment-authentication.md).
-
- > [!NOTE]
- > If you want do any of the following, set **Authenticate with Company Portal instead of Apple Setup Assistant** to **Yes**.
- > - use multifactor authentication
- > - prompt users who need to change their password when they first sign in
- > - prompt users to reset their expired passwords during enrollment
- >
- > These aren't supported when authenticating with Apple Setup Assistant.
-
-1. Choose **Device Management Settings** and choose if you want devices using this profile to be supervised.
- **Supervised** devices give you more management options and disabled Activation Lock by default. Microsoft recommends using ADE as the mechanism for enabling Intune's supervised mode, especially for organizations that are deploying large numbers of iOS/iPadOS devices.
-
- Users are notified that their devices are supervised in two ways:
-
- - The lock screen says: "This iPhone is managed by Contoso."
- - The **Settings** > **General** > **About** screen says: "This iPhone is supervised. Contoso can monitor your Internet traffic and locate this device."
-
- > [!NOTE]
- > A device enrolled without supervision can only be reset to supervised by using the Apple Configurator. Resetting the device in this manner requires connecting an iOS/iPadOS device to a Mac with a USB cable. Learn more about this on [Apple Configurator docs](https://support.apple.com/guide/apple-configurator-mac).
-
-1. Choose if you want locked enrollment for devices using this profile. **Locked enrollment** disables iOS/iPadOS settings that allow the management profile to be removed from the **Settings** menu. After device enrollment, you can't change this setting without wiping the device. Such devices must have the **Supervised** Management Mode set to *Yes*.
-
-1. You can let multiple users sign on to enrolled iPads by using a managed Apple ID. To do so, choose **Yes** under **Shared iPad** (this option requires **Enroll without User Affinity** and **Supervised** mode set to **Yes**.) Managed Apple IDs are created in the Apple School Manager portal. Learn more about [shared iPad](../fundamentals/education-settings-configure-ios-shared.md) and [Apple's shared iPad requirements](https://help.apple.com/classroom/ipad/2.0/#/cad7e2e0cf56).
-
-1. Choose if you want the devices using this profile to be able to **Sync with computers**. **Deny All** means that all devices using this profile won't be able to sync with any data on any computer. If you choose **Allow Apple Configurator by certificate**, you must choose a certificate under **Apple Configurator Certificates**.
-
-1. If you chose **Allow Apple Configurator by certificate** in the previous step, choose an Apple Configurator Certificate to import.
-
-1. You can specify a naming format for devices that is automatically applied when they enroll. To do so, select **Yes** under **Apply device name template**. Then, in the **Device Name Template** box, enter the template to use for the names using this profile. You can specify a template format that includes the device type and serial number.
-
-1. Choose **OK**.
-
-1. Choose **Setup Assistant Settings** to configure the following profile settings:
-
- | Setting | Description |
- |------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
- | Department Name | Appears when users tap About Configuration during activation. |
- | Department Phone | Appears when the user clicks the Need Help button during activation. |
- | Setup Assistant Options | The following optional settings can be set up later in the iOS/iPadOS Settings menu. |
- | Passcode | Prompt for passcode during activation. Always require a passcode for unsecured devices unless access is controlled in some other manner (like kiosk mode that restricts the device to one app). |
- | Location Services | If enabled, Setup Assistant prompts for the service during activation. |
- | Restore | If enabled, Setup Assistant prompts for iCloud backup during activation. |
- | iCloud and Apple ID | If enabled, Setup Assistant prompts the user to sign in an Apple ID and the Apps & Data screen will allow the device to be restored from iCloud backup. |
- | Terms and Conditions | If enabled, Setup Assistant prompts users to accept Apple's terms and conditions during activation. |
- | Touch ID | If enabled, Setup Assistant prompts for this service during activation. |
- | Apple Pay | If enabled, Setup Assistant prompts for this service during activation. |
- | Zoom | If enabled, Setup Assistant prompts for this service during activation. |
- | Siri | If enabled, Setup Assistant prompts for this service during activation. |
- | Diagnostic Data | If enabled, Setup Assistant prompts for this service during activation. |
-
-
-1. Choose **OK**.
-
-1. To save the profile, choose **Create**.
-
-## Sync managed devices
-
-After Intune has been assigned permission to manage your Apple School Manager devices, synchronize Intune with the Apple service to see your managed devices in Intune.
-
-1. Return to **Enrollment Program Tokens**.
-1. Select a token in the list.
-1. Select **Devices** > **Sync**.
-![Screenshot of the Enrollment Program Devices node and Sync link.](./media/device-enrollment-program-enroll-ios/image06.png)
-
-To follow Apple's terms for acceptable enrollment program traffic, Intune imposes the following restrictions:
-- A full sync can run no more than once every seven days. During a full sync, Intune refreshes every Apple serial number assigned to Intune. If a full sync is attempted within seven days of the previous full sync, Intune only refreshes serial numbers that aren't already listed in Intune.
-- Any sync request is given 15 minutes to finish. During this time or until the request succeeds, the **Sync** button is disabled.
-- Intune syncs new and removed devices with Apple every 24 hours.
-
->[!NOTE]
->You can also assign Apple School Manager serial numbers to profiles from the **Enrollment Program Devices** blade.
-
-## Assign a profile to devices
-Apple School Manager devices managed by Intune must be assigned an enrollment profile before they're enrolled.
-
-1. Return to **Enrollment Program Tokens**.
-1. Select a token in the list.
-1. Select **Devices** and choose your devices.
-1. Select **Assign profile**. Then select a profile for the devices.
-1. Select **Assign**.
-
-## Distribute devices to users
-
-You have enabled management and syncing between Apple and Intune, and assigned a profile to let your Apple School devices enroll. You can now distribute devices to users. When an iOS/iPadOS Apple School Manager device is turned on, it's enrolled for management by Intune. Profiles can't be applied to activated devices currently in use until the device is wiped.
-
-## Connect School Data Sync
-Microsoft Education is transitioning to a new School Data Sync (SDS) experience with enhanced features, starting August 2024 for the Northern Hemisphere and January 2025 for the Southern Hemisphere. The current Apple School Manager support will be retired by December 31, 2024. This new experience offers various enhancements over SDS (Classic) including decoupled data ingestion, faster syncs with fewer errors, support for larger organizations, and a modern user interface. If you have further questions, please contact Microsoft Education support with questions regarding the transition to the new School Data Sync experience.
+1. 🡺 Prerequisites (*You are here*)
+1. [Get an Apple token for school devices](apple-school-manager-step-1.md)
+1. [Create an Apple enrollment profile](apple-school-manager-step-2.md)
+1. [Sync and distribute devices](apple-school-manager-step-3.md)
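Review bot: the procedure deleted here is being moved into three new files almost word for word, so the pre-existing error in `-In the **Apple token** box, browse to the certificate (.pem) file` should be corrected at the destination as part of this move rather than copied: the file uploaded to Intune at that step is the server token (.p7m) downloaded from Apple School Manager, while the .pem is the public key that goes the other way, to Apple. Separately, the `🡺` glyph in `+1. 🡺 Prerequisites (*You are here*)` sits outside the range most body fonts cover and can render as a box; a plain ASCII marker or bold text is safer for the same "you are here" cue.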
diff --git a/memdocs/intune/enrollment/apple-school-manager-step-1.md b/memdocs/intune/enrollment/apple-school-manager-step-1.md
new file mode 100644
index 00000000000..d423823728c
--- /dev/null
+++ b/memdocs/intune/enrollment/apple-school-manager-step-1.md
@@ -0,0 +1,72 @@
+---
+# required metadata
+
+title: Apple School Manager - get Apple token and assign devices
+titleSuffix: Microsoft Intune
+description: Get the Apple token needed to set up Apple School Manager and Microsoft Intune for corporate-owned iOS/iPadOS devices.
+keywords:
+author: Lenewsad
+ms.author: lanewsad
+manager: dougeby
+ms.date: 01/07/2025
+ms.topic: how-to
+ms.service: microsoft-intune
+ms.subservice: enrollment
+ms.localizationpriority: high
+ms.assetid: 4c35a23e-0c61-11e8-ba89-0ed5f89f718b
+
+# optional metadata
+
+#ROBOTS:
+#audience:
+
+ms.reviewer: annovich
+ms.suite: ems
+search.appverid: MET150
+#ms.tgt_pltfrm:
+ms.collection:
+- tier1
+- M365-identity-device-management
+---
+
+# Get an Apple token for school devices
+
+Before you can enroll corporate-owned iOS/iPadOS devices with Apple School Manager, you need a token (.p7m) file from Apple. This token lets Intune sync information about Apple School Manager-participating devices. It also permits Intune to perform enrollment profile uploads to Apple and to assign devices to those profiles. While you are in the Apple portal, you can also assign device serial numbers to manage.
+
+## Get Apple token
+In the first set of steps, you download the Intune public key certificate required to create an Apple token.
+
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Devices**.
+1. Expand **Device onboarding**, and then select **Enrollment**.
+1. Select the **Apple** tab.
+1. Choose **Enrollment program tokens**.
+1. Select **Create**.
+1. Select **I agree** to give permission to Microsoft to send user and device information to Apple.
+1. Select **Download your public key**. This step downloads and saves the encryption key (.pem) file locally. The .pem file is used to request a trust-relationship certificate from the Apple School Manager portal.
+
+ In the next set of steps, you download a token and assign devices. Keep the browser and tab with the admin center open while you're completing steps in Apple School Manager.
+
+ > [!TIP]
+ > The following steps describe what you need to do in Apple School Manager. For the specific steps, see the [Apple School Manager User Guide](https://support.apple.com/guide/apple-school-manager/device-workflow-axm6a88f692e/1/web/1) (opens Apple Support).
+
+1. Choose **Create a token via Apple School Manager**, and sign in to [Apple School Manager](https://school.apple.com) with your company Apple ID. You can use this Apple ID to renew your Apple School Manager token.
+1. In Apple School Manager, go to your MDM Server assignments to add an MDM server.
+1. Enter the mobile device management (MDM) server name. The server name is for your reference to identify the MDM server. It isn't the name or URL of the Microsoft Intune server.
+1. Upload the public key certificate file (.pem file).
+1. Save your MDM server.
+1. Select the download button to download the server token (.p7m) file to your computer.
+1. Go to **Devices** and select the devices you want to assign to this token. You can sort by various device properties, like serial number. You can also select multiple devices simultaneously.
+1. Select **Edit MDM Server**. Select the MDM server you just added, and then save your changes. This step assigns devices to the token.
+1. Return to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and enter the Apple ID you used to create the token.
+
+ ![Example screenshot showing the Apple ID used to create the enrollment program token and browsing to the enrollment program token.](./media/apple-school-manager-set-up-ios/image03.png)
+
+1. For **Apple token**, browse to the certificate (.pem) file. Select **Open**, and then choose **Create**. With the push certificate, Intune can enroll and manage iOS/iPadOS devices by pushing policies to enrolled mobile devices. Intune automatically syncs your Apple School Manager devices from Apple.
+
+## Next steps
+This series of articles describes how to set up Microsoft Intune for devices purchased through Apple School Manager.
+
+1. [Prerequisites](apple-school-manager-set-up-ios.md)
+1. 🡺 Get an Apple token for school devices (*You are here*)
+1. [Create an Apple enrollment profile](apple-school-manager-step-2.md)
+1. [Sync and distribute devices](apple-school-manager-step-3.md)
\ No newline at end of file
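Review bot: the final step `+1. For **Apple token**, browse to the certificate (.pem) file.` points at the wrong file: the object uploaded to Intune here is the server token (.p7m) obtained a few steps earlier at `+1. Select the download button to download the server token (.p7m) file`, whereas the .pem is the public key uploaded to Apple School Manager in the opposite direction. The same step then calls the token a "push certificate", which is a different object (the APNs certificate configured separately), so reword it to "With the token, Intune can ..." or similar. This is a new file, so fix the text here instead of carrying the mistake over from the original page. Also add a trailing newline (`\ No newline at end of file`).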
diff --git a/memdocs/intune/enrollment/apple-school-manager-step-2.md b/memdocs/intune/enrollment/apple-school-manager-step-2.md
new file mode 100644
index 00000000000..27d3b5ea28f
--- /dev/null
+++ b/memdocs/intune/enrollment/apple-school-manager-step-2.md
@@ -0,0 +1,118 @@
+---
+# required metadata
+
+title: Apple School Manager - create enrollment profile
+titleSuffix: Microsoft Intune
+description: Learn how to create the enrollment profile in Intune for Apple School Manager enrollment.
+keywords:
+author: Lenewsad
+ms.author: lanewsad
+manager: dougeby
+ms.date: 01/07/2025
+ms.topic: how-to
+ms.service: microsoft-intune
+ms.subservice: enrollment
+ms.localizationpriority: high
+ms.assetid: 4c35a23e-0c61-11e8-ba89-0ed5f89f718b
+
+# optional metadata
+
+#ROBOTS:
+#audience:
+
+ms.reviewer: annovich
+ms.suite: ems
+search.appverid: MET150
+#ms.tgt_pltfrm:
+ms.collection:
+- tier1
+- M365-identity-device-management
+---
+
+# Create an Apple enrollment profile for school devices
+After you get your Apple token, you can create an enrollment profile for school devices. An essential part of setup is creating enrollment profiles. The profiles contain the settings that apply to devices during device enrollment.
+
+## Create a profile
+
+1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices**.
+1. Expand **Device onboarding**, and then select **Enrollment**.
+1. Select the **Apple** tab.
+1. Under **Bulk Enrollment Methods**, choose **Enrollment program tokens**.
+1. Choose a token, and then select **Profiles**.
+1. Select **Create profile** > **iOS/iPadOS**.
+
+1. For **Basics**, give the profile a **Name** and **Description** for administrative purposes. Users don't see these details.
+
+ ![Example screenshot of the profile name and description fields in the admin center.](./media/apple-school-manager-set-up-ios/image05.png)
+
+ You can use the name you enter here to create a dynamic group in Microsoft Entra ID. To assign devices with this enrollment profile to a group, for example, enter the name in the *enrollmentProfileName* parameter in your dynamic group rules. For more information, see [Microsoft Entra dynamic groups](/azure/active-directory/active-directory-groups-dynamic-membership-azure-portal#rules-for-devices).
+
+
+1. For **User Affinity**, decide if devices with this profile must enroll with an assigned user or without an assigned user.
+ - **Enroll with User Affinity** - Choose this option for devices that belong to users and that want to use the company portal for services like installing apps. This option also lets users authenticate their devices by using the company portal. If using Active Directory Federation Services (AD FS), user affinity requires [WS-Trust 1.3 Username/Mixed endpoint](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff608241(v=ws.10)). [Learn more](/powershell/module/adfs/get-adfsendpoint). Apple School Manager's Shared iPad mode requires user enroll without user affinity.
+
+ - **Enroll without User Affinity** - Choose this option for devices unaffiliated with a single user, such as a shared device. Use this option for devices that perform tasks without accessing local user data. Apps like the Company Portal app don't work.
+
+1. If you chose **Enroll with User Affinity**, select how users must authenticate: Company Portal, Setup Assistant (legacy), or Setup Assistant with modern authentication. For more information about authentication methods, see [Authentication methods for automated device enrollment in Intune](automated-device-enrollment-authentication.md).
+
+ > [!NOTE]
+ > If you want any of the following features, set **Authenticate with Company Portal instead of Apple Setup Assistant** to **Yes**.
+ > - use multifactor authentication
+ > - prompt users who need to change their password when they first sign in
+ > - prompt users to reset their expired passwords during enrollment
+ >
+ > These features aren't supported when authenticating with Apple Setup Assistant.
+
+1. Choose **Device Management Settings**. Decide if you want devices using this profile to be supervised. *Supervision* gives you more management options and disables Apple Activation Lock by default. Microsoft recommends using ADE as the mechanism for enabling Intune's supervised mode, especially for organizations that are deploying large numbers of iOS/iPadOS devices.
+
+ Users are notified that their devices are supervised in two ways:
+
+ - The lock screen says: "This iPhone is managed by Contoso."
+ - The **Settings** > **General** > **About** screen says: "This iPhone is supervised. Contoso can monitor your Internet traffic and locate this device."
+
+ > [!NOTE]
+ > A device enrolled without supervision can only be reset to supervised by using the Apple Configurator. Resetting the device in this manner requires connecting an iOS/iPadOS device to a Mac with a USB cable. For more information, see the [Apple Configurator docs](https://support.apple.com/guide/apple-configurator-mac) (opens Apple Support).
+
+1. Choose if you want locked enrollment for devices using this profile. **Locked enrollment** disables iOS/iPadOS settings that allow the management profile to be removed from the **Settings** menu. After device enrollment, you can't change this setting without wiping the device. Such devices must have the supervised management mode set to *yes*.
+
+1. You can let multiple users sign on to enrolled iPads by using a managed Apple ID. To do so, choose **Yes** under **Shared iPad** (this option requires **Enroll without User Affinity** and **Supervised** mode set to **Yes**.) Managed Apple IDs are created in the Apple School Manager portal. Learn more about [shared iPad](../fundamentals/education-settings-configure-ios-shared.md) and [shared iPad requirements for Apple](https://help.apple.com/classroom/ipad/2.0/#/cad7e2e0cf56).
+
+1. Choose if you want the devices using this profile to be able to **Sync with computers**. **Deny All** means that devices using this profile can't sync with any data on any computer.
+
+1. If you chose **Allow Apple Configurator by certificate** in the previous step, choose an Apple Configurator Certificate to import.
+
+1. You can specify a naming format for devices that is automatically applied when they enroll. To do so, select **Yes** under **Apply device name template**. Then, in the **Device Name Template** box, enter the template to use for the names using this profile. You can specify a template format that includes the device type and serial number.
+
+1. Select **OK**.
+
+1. Select **Setup Assistant Settings** to configure the following profile settings:
+
+ |Setting |Description |
+ |------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+ |**Department Name** | Appears when users tap About Configuration during activation. |
+ | **Department Phone** | Appears when the user selects the Need Help button during activation. |
+ |**Setup Assistant Options** | The following optional settings can be set up later in the iOS/iPadOS Settings menu. |
+ |**Passcode** | Prompt for passcode during activation. Always require a passcode for unsecured devices unless access is controlled in some other manner (like kiosk mode that restricts the device to one app). |
+ |**Location Services** | If enabled, Setup Assistant prompts for the service during activation. |
+ |**Restore** |If enabled, Setup Assistant prompts for iCloud backup during activation. |
+ | **iCloud and Apple ID** | If enabled, Setup Assistant prompts the user to sign in with an Apple ID, and the Apps & Data screen allows the device to be restored from iCloud backup. |
+ | **Terms and Conditions**|If enabled, Setup Assistant prompts users to accept Apple's terms and conditions during activation.|
+ |**Touch ID**|If enabled, Setup Assistant prompts for this service during activation. |
+ |**Apple Pay** | If enabled, Setup Assistant prompts for this service during activation. |
+ | **Zoom** |If enabled, Setup Assistant prompts for this service during activation. |
+ | **Siri**|If enabled, Setup Assistant prompts for this service during activation. |
+ | **Diagnostic Data** |If enabled, Setup Assistant prompts for this service during activation. |
+
+
+1. Choose **OK**.
+
+1. To save the profile, choose **Create**.
+
+## Next steps
+This series of articles describes how to set up Microsoft Intune for devices purchased through Apple School Manager.
+
+1. [Prerequisites](apple-school-manager-set-up-ios.md)
+1. [Get an Apple token for school devices](apple-school-manager-step-1.md).
+1. 🡺 Create an Apple enrollment profile (*You are here*).
+1. [Sync and distribute devices](apple-school-manager-step-3.md).
+
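Review bot: the step `+1. Choose if you want the devices using this profile to be able to **Sync with computers**.` drops the sentence the original had naming the **Allow Apple Configurator by certificate** option, yet the next step still opens with `+1. If you chose **Allow Apple Configurator by certificate** in the previous step`, so that reference now dangles. Restore the clause ("If you choose **Allow Apple Configurator by certificate**, you must choose a certificate under **Apple Configurator Certificates**.") or merge the two steps. Minor points: the **Next steps** items here end with periods, unlike the identical list in the other two new files; the sentence "Shared iPad mode requires user enroll without user affinity" needs "requires enrolling without user affinity"; and `ms.assetid` repeats the value used in the step-1 file, which defeats its purpose if it is meant to identify a single article.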
diff --git a/memdocs/intune/enrollment/apple-school-manager-step-3.md b/memdocs/intune/enrollment/apple-school-manager-step-3.md
new file mode 100644
index 00000000000..abc459bced2
--- /dev/null
+++ b/memdocs/intune/enrollment/apple-school-manager-step-3.md
@@ -0,0 +1,79 @@
+---
+# required metadata
+
+title: Apple School Manager - sync and distribute devices
+titleSuffix: Microsoft Intune
+description: Sync and distribute Apple School Manager devices enrolled in Microsoft Intune.
+keywords:
+author: Lenewsad
+ms.author: lanewsad
+manager: dougeby
+ms.date: 01/06/2025
+ms.topic: how-to
+ms.service: microsoft-intune
+ms.subservice: enrollment
+ms.localizationpriority: high
+ms.assetid: 4c35a23e-0c61-11e8-ba89-0ed5f89f718b
+
+# optional metadata
+
+#ROBOTS:
+#audience:
+
+ms.reviewer: annovich
+ms.suite: ems
+search.appverid: MET150
+#ms.tgt_pltfrm:
+ms.collection:
+- tier1
+- M365-identity-device-management
+---
+
+# Sync and distribute school devices
+
+After you assign Microsoft Intune permission to manage your Apple School Manager devices, sync Intune with the Apple service to see your managed devices in the admin center.
+
+## Start a sync
+
+1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), return to **Enrollment program tokens**.
+1. Select a token in the list.
+1. Select **Devices** > **Sync**.
+
+ > [!div class="mx-imgBorder"]
+ >![Screenshot of the Enrollment Program Devices node and Sync link.](./media/device-enrollment-program-enroll-ios/image06.png)
+
+To follow Apple's terms for acceptable enrollment program traffic, Intune imposes the following restrictions:
+- A full sync can run no more than once every seven days. During a full sync, Intune refreshes every Apple serial number assigned to Intune. If a full sync is attempted within seven days of the previous full sync, Intune only refreshes serial numbers that aren't already listed in Intune.
+- Any sync request is given 15 minutes to finish. During this time or until the request succeeds, the **Sync** button is disabled.
+- Intune syncs new and removed devices with Apple every 24 hours.
+
+## Assign a profile to devices
+Apple School Manager devices managed by Intune must be assigned an enrollment profile before they're enrolled.
+
+1. Return to **Enrollment program tokens**.
+1. Select a token in the list.
+1. Select **Devices**, and then choose your devices.
+1. Select **Assign profile**. Then select a profile for the devices.
+1. Select **Assign**.
+
+## Distribute devices to users
+
+You enabled management and syncing between Apple and Intune, and assigned a profile that lets Apple School devices enroll. You can now distribute devices to users. When an iOS/iPadOS Apple School Manager device is turned on, it enrolls in Microsoft Intune. Profiles can't be applied to activated devices currently in use until the device is wiped.
+
+## Connect School Data Sync
+Microsoft Education is transitioning to a new School Data Sync (SDS) experience with enhanced features, starting August 2024 for the Northern Hemisphere and January 2025 for the Southern Hemisphere. The current Apple School Manager support will be retired by December 31, 2024. This new experience offers various enhancements over SDS (Classic) including:
+
+- Decoupled data ingestion
+- Faster syncs with fewer errors
+- Support for larger organizations
+- A modern user interface
+
+Please contact Microsoft Education support with questions regarding the transition to the new School Data Sync experience.
+
+## Next steps
+This series of articles describes how to set up Microsoft Intune for devices purchased through Apple School Manager.
+
+1. [Prerequisites](apple-school-manager-set-up-ios.md)
+1. [Get an Apple token for school devices](apple-school-manager-step-1.md)
+1. [Create an Apple enrollment profile](apple-school-manager-step-2.md)
+1. 🡺 Sync and distribute devices (*You are here*)
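Review bot: the **Connect School Data Sync** section says the current Apple School Manager support "will be retired by December 31, 2024", but this file carries `ms.date: 01/06/2025`, so the page ships after the deadline it presents as future. Update the section to state the current status (the retirement has happened, or the date has moved) or remove it; as written it asks readers to plan for a date that has already passed. Also, `ms.assetid: 4c35a23e-0c61-11e8-ba89-0ed5f89f718b` is identical across all three new files (and matches the value in step-1 and step-2); if this field is meant to be a per-article identifier, generate a new one for each file or drop it.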
diff --git a/memdocs/intune/enrollment/apple-user-enrollment-with-company-portal.md b/memdocs/intune/enrollment/apple-user-enrollment-with-company-portal.md
index 2ceb990673d..34a98972ef4 100644
--- a/memdocs/intune/enrollment/apple-user-enrollment-with-company-portal.md
+++ b/memdocs/intune/enrollment/apple-user-enrollment-with-company-portal.md
@@ -8,7 +8,7 @@ keywords:
author: Lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 01/23/2024
+ms.date: 12/06/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: enrollment
@@ -72,14 +72,7 @@ Complete these steps to create an enrollment profile for devices enrolling via u
6. Select **Next**.
-7. On the **Settings** page, select **User enrollment with Company Portal**.
-
- Alternatively, you can select **Determine based on user choice**, which lets assigned users select the enrollment type during enrollment. Their options:
-
- * **I own this device**: As a follow-up, the user must select whether they want to secure the entire device or only secure work-related apps and data.
- * **(Company) owns this device**: The device enrolls via Apple Device Enrollment. For more information about this enrollment method, see [Device Enrollment and MDM](https://support.apple.com/guide/deployment/device-enrollment-and-mdm-depd1c27dfe6/web) on the Apple Support website.
-
- The device user's selection determines which enrollment process is carried out. Their choice is also reflected in the device ownership attribute shown in Intune. To learn more about the user experience and what they see onscreen during enrollment, see [Set up iOS/iPadOS device access to your company resources](../user-help/enroll-your-device-in-intune-ios.md).
+7. On the **Settings** page, select **User enrollment with Company Portal**.
8. Select **Next**.
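Review bot: the `-7.` and `+7.` lines are byte-identical, so the real change is only the removal of the **Determine based on user choice** paragraphs, and that removal leaves no trace that the option ever existed. If the option has been retired from the enrollment profile, add a sentence saying so and what happens to existing profiles that use it; if it still exists, this hunk deletes the only description of the two choices ("I own this device" / "(Company) owns this device") the user sees. In either case, drop the no-op replacement of line 7 so the diff shows only the substantive change.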
diff --git a/memdocs/intune/enrollment/automated-device-enrollment-authentication.md b/memdocs/intune/enrollment/automated-device-enrollment-authentication.md
index a8fe7e65cd3..ae33fcc55ce 100644
--- a/memdocs/intune/enrollment/automated-device-enrollment-authentication.md
+++ b/memdocs/intune/enrollment/automated-device-enrollment-authentication.md
@@ -50,7 +50,7 @@ Use the Intune Company Portal app as the authentication method if you want to:
- Use multifactor authentication (MFA).
- Prompt users to change their passwords when they first sign in.
- Prompt users to reset their expired passwords during enrollment.
- - Register devices in Microsoft Entra ID and use features available with Microsoft Entra ID, such as conditional access.
+ - Register devices in Microsoft Entra ID and use features available with Microsoft Entra ID, such as Conditional Access.
- Automatically install the Company Portal app during enrollment. If your company uses the Volume Purchase Program (VPP), you can automatically install Company Portal app during enrollment without user Apple IDs.
- You want to lock the device until the Company Portal app installs.
@@ -65,7 +65,7 @@ This option provides the same security as Intune Company Portal authentication b
* Use multifactor authentication (MFA).
* Prompt users to change their passwords when they first sign in.
* Prompt users to reset their expired passwords during enrollment.
-* Register devices in Microsoft Entra ID and use features available with Microsoft Entra ID, such as conditional access.
+* Register devices in Microsoft Entra ID and use features available with Microsoft Entra ID, such as Conditional Access.
* Automatically install the Company Portal app during enrollment. If your company uses the Volume Purchase Program (VPP), you can automatically install Company Portal app during enrollment without user Apple IDs.
* Allow users to use the device even when the Company Portal app isn't installed.
@@ -86,7 +86,7 @@ In both scenarios, the Company Portal installation option is hidden from the dev
### Multifactor authentication
-Multifactor authentication (MFA) will be required if a [conditional access policy that requires it](multi-factor-authentication.md) is applied at enrollment or during Company Portal sign-in. However, MFA is optional, based on the Microsoft Entra settings in the targeted conditional access policy.
+Multifactor authentication (MFA) will be required if a [Conditional Access policy that requires it](multi-factor-authentication.md) is applied at enrollment or during Company Portal sign-in. However, MFA is optional, based on the Microsoft Entra settings in the targeted Conditional Access policy.
External authentication methods are supported in Microsoft Entra ID, which means you can use your preferred MFA solution to facilitate MFA during device enrollment. If you choose to use a third-party MFA provider, before you deploy enrollment profiles to all devices, do a test run to ensure that both the Microsoft Entra MFA screen and MFA work during enrollment. For more information and support details about external authentication methods, see [Public preview: External authentication methods in Microsoft Entra ID](https://techcommunity.microsoft.com/t5/microsoft-entra-blog/public-preview-external-authentication-methods-in-microsoft/ba-p/4078808).
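Review bot: the two sentences on the modified line contradict each other: "Multifactor authentication (MFA) will be required if a Conditional Access policy that requires it is applied at enrollment or during Company Portal sign-in" is immediately followed by "However, MFA is optional". Since the line is already being touched for the capitalization fix, reword it to say what is meant, for example that MFA is prompted during enrollment only when a Conditional Access policy requiring it applies at enrollment or Company Portal sign-in, and is otherwise not enforced.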
@@ -96,9 +96,9 @@ After they go through the Setup Assistant screens, the device user lands on the
- Won’t be fully registered with Microsoft Entra ID.
- Won’t show up in the user’s device list in Microsoft Entra ID.
-- Won’t have access to resources protected by conditional access.
+- Won’t have access to resources protected by Conditional Access.
- Won’t be evaluated for device compliance.
-- Will be redirected to the Company Portal from other apps if the user tries to open any managed applications that are protected by conditional access.
+- Will be redirected to the Company Portal from other apps if the user tries to open any managed applications that are protected by Conditional Access.
## Option 3: Just in Time Registration for Setup Assistant with modern authentication
diff --git a/memdocs/intune/enrollment/corporate-identifiers-add.md b/memdocs/intune/enrollment/corporate-identifiers-add.md
index 83e3a98b573..9050d63eb25 100644
--- a/memdocs/intune/enrollment/corporate-identifiers-add.md
+++ b/memdocs/intune/enrollment/corporate-identifiers-add.md
@@ -9,11 +9,6 @@ ms.author: lanewsad
manager: dougeby
ms.date: 08/08/2024
ms.topic: how-to
-ms.service: microsoft-intune
-ms.subservice: enrollment
-ms.localizationpriority: high
-ms.assetid: 566ed16d-8030-42ee-bac9-5f8252a83012
-
# optional metadata
#ROBOTS:
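Review bot: The removed front-matter keys (`ms.service: microsoft-intune`, `ms.subservice: enrollment`, `ms.localizationpriority: high`) are still present in every other file touched by this patch (create-device-limit-restrictions.md, device-group-mapping.md, device-staging-overview.md, enrollment-restrictions-set.md, enrollment-time-grouping.md), so this file becomes the odd one out. If these values are now supplied by global metadata, drop them from the other files in the same change; otherwise restore them here. Also, `ms.date: 08/08/2024` is left unchanged although this file receives substantive content changes below, while files with far smaller edits bump their date.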
@@ -120,7 +115,7 @@ Android serial numbers aren't guaranteed to be unique or present. Check with you
### Add Windows corporate identifiers
> [!IMPORTANT]
-> Corporate identifiers are supported for devices running Windows 10 KB5039299 (with OS Build 19045.4598) and later. If you're enrolling Windows 10 devices with an earlier build, do not use the corporate identifier feature.
+> Windows corporate identifiers only apply at enrollment time. They don't determine ownership type in Intune after enrollment. Corporate identifiers are supported for devices running Windows 10 KB5039299 (with OS Build 19045.4598) and later. If you're enrolling Windows 10 devices with an earlier build, do not use the corporate identifier feature.
To add corporate identifiers for corporate devices running Windows 11, list the manufacturer, model, and serial number for each device as shown in the following example.
@@ -131,11 +126,14 @@ Lenovo,thinkpad t14,02234567890123
Remove all periods, if applicable, from the serial number before you add it to the file.
-After you add Windows corporate identifiers, Intune marks devices that match all three identifiers as corporate-owned, and marks all other enrolling devices in your tenant as personal. This means that anything you exclude from the Windows corporate identifiers is marked personal. To change the ownership type after enrollment, you have to manually adjust it in the admin center.
+After you add Windows corporate identifiers, Intune marks devices that match all three identifiers as corporate-owned, and marks all other enrolling devices in your tenant as personal. This means that anything you exclude from the Windows corporate identifiers is marked personal, but only at enrollment time. Existing Windows logic determines the final state in Intune. For more information, see the table in this section. To change the ownership type in Intune, you have to manually adjust it in the admin center.
:::image type="content" source="./media/corporate-identifiers-add/device-enrollment-add-identifiers.png" alt-text="Screenshot of selecting and adding corporate identifiers.":::
-The following table lists the type of ownership given to devices when they enroll without corporate identifiers and when they enroll with corporate identifiers.
+The following table lists the type of ownership given to devices when they enroll without corporate identifiers and when they enroll with corporate identifiers.
+
+>[!TIP]
+> As a reminder, corporate identifiers only change the device state at enrollment time. This means that after the device enrolls, the device state matches what you see in the **Without corporate identifiers** column in the table.
|Windows enrollment types | Without corporate identifiers | With corporate identifiers |
|---|---|---|
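Review bot: The new wording on the `+After you add Windows corporate identifiers…` line ("only at enrollment time", "Existing Windows logic determines the final state") and the added TIP conflict with how the table reads: the column is still titled **With corporate identifiers** and its rows say "Personal, unless defined by corporate identifiers", which a reader will take as the persisted ownership type. Rename the columns to say what each value is, for example "Ownership evaluated at enrollment time (with corporate identifiers)" and "Ownership type recorded in Intune after enrollment", or add one sentence above the table stating that only the second column survives enrollment. "Existing Windows logic" is also vague; name the rule, which from the table is the enrollment method and join type.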
@@ -153,7 +151,7 @@ The following table lists the type of ownership given to devices when they enrol
| [Enrollment using the Intune Company Portal app](../user-help/enroll-windows-10-device.md) | Personal | Personal, unless defined by corporate identifiers |
| Enrollment via a Microsoft 365 app, which occurs when users select the **Allow my organization to manage my device** option during app sign-in | Personal | Personal, unless defined by corporate identifiers |
-Windows corporate identifiers can only change ownership type if someone adds them to Microsoft Intune. If you don't have corporate identifiers for Windows in Intune, or if you remove them, devices that are Microsoft Entra domain joined are marked as corporate-owned. This includes devices enrolled via [automatic MDM enrollment](windows-enroll.md#enable-windows-automatic-enrollment) with:
+Windows corporate identifiers can only change ownership type if someone adds them to Microsoft Intune. If you don't have corporate identifiers for Windows in Intune, or if you remove them, devices that are Microsoft Entra domain joined are marked as corporate-owned at enrollment time. This includes devices enrolled via [automatic MDM enrollment](windows-enroll.md#enable-windows-automatic-enrollment) with:
- [Microsoft Entra join during Windows setup](/azure/active-directory/device-management-azuread-joined-devices-frx).
@@ -222,7 +220,7 @@ Follow up on imported devices to ensure that they enroll in Intune. After you ad
1. Select the device identifiers you want to delete, and choose **Delete**.
1. Confirm the deletion.
-Deleting a corporate identifier for an enrolled device does not change the device's ownership.
+Deleting a corporate identifier for an enrolled device doesn't change the device's ownership.
## Change device ownership
@@ -247,6 +245,8 @@ To confirm the reason for an enrollment failure, go to **Devices** > **Enrollmen
## Known issues and limitations
+- Windows corporate device identifiers only apply at enrollment time. This means that when a device with corporate identifiers enrolls using the *Add Work Account from Windows Settings* option, it's marked as corporate-owned only at enrollment time. Microsoft Intune treats it as a corporate device for the enrollment restriction evaluation, but then after that the device appears as a personal device in the admin center. See the table under [Add Windows corporate identifiers](#add-windows-corporate-identifiers) to help you determine the ownership type. Look to the **Without corporate identifiers** column to learn which devices remain corporate or personal in your tenant for the long-term.
+
- Windows corporate device identifiers are only supported for devices running:
- Windows 10 version 22H2 (OS build 19045.4598) or later.
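Review bot: The new known-issue bullet is the third place in this file that states corporate identifiers only apply at enrollment time (the IMPORTANT box, the TIP, and now here), and it is the only one that explains the practical consequence; keep the consequence here and trim the other two to a cross-reference. The consequence also needs one more sentence for admins who scope policy by ownership: a device enrolled via *Add Work Account from Windows Settings* passes enrollment restrictions as corporate-owned, but afterwards it is shown as personal in the admin center, so anything that keys on the recorded ownership type will treat it as a personal device and a restriction that blocks personal devices won't have stopped it. Finally, "See the table under … to help you determine the ownership type. Look to the **Without corporate identifiers** column" is awkward; merge into one sentence.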
@@ -261,7 +261,7 @@ To confirm the reason for an enrollment failure, go to **Devices** > **Enrollmen
- Windows currently doesn't support device details in CSV files.
-- Apple user enrollment with Company Portal and account driven user enrollment corporate identifiers are not currently supported because the MDM does not get access to the device serial number, IMEI, and UDID.
+- Apple user enrollment with Company Portal and account driven user enrollment corporate identifiers aren't currently supported because the MDM doesn't get access to the device serial number, IMEI, and UDID.
## Resources
diff --git a/memdocs/intune/enrollment/create-device-limit-restrictions.md b/memdocs/intune/enrollment/create-device-limit-restrictions.md
index 97c6e512c43..d03c2755038 100644
--- a/memdocs/intune/enrollment/create-device-limit-restrictions.md
+++ b/memdocs/intune/enrollment/create-device-limit-restrictions.md
@@ -8,7 +8,7 @@ keywords:
author: Lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 06/27/2024
+ms.date: 01/27/2025
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: enrollment
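Review bot: The only change to create-device-limit-restrictions.md is bumping `ms.date` from 06/27/2024 to 01/27/2025 with no content change in this patch. Every other file here that bumps its date also changes body text, so either an intended edit is missing, or the bump is meant to record a no-change review and the commit message should say so.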
diff --git a/memdocs/intune/enrollment/create-device-platform-restrictions.md b/memdocs/intune/enrollment/create-device-platform-restrictions.md
index c41c68d3215..8c7f70a2fca 100644
--- a/memdocs/intune/enrollment/create-device-platform-restrictions.md
+++ b/memdocs/intune/enrollment/create-device-platform-restrictions.md
@@ -132,6 +132,9 @@ For example, you can use a filter to allow personal Windows devices to enroll wh
For more information about creating filters, see [Create a filter](../fundamentals/filters.md).
+> [!NOTE]
+> It takes extra time to process assignment filters during enrollment. The update between Microsoft Entra and Intune that processes user, group, and filter assignments typically happens within 15 minutes. It's not instant. This amount of time can affect enrollment assignments. You should wait and enroll devices several minutes after adding the enrolling users to a group, not immediately after.
+
### Supported filter properties
Enrollment restrictions support fewer filter properties than other group-targeted policies. This is because devices aren't yet enrolled, so Intune doesn't have the device info to support all properties. The limited selection of properties become available when you:
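Review bot: The new NOTE's advice doesn't match its explanation. It opens with "It takes extra time to process assignment filters during enrollment", but the delay it describes is the Entra-to-Intune sync of user, group, and filter assignments, and the action it recommends ("enroll devices several minutes after adding the enrolling users to a group") concerns group membership, not filter evaluation. Lead with the cause, for example "Changes to group membership and filter assignments take up to 15 minutes to reach enrollment restriction evaluation", and give one consistent wait time instead of "typically within 15 minutes" in one sentence and "several minutes" in the next. The same paragraph is pasted almost verbatim into enrollment-restrictions-set.md in this patch; make it a shared include so the two copies can't drift.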
diff --git a/memdocs/intune/enrollment/device-enrollment-manager-enroll.md b/memdocs/intune/enrollment/device-enrollment-manager-enroll.md
index 3e621b94bc5..19f8436fbf6 100644
--- a/memdocs/intune/enrollment/device-enrollment-manager-enroll.md
+++ b/memdocs/intune/enrollment/device-enrollment-manager-enroll.md
@@ -116,8 +116,8 @@ Applying a Microsoft Entra maximum device limit of less than 1,000 to a DEM acco
### Certificates
You must use device-level certificates to manage Wi-Fi and email connections.
-### Conditional access
-Conditional access is only supported with DEM on devices running:
+### Conditional Access
+Conditional Access is only supported with DEM on devices running:
* Windows 10, version 1803 and later
* Windows 11
diff --git a/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md b/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md
index 97e38d865e2..5b066beae38 100644
--- a/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md
+++ b/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md
@@ -140,9 +140,10 @@ Use [Apple Business Manager (ABM)](https://business.apple.com/) or [Apple School
### Step 1: Download the Intune public key certificate
-1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Enrollment**.
+1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices**.
+1. Expand **Device onboarding**, and then select **Enrollment**.
1. Select the **Apple** tab.
-1. Select **Enrollment Program Tokens** > **Add**.
+1. Select **Enrollment Program Tokens** > **Create**.
1. On the **Basics** tab:
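Review bot: Menu label casing is now inconsistent within this file: this hunk keeps **Enrollment Program Tokens** while the next hunk changes the same item to **Enrollment program tokens**. Use the casing the admin center actually shows in both places, and apply the **Add** to **Create** button rename consistently too, since it is made only here.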
@@ -210,13 +211,17 @@ Now that you've installed your token, you can create an enrollment profile for a
> [!NOTE]
> Devices will be blocked from enrolling if there aren't enough Company Portal licenses for a VPP token or if the token expires. Intune alerts you when a token is about to expire or licenses are running low.
-1. In [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Enrollment**.
+1. In [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices**.
+1. Expand **Device onboarding**, and then select **Enrollment**.
1. Select the **Apple** tab.
-1. Choose **Enrollment Program Tokens**.
+1. Choose **Enrollment program tokens**.
1. Choose a token, and then select **Profiles**.
1. Select **Create profile** > **iOS/iPadOS**.
1. For **Basics**, give the profile a **Name** and **Description** for administrative purposes. Users don't see these details.
-1. Select **Next**.
+1. Select **Next**.
+
+ > [!IMPORTANT]
+ > You must assign an enrollment policy to your devices before the devices become active. We recommend that you set a default enrollment policy as soon as possible so that as devices sync from Apple Business Manager or Apple School Manager, and then turn on, they can enroll correctly through automated device enrollment. If a device you synced from Apple is not assigned an enrollment policy and someone turns it on to set it up, enrollment will fail.
> [!IMPORTANT]
> If you make changes to an existing enrollment profile, the new settings won't take effect on assigned devices until devices are reset back to factory settings and reactivated. The device name template setting is the only setting you can change that doesn't require a factory reset to take effect. Changes to the naming template take effect at the next check-in.
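Review bot: The added IMPORTANT box says "enrollment policy" three times, but everywhere else on this page the object is an enrollment *profile* (**Profiles**, **Create profile**, and the existing box below about "an existing enrollment profile"), so readers will look for a policy that doesn't exist; say "enrollment profile" and point to where the default profile is selected. It also lands in the middle of the numbered procedure right after "Select **Next**" and directly above a second IMPORTANT box, which is the wrong place for a prerequisite; move it above step 1 or merge it with the existing box. Finally, "is not assigned" should be "isn't assigned" to match the contraction style applied throughout this patch.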
@@ -308,7 +313,7 @@ Now that you've installed your token, you can create an enrollment profile for a
> [!NOTE]
> If you set **Sync with computers** to **Deny all**, the port will be limited on iOS and iPadOS devices. The port will be limited to only charging. It will be blocked from using iTunes or Apple Configurator 2.
>
- >If you set **Sync with computers** to **Allow Apple Configurator by certificate**, make sure you have a local copy of the certificate that you can use later. You won't be able to make changes to the uploaded copy, and it's important to retain an copy of this certificate. If you want to connect to the iOS/iPadOS device from a Mac device, the same certificate must be installed on the device making the connection to the iOS/iPadOS device.
+ >If you set **Sync with computers** to **Allow Apple Configurator by certificate**, make sure you have a local copy of the certificate that you can use later. You won't be able to make changes to the uploaded copy, and it's important to retain a copy of this certificate. If you want to connect to the iOS/iPadOS device from a Mac device, the same certificate must be installed on the device making the connection to the iOS/iPadOS device.
1. If you selected **Allow Apple Configurator by certificate** in the previous step, choose an Apple Configurator certificate to import. The limit is 10 certificates.
1. For **Await final configuration**, your options are:
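Review bot: While fixing "an copy" on this line, the guidance should say the local copy of the Apple Configurator certificate must be stored securely, not merely retained: the note itself states that any Mac with the same certificate installed can connect to the iOS/iPadOS device over a port that **Deny all** would otherwise restrict, so the file is effectively a pairing credential for every device the profile applies to. Suggested wording: "Keep a securely stored local copy of the certificate; you can't change the uploaded copy, and anyone holding the certificate can pair with the enrolled devices."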
@@ -385,7 +390,7 @@ The following table describes the Setup Assistant screens shown during automated
| **Apple Pay** | Shows the Apple Pay setup pane, which gives users the option to set up Apple Pay on their devices. For iOS/iPadOS 7.0 and later. |
| **Zoom** | Shows the zoom setup pane, which gives users the option to configure zoom settings. For iOS/iPadOS 8.3 and later, and deprecated in iOS/iPadOS 17. |
| **Siri** | Shows the Siri setup pane to users. For iOS/iPadOS 7.0 and later. |
-| **Diagnostics Data** | Shows the diagnostics pane where users can opt-in to send diagnostic data to Apple. For iOS/iPadOS 7.0 and later. |
+| **Diagnostics Data** | Shows the diagnostics pane where users can opt in to send diagnostic data to Apple. For iOS/iPadOS 7.0 and later. |
| **Display Tone** | Shows the display tone setup pane, where users can configure the display's white balance settings. For iOS/iPadOS 9.3.2 and later, and deprecated in iOS/iPadOS 15. |
| **Privacy** | Shows the privacy setup pane to the user. For iOS/iPadOS 11.3 and later. |
| **Android Migration** | Shows a setup pane meant for previous Android users. On this screen, users can migrate data from an Android device. For iOS/iPadOS 9.0 and later.|
diff --git a/memdocs/intune/enrollment/device-enrollment-program-enroll-macos.md b/memdocs/intune/enrollment/device-enrollment-program-enroll-macos.md
index 53e3bcbcc00..baf58e8c054 100644
--- a/memdocs/intune/enrollment/device-enrollment-program-enroll-macos.md
+++ b/memdocs/intune/enrollment/device-enrollment-program-enroll-macos.md
@@ -128,7 +128,10 @@ At the end of this procedure, you can assign this profile to Microsoft Entra dev
1. Select an enrollment program token.
1. Select **Profiles** > **Create profile** > **macOS**.
- ![Create a profile screenshot.](./media/device-enrollment-program-enroll-macos/image04.png)
+ ![Create a profile screenshot.](./media/device-enrollment-program-enroll-macos/image04.png)
+
+ > [!IMPORTANT]
+ > You must assign an enrollment policy to your devices before the devices become active. We recommend that you set a default enrollment policy as soon as possible so that as devices sync from Apple Business Manager or Apple School Manager, and then turn on, they can enroll correctly through automated device enrollment. If a device you synced from Apple is not assigned an enrollment policy and someone turns it on to set it up, enrollment will fail.
1. For **Basics**, enter a name and description for the profile so that you can distinguish it from other enrollment profiles. These details aren't visible to device users.
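Review bot: This IMPORTANT box is a verbatim copy of the one added to device-enrollment-program-enroll-ios.md in this same patch and has the same problems: it says "enrollment policy" while this page calls the object an enrollment profile (**Create profile** here, and "you can select a default enrollment profile" further down), and it is dropped between the screenshot and the first step of the numbered procedure. Turn it into a shared include, fix the term once, and place it before the procedure rather than inside it.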
@@ -149,9 +152,9 @@ At the end of this procedure, you can assign this profile to Microsoft Entra dev
- Registers with Microsoft Entra ID.
- Is added to the user's device record in Microsoft Entra ID.
- Can be evaluated for device compliance.
- - Gains access to resources protected by conditional access.
+ - Gains access to resources protected by Conditional Access.
- If the user doesn't sign in to the Company Portal to complete registration, they'll be redirected to the Company Portal app each time they try to open a managed app with conditional access protection.
+ If the user doesn't sign in to the Company Portal to complete registration, they'll be redirected to the Company Portal app each time they try to open a managed app with Conditional Access protection.
Devices running macOS 10.15 and later can use this method. Older macOS devices fall back to using the legacy Setup Assistant method. For more information about how to get the Company Portal app to Mac users, see [Add the Company Portal for macOS app](../apps/apps-company-portal-macos.md).
@@ -215,8 +218,7 @@ At the end of this procedure, you can assign this profile to Microsoft Entra dev
The following table describes the Setup Assistant screens shown during automated device enrollment for Macs. You can show or hide these screens on supported devices during enrollment. For more information about how each Setup Assistant screen affects the user experience, see these Apple resources:
- [Apple Platform Deployment guide: Manage Setup Assistant for Apple devices](https://support.apple.com/en-mide/guide/deployment/depdeff4a547/web)
-- [Apple Developer documentation: ShipKeys](https://developer.apple.com/documentation/devicemanagement/skipkeys)
--
+- [Apple Developer documentation: ShipKeys](https://developer.apple.com/documentation/devicemanagement/skipkeys)
| Setup Assistant screen | What happens when visible |
|------------------------------------------|------------------------------------------|
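Review bot: The link text on the `+- [Apple Developer documentation: ShipKeys]` line carries over a typo from the removed line: the Apple key set is **SkipKeys**, as the URL path `/devicemanagement/skipkeys` shows. Since the line is already being rewritten to drop the stray `-` bullet, fix the word here.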
@@ -281,7 +283,7 @@ Optionally, you can select a default enrollment profile. The default profile is
Distribute prepared devices throughout your organization.
-* New or wiped Macs: New or wiped Macs configured in Apple Business Manager or Apple School Manager automatically enroll in Microsoft Intune during Setup Assistant when someone turns on the device. If you assigned the device to a macOS enrollment profile with user affinity, the device user must sign in to the Company Portal after Setup Assistant is done to finish Microsoft Entra registration and conditional access requirements.
+* New or wiped Macs: New or wiped Macs configured in Apple Business Manager or Apple School Manager automatically enroll in Microsoft Intune during Setup Assistant when someone turns on the device. If you assigned the device to a macOS enrollment profile with user affinity, the device user must sign in to the Company Portal after Setup Assistant is done to finish Microsoft Entra registration and Conditional Access requirements.
* Existing Macs: You can enroll devices that already went through Setup Assistant. Complete these steps to enroll corporate-owned Macs running macOS 10.13 and later.
@@ -298,7 +300,7 @@ Distribute prepared devices throughout your organization.
1. Follow the onscreen prompts to download the Microsoft Intune management profile, certificates, and policies.
>[!TIP]
> You can confirm which profiles are on the device anytime by returning to **System Preferences** > **Profiles**.
- 1. If you assigned the device to a macOS enrollment profile with user affinity, sign in to the Company Portal app to complete Microsoft Entra registration and conditional access requirements, and finish enrollment.
+ 1. If you assigned the device to a macOS enrollment profile with user affinity, sign in to the Company Portal app to complete Microsoft Entra registration and Conditional Access requirements, and finish enrollment.
## Renew enrollment program token
Complete these steps to renew a server token that's about to expire. This procedure ensures that the associated enrollment program token in Intune remains active.
diff --git a/memdocs/intune/enrollment/device-enrollment-shared-ipad.md b/memdocs/intune/enrollment/device-enrollment-shared-ipad.md
index dc5bb6b5570..5d826bea087 100644
--- a/memdocs/intune/enrollment/device-enrollment-shared-ipad.md
+++ b/memdocs/intune/enrollment/device-enrollment-shared-ipad.md
@@ -159,7 +159,7 @@ The following limitations exist in Intune for Shared iPad:
- Company Portal and available apps not supported: Intune Company Portal app and the Intune Company Portal website are not supported with Shared iPad.
- App assignment requirements: You must assign apps as _required_ to device groups. *Available* apps are not supported with Shared iPad.
- Passcode complexity can't be managed with Shared iPad: Shared iPad passcodes must have eight alphanumeric characters, and can't be changed in Apple Business Manager. The passcode complexity and length settings available in Intune device configuration profiles don't apply to Shared iPad. An MDM administrator can set the grace period, which specifies the number of minutes a user has to unlock the iPad without a passcode.
-- Some policies not supported: These Intune policies are not supported with Shared iPad: app-based and device-based conditional access policies, app protection policies, and compliance policies.
+- Some policies not supported: These Intune policies are not supported with Shared iPad: app-based and device-based Conditional Access policies, app protection policies, and compliance policies.
- Email profile not supported: Email profiles aren't supported with Shared iPad. An error occurs when you assign an email profile to a Shared iPad device.
- User-assigned policies don't appear in reports: Intune doesn't report device status or user status in reports for Shared iPad apps and profiles assigned to Microsoft Entra user groups.
- Microsoft Entra federation requirement not enforced: The Microsoft Entra federation requirement isn't enforced. If the Managed Apple ID matches the Microsoft Entra UPN, and the Microsoft Entra user is assigned a user applicable device configuration profile, the profile will apply to the user when they sign in to a shared iPad using their Managed Apple ID.
diff --git a/memdocs/intune/enrollment/device-group-mapping.md b/memdocs/intune/enrollment/device-group-mapping.md
index 9ee17c6760f..c7e5a40e9c9 100644
--- a/memdocs/intune/enrollment/device-group-mapping.md
+++ b/memdocs/intune/enrollment/device-group-mapping.md
@@ -8,7 +8,7 @@ keywords:
author: Lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 01/22/2024
+ms.date: 01/27/2025
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: enrollment
@@ -54,13 +54,14 @@ Decide if it's necessary to show the device category selection prompt to end use
## Step 1: Create device category in Intune
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Go to **Devices** > **Device categories**.
-3. Choose **Create device category** to add a new category.
-4. Enter the name of the new category, such as `HR` and an optional description.
-5. Select **Next**.
-6. Optionally, assign a scope tag, like `US-NC IT Team` or `JohnGlenn_ITDepartment`, to limit management of the category to specific IT groups. For more information about scope tags, see [Use RBAC and scope tags for distributed IT](../fundamentals/scope-tags.md).
-7. Select **Next**.
-8. Select **Create**. The new category is added to your **Device categories** list.
+1. Go to **Devices**.
+1. Expand **Manage devices**, and then select **Device categories**.
+1. Choose **Create device category** to add a new category.
+1. Enter the name of the new category, such as `HR` and an optional description.
+1. Select **Next**.
+1. Optionally, assign a scope tag, like `US-NC IT Team` or `JohnGlenn_ITDepartment`, to limit management of the category to specific IT groups. For more information about scope tags, see [Use RBAC and scope tags for distributed IT](../fundamentals/scope-tags.md).
+1. Select **Next**.
+1. Select **Create**. The new category is added to your **Device categories** list.
You'll use the device category name when you create Microsoft Entra security groups in the next step.
diff --git a/memdocs/intune/enrollment/device-staging-overview.md b/memdocs/intune/enrollment/device-staging-overview.md
index 92eae35b8e7..e85d7fb5ecc 100644
--- a/memdocs/intune/enrollment/device-staging-overview.md
+++ b/memdocs/intune/enrollment/device-staging-overview.md
@@ -8,7 +8,7 @@ keywords:
author: Lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 05/16/2024
+ms.date: 11/14/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: enrollment
@@ -66,19 +66,22 @@ In the first stage, an Intune admin completes the following steps:
1. Set the token's expiration date.
-1. Optionally, in the admin center, create a dynamic device group or an assignment filter so you can assign policies and apps in the user stage. The dynamic device group feature isn't available to configure in the remaining stages.
+1. Optionally, in the admin center, create a dynamic device group or an assignment filter. Then assign policies and apps, which reach the device after stage 3.
In the second stage, an Intune admin or third-party vendor completes the following steps:
1. Unbox, assemble, and power on the new device you're enrolling.
-1. With the device, scan the staging token's QR code or enter the token string.
+2. With the device, scan the staging token's QR code or enter the token string.
-1. Complete the enrollment steps and setup wizard. When you get to the sign-in screen, stop. Don't sign in.
+> [!NOTE]
+> Manual token entry isn't supported on Android Enterprise corporate-owned work profile (also known as COPE) devices running Android 11 and later.
+
+3. Complete the enrollment steps and setup wizard. At the end of setup, you are on the device's home screen.
-1. Turn off the device and distribute it to the end user.
+4. Turn off the device and distribute it to the end user.
-During stage 2, the Intune assignment filter is the only available option for targeting policies and apps. After the final stage ends, you can use other supported targeting options. Example: User security groups and dynamic groups
+During stage 2, the Intune assignment filter on the all devices group is the only available option for targeting policies and apps. After the final stage ends, you can use other supported targeting options. Example: User security groups and dynamic groups
In the third, and final stage, an end user completes the following steps:
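Review bot: Three problems in the stage-2 procedure. First, the list now mixes numbering styles: it switches to `2.`, `3.`, `4.` while the first item and the rest of this patch use `1.` for every item; keep one style. Second, the NOTE about manual token entry on Android 11 and later COPE devices is inserted unindented between items 2 and 3, which breaks the list at render time; indent it under item 2 or place it before the list. Third, the rewritten item 3 ("At the end of setup, you are on the device's home screen") replaces "When you get to the sign-in screen, stop. Don't sign in." without explaining the changed behaviour, and the new stage-1 wording "assign policies and apps, which reach the device after stage 3" sits uneasily with "During stage 2, the Intune assignment filter on the all devices group is the only available option for targeting" two paragraphs later: if filter-targeted assignments don't reach the device until after stage 3, say what stage-2 filter targeting achieves, and reword to "an assignment filter applied to the All devices group".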
@@ -123,7 +126,6 @@ In the second, and final stage, an end user completes the following steps:
For detailed steps, see:
- [Set up enrollment for Android Enterprise fully managed devices](android-fully-managed-enroll.md)
--
- [Set up enrollment for corporate-owned work profile devices](android-corporate-owned-work-profile-enroll.md)
## Replace, remove, or export token
diff --git a/memdocs/intune/enrollment/enrollment-notifications.md b/memdocs/intune/enrollment/enrollment-notifications.md
index 5f18925f9f5..8e0f7b2af0c 100644
--- a/memdocs/intune/enrollment/enrollment-notifications.md
+++ b/memdocs/intune/enrollment/enrollment-notifications.md
@@ -58,7 +58,7 @@ The following example image shows what an enrollment notification looks like to
## Prerequisites
Prior to creating enrollment notifications, you must [configure Microsoft Intune branding and customization settings](../apps/company-portal-app.md) under **Tenant administration** > **Customization**.
-Enrollment notifications work with user-driven enrollment methods. They aren't supported in userless enrollment scenarios.
+Enrollment notifications work with user-driven enrollment methods. They aren't supported in userless enrollment scenarios, or when provisioning Windows 365 Cloud PCs.
## You should know
Email notifications appear in the user's inbox. Push notifications appear in the Intune Company Portal apps for iOS/iPadOS, macOS, and Android. Enrollment push notifications aren't supported in the Company Portal for Windows, so they'll never appear there.
diff --git a/memdocs/intune/enrollment/enrollment-restrictions-set.md b/memdocs/intune/enrollment/enrollment-restrictions-set.md
index 93079dc5b66..1361b00c329 100644
--- a/memdocs/intune/enrollment/enrollment-restrictions-set.md
+++ b/memdocs/intune/enrollment/enrollment-restrictions-set.md
@@ -8,7 +8,7 @@ keywords:
author: Lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 04/02/2024
+ms.date: 12/12/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: enrollment
@@ -79,7 +79,12 @@ Block devices running on a specific device platform. You can apply this restrict
In groups where both Android platforms are allowed, devices that support work profile will enroll with a work profile. Devices that don't support work profile will enroll on the Android device administrator platform. Neither work profile nor device administrator enrollment will work until you complete all prerequisites for Android enrollment.
-This restriction is in the admin center under **Enrollment device platform restrictions**.
+
+This restriction is in the admin center under **Devices** > **Device onboarding** > **Enrollment** > **Device platform restriction**.
+
+> [!NOTE]
+> Device platform enrollment restrictions use assignment filters. The update between Microsoft Entra and Intune that processes user, group, and filter assignments typically happens within 15 minutes. It's not instant. This amount of time can affect enrollment assignments. You should wait and enroll devices several minutes after adding the enrolling users to a group, not immediately after.
+
### OS version
This restriction enforces your maximum and minimum OS version requirements. This type of restriction works with the following operating systems:
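Review bot: The new NOTE opens with "Device platform enrollment restrictions use assignment filters", which overstates it: filters are optional on these restrictions (the create-device-platform-restrictions.md hunk in this patch says "you can use a filter"), and the same sentence then confirms the delay applies to user and group assignments too. Reword to "Group and filter assignments for device platform restrictions take up to 15 minutes to sync from Microsoft Entra to Intune" and give one wait time instead of "within 15 minutes" followed by "several minutes". The paragraph duplicates the one added to create-device-platform-restrictions.md; use a shared include. Also the added empty `+` line before "This restriction is in the admin center…" produces a double blank line; drop it.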
@@ -91,10 +96,10 @@ This restriction enforces your maximum and minimum OS version requirements. This
\* Version restrictions are supported on these operating systems for devices enrolled via Intune Company Portal only.
-This restriction is in the admin center under **Enrollment device platform restrictions**.
+This restriction is in the admin center under **Devices** > **Device onboarding** > **Enrollment** > **Device platform restriction**.
### Device manufacturer
-This restriction blocks devices made by specific manufacturers, and is applicable to Android devices only. It is in the admin center under **Enrollment device platform restrictions**.
+This restriction blocks devices made by specific manufacturers, and is applicable to Android devices only. It is in the admin center under **Devices** > **Device onboarding** > **Enrollment** > **Device platform restriction**.
### Personally owned devices
This restriction helps prevent device users from accidentally enrolling their personal devices, and applies to devices running:
@@ -104,7 +109,7 @@ This restriction helps prevent device users from accidentally enrolling their pe
* macOS
* Windows 10/11
-This restriction is in the admin center under **Enrollment device platform restrictions**.
+This restriction is in the admin center under **Devices** > **Device onboarding** > **Enrollment** > **Device platform restriction**.
#### Blocking personal Android devices
By default, until you manually make changes in the admin center, your Android Enterprise work profile device settings and Android device administrator device settings are the same.
@@ -156,7 +161,8 @@ Intune also blocks personal devices using these enrollment methods:
* Enrollment restrictions are applied to enrollments that are user-driven. Intune enforces the default policy in enrollment scenarios that aren't user-driven, such as:
* Windows Autopilot self-deploying mode and Autopilot for pre-provisioned deployment
- * Bulk enrollment via Windows Configuration Designer
+ * Bulk enrollment via Windows Configuration Designer
+ * Co-managed enrollments
* Userless Apple automated device enrollment (without user-device affinity)
* Azure Virtual Desktop
* Windows 365
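Review bot: The removed and added lines at "Bulk enrollment via Windows Configuration Designer" differ only in whitespace, which adds noise to the diff; drop that pair or fold the whitespace fix into a separate cleanup. The new "Co-managed enrollments" bullet should also say what enrollment it means, since the surrounding bullets name a concrete mechanism (Autopilot self-deploying mode, bulk enrollment, userless ADE); for example "Automatic enrollment of Configuration Manager co-managed devices", so admins can tell that the default restriction, not the user's assigned one, is what gets applied to those devices.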
diff --git a/memdocs/intune/enrollment/enrollment-time-grouping.md b/memdocs/intune/enrollment/enrollment-time-grouping.md
index e6361212dc7..c2eb05f8235 100644
--- a/memdocs/intune/enrollment/enrollment-time-grouping.md
+++ b/memdocs/intune/enrollment/enrollment-time-grouping.md
@@ -8,7 +8,7 @@ keywords:
author: Lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 06/01/2024
+ms.date: 01/27/2025
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: enrollment
@@ -65,10 +65,11 @@ The enrollment time grouping feature only applies to new device enrollments. It
You can add one static Microsoft Entra security group per enrollment profile. As an Intune admin, you can only add Microsoft Entra groups that are authorized in the scope group for your Intune role. Make sure scope groups and group tags are assigned to the appropriate roles so that admins can see the security group during profile creation.
-1. In the Microsoft Intune admin center, go to **Devices** >**Enrollment**.
+1. In the Microsoft Intune admin center, go to **Devices**.
+1. Expand **Device onboarding**, and then select **Enrollment**.
1. Select the type of enrollment you're configuring and create a profile. For more information about how to set up the profile, see [Create Windows Autopilot device preparation policy](/autopilot/device-preparation/tutorial/user-driven/entra-join-autopilot-policy).
-After you save the profile, you can return to it at any time to edit group settings. Updates you make to the group settings don't apply to devices already enrolled with the profile. If you remove a device from the group, Microsoft Intune reevaluates policy configurations and forces the device to check in to obtain new configurations.
+After you save the profile, you can return to it at any time to edit group settings. Updates you make to the group settings don't apply to devices already enrolled with the profile. If you remove a device from the group, Microsoft Intune reevaluates policy configurations and forces the device to check in to obtain new configurations.
## Step 3: Enroll devices
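Review bot: The removed and added "After you save the profile..." lines are identical apart from whitespace, so this part of the hunk is a no-op; remove the pair or make it a deliberate cleanup. Separately, the sentence "If you remove a device from the group, Microsoft Intune reevaluates policy configurations" sits right after "Updates you make to the group settings don't apply to devices already enrolled", and the two read as contradictory on first pass; consider clarifying that the first refers to editing which group the profile targets, and the second to removing a device from the group's membership.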
diff --git a/memdocs/intune/enrollment/ios-device-enrollment.md b/memdocs/intune/enrollment/ios-device-enrollment.md
index dbdaf5aa26b..b4a5872ed0b 100644
--- a/memdocs/intune/enrollment/ios-device-enrollment.md
+++ b/memdocs/intune/enrollment/ios-device-enrollment.md
@@ -8,7 +8,7 @@ keywords:
author: Lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 07/16/2024
+ms.date: 01/14/2025
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: enrollment
@@ -56,7 +56,7 @@ The following table provides details about app and web-based enrollment.
| Device reset required| ❌|❌|
| Enrollment initiated by device user | ✔️ |✔️|
| Supervision |❌|❌|
-| Just-in-time registration | ❌ |✔️ |
+| Just-in-time registration | ✔️ |✔️ |
| Required apps | Intune Company Portal app for iOS
Microsoft Authenticator | Microsoft Authenticator |
| Enrollment location | App-based enrollment takes place in the Company Portal app, Safari, and device settings app. |Web-based enrollment takes place in Safari and the device settings app.|
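Review bot: The change flips "Just-in-time registration" from ❌ to ✔️ for app-based enrollment with no supporting text or version requirement anywhere in the hunk; a capability flip in a comparison table should point to where the prerequisite (OS version, Authenticator version, profile setting) is documented, otherwise readers cannot tell whether this applies to their tenant. The "Required apps" cell is also split across two lines ("Intune Company Portal app for iOS" / "Microsoft Authenticator | Microsoft Authenticator |"), which will not render as a table row in Markdown; use `<br>` or a comma inside the cell.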
@@ -85,12 +85,14 @@ For more information about how employees and students can access these actions i
## Certificates
This enrollment type supports the Automated Certificate Management Environment (ACME) protocol. When new devices enroll, the management profile from Intune receives an ACME certificate. The ACME protocol provides better protection than the SCEP protocol against unauthorized certificate issuance through robust validation mechanisms and automated processes, which helps reduce errors in certificate management.
-Devices that are already enrolled do not get an ACME certificate on unless they re-enroll into Microsoft Intune. ACME is supported on devices running:
+Devices that are already enrolled do not get an ACME certificate unless they re-enroll into Microsoft Intune. Acme is supported on devices running:
- iOS 16.0 or later
- iPadOS 16.1 or later
+This capability is also supported in [GCC High tenants](../fundamentals/intune-govt-service-description.md).
+
## Known issues and limitations
Intune enrollment with Apple device enrollment has the following known issues and limitations.
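Review bot: The rewritten line introduces "Acme is supported on devices running", which downcases the acronym that the previous sentence and the section heading spell "ACME"; keep "ACME". The new GCC High sentence is fine, but since the paragraph says already-enrolled devices only get an ACME certificate on re-enrollment, it would help to state whether the same applies to GCC High tenants that were enrolled before support arrived.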
diff --git a/memdocs/intune/enrollment/macos-enroll.md b/memdocs/intune/enrollment/macos-enroll.md
index a363bde7593..ae6f85e17a0 100644
--- a/memdocs/intune/enrollment/macos-enroll.md
+++ b/memdocs/intune/enrollment/macos-enroll.md
@@ -90,7 +90,7 @@ You can monitor the escrow status for any enrolled Mac in the admin center. The
2. Go to **Devices** > **By platform** > **macOS**.
3. Select a device from your list of macOS devices.
4. Select **Hardware**.
-5. In your hardware details, scroll down to **Conditional access** > **Bootstrap token escrowed**.
+5. In your hardware details, scroll down to **Conditional Access** > **Bootstrap token escrowed**.
### Manage kernel extensions and software updates
diff --git a/memdocs/intune/enrollment/multi-factor-authentication.md b/memdocs/intune/enrollment/multi-factor-authentication.md
index cc9bad1e8f0..44515169671 100644
--- a/memdocs/intune/enrollment/multi-factor-authentication.md
+++ b/memdocs/intune/enrollment/multi-factor-authentication.md
@@ -8,7 +8,7 @@ keywords:
author: Lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 01/23/2024
+ms.date: 12/11/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: enrollment
@@ -34,41 +34,45 @@ ms.collection:
*Applies to*:
* Android
* iOS/iPadOS
- * macOS
- * Windows 8.1
+ * macOS
* Windows 10
* Windows 11
-You can use Intune together with Microsoft Entra Conditional Access policies to require multifactor authentication (MFA) during device enrollment. If you require MFA, employees and students wanting to enroll devices must first authenticate with a second device and two forms of credentials. MFA requires them to authenticate using two or more of these verification methods:
+You can use Intune together with Microsoft Entra Conditional Access policies to require multifactor authentication (MFA) during device enrollment. If you require MFA, employees and students wanting to enroll devices must first authenticate with a second device and two forms of credentials. MFA requires them to authenticate using two or more of these verification methods:
- Something they know, such as a password or PIN.
- Something they have that can't be duplicated, such as a trusted device or phone.
-- Something they are, such as a fingerprint.
+- Something they are, such as a fingerprint.
+
+If a device isn't compliant, the device user is prompted to make the device compliant before enrolling in Microsoft Intune.
## Prerequisites
To implement this policy, you must assign Microsoft Entra ID P1 or later to users.
## Configure Intune to require multifactor authentication at device enrollment
-Complete these steps to enable multi-factor authentication during Microsoft Intune enrollment.
+Complete these steps to enable multifactor authentication during Microsoft Intune enrollment.
> [!IMPORTANT]
> Don't configure **Device based access rules** for Microsoft Intune enrollment.
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Go to **Devices** > **Conditional Access**. This area is the same as the Conditional Access area available in the Microsoft Entra admin center. For more information about the available settings, see [Building a Conditional Access policy](/entra/identity/conditional-access/concept-conditional-access-policies).
+1. Go to **Devices**.
+1. Expand **Manage devices**, and then select **Conditional Access**. This Conditional Access area is the same as the Conditional Access area available in the Microsoft Entra admin center. For more information about the available settings, see [Building a Conditional Access policy](/entra/identity/conditional-access/concept-conditional-access-policies).
1. Choose **Create new policy**.
1. Name your policy.
1. Select the **Users** category.
1. Under the **Include** tab, choose **Select users or groups**.
2. Additional options appear. Select **Users and groups**. A list of users and groups opens.
- 3. Add the users or groups you're assigning the policy to, and then choose **Select**.
+ 3. Browse and select the Microsoft Entra users or groups you want to include in the policy. Then choose **Select**.
4. To exclude users or groups from the policy, select the **Exclude** tab and add those users or groups like you did in the previous step.
-1. Select the next category, **Target resources**.
- 1. Select the **Include** tab.
- 2. Choose **Select apps** > **Select**.
- 3. Choose **Microsoft Intune Enrollment** > **Select** to add the app. Use the search bar in the app picker to find the app.
+1. Select the next category, **Target resources**. In this step, you select the resources that the policy applies to. In this case, we want the policy to apply to events where users or groups try to access the Microsoft Intune Enrollment app.
+ 1. Under **Select what this policy applies to**, choose **Resources (formerly cloud apps)**.
+ 2. Select the **Include** tab.
+ 3. Choose **Select resources**. Additional options appear.
+ 4. Under **Select**, choose **None**. A list of resources open.
+ 5. Search for **Microsoft Intune Enrollment**. Then choose **Select** to add the app.
For Apple automated device enrollments using Setup Assistant with modern authentication, you have two options to choose from. The following table describes the difference between the *Microsoft Intune* option and *Microsoft Intune Enrollment* option.
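Review bot: The added sentence "If a device isn't compliant, the device user is prompted to make the device compliant before enrolling in Microsoft Intune" needs explanation: a device that has not yet enrolled has no compliance state for Intune to evaluate, so the text should say how the Require-compliant-device grant control in this policy interacts with first-time enrollment (for example, which devices are already registered and evaluated, and what the user is expected to do to remediate). Also, in the Target resources steps, "A list of resources open" should read "opens", and several removed/added pairs in this hunk (the MFA intro sentence, "Something they are, such as a fingerprint.", the macOS bullet) differ only in trailing whitespace; drop those pairs so the substantive changes stand out.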
@@ -80,17 +84,20 @@ Complete these steps to enable multi-factor authentication during Microsoft Intu
> [!NOTE]
> The Microsoft Intune Enrollment cloud app isn't created automatically for new tenants. To add the app for new tenants, a Microsoft Entra administrator must create a service principal object, with app ID d4ebce55-015a-49b5-a083-c84d1797ae8c, in PowerShell or Microsoft Graph.
-1. Select the **Grant** category.
- 1. Select **Require multifactor authentication** and **Require device to be marked as compliant**.
+1. Select the **Grant** category. In this step, you grant or block access to the Microsoft Intune Enrollment app.
+ 1. Choose **Grant access**.
+ 1. Select **Require multifactor authentication**.
+ 1. Select **Require device to be marked as compliant**.
1. Under **For multiple controls**, select **Require all the selected controls**.
1. Choose **Select**.
-1. Select the **Session** category.
- 1. Select **Sign-in frequency** and choose **Every time**.
+1. Select the **Session** category. In this step, you can make use of session controls to enable limited experiences within the Microsoft Intune Enrollment app.
+ 1. Select **Sign-in frequency**. Additional options appear.
+ 1. Choose **Every time**.
1. Choose **Select**.
1. For **Enable policy**, select **On**.
1. Select **Create** to save and create your policy.
-After you apply and deploy this policy, users will see a one-time MFA prompt when they enroll their device.
+After you apply and deploy this policy, device users enrolling their devices see a one-time MFA prompt.
> [!NOTE]
> A second device or a Temporary Access Pass is required to complete the MFA challenge for these types of corporate-owned devices:
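Review bot: The new Session step text, "you can make use of session controls to enable limited experiences within the Microsoft Intune Enrollment app", does not explain why Sign-in frequency is set to Every time, and "limited experiences" is vague. State the security reason: a sign-in frequency of Every time forces a fresh authentication each time the Microsoft Intune Enrollment resource is accessed, so a previously satisfied MFA claim in a cached session cannot be reused to enroll another device. Without that sentence, readers may relax the setting and silently lose the per-enrollment prompt the article promises ("device users enrolling their devices see a one-time MFA prompt").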
diff --git a/memdocs/intune/enrollment/terms-and-conditions-create.md b/memdocs/intune/enrollment/terms-and-conditions-create.md
index de88197377b..505cb3ae88f 100644
--- a/memdocs/intune/enrollment/terms-and-conditions-create.md
+++ b/memdocs/intune/enrollment/terms-and-conditions-create.md
@@ -7,7 +7,7 @@ keywords:
author: Lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 01/22/2024
+ms.date: 01/27/2025
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: enrollment
@@ -37,7 +37,8 @@ This article describes how to get started with terms and conditions in Intune.
Complete these steps to create an Intune terms and conditions policy.
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Go to **Tenant administration** > **Terms and conditions**.
+1. Go to **Tenant administration**.
+1. Expand **End user experiences**, and then select **Terms and conditions**.
1. Choose **Create**.
1. On the **Basics** page, enter the following information:
@@ -49,13 +50,13 @@ Complete these steps to create an Intune terms and conditions policy.
- **Title**: The display name for your terms. Users see the title in the Company Portal app.
- **Terms and conditions**: The terms and conditions that users see and must either accept or reject.
- - **Summary of Terms**: Enter a brief, high-level explanation of what the user is agreeing to. This text is visible to device users.
+ - **Summary of terms**: Enter a brief, high-level explanation of what the user is agreeing to. This text is visible to device users.
Example message: *By enrolling your device, you're agreeing to the terms of use set out by Contoso. Read the terms carefully before proceeding.*
1. Select **Next**.
-1. On the **Select scope tags**, select a scope tag from the list to add it to the terms and conditions, or select the default scope tag. Then select **Next**.
+1. Choose **Select scope tags**, and then select a scope tag from the list to add it to the terms and conditions, or select the default scope tag. Then select **Next**.
1. On the **Assignments** page, choose who you want to assign the terms to. Your options:
- **Add all users**: Choose this option to assign these terms and conditions to all device users.
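Review bot: The rewrite "Choose **Select scope tags**, and then select a scope tag from the list" turns what the original described as a wizard page ("On the **Select scope tags**, select a scope tag...") into a button to click, which looks like it changed the meaning rather than fixed the missing word. If the intent was the page, "On the **Scope tags** page, select a scope tag from the list..." is the fix; please confirm against the admin center UI before merging.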
@@ -86,7 +87,7 @@ An acceptance report provides the details of an individual's agreement to your t
To view and export acceptance reports:
-1. Go to **Tenant administration** > **Terms and conditions**.
+1. Go to **Terms and conditions**.
2. Select your terms from the table.
3. Select **Acceptance Reporting** to view available reports.
4. Select **Export** to save the reports to your device.
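Review bot: Replacing "Go to **Tenant administration** > **Terms and conditions**" with just "Go to **Terms and conditions**" drops the navigation context in a section that readers reach directly from search; since the full path was expanded to three steps earlier in the article, either repeat the path here or link back to the section that gives it.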
@@ -109,9 +110,9 @@ Microsoft Intune provides a version control setting so that you can track versio
To edit terms and conditions:
-1. Select **Tenant administration** > **Terms and conditions**.
+1. Go to **Terms and conditions**.
2. From the table, choose the terms and conditions you want to edit.
-3. Select **Properties** and then next to **Terms**, select **Edit.**
+3. Select **Properties**, and then next to **Terms**, select **Edit.**
4. Adjust the existing content as needed.
5. If you edit the meaning of the terms at all, select the checkbox next to **Require users to re-accept, and increment the version number to *next version*.** In place of *next step*, you'll see the actual version number.
6. Select **Review + save**.
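Review bot: Step 5 of "To edit terms and conditions" is internally inconsistent: the checkbox label is quoted as "...increment the version number to *next version*" but the next sentence says "In place of *next step*, you'll see the actual version number." One of the two placeholders is wrong; since the hunk already touches the adjacent steps, fix it here.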
diff --git a/memdocs/intune/enrollment/web-based-device-enrollment-ios.md b/memdocs/intune/enrollment/web-based-device-enrollment-ios.md
index 442dedd32ed..3cc006d1c52 100644
--- a/memdocs/intune/enrollment/web-based-device-enrollment-ios.md
+++ b/memdocs/intune/enrollment/web-based-device-enrollment-ios.md
@@ -79,7 +79,7 @@ Return to **Enrollment types** to see a list of your enrollment profiles. Intune
## Step 3: Prepare employees for enrollment
When an employee attempts to sign into a work app on their personal device, the app alerts them to the enrollment requirement and redirects them to the Company Portal website for enrollment.
-Alternatively, you can provide employees and students with a URL that opens the Company Portal website. If you aren't utilizing conditional access, it's important to share the enrollment link with device users so that they know how to initiate enrollment. The link to share is:
+Alternatively, you can provide employees and students with a URL that opens the Company Portal website. If you aren't utilizing Conditional Access, it's important to share the enrollment link with device users so that they know how to initiate enrollment. The link to share is:
`https://portal.manage.microsoft.com/enrollment/webenrollment/ios`
diff --git a/memdocs/intune/enrollment/windows-bulk-enroll.md b/memdocs/intune/enrollment/windows-bulk-enroll.md
index ae7609b6284..77e92c24c04 100644
--- a/memdocs/intune/enrollment/windows-bulk-enroll.md
+++ b/memdocs/intune/enrollment/windows-bulk-enroll.md
@@ -129,6 +129,6 @@ You can check for success/failure of the settings in your package in the **Provi
When not using an open network, you must use [device-level certificates](../protect/certificates-configure.md) to initiate connections. Bulk enrolled devices are unable to use to user-targeted certificates for network access.
-### Conditional access
+### Conditional Access
-Conditional access is available for devices enrolled via bulk enrollment running Windows 11 or Windows 10, version 1803 and later.
+Conditional Access is available for devices enrolled via bulk enrollment running Windows 11 or Windows 10, version 1803 and later.
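Review bot: The context line above the heading has a typo that this hunk could fix while it is here: "Bulk enrolled devices are unable to use to user-targeted certificates" should read "unable to use user-targeted certificates". That sentence is the security-relevant one in the section (bulk-enrolled devices have no primary user, so user certificates are never delivered), so it is worth getting right.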
diff --git a/memdocs/intune/enrollment/windows-enrollment-create-cname.md b/memdocs/intune/enrollment/windows-enrollment-create-cname.md
index 4916dce2fd6..b036dec1f51 100644
--- a/memdocs/intune/enrollment/windows-enrollment-create-cname.md
+++ b/memdocs/intune/enrollment/windows-enrollment-create-cname.md
@@ -87,7 +87,7 @@ Alternate redirection methods aren't supported with Intune. For example, you can
## Registration CNAME
-Microsoft Entra ID uses a different CNAME during device registration for iOS/iPadOS, Android, and Windows devices. Intune conditional access requires devices to be registered to Microsoft Entra ID (also called *workplace joined*). If you plan to use conditional access, you should configure the *EnterpriseRegistration* CNAME for each company name you have.
+Microsoft Entra ID uses a different CNAME during device registration for iOS/iPadOS, Android, and Windows devices. Intune Conditional Access requires devices to be registered to Microsoft Entra ID (also called *workplace joined*). If you plan to use Conditional Access, you should configure the *EnterpriseRegistration* CNAME for each company name you have.
| Type | Host name | Points to | TTL |
| --- | --- | --- | --- |
diff --git a/memdocs/intune/fundamentals/android-os-project-supported-devices.md b/memdocs/intune/fundamentals/android-os-project-supported-devices.md
index 0361383d0a3..39da1ac1d9d 100644
--- a/memdocs/intune/fundamentals/android-os-project-supported-devices.md
+++ b/memdocs/intune/fundamentals/android-os-project-supported-devices.md
@@ -57,4 +57,5 @@ Before setting up Microsoft Intune for Android Open Source Project devices, ensu
| Lenovo| ThinkReality VRX | VRX_user_S766001_2310192349_kona | AR/VR Headset | |
| DigiLens Inc.| DigiLens ARGO | DigiOS 2068 (B1.0001.2068) | AR/VR Headset | |
| Vuzix | M400 | M-Series Version 3.0.2 | AR/VR Headset | |
-| Vuzix | M4000 | M-Series Version 3.0.2 | AR/VR Headset | |
\ No newline at end of file
+| Vuzix | M4000 | M-Series Version 3.0.2 | AR/VR Headset | |
+| Meta | Quest 3s | v71 | AR/VR Headset | |
diff --git a/memdocs/intune/fundamentals/azure-virtual-desktop-multi-session.md b/memdocs/intune/fundamentals/azure-virtual-desktop-multi-session.md
index 9c207d54018..a7381ace291 100644
--- a/memdocs/intune/fundamentals/azure-virtual-desktop-multi-session.md
+++ b/memdocs/intune/fundamentals/azure-virtual-desktop-multi-session.md
@@ -45,7 +45,7 @@ Windows 10 or Windows 11 Enterprise multi-session is a new Remote Desktop Sessio
You can manage **Windows 10** and **Windows 11 Enterprise multi-session** VMs created in Azure Government Cloud in US Government Community (GCC), GCC High, and DoD.
> [!IMPORTANT]
-> Microsoft Intune support for Azure Virtual Desktop multi-session is not currently available for Citrix DaaS and VMware Horizon Cloud.
+> Microsoft Intune support for Azure Virtual Desktop multi-session is not currently available for Citrix DaaS and VMware Horizon Cloud. Because Intune cannot offer support for Citrix DaaS, review the Citrix documentation, and be aware of Citrix support options for multi-session support. All questions, concerns or help should be directed to Citrix for multi-session support. See [Citrix support](https://docs.citrix.com/en-us/citrix-daas/install-configure/machine-identities/microsoft-intune ).
## Overview
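Review bot: The Citrix link in the new IMPORTANT text has a trailing space inside the URL (`...machine-identities/microsoft-intune )`), which will render as a broken link in Markdown; remove the space. The added prose also repeats itself ("Because Intune cannot offer support for Citrix DaaS... All questions, concerns or help should be directed to Citrix for multi-session support"); one sentence pointing to Citrix support is enough.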
@@ -139,7 +139,7 @@ Windows 10 or Windows 11 Administrative Templates are supported for Windows 10 o
To list supported Administrative Templates, you'll need to use the filter in Settings catalog.
-## Compliance and Conditional access
+## Compliance and Conditional Access
You can secure your Windows 10 or Windows 11 Enterprise multi-session VMs by configuring compliance policies and Conditional Access policies in the Microsoft Intune admin center. The following compliance policies are supported on Windows 10 or Windows 11 Enterprise multi-session VMs:
@@ -223,7 +223,10 @@ The following Windows 10 or Windows 11 desktop device remote actions aren't supp
## Retirement
-Deleting VMs from Azure will leave orphaned device records in the Microsoft Intune admin center. They'll be automatically cleaned up according to the cleanup rules configured for the tenant.
+Deleting VMs from Azure will leave orphaned device records in the Microsoft Intune admin center. AVD machines are deleted automatically after 30 days and removed permanently after 60 days.
+For more information, see:
+- [Using Intune device cleanup rules](https://techcommunity.microsoft.com/t5/device-management-in-microsoft/using-intune-device-cleanup-rules-updated-version/ba-p/3760854).
+- [Automatically delete devices with cleanup rules](../remote-actions/devices-wipe.md#automatically-delete-devices-with-cleanup-rules)
## Security baselines
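Review bot: The new sentence "AVD machines are deleted automatically after 30 days and removed permanently after 60 days" replaces a statement that cleanup depends on the tenant's configured cleanup rules, yet the two links added right after it point to the configurable cleanup-rules articles. Clarify whether the 30/60-day timing is fixed platform behaviour for AVD records regardless of tenant settings, or the default of the cleanup rules that admins can change; as written, an admin who has disabled or shortened cleanup rules cannot tell which applies.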
diff --git a/memdocs/intune/fundamentals/azure-virtual-desktop.md b/memdocs/intune/fundamentals/azure-virtual-desktop.md
index 052cb73e702..4a453a2f2c0 100644
--- a/memdocs/intune/fundamentals/azure-virtual-desktop.md
+++ b/memdocs/intune/fundamentals/azure-virtual-desktop.md
@@ -51,7 +51,7 @@ For more information on Azure Virtual Desktop licensing requirements, see [What
For information about working with multi-session remote desktops, see [Windows 10 or Windows 11 Enterprise multi-session remote desktops](azure-virtual-desktop-multi-session.md).
-Intune treats Azure Virtual Desktop personal VMs the same as Windows 10 or Windows 11 Enterprise physical desktops. This treatment lets you use some of your existing configurations and secure the VMs with compliance policy and conditional access. Intune management doesn't depend on or interfere with Azure Virtual Desktop management of the same virtual machine.
+Intune treats Azure Virtual Desktop personal VMs the same as Windows 10 or Windows 11 Enterprise physical desktops. This treatment lets you use some of your existing configurations and secure the VMs with compliance policy and Conditional Access. Intune management doesn't depend on or interfere with Azure Virtual Desktop management of the same virtual machine.
## Limitations
diff --git a/memdocs/intune/fundamentals/china-endpoints.md b/memdocs/intune/fundamentals/china-endpoints.md
index 159daec34e6..a3fedfc450b 100644
--- a/memdocs/intune/fundamentals/china-endpoints.md
+++ b/memdocs/intune/fundamentals/china-endpoints.md
@@ -8,7 +8,7 @@ keywords:
author: Smritib17
ms.author: smbhardwaj
manager: dougeby
-ms.date: 03/24/2023
+ms.date: 12/19/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: fundamentals
@@ -49,10 +49,10 @@ The following tables list the ports and services that the Intune client accesses
|**Endpoint**|**IP address**|
|---------------------|-----------|
-|*.manage.microsoftonline.cn | 40.73.38.143
139.217.97.81
52.130.80.24
40.73.41.162
40.73.58.153
139.217.95.85 |
-
+|*.manage.microsoftonline.cn | 40.73.38.143
139.217.97.81
52.130.80.24
40.73.41.162
40.73.58.153
139.217.95.85
143.64.196.128/25
40.162.2.128/25
139.219.250.128/25
163.228.221.128/25
|
## Intune customer designated endpoints in China
+
- Azure portal: https:\//portal.azure.cn/
- Microsoft 365: https:\//portal.partner.microsoftonline.cn/
- Intune Company Portal: https:\//portal.manage.microsoftonline.cn/
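Review bot: The rewritten `*.manage.microsoftonline.cn` row adds four /25 ranges to a list of individual addresses but nothing in the diff says whether the original six addresses are still in use or are being superseded by the ranges; for customers maintaining firewall allow-lists, state that explicitly (and consider whether the remaining single addresses fall inside the new ranges). The multi-line cell will also not render inside a Markdown table; join the addresses with `<br>` on one line.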
@@ -69,6 +69,7 @@ If you're using Intune to deploy PowerShell scripts or Win32 apps, you'll also n
## Partner service endpoints
Intune operated by 21Vianet depends on the following partner service endpoints:
+
- Azure AD Sync service: https:\//syncservice.partner.microsoftonline.cn/DirectoryService.svc
- Evo STS: https:\//login.chinacloudapi.cn/
- Azure AD Graph: https:\//graph.chinacloudapi.us
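Review bot: The context line "Azure AD Graph: https:\//graph.chinacloudapi.us" looks wrong for the 21Vianet cloud, where the other endpoints in this list use the `chinacloudapi.cn` domain; `.us` is the Azure Government suffix. Please verify and correct to `graph.chinacloudapi.cn` if that is the intended endpoint, since this hunk only adds a blank line above it.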
@@ -80,5 +81,6 @@ Intune operated by 21Vianet depends on the following partner service endpoints:
[!INCLUDE [Intune notices](../includes/apple-device-network-information.md)]
## Next steps
+
[Learn more about Intune operated by 21Vianet in China](china.md)
diff --git a/memdocs/intune/fundamentals/china.md b/memdocs/intune/fundamentals/china.md
index d9e6afa6738..b8b3167d0a3 100644
--- a/memdocs/intune/fundamentals/china.md
+++ b/memdocs/intune/fundamentals/china.md
@@ -8,7 +8,7 @@ keywords:
author: Smritib17
ms.author: smbhardwaj
manager: dougeby
-ms.date: 08/21/2024
+ms.date: 11/25/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: fundamentals
@@ -35,7 +35,7 @@ ms.collection:
Intune operated by 21Vianet is designed to meet the needs for secure, reliable, and scalable cloud services in China. Intune as a service is built on top of Microsoft Azure. Microsoft Azure operated by 21Vianet is a physically separated instance of cloud services located in China. It's independently operated and transacted by 21Vianet. This service is powered by technology that Microsoft has licensed to 21Vianet.
-Microsoft doesn't operate the service itself. 21Vianet operates, provides, and manages delivery of the service. 21Vianet is an Internet data center services provider in China. It provides hosting, managed network services, and cloud computing infrastructure services. By licensing Microsoft technologies, 21Vianet operates local datacenters to provide you the ability to use Intune service while keeping your data within China. 21Vianet also provides your subscription, billing, and support services.
+Microsoft doesn't operate the service itself. 21Vianet operates, provides, and manages delivery of the service. 21Vianet is an Internet data center services provider in China. It provides hosting, managed network services, and cloud computing infrastructure services. By licensing Microsoft technologies, 21Vianet operates local datacenters to provide you with the ability to use Intune service while keeping your data within China. 21Vianet also provides your subscription, billing, and support services.
[!INCLUDE [GDPR-related guidance](../includes/gdpr-dsr-and-stp-note.md)]
@@ -46,10 +46,10 @@ Because the China services are operated by a partner from inside China, there ar
- Intune operated by 21Vianet only supports standalone deployments. Customers can use co-management to attach their existing Configuration Manager deployment to the Microsoft Intune cloud.
- Migrations from public clouds to sovereign clouds aren't supported. Customers interested in moving to Intune operated by 21Vianet must migrate manually.
- The tenant attach feature (syncing devices to Intune without enrollment to support cloud console scenarios) isn't currently supported.
-- Derived Credentials are not supported with Intune operated by 21Vianet.
+- Derived Credentials aren't supported with Intune operated by 21Vianet.
- Management of Windows 10 is supported by using the modern MDM channel.
- Intune operated by 21Vianet doesn't support on-premises Exchange Connector.
-- Windows Autopilot and Business Store features aren't currently available.
+- Windows Autopilot and Business Store features aren't currently available. As part of the 2409 Intune service release, we announced support for Windows Autopilot Device Preparation policy in Intune operated by 21Vianet in China cloud. For more information, see [(What's new in Windows Autopilot device preparation | Microsoft Learn](/autopilot/device-preparation/whats-new#windows-autopilot-device-preparation-deployment-status-report-available-in-the-monitor-tab-under-enrollment)
- Intune operated by 21Vianet supports the Company Portal for Windows app. Use WinGet to download the Company portal package and dependencies and then deploy as a Line-of-Business app via Intune. [Use the WinGet tool to install and manage applications](/windows/package-manager/winget/).
- Microsoft Intune Endpoint Analytics and Log Analytics features aren't currently available.
- Because Google Mobile Services isn't available in China, customers in Intune operated by 21Vianet can't use features that require Google Mobile Services. These features include:
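Review bot: The expanded Windows Autopilot bullet now contradicts itself: it opens with "Windows Autopilot and Business Store features aren't currently available" and then announces support for Windows Autopilot device preparation. Rephrase to say which Autopilot capabilities remain unavailable (the Autopilot deployment profiles, presumably) and that device preparation is supported as of the 2409 release. The link markup is also broken: the text `[(What's new in Windows Autopilot device preparation | Microsoft Learn](...)` has a stray `(` and a page-title suffix inside the link text, and the target anchor points at a deployment-status-report heading rather than the China cloud announcement.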
@@ -60,7 +60,7 @@ Because the China services are operated by a partner from inside China, there ar
- To follow local regulations and provide improved functionality, the Intune client experience (Company Portal app) may differ in China.
- Fencing isn't available.
- Mobile Application Management (MAM) availability is conditional on those apps being available in People's Republic of China.
-- Mobile Threat Defense (MTD) connectors for Android and iOS/iPadOS devices are supported for the MTD partners that also support the 21Vianet environment. When you sign in to a 21Vianet tenant, you will see the connectors that are available in that environment.
+- Mobile Threat Defense (MTD) connectors for Android and iOS/iPadOS devices are supported for the MTD partners that also support the 21Vianet environment. When you sign in to a 21Vianet tenant, you can see the connectors that are available in that environment.
- Intune operated by 21Vianet doesn't support Android (AOSP) management for corporate devices.
- Intune operated by 21Vianet doesn't support partner device management integration with Jamf for macOS devices.
diff --git a/memdocs/intune/fundamentals/compliance-in-intune.md b/memdocs/intune/fundamentals/compliance-in-intune.md
new file mode 100644
index 00000000000..692e4b6801c
--- /dev/null
+++ b/memdocs/intune/fundamentals/compliance-in-intune.md
@@ -0,0 +1,101 @@
+---
+title: Compliance in Microsoft Intune
+titleSuffix:
+description: Learn about compliance, dependencies, and features in Microsoft Intune supporting data protection and regulatory requirements.
+keywords:
+author: Erikre
+ms.author: erikre
+manager: dougeby
+ms.date: 12/03/2024
+ms.topic: overview
+ms.service: microsoft-intune
+ms.subservice: fundamentals
+ms.localizationpriority: high
+ms.collection:
+ - tier1
+ - highpri
+ - essentials-compliance
+
+---
+
+# Compliance in Microsoft Intune
+
+Intune supports compliance features to help organizations meet national, regional, and industry-specific regulations. Intune aligns with Microsoft's commitment to data protection, privacy, and compliance by offering tools to help secure and manage data effectively.
+
+## Shared responsibility model
+
+Microsoft ensures that Intune complies with various industry standards and regulatory frameworks. However, customers are responsible for implementing their data protection and compliance strategies to align with their specific organizational requirements.
+
+## Compliance certifications
+
+Intune is covered under several compliance certifications, and regulatory standards. The following table provides a sample of the key certifications that are covered:
+
+| Certification or Standard | Description | Applicability |
+|---------------------------|-------------|---------------|
+| [GDPR](/compliance/regulatory/gdpr) | EU General Data Protection Regulation for data privacy | European Union |
+| [ISO 27001](/compliance/regulatory/offering-iso-27001) | International standard for information security management | Global |
+| [HIPAA](/compliance/regulatory/offering-hipaa-hitech) | U.S. Health Insurance Portability and Accountability Act | United States |
+| [SOC 2 Type 2](/compliance/regulatory/offering-soc-2) | Service Organization Controls for data security | Global |
+
+> [!NOTE]
+> Microsoft Intune helps your organization meet regulatory compliance standards. Intune supports additional certifications, such as [ISO 22301](/compliance/regulatory/offering-iso-22301), [ISO/IEC 27017](/compliance/regulatory/offering-iso-27017), [ISO/IEC 27018](/compliance/regulatory/offering-iso-27018), [ISO/IEC 27701](/compliance/regulatory/offering-iso-27701), [SOC 1 Type 2](/compliance/regulatory/offering-soc-1), [SOC 3](/compliance/regulatory/offering-soc-3), and [WCAG](/compliance/regulatory/offering-wcag-2-1).
+
+For a complete list, see [Microsoft compliance offerings](/compliance/regulatory/offering-home).
+
+## Compliance dependencies
+
+Intune leverages other Microsoft services for compliance, including:
+
+- [Microsoft Purview](/purview/purview): A suite of data governance and compliance tools.
+- [Microsoft Entra ID](/entra/fundamentals/whatis): Identity and access management, formerly known as Azure Active Directory (Azure AD).
+- [Microsoft Purview Compliance Manager](/purview/compliance-manager): Tools for managing compliance across your organization.
+- [Microsoft Defender for Endpoint](../protect/advanced-threat-protection.md): An enterprise endpoint security platform.
+
+## Microsoft Intune capabilities for compliance
+
+Microsoft Intune helps enforce compliance policies and protect organizational data specifically for Intune:
+
+- **Conditional Access**: Ensures only compliant devices and apps managed by Intune can access sensitive data. See [Conditional Access](/mem/intune/protect/conditional-access).
+- **Device Compliance Enforcement**: Enforces device compliance policies to meet organizational security requirements. See [Device Compliance Policies](/mem/intune/protect/device-compliance-get-started).
+
+For more information about Intune compliance capabilities, visit the [Microsoft Intune documentation](/mem/intune).
+
+## Data residency and protection
+
+Intune supports compliance with data residency requirements by supporting Microsoft Cloud's regional and global data storage policies. These policies include:
+
+- **Data location**: Data is stored in Microsoft-managed data centers. For more information, see [Data storage and processing in Intune](../protect/privacy-data-store-process.md).
+- **EU Data Boundary**: Ensures that data belonging to EU customers is stored and processed within the EU. For more information, see [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn) and [Configure Microsoft Tunnel for Intune](../protect/microsoft-tunnel-configure.md).
+- **Encryption**: Data is encrypted at rest and in transit. For more information, see [Access requirements policy mapping from Basic Mobility and Security to Intune](../fundamentals/policy-map-access-requirements.md).
+
+## Compliance features
+
+Intune includes several compliance features that help organizations meet regulatory requirements, manage data lifecycles, and protect sensitive information. These features are designed to ensure your organization can effectively monitor, classify, and safeguard its data while maintaining compliance with industry standards.
+
+### Data lifecycle management
+
+> [!IMPORTANT]
+> Microsoft Intune doesn't use any personal data collected as part of providing the service for profiling, advertising, or marketing purposes.
+
+Intune supports data lifecycle management through retention policies and labels. These features help organizations retain or delete data based on compliance requirements. For more information, see [Privacy and personal data in Intune](../fundamentals/intune-service-servicing-information.md#privacy-and-personal-data-in-intune).
+
+### Auditing and reporting
+
+Microsoft Purview (included in the **Microsoft 365 E5** license) supports auditing and reporting for Intune. IT administrators can monitor data usage and ensure adherence to organizational compliance policies. Features include:
+
+- eDiscovery: Enables organizations to locate data for legal or regulatory needs.
+- Data Retention Policies: Helps organizations manage data lifecycles.
+
+For more information, see the [Protect your sensitive data with Microsoft Purview](/purview/information-protection).
+
+### Privacy controls
+
+Intune includes privacy controls to manage data collection, storage, and sharing:
+
+For details about privacy, see [Privacy and personal data in Intune](../protect/privacy-personal-data.md).
+
+## Related articles
+
+- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
+- [Microsoft Trust Center](https://www.microsoft.com/trust-center)
+- [Microsoft Purview compliance portal](https://compliance.microsoft.com/)
\ No newline at end of file
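Review bot: Several cross-references in the new "Data residency and protection" and "Data lifecycle management" sections point at articles that don't match the bullet they support: the **EU Data Boundary** bullet links to `../protect/microsoft-tunnel-configure.md` (Microsoft Tunnel configuration), the **Encryption** bullet links to `../fundamentals/policy-map-access-requirements.md` (Basic Mobility and Security policy mapping), and the retention paragraph links "Privacy and personal data in Intune" to `intune-service-servicing-information.md#privacy-and-personal-data-in-intune` while the "Privacy controls" section links the same title to `../protect/privacy-personal-data.md`. Please point each at the article that actually covers that topic and use one target for the privacy link. Smaller points in the same file: the "Privacy controls" intro ends in a colon but no list follows, so either add the controls or end the sentence with a period; "several compliance certifications, and regulatory standards" has a stray comma; "see the [Protect your sensitive data ...]" has a stray "the"; "Intune leverages" should be "Intune uses"; and the file is missing a trailing newline (`\ No newline at end of file`).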
diff --git a/memdocs/intune/fundamentals/deployment-guide-enroll.md b/memdocs/intune/fundamentals/deployment-guide-enroll.md
index ef72e3c7235..23487ca7d84 100644
--- a/memdocs/intune/fundamentals/deployment-guide-enroll.md
+++ b/memdocs/intune/fundamentals/deployment-guide-enroll.md
@@ -105,7 +105,7 @@ If you're looking for more control, including where the terms appear, consider c
For more information, see [Terms and conditions for user access](../enrollment/terms-and-conditions-create.md).
### Require multifactor authentication
-Require users to authenticate via multi-factor authentication (MFA) during enrollment. If you require MFA, people wanting to enroll devices must authenticate with a second device and two forms of credentials before they can enroll their device. This is a one-time conditional step, and ensures that the person on the device is who they say they are. You can enable this behavior for all platforms except Linux by using a conditional access policy with an MFA policy. Microsoft Entra ID P1 or P2 is required.
+Require users to authenticate via multi-factor authentication (MFA) during enrollment. If you require MFA, people wanting to enroll devices must authenticate with a second device and two forms of credentials before they can enroll their device. This is a one-time conditional step, and ensures that the person on the device is who they say they are. You can enable this behavior for all platforms except Linux by using a Conditional Access policy with an MFA policy. Microsoft Entra ID P1 or P2 is required.
For more information, see [Require multifactor authentication for Intune device enrollments](../enrollment/multi-factor-authentication.md).
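Review bot: The heading and the link text both use "multifactor authentication", but the edited sentence still says "multi-factor authentication (MFA)"; since this line is already being touched for the Conditional Access casing, align the spelling to "multifactor authentication" in the same change.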
diff --git a/memdocs/intune/fundamentals/deployment-guide-enrollment-ios-ipados.md b/memdocs/intune/fundamentals/deployment-guide-enrollment-ios-ipados.md
index f2f4ec2cd4a..e5ea2229c42 100644
--- a/memdocs/intune/fundamentals/deployment-guide-enrollment-ios-ipados.md
+++ b/memdocs/intune/fundamentals/deployment-guide-enrollment-ios-ipados.md
@@ -385,7 +385,7 @@ This list provides an overview of the tasks required of administrators.
- **Web based device enrollment**: Starting with iOS 15 and newer. This option is just like device enrollment with Company Portal, but enrollment takes place on the web version of Intune Company Portal, eliminating the need for the app. Additionally, this option enables employees and students without managed Apple IDs to enroll devices and access volume-purchased apps.
- - **Determine based on user choice**: Gives end users a choice when they enroll. Depending on their selection, **User enrollment** or **Device enrollment** is used.
+ - **Determine based on user choice**: Gives end users a choice when they enroll. Depending on their selection, **Account driven user enrollment** or **Device enrollment** is used.
- **Account driven user enrollment**: Starting with iOS 13 and newer. This option configures a specific set of features and organization apps, like password, per-app VPN, Wi-Fi, and Siri. If you use this method, and to help secure apps and their data, then we recommend also using app protection policies.
diff --git a/memdocs/intune/fundamentals/deployment-guide-enrollment-linux.md b/memdocs/intune/fundamentals/deployment-guide-enrollment-linux.md
index 9084fe3d7ae..1f99dc1646f 100644
--- a/memdocs/intune/fundamentals/deployment-guide-enrollment-linux.md
+++ b/memdocs/intune/fundamentals/deployment-guide-enrollment-linux.md
@@ -7,7 +7,7 @@ keywords:
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 04/23/2024
+ms.date: 01/09/2025
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: enrollment
@@ -18,7 +18,7 @@ ms.localizationpriority: high
#ROBOTS:
#audience:
#ms.devlang:
-ms.reviewer: ilwu
+ms.reviewer: arnab
ms.suite: ems
search.appverid: MET150
#ms.tgt_pltfrm:
@@ -48,7 +48,7 @@ Use for personal/BYOD and organization-owned devices running Linux.
---
| Feature | Use this enrollment option when |
| --- | --- |
-| You use Ubuntu Desktop (20.04 or 22.04 LTS on x86/64). | ✅ |
+| You use Ubuntu Desktop (24.04, 22.04, or 20.04 LTS on x86/64). | ✅ |
| You use Ubuntu Server. | ❌ |
| You use RedHat Enterprise Linux 8 or 9. |✅ |
| Devices are owned by the organization or school. | ✅ |
diff --git a/memdocs/intune/fundamentals/deployment-guide-enrollment-macos.md b/memdocs/intune/fundamentals/deployment-guide-enrollment-macos.md
index 45cbe84fbbc..bed921c0dc4 100644
--- a/memdocs/intune/fundamentals/deployment-guide-enrollment-macos.md
+++ b/memdocs/intune/fundamentals/deployment-guide-enrollment-macos.md
@@ -149,14 +149,14 @@ This task list provides an overview. For more specific information, go to [Autom
- You want to use multifactor authentication (MFA).
- You want to prompt users to update their expired password when they first sign in.
- You want to prompt users to reset their expired passwords during enrollment.
- - You want devices registered in Microsoft Entra ID. When they're registered, you can use features available with Microsoft Entra ID, such as conditional access.
+ - You want devices registered in Microsoft Entra ID. When they're registered, you can use features available with Microsoft Entra ID, such as Conditional Access.
> [!NOTE]
> During the Setup Assistant, users must enter their organization Microsoft Entra credentials (`user@contoso.com`). When they enter their credentials, the enrollment starts. If you want, users can also enter their Apple ID to access Apple specific features, such as Apple Pay.
>
> After the Setup Assistant completes, users can use the device. When the home screen shows, the enrollment is complete, and user affinity is established. The device isn't fully registered with Microsoft Entra ID, and doesn't show in a user's device list in Microsoft Entra ID.
>
- > If users need access to resources protected by conditional access or should be fully registered with Microsoft Entra ID, then [install the Company Portal app](../apps/apps-company-portal-macos.md). After it's installed, users open the Company Portal app, and sign in with their organization Microsoft Entra account (`user@contoso.com`). During this second login, any conditional access policies are evaluated, and Microsoft Entra registration is complete. Users can install and use organizational resources, including LOB apps.
+ > If users need access to resources protected by Conditional Access or should be fully registered with Microsoft Entra ID, then [install the Company Portal app](../apps/apps-company-portal-macos.md). After it's installed, users open the Company Portal app, and sign in with their organization Microsoft Entra account (`user@contoso.com`). During this second login, any Conditional Access policies are evaluated, and Microsoft Entra registration is complete. Users can install and use organizational resources, including LOB apps.
- In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apple Configurator** enrollment and create an enrollment profile. Choose to **Enroll with user affinity** (associate a user to the device), or **Enroll without user affinity** (user-less devices or shared devices).
diff --git a/memdocs/intune/fundamentals/deployment-guide-platform-linux.md b/memdocs/intune/fundamentals/deployment-guide-platform-linux.md
index e1001eff858..cb18146dbeb 100644
--- a/memdocs/intune/fundamentals/deployment-guide-platform-linux.md
+++ b/memdocs/intune/fundamentals/deployment-guide-platform-linux.md
@@ -7,7 +7,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 07/22/2024
+ms.date: 11/04/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: fundamentals
@@ -35,14 +35,14 @@ This guide describes everything you need to do to protect and manage Linux apps
* Prepare your tenant for device enrollment.
* Create Linux device compliance policies.
* Add custom compliance settings.
-* Enforce conditional access policies in Microsoft Edge.
+* Enforce Conditional Access policies in Microsoft Edge.
* Support employees and students enrolling their desktops.
-For each section in this guide, review the associated tasks. Some tasks are required and some, like setting up conditional access, are optional. Select the provided links in each section to go to our recommended help docs on Microsoft Learn, where you can find more detailed information and how-to instructions.
+For each section in this guide, review the associated tasks. Some tasks are required and some, like setting up Conditional Access, are optional. Select the provided links in each section to go to our recommended help docs on Microsoft Learn, where you can find more detailed information and how-to instructions.
## Step 1: Prerequisites
- Microsoft Intune, Microsoft Entra ID, and Microsoft Edge power the feature and capabilities for Linux desktop management. Microsoft Intune powers the device management and compliance capabilities. Microsoft Entra ID powers conditional access, which is used alongside Microsoft Intune compliance policies. Microsoft Edge is the web browser app used to provide protected access to Microsoft 365 web apps.
+ Microsoft Intune, Microsoft Entra ID, and Microsoft Edge power the feature and capabilities for Linux desktop management. Microsoft Intune powers the device management and compliance capabilities. Microsoft Entra ID powers Conditional Access, which is used alongside Microsoft Intune compliance policies. Microsoft Edge is the web browser app used to provide protected access to Microsoft 365 web apps.
Complete the following prerequisites as an Intune administrator to enable your tenant's endpoint management capabilities:
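Review bot: The edited sentence keeps "power the feature and capabilities for Linux desktop management", which reads as a typo for "features and capabilities", and the line carries a leading space that the surrounding paragraphs don't have; fix both while the line is being changed.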
@@ -71,17 +71,17 @@ You can enforce device compliance policies based on Linux distribution type, ver
| [Create a device compliance policy](../protect/create-compliance-policy.md)|Get step-by-step guidance on how to create and assign a device compliance policy for Linux devices. |
| [Add custom compliance settings](../protect/compliance-use-custom-settings.md) | With custom compliance settings, you can write your own Bash scripts to address compliance scenarios not yet included in the device compliance options built into Microsoft Intune. This article describes how to create, monitor, and troubleshoot custom compliance policies for Linux devices. Custom compliance settings require you to [create a custom script](../protect/compliance-custom-script.md) that identifies the settings and value pairs.|
| [Add actions for noncompliance](../protect/actions-for-noncompliance.md) |Choose what happens when devices no longer meet the conditions of your compliance policy. Examples of actions include sending alerts, remotely locking devices, or retiring devices. You can add actions for noncompliance when you configure a device compliance policy, or later by editing the policy. |
-| Create [a device-based](../protect/create-conditional-access-intune.md) or [app-based](../protect/app-based-conditional-access-intune-create.md) conditional access policy| Set up a conditional access policy to protect and grant access to Microsoft 365 web apps in the Microsoft Edge browser for Linux. Conditional access blocks noncompliant devices from accessing protected work apps in Edge, and grants access to compliant devices. You must have a device compliance policy for conditional access to work with Linux devices. |
+| Create [a device-based](../protect/create-conditional-access-intune.md) or [app-based](../protect/app-based-conditional-access-intune-create.md) Conditional Access policy| Set up a Conditional Access policy to protect and grant access to Microsoft 365 web apps in the Microsoft Edge browser for Linux. Conditional Access blocks noncompliant devices from accessing protected work apps in Edge, and grants access to compliant devices. You must have a device compliance policy for Conditional Access to work with Linux devices. |
## Step 4: Enroll devices
Enrollment is supported on Linux desktops running:
-* Ubuntu LTS, version 22.04 or 20.04.
+* Ubuntu LTS, version 24.04, 22.04 or 20.04.
* RedHat Enterprise Linux 8
* RedHat Enterprise Linux 9
-Employees assigned Intune licenses can enroll their personal Linux devices into Microsoft Intune whenever they want. During enrollment, their device is registered with Microsoft Entra ID and evaluated for compliance. If you've applied a conditional access policy to Edge, users will be prompted to enroll their devices before they can access Microsoft 365 web apps with their work account.
+Employees assigned Intune licenses can enroll their personal Linux devices into Microsoft Intune whenever they want. During enrollment, their device is registered with Microsoft Entra ID and evaluated for compliance. If you've applied a Conditional Access policy to Edge, users will be prompted to enroll their devices before they can access Microsoft 365 web apps with their work account.
As an Intune administrator, you don't need to do anything to enable enrollment for employees, other than what's described under [Prerequisites](deployment-guide-platform-linux.md#step-1-prerequisites). However, it's important to provide them with help resources in case they need guidance during enrollment.
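Review bot: The version list at `+* Ubuntu LTS, version 24.04, 22.04 or 20.04.` drops the serial comma used elsewhere in these docs, and its wording differs from the enrollment guide updated in this same change (`You use Ubuntu Desktop (24.04, 22.04, or 20.04 LTS on x86/64).`), which also states the architecture. Consider `Ubuntu LTS, version 24.04, 22.04, or 20.04 (x86/64)` or otherwise matching the two lists so they don't drift apart on the next version bump.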
@@ -93,7 +93,7 @@ As an Intune administrator, you don't need to do anything to enable enrollment f
|[Install Microsoft Intune app for Linux](../user-help/microsoft-intune-app-linux.md)| Employees must install the Microsoft Intune app on their personal device for enrollment. This article describes how to install, update, and remove the Microsoft Intune app for Linux in the Terminal app. |
|[Install Microsoft Edge web browser)](https://www.microsoft.com/edge)| To access protected websites and files, employees must have Microsoft Edge web browser, version 102.*X* or later. After they enroll their device, employees can sign into Microsoft Edge with their work account and access websites and files. |
|[Enroll Linux device in Intune](../user-help/enroll-device-linux.md)| This article is for device users and describes how to enroll a device with the Microsoft Intune app, and includes system requirements, prerequisites, and next steps. During this step, Microsoft Intune registers the device with Microsoft Entra ID and creates a device record in Intune. After registration is complete, device compliance checks begin. |
-|[Check device status and resolve compliance issues](../user-help/check-status-linux.md)| This article is for device users and describes how to resolve compliance issues in the Microsoft Intune app. Compliance checks happen during enrollment and thereafter when the device checks in with Intune. The Intune app notifies employees when they have a noncompliant setting on their device. Intune determines compliance and actions for noncompliance by using your device compliance and conditional access policies. |
+|[Check device status and resolve compliance issues](../user-help/check-status-linux.md)| This article is for device users and describes how to resolve compliance issues in the Microsoft Intune app. Compliance checks happen during enrollment and thereafter when the device checks in with Intune. The Intune app notifies employees when they have a noncompliant setting on their device. Intune determines compliance and actions for noncompliance by using your device compliance and Conditional Access policies. |
## Next steps
diff --git a/memdocs/intune/fundamentals/deployment-guide-platform-windows.md b/memdocs/intune/fundamentals/deployment-guide-platform-windows.md
index a5c2b973cf4..cd62749c294 100644
--- a/memdocs/intune/fundamentals/deployment-guide-platform-windows.md
+++ b/memdocs/intune/fundamentals/deployment-guide-platform-windows.md
@@ -64,7 +64,7 @@ You can use Microsoft Entra Conditional Access policies in conjunction with devi
| ---- | ------ |
| [Create a compliance policy](../protect/create-compliance-policy.md)|Get step-by-step guidance on how to create and assign a compliance policy to user and device groups. |
| [Add actions for noncompliance](../protect/actions-for-noncompliance.md) |Choose what happens when devices no longer meet the conditions of your compliance policy. Examples of actions include sending alerts, remotely locking devices, or retiring devices. You can add actions for noncompliance when you configure a device compliance policy, or later by editing the policy. |
-| Create [a device-based](../protect/create-conditional-access-intune.md) or [app-based](../protect/app-based-conditional-access-intune-create.md) conditional access policy| Select the apps or services you want to protect and define the conditions for access. |
+| Create [a device-based](../protect/create-conditional-access-intune.md) or [app-based](../protect/app-based-conditional-access-intune-create.md) Conditional Access policy| Select the apps or services you want to protect and define the conditions for access. |
|[Block access to apps that don't use modern authentication](../protect/app-modern-authentication-block.md) | Create an app-based Conditional Access policy to block apps that use authentication methods other than OAuth2; for example, those apps that use basic and form-based authentication. Before you block access, however, sign in to Microsoft Entra ID and review the [authentication methods activity report](/azure/active-directory/authentication/howto-authentication-methods-activity) to see if users are using basic authentication to access essential things you forgot about or are unaware of. For example, things like meeting room calendar kiosks use basic authentication. |
| [Add custom compliance settings](../protect/compliance-use-custom-settings.md) | With custom compliance settings, you can write your own Bash scripts to address compliance scenarios not yet included in the device compliance options built into Microsoft Intune. This article describes how to create, monitor, and troubleshoot custom compliance policies for Windows devices. Custom compliance settings require you to [create a custom script](../protect/compliance-custom-json.md) that identifies the settings and value pairs.|
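Review bot: Not introduced by this change, but the unchanged "Add custom compliance settings" row two lines below the edited one says you "write your own Bash scripts" for Windows devices while linking to `compliance-custom-json.md`; the sentence is identical to the Linux guide's row earlier in this diff (which links `compliance-custom-script.md`), so it looks copied and should be corrected to the script type Windows custom compliance actually supports. Worth fixing while this table is open.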
diff --git a/memdocs/intune/fundamentals/deployment-plan-compliance-policies.md b/memdocs/intune/fundamentals/deployment-plan-compliance-policies.md
index b486c540b5e..dd6cee60baf 100644
--- a/memdocs/intune/fundamentals/deployment-plan-compliance-policies.md
+++ b/memdocs/intune/fundamentals/deployment-plan-compliance-policies.md
@@ -40,14 +40,14 @@ ms.collection:
### Defender for Endpoint
-### Conditional access ?
+### Conditional Access ?
-->
# Step 3 – Plan for compliance policies
Previously, you set up your Intune subscription and created app protection policies. Next, plan for and configure device compliance settings and policies to help protect organizational data by requiring devices to meet requirements that you set.
-:::image type="content" source="./media/deployment-plan-compliance-policies/deployment-plan-compliance-conditional-access.png" alt-text="Diagram that shows getting started with Microsoft Intune with step 3, which is creating compliance and conditional access policies.":::
+:::image type="content" source="./media/deployment-plan-compliance-policies/deployment-plan-compliance-conditional-access.png" alt-text="Diagram that shows getting started with Microsoft Intune with step 3, which is creating compliance and Conditional Access policies.":::
If you’re not yet familiar with compliance policies, see [Compliance overview](../protect/device-compliance-get-started.md).
@@ -198,7 +198,7 @@ With robust device compliance policies in place, you can then implement more adv
- Integrating device compliance status with *Conditional Access* to help gate which devices are allowed to access email, other cloud services, or on-premises resources.
-- Including compliance data from *third-party compliance partners*. With such a configuration, compliance data from those devices can be used with your [conditional access policies](../protect/device-compliance-get-started.md#integrate-with-conditional-access).
+- Including compliance data from *third-party compliance partners*. With such a configuration, compliance data from those devices can be used with your [Conditional Access policies](../protect/device-compliance-get-started.md#integrate-with-conditional-access).
- Expanding on built-in device compliance policies by defining custom compliance settings that aren't available natively through the Intune compliance policy UI.
diff --git a/memdocs/intune/fundamentals/deployment-plan-protect-apps.md b/memdocs/intune/fundamentals/deployment-plan-protect-apps.md
index 73427bba58d..043334a5e3a 100644
--- a/memdocs/intune/fundamentals/deployment-plan-protect-apps.md
+++ b/memdocs/intune/fundamentals/deployment-plan-protect-apps.md
@@ -187,7 +187,7 @@ For more information about app configuration, go to the following topics:
The Outlook for iOS and Android app is designed to enable users in your organization to do more from their mobile devices, by bringing together email, calendar, contacts, and other files.
-The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft Intune and Microsoft Entra ID P1 or P2 features, such as conditional access. At a minimum, you will want to deploy a conditional access policy that allows connectivity to Outlook for iOS and Android from mobile devices and an Intune app protection policy that ensures the collaboration experience is protected.
+The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft Intune and Microsoft Entra ID P1 or P2 features, such as Conditional Access. At a minimum, you will want to deploy a Conditional Access policy that allows connectivity to Outlook for iOS and Android from mobile devices and an Intune app protection policy that ensures the collaboration experience is protected.
For more information about configuring Microsoft Outlook, go to the following topic:
diff --git a/memdocs/intune/fundamentals/filters-device-properties.md b/memdocs/intune/fundamentals/filters-device-properties.md
index 23deca8fafb..ff45ddbc769 100644
--- a/memdocs/intune/fundamentals/filters-device-properties.md
+++ b/memdocs/intune/fundamentals/filters-device-properties.md
@@ -7,7 +7,7 @@ keywords:
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 08/21/2024
+ms.date: 11/14/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: fundamentals
@@ -374,13 +374,17 @@ You can use the following app properties in your managed app filter rules:
- `(app.deviceModel -eq "Surface Duo")`
- `(app.deviceModel -in ["Surface Duo", "Surface Duo 2"])`
- `(app.deviceModel -startsWith "Surface Duo")`
+ - `(app.deviceModel -startsWith "RealityDevice")`
This property applies to:
- Android
- - iOS/iPadOS
+ - iOS/iPadOS/visionOS
- Windows
+ > [!NOTE]
+ > The `app.deviceModel -startsWith "RealityDevice"` property is in preview and is only supported on the Microsoft Teams app. If your app protection policy is targeted to the iOS/iPadOS platform, it will also apply to visionOS. However, when targeting specific conditional launch settings to visionOS, such as "Min/Max OS version" or "Min app version", you can use the app property `app.deviceModel -startsWith "RealityDevice"` in your managed app filter rules.
+
- **`operatingSystemVersion` (Operating System Version)**: Create a filter rule based on the Intune device operating system (OS) version. Enter a version value (using `-eq`, `-ne`, `-gt`, `-ge`, `-lt`, `-le` operators).
Examples:
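Review bot: In the new note, `app.deviceModel -startsWith "RealityDevice"` is called a "property", but the property is `app.deviceModel` and the quoted text is a filter rule; say "filter rule" so it isn't confused with the `deviceModel` property documented directly above. The sentence starting "However, when targeting specific conditional launch settings to visionOS" also doesn't contrast with the one before it; "To target conditional launch settings ... only to visionOS, use ..." reads more clearly. Minor: the new example line gives no hint that `RealityDevice` is the visionOS match, so a reader scanning the examples before the note won't know why it's there; a short trailing comment or placing the note before the examples would help.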
diff --git a/memdocs/intune/fundamentals/filters-performance-recommendations.md b/memdocs/intune/fundamentals/filters-performance-recommendations.md
index ac621616ac3..85ad1746335 100644
--- a/memdocs/intune/fundamentals/filters-performance-recommendations.md
+++ b/memdocs/intune/fundamentals/filters-performance-recommendations.md
@@ -7,7 +7,7 @@ keywords:
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 07/22/2024
+ms.date: 12/11/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: fundamentals
@@ -89,6 +89,8 @@ These recommendations focus on improving performance and reducing latency in wor
Larger groups take longer to sync membership updates between Microsoft Entra ID and Intune. The **All users** and **All devices** are usually the largest groups you have. If you assign Intune workloads to large Microsoft Entra groups that have many users or devices, then synchronization backlogs can happen in your Intune environment. This backlog impacts policy and app deployments, which take longer to reach managed devices.
+The update from Microsoft Entra to Intune typically happens within 5 minutes. It's not instant. This time can affect enrollment assignments. Admins should enroll devices after several minutes, not immediately after adding the enrolling users to a group.
+
The built-in **All users** and **All devices** groups are Intune-only grouping objects that don't exist in Microsoft Entra ID. There isn't a continuous sync between Microsoft Entra ID and Intune. So, group membership is instant.
> [!NOTE]
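Review bot: The new paragraph's "typically happens within 5 minutes" sits right after a paragraph saying large groups take longer to sync and can cause backlogs, and right before one saying built-in group membership is instant, so it's unclear which groups the 5-minute figure applies to; state that it's the typical latency for Microsoft Entra group membership changes reaching Intune and that large groups can exceed it. "This time can affect enrollment assignments" is also vague: name the assignments meant, and turn the last sentence into the actionable form, for example "After adding users to a group, wait several minutes before enrolling their devices so the assignment has synced."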
diff --git a/memdocs/intune/fundamentals/filters-reports-troubleshoot.md b/memdocs/intune/fundamentals/filters-reports-troubleshoot.md
index 33adbeb7714..e69d84362a8 100644
--- a/memdocs/intune/fundamentals/filters-reports-troubleshoot.md
+++ b/memdocs/intune/fundamentals/filters-reports-troubleshoot.md
@@ -7,7 +7,7 @@ keywords:
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 12/05/2023
+ms.date: 11/20/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: fundamentals
@@ -17,7 +17,7 @@ ms.localizationpriority: high
#ROBOTS:
#audience:
#ms.devlang:
-ms.reviewer: gokarthi
+ms.reviewer: gokarthi, abalwan
ms.suite: ems
search.appverid: MET150
#ms.tgt_pltfrm:
@@ -101,6 +101,7 @@ In the following example, you can see this information for the **Microsoft Word*
> - In the **Device install status** report, apps deployed as "Available" aren't shown. To troubleshoot if a user/device is filtered in or out of an Available assignment, use the **Filter evaluation report for devices**. To generate filter evaluation results, the end user must go to the list of apps in the Company portal app or website.
> - When assigning a policy, you can add devices to the "Excluded groups". These excluded devices aren't shown in the workload device status reports.
> - In the **Apps** and **Settings Catalog** device status reports, there's a column that shows any filter evaluation. Currently, the filter evaluation information isn't available for all Intune workloads.
+> - If you use the `operatingSystemVersion` filter for available apps on any Android, AOSP, or iOS platforms the evaluation result is inconclusive. This behavior is a known issue and will be fixed in a future release. No ETA.
## Reports for managed apps
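Review bot: The new bullet needs a comma after "platforms" ("...on any Android, AOSP, or iOS platforms, the evaluation result is inconclusive"), and "iOS" should be "iOS/iPadOS" to match the rest of these docs. "No ETA." as a standalone fragment reads like an internal note; fold it into the previous sentence ("...will be fixed in a future release; there's no ETA.") or drop it. If there is a workaround for admins in the meantime, state it here; if not, say so explicitly so readers don't go looking.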
diff --git a/memdocs/intune/fundamentals/get-started-with-intune.md b/memdocs/intune/fundamentals/get-started-with-intune.md
index 5cfa06bac1c..92f66fe2403 100644
--- a/memdocs/intune/fundamentals/get-started-with-intune.md
+++ b/memdocs/intune/fundamentals/get-started-with-intune.md
@@ -39,7 +39,7 @@ Microsoft Intune is a cloud-based service that helps you manage your devices and
This article provides an overview of the steps to start your Intune deployment.
-:::image type="content" source="./media/get-started-with-intune/get-started-overview.png" alt-text="Diagram that shows the different steps to get started with Microsoft Intune, including set up, adding apps, using compliance & conditional access, configuring device features, and then enrolling devices to be managed.":::
+:::image type="content" source="./media/get-started-with-intune/get-started-overview.png" alt-text="Diagram that shows the different steps to get started with Microsoft Intune, including set up, adding apps, using compliance & Conditional Access, configuring device features, and then enrolling devices to be managed.":::
> [!TIP]
> As a companion to this article, the Microsoft 365 admin center also has some setup guidance. The guide customizes your experience based on your environment. To access this deployment guide, go to the [Microsoft Intune setup guide in the Microsoft 365 admin center](https://go.microsoft.com/fwlink/?linkid=2224812), and sign in with the **Global Reader** (at a minimum). For more information on these deployment guides and the roles needed, go to [Advanced deployment guides for Microsoft 365 and Office 365 products](/microsoft-365/enterprise/setup-guides-for-microsoft-365).
diff --git a/memdocs/intune/fundamentals/groups-add.md b/memdocs/intune/fundamentals/groups-add.md
index b745cac0a4d..aff95a6f320 100644
--- a/memdocs/intune/fundamentals/groups-add.md
+++ b/memdocs/intune/fundamentals/groups-add.md
@@ -8,7 +8,7 @@ keywords:
author: Smritib17
ms.author: smbhardwaj
manager: dougeby
-ms.date: 10/18/2023
+ms.date: 01/14/2025
ms.topic: how-to
#customer intent: As an IT admin, I want to add groups, so that users and devices are organized.
ms.service: microsoft-intune
@@ -40,7 +40,7 @@ Intune uses Microsoft Entra groups to manage devices and users. As an Intune adm
You can add the following types of groups:
-- **Assigned groups** - Manually add users or devices into a static group.
+- **Assigned groups** - Manually add users or devices into a static group.
- **Dynamic groups** (Requires Microsoft Entra ID P1 or P2) - Automatically add users or devices to user groups or device groups based on an expression you create.
For example, when a user is added with the manager title, the user is automatically added to an **All managers** users group. Or, when a device has the iOS/iPadOS device OS type, the device is automatically added to an **All iOS/iPadOS devices** devices group.
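Review bot: the removed and added **Assigned groups** lines are textually identical, so this hunk is a whitespace-only change (most likely trailing spaces). That is fine to land, but it is worth confirming the editor did not strip intentional trailing double spaces used as Markdown line breaks; the same applies to the **All users**/**All devices** line in the later hunk of this file.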
@@ -98,6 +98,29 @@ Consider some of the other dynamic user and device groups you can create, such a
- Human Resources
- All Charlotte employees
+## Edit a group
+
+As an Intune admin, you can edit groups, such as changing the group members, owner, and properties.
+
+Use the following steps to edit an existing group:
+
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+2. Select **Groups** > **All groups** > *select the name of a group to edit*.
+3. Under the **Manage** menu group, select an area of the group to edit, such as **Properties**, **Members**, or **Owners**.
+
+When you add new members, you can choose from **Users**, **Groups**, **Devices**, and **Enterprise applications**.
+
+## Delete a group
+
+As an Intune admin, you can delete groups that are no longer needed.
+
+Use the following steps to delete an existing group:
+
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+2. Select **Groups** > **All groups** > *select the name of a group to delete* > **Delete**.
+
+To view a list of recently deleted groups, select **Groups** > **Deleted groups**. Note that after deleting a group, the deleted groups list may may take time to update.
+
## Device groups
You can create **device groups** when you need to run administrative tasks based on the device identity, not the user identity. They're useful for managing devices that don't have dedicated users, such as kiosk devices, devices shared by shift workers, or devices assigned to a specific location.
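Review bot: doubled word in the new "Delete a group" section: "the deleted groups list may may take time to update" should read "may take time to update". Two smaller points in the same region: step 2 of "Edit a group" and "Delete a group" mix bold UI labels with italic instructions inside one breadcrumb ("**All groups** > *select the name of a group to edit*"), which renders inconsistently with the rest of this article, and the "Delete a group" steps never mention the confirmation prompt or that deletion removes the group's policy and app assignments, which is the consequence an admin needs to know before clicking **Delete**.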
@@ -111,7 +134,7 @@ You can also use [device categories](../enrollment/device-group-mapping.md) to a
## Intune All users and All devices groups
-When assigning policies and apps in the Intune admin center, you can choose to assign to **All users** or **All devices** groups, which are automatically created by Intune.
+When assigning policies and apps in the Intune admin center, you can choose to assign to **All users** or **All devices** groups, which are automatically created by Intune.
The **All devices** group targets all devices that are enrolled into management. The **All users** group is a simple way to target all users that are assigned an Intune license. These groups are considered "virtual" because you don't create them or view them in Microsoft Entra ID. They're convenient to use because they're already in your tenant, and they're a faster targeting unit than Microsoft Entra groups.
@@ -123,7 +146,7 @@ When assigning policies and applications to large groups, such as **All users**
For more guidance on using Filters, go to:
- [Use filters when assigning your apps, policies, and profiles in Microsoft Intune](filters.md)
-- [Performance recommendations for Grouping, Targeting and Filtering in large Microsoft Intune environments](filters-performance-recommendations.md)
+- [Performance recommendations for Grouping, Targeting, and Filtering in large Microsoft Intune environments](filters-performance-recommendations.md)
## See also
diff --git a/memdocs/intune/fundamentals/guided-scenarios-office-mobile.md b/memdocs/intune/fundamentals/guided-scenarios-office-mobile.md
index d7cc3df9326..0f76f1f27fe 100644
--- a/memdocs/intune/fundamentals/guided-scenarios-office-mobile.md
+++ b/memdocs/intune/fundamentals/guided-scenarios-office-mobile.md
@@ -50,13 +50,13 @@ You can use App protection policies to prevent users from saving work files in u
- Data relocation policies like **Save copies of org data**, and **Restrict cut, copy, and paste**.
- Access policy settings to require simple PIN for access, and block managed apps from running on jailbroken or rooted devices.
-App-based conditional access and client app management add a security layer by making sure only client apps that support Intune app protection policies can access Exchange online and other Microsoft 365 services.
+App-based Conditional Access and client app management add a security layer by making sure only client apps that support Intune app protection policies can access Exchange online and other Microsoft 365 services.
You can block the built-in mail apps on iOS/iPadOS and Android when you allow only the Microsoft Outlook app to access Exchange Online. Additionally, you can block apps that don't have Intune app protection policies applied from accessing SharePoint Online.
-In this example, the admin has applied app protection policies to the Outlook app followed by a conditional access rule that adds the Outlook app to an approved list of apps that can be used when accessing corporate e-mail.
+In this example, the admin has applied app protection policies to the Outlook app followed by a Conditional Access rule that adds the Outlook app to an approved list of apps that can be used when accessing corporate e-mail.
-![Outlook app conditional access process flow](./media/guided-scenarios-office-mobile/guided-scenarios-office-mobile-02.png)
+![Outlook app Conditional Access process flow](./media/guided-scenarios-office-mobile/guided-scenarios-office-mobile-02.png)
## Prerequisites
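Review bot: the capitalization fix for "Conditional Access" is applied, but the same modified line still has "Exchange online" while the very next context line uses "Exchange Online"; suggest "can access Exchange Online and other Microsoft 365 services" so the product name is consistent within the paragraph.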
@@ -120,7 +120,7 @@ The following settings are applied when using the **Enhanced data protection** s
In this step, you can choose the user groups that you want to include to ensure that they have access to your corporate data. App protection is assigned to users, and not devices, so your corporate data will be secure regardless of the device used and its enrollment status.
-Users without app protection policies and conditional access settings assigned will be able to save data from their corporate profile to personal apps and nonmanaged local storage on their mobile devices. They could also connect to corporate data services, such as Microsoft Exchange, with personal apps.
+Users without app protection policies and Conditional Access settings assigned will be able to save data from their corporate profile to personal apps and nonmanaged local storage on their mobile devices. They could also connect to corporate data services, such as Microsoft Exchange, with personal apps.
## Step 6 - Review + create
@@ -131,4 +131,4 @@ The final step allows you to review a summary of the settings you configured. On
## Next steps
-- Enhance the security of work files by assigning users an App-based conditional access policy to protect cloud services from sending work files to unprotected apps. For more information, see [Set up app-based Conditional Access policies with Intune](../protect/app-based-conditional-access-intune-create.md).
+- Enhance the security of work files by assigning users an App-based Conditional Access policy to protect cloud services from sending work files to unprotected apps. For more information, see [Set up app-based Conditional Access policies with Intune](../protect/app-based-conditional-access-intune-create.md).
diff --git a/memdocs/intune/fundamentals/in-development.md b/memdocs/intune/fundamentals/in-development.md
index 4e975e33bbc..a695a91edba 100644
--- a/memdocs/intune/fundamentals/in-development.md
+++ b/memdocs/intune/fundamentals/in-development.md
@@ -7,11 +7,11 @@ keywords:
author: dougeby
ms.author: dougeby
manager: dougeby
-ms.date: 10/29/2024
+ms.date: 01/03/2025
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: fundamentals
-
+
# optional metadata
#audience:
@@ -61,6 +61,14 @@ You can use RSS to be notified when this article is updated. For more informatio
## Microsoft Intune Suite
+### Endpoint Privilege Manager support for Arm64
+
+You'll soon be able to use [Endpoint Protection Manager](/mem/intune/protect/epm-overview) (EPM) file elevations on devices that run on Arm64 architecture.
+
+Applies to:
+
+- Windows
+
### Use Copilot with Endpoint Privilege Manager to help identify potential elevation risks
We’re adding support for Copilot to help you investigate Endpoint Privilege Manager (EPM) elevation details. Copilot will help you evaluate information from you EPM elevation requests to identify potential indicators of compromise by using information from [Microsoft Defender](/defender-endpoint/microsoft-defender-endpoint).
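Review bot: product name mismatch in the new Arm64 section: the heading says "Endpoint Privilege Manager" but the body links to "[Endpoint Protection Manager](/mem/intune/protect/epm-overview) (EPM)". The feature is Endpoint Privilege Management (the `epm-overview` target), so the body text should be corrected and the heading aligned to the same name. While here, the existing context line below has "from you EPM elevation requests", which should be "from your EPM elevation requests".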
@@ -77,13 +85,30 @@ EPM is available as an [Intune Suite add-on-capability](../fundamentals/intune-a
## App management
-### Additional reporting details for LOB apps on AOSP devices
+### Apple VPP using new API v2.0
-Additional details will be provided for app installation reporting of Line of Business (LOB) apps on Android Open Source Project (AOSP) devices. You will be able to see error codes and detailed error messages for LOB apps. For information about app status details, see [Monitor app information and assignments with Microsoft Intune](../apps/apps-monitor.md).
+Apple recently updated how apps and books are managed through the Apple volume purchase program (VPP). Apple has updated their related API to version 2.0 and deprecated version 1.0. To support the Apple updates, Microsoft Intune will soon use the new API, which is faster and more scalable than the previous version.
Applies to:
-- Android Open Source Project (AOSP) devices
+- iOS/iPadOS
+- macOS
+
+
+### Update to Apps workload experience in Intune
+
+The Apps workload in Intune will be updated to provide a more consistent UI and improved navigation structure so you can find the information you need faster. To find the **App** workload in Intune, navigate to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Apps**.
+
+
+### Add Enterprise App Catalog apps to ESP blocking apps list
+
+Enterprise App Catalog apps will be supported with Windows Autopilot. Microsoft Intune Enterprise App Management enables IT admins to easily manage applications from the Enterprise App Catalog. Using Windows Autopilot, you'll be able to select blocking apps from the Enterprise App Catalog in the Enrollment Status Page (ESP) and the Device Preparation Page (DPP) profiles. This allows you to update apps more easily without needing to update those profiles with the latest versions.
+
+For related information, see [Set up the Enrollment Status Page](../enrollment/windows-enrollment-status.md), [Overview of Windows Autopilot device preparation](/autopilot/device-preparation/overview), and [Add an Enterprise App Catalog app to Microsoft Intune](../apps/apps-add-enterprise-app.md).
+
+Applies to:
+
+- Windows
### Added protection for iOS/iPadOS app widgets
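Review bot: two consecutive blank lines are introduced before "### Update to Apps workload experience in Intune" and again before "### Add Enterprise App Catalog apps to ESP blocking apps list"; the rest of the file uses a single blank line between sections. Also, the Apps workload section refers to "the **App** workload" in its last sentence but "The Apps workload" in the first; the admin center node is **Apps**, so use "Apps workload" in both places.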
@@ -97,99 +122,124 @@ Applies to:
## Device configuration
-### Device Firmware Configuration Interface (DFCI) support for Samsung devices
+### Android settings in the Settings Catalog
-We're adding support to use DFCI profiles to manage UEFI (BIOS) settings for Samsung devices that run Windows 10 or Windows 11. Not all Samsung devices running Windows are enabled for DFCI. Contact your device vendor or device manufacturer for eligible devices.
+The settings catalog will soon support Android Enterprise and AOSP.
-You can manage DFCI profiles from within the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) by going to **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **Windows 10 and later** for platform > **Templates** > **Device Firmware Configuration Interface** for profile type. For more information about DFCI profiles, see:
+Currently, to configure Android settings, you use the built-in templates. The settings from these templates are also available in the settings catalog. More settings will continue to be added.
-- [Configure Device Firmware Configuration Interface (DFCI) profiles on Windows devices in Microsoft Intune](../configuration/device-firmware-configuration-interface-windows.md)
-- [Device Firmware Configuration Interface (DFCI) management with Windows Autopilot](../../autopilot/dfci-management.md)
+In the Intune admin center, when you create a device configuration profile, you select the **Profile Type** (**Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > select your **Platform** > **Profile Type**). All the profile types are moved to **Profile Type** > **Templates**.
+
+This change:
+
+- Will be a UI change with no impact on your existing policies. Your existing policies won't changing. You will still be able to create, edit, and assign these policies the same way.
+- Will be the same UI experience as iOS/iPadOS, macOS, and Windows templates.
+
+To get started with settings catalog, go to [Use the settings catalog to configure settings on your devices](../configuration/settings-catalog.md).
Applies to:
-- Windows
+- Android Enterprise
+- AOSP
-### New settings for Windows 24H2 in the Windows settings catalog
-The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. You can view these Windows settings in the Microsoft Intune admin center by going to **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **Windows 10 and later for platform** > **Settings catalog** for profile type.
+### The Settings Catalog lists all the settings you can configure in a device policy
-We're working on the addition of new settings for Window 24H2.
+The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.
+
+There will soon be new settings in the Settings Catalog to *Configure Multiple Display Mode* for Windows 24H2. To see available settings, in the Microsoft Intune admin center, go to **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **Windows 10 and later for platform** > **Settings catalog** for profile type.
+
+The **Configure Multiple Display Mode** setting allows monitors to extend or clone the display by default, facilitating the need for manual setup. It streamlines the multi-monitor configuration process, ensuring a consistent and user-friendly experience.
Applies to:
-- Windows
+- Windows
-### New settings available in the Apple settings catalog
+### Low privileged account for Intune Connector for Active Directory for Hybrid join Autopilot flows
-The [Settings Catalog](../configuration/settings-catalog.md) lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see [Create a policy using settings catalog](../configuration/settings-catalog.md).
+We're updating the Intune Connector for Active Directory to use a low privileged account to increase the security of your environment. The old connector will no longer be available for download but will continue to work until deprecation.
-We're adding new settings to the Settings Catalog. To view available settings, in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **iOS/iPadOS** or **macOS** for platform > **Settings catalog** for profile type.
+For more information, see [Deploy Microsoft Entra hybrid joined devices by using Intune and Windows Autopilot](../../autopilot/windows-autopilot-hybrid.md).
-#### iOS/iPadOS
+
-**Restrictions**:
+
-- Allow Apps To Be Hidden
-- Allow Apps To Be Locked
-- Allow Call Recording
-- Allow Mail Summary
-- Allow RCS Messaging
+
-##### macOS
+## Device management
-**Declarative Device Management (DDM) > Math Settings**:
+### Remote actions with multiple administrative approval (MAA)
-- Calculator
- - Input Mode - RPN
+Intune *access policies* help protect against a compromised administrative account by requiring that a second administrative account is used to approve a change before the change is applied. This capability is known as multiple administrative approval (MAA). The remote actions **Retire**, **Wipe** and **Delete** will support MAA. Onboarding Remote device actions to MAA, will help mitigate the risk of unauthorized or compromised remote actions being taken on device(s) by a single administrative account thereby enhancing the overall security posture of the environment.
-**Restrictions**:
+For more information on multiple administrative approval, see [Use multiple administrative approvals in Intune](../fundamentals/multi-admin-approval.md).
-- Allow Mail Summary
-- Allow Media Sharing Modification
+### Remote Help supports Azure Virtual Desktop muti-session
-The following settings have been deprecated by Apple and will be marked as deprecated in the Settings Catalog:
+Currently, Remote Help supports Azure Virtual Desktop (AVD) sessions with one user on one virtual machine (VM). Going forward, Remote Help will enable support for multi-session AVD with several users on a single virtual machine.
-#### macOS
+For more information, see:
-**Security > Firewall**:
+- [Remote Help](../fundamentals/remote-help.md)
+- [Using Azure Virtual Desktop multi-session with Microsoft Intune](../fundamentals/azure-virtual-desktop-multi-session.md)
-- Enable Logging
-- Logging Option
+### Introducing platform level targeting of Device Cleanup rule
-
+We're adding a feature that will allow a customer to:
+
+- Configure one device cleanup rule per platform (Windows, iOS/macOS,iPadOS, Android, Linux)
+- Configure a different RBAC permission and assign the permission to different RBAC roles
+
+Platform level targeting of the Device Cleanup rule will help administrators to remove stale and inactive devices from their tenant based on the active days rule specified by the admin. Scoped and targeted Device cleanup rules add an intermediate stage where an admin will be able to target removing stale devices by having a rule configured at the platform or OS level.
+
+For more information, see [device cleanup rules](../remote-actions/devices-wipe.md#automatically-delete-devices-with-cleanup-rules).
-
+### Copilot assistant for device query
+
+You'll soon be able to use Copilot to generate a KQL query to help you get data from across multiple devices in Intune. This capability will be available in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) by selecting **Devices** > **Device query** > **Query with Copilot**.
-## Device management
+## Device security
-### Store macOS certificates in user keychain
+### Updated security baseline for Microsoft Edge v128
+
+We’re working on an update to add an Intune security baseline for Microsoft Edge v128. This update will bring support for recent settings so you can continue to maintain best-practice configurations for Microsoft Edge.
-Soon you'll have the option to store macOS certificates in the user keychain. Currently, Microsoft Intune automatically stores user and device certificates in the *device* keychain. The enhancement will strengthen system security, and will improve the user experience by reducing certificate prompts.
+For information about security baselines with Intune, see [Use security baselines to configure Windows devices in Intune](../protect/security-baselines.md).
Applies to:
-- macOS
+- Windows
-### Device Inventory for Windows
+### Updated security baseline for Windows version 24H2
-Device inventory lets you collect and view additional hardware properties from your managed devices to help you better understand the state of your devices and make business decisions.
+We're working on an update to add an Intune security baseline for **Windows version 24H2**. The new baseline version will use the unified settings platform seen in the Settings Catalog, which features an improved user interface and reporting experience, consistency and accuracy improvements with setting tattooing, and the new ability to support assignment filters for profiles.
-You'll soon be able to choose what you want to collect from your devices, using the catalog of properties and then view the collected properties in the Resource Explorer view.
+Use of [Intune security baselines](../protect/security-baselines.md) can help you maintain best-practice configurations for your Windows devices and can help you rapidly deploy configurations to your Windows devices that meet the security recommendations of the applicable security teams at Microsoft.
-Applies to:
+As with all baselines, the default baseline will represent the recommended configurations for each setting, which you can modify to meet the requirements of your organization.
-- Windows (Corporate owned devices managed by Intune)
+Applies to:
-
+- Windows
-## Device security
+### Security baselines for HoloLens 2 in public preview
+
+We’re working to release a public preview of two security baselines for HoloLens 2. These baselines represent Microsoft’s best practice guidelines and experience from deploying and supporting HoloLens 2 devices to customers across various industries. The baselines include:
+
+- **Standard Security Baseline for HoloLens 2**:
+ The standard security baseline for HoloLens 2 represents the recommendations for configuring security settings that are applicable to all types of customers irrespective of HoloLens 2 use case scenarios.
+
+- **Advanced Security Baseline for HoloLens 2**:
+ The advanced security baseline for HoloLens 2 represents the recommendations for configuring security settings for the customers who have strict security controls of their environment and require stringent security policies to be applied to any device used in their environment.
+
+To learn more about security baselines with Intune, see [Use security baselines to configure Windows devices in Intune](../protect/security-baselines.md).
### Linux support for Endpoint detection and response exclusion settings
-We are adding a new Endpoint Security template under Endpoint detection and response (EDR) for the Linux platform, that will be supported through the [Microsoft Defender for Endpoint security settings management](../protect/mde-security-integration.md) scenario.
+We're adding a new Endpoint Security template under Endpoint detection and response (EDR) for the Linux platform, that will be supported through the [Microsoft Defender for Endpoint security settings management](../protect/mde-security-integration.md) scenario.
The template will support settings related to global exclusion settings. Applicable to antivirus and EDR engines on the client, the settings can configure exclusions to stop associated real time protection EDR alerts for the excluded items. Exclusions can be defined by the file path, folder, or process explicitly defined by the admin in the policy.
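Review bot: several wording defects in the added text of this hunk. "Your existing policies won't changing." should be "Your existing policies won't change."; the heading "Remote Help supports Azure Virtual Desktop muti-session" is missing the "l" in "multi-session"; the platform list "(Windows, iOS/macOS,iPadOS, Android, Linux)" has a missing space and groups macOS with iOS rather than iOS with iPadOS, so it should probably read "(Windows, iOS/iPadOS, macOS, Android, Linux)"; and "facilitating the need for manual setup" says the opposite of what the Multiple Display Mode setting does, which is to remove the need for manual setup. Finally, "Onboarding Remote device actions to MAA, will help mitigate" has a stray comma after "MAA".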
@@ -203,7 +253,6 @@ We're updating the [Microsoft Tunnel readiness tool](../protect/microsoft-tunnel
For more information on *auditd* and how to install it on your Microsoft Tunnel server, see [Linux system auditing](../protect/microsoft-tunnel-prerequisites.md#linux-system-auditing).
-
### Support for Intune Device control policy for devices managed by Microsoft Defender for Endpoint
You'll be able to use the endpoint security policy for *Device control* (Attack surface reduction policy) from the Microsoft Intune with the devices you manage through the [Microsoft Defender for Endpoint security settings management](../protect/mde-security-integration.md) capability.
@@ -229,19 +278,6 @@ When this change takes effect, devices that are assigned this policy while manag
## Monitor and troubleshoot
-### New device actions for single device query
-
-We're adding the Intune remote device actions to Single device query to help you manage your devices remotely. From the device query interface, you'll be able to run device actions based on query results for faster and more efficient troubleshooting.
-
-Applies to:
-
-- Windows
-
-For more information, see:
-
-- [Device query in Microsoft Intune](../../analytics/device-query.md)
-- [Run remote actions on devices with Microsoft Intune](../remote-actions/device-management.md)
-
### Device Query for Multiple Devices
We're adding Device query for multiple devices. This feature allows you to gain comprehensive insights about your entire fleet of devices using Kusto Query Language (KQL) to query across collected inventory data for your devices.
@@ -252,16 +288,6 @@ Applies to:
- Windows
-### ICCID will be inventoried for Android Enterprise Dedicated and Fully Managed
-
-We're adding the ability to view a device's ICCID number for devices enrolled as Android Enterprise Dedicated or Android Fully Managed. Admins can view ICCID numbers in their device inventory.
-
-When available, you can find the ICCID number for Android devices by navigating to **Devices** > **Android**. Select a device of interest. In the side panel, under **Monitor** select **Hardware**. The ICCID number will be in the **Network details** group. The ICCID number isn't supported for Android Corporate-Owned Work Profile devices.
-
-Applies to:
-
-- Android
-
diff --git a/memdocs/intune/fundamentals/intune-endpoints.md b/memdocs/intune/fundamentals/intune-endpoints.md
index 60f00240b75..a6a780125e2 100644
--- a/memdocs/intune/fundamentals/intune-endpoints.md
+++ b/memdocs/intune/fundamentals/intune-endpoints.md
@@ -8,7 +8,7 @@ keywords:
author: Smritib17
ms.author: smbhardwaj
manager: dougeby
-ms.date: 09/24/2024
+ms.date: 01/09/2025
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: fundamentals
@@ -19,7 +19,7 @@ ms.localizationpriority: high
#ROBOTS:
#audience:
-ms.reviewer: srink
+ms.reviewer: davidra
ms.suite: ems
search.appverid: MET150
#ms.tgt_pltfrm:
@@ -97,7 +97,7 @@ The data columns shown in the tables are:
ID |Desc |Category |ER |Addresses |Ports
-- |---------------------------------------------------------------- |---------------------|--- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------|
-163 | Intune client and host service| Allow
Required | False | `*.manage.microsoft.com`
`manage.microsoft.com`
`EnterpriseEnrollment.manage.microsoft.com`
`104.46.162.96/27, 13.67.13.176/28, 13.67.15.128/27, 13.69.231.128/28, 13.69.67.224/28, 13.70.78.128/28, 13.70.79.128/27, 13.71.199.64/28, 13.73.244.48/28, 13.74.111.192/27, 13.77.53.176/28, 13.86.221.176/28,13.89.174.240/28, 13.89.175.192/28, 20.189.229.0/25, 20.191.167.0/25, 20.37.153.0/24, 20.37.192.128/25, 20.38.81.0/24, 20.41.1.0/24, 20.42.1.0/24, 20.42.130.0/24, 20.42.224.128/25, 20.43.129.0/24, 20.44.19.224/27, 20.49.93.160/27, 40.119.8.128/25, 40.67.121.224/27, 40.70.151.32/28, 40.71.14.96/28, 40.74.25.0/24, 40.78.245.240/28, 40.78.247.128/27, 40.79.197.64/27, 40.79.197.96/28, 40.80.180.208/28, 40.80.180.224/27, 40.80.184.128/25, 40.82.248.224/28, 40.82.249.128/25, 52.150.137.0/25, 52.162.111.96/28, 52.168.116.128/27, 52.182.141.192/27, 52.236.189.96/27, 52.240.244.160/27, 20.204.193.12/30, 20.204.193.10/31, 20.192.174.216/29, 20.192.159.40/29` | **TCP:** 80, 443|
+163 | Intune client and host service| Allow
Required | False | `*.manage.microsoft.com`
`manage.microsoft.com`
`EnterpriseEnrollment.manage.microsoft.com`
`104.46.162.96/27, 13.67.13.176/28, 13.67.15.128/27, 13.69.231.128/28, 13.69.67.224/28, 13.70.78.128/28, 13.70.79.128/27, 13.74.111.192/27, 13.77.53.176/28, 13.86.221.176/28,13.89.174.240/28, 13.89.175.192/28, 20.189.229.0/25, 20.191.167.0/25, 20.37.153.0/24, 20.37.192.128/25, 20.38.81.0/24, 20.41.1.0/24, 20.42.1.0/24, 20.42.130.0/24, 20.42.224.128/25, 20.43.129.0/24, 20.44.19.224/27, 40.119.8.128/25, 40.67.121.224/27, 40.70.151.32/28, 40.71.14.96/28, 40.74.25.0/24, 40.78.245.240/28, 40.78.247.128/27, 40.79.197.64/27, 40.79.197.96/28, 40.80.180.208/28, 40.80.180.224/27, 40.80.184.128/25, 40.82.248.224/28, 40.82.249.128/25, 52.150.137.0/25, 52.162.111.96/28, 52.168.116.128/27, 52.182.141.192/27, 52.236.189.96/27, 52.240.244.160/27, 20.204.193.12/30, 20.204.193.10/31, 20.192.174.216/29, 20.192.159.40/29, 104.208.197.64/27, 172.160.217.160/27, 172.201.237.160/27, 172.202.86.192/27, 172.205.63.0/25, 172.212.214.0/25, 172.215.131.0/27, 20.168.189.128/27, 20.199.207.192/28, 20.204.194.128/31, 20.208.149.192/27, 20.208.157.128/27, 20.214.131.176/29, 20.43.129.0/24, 20.91.147.72/29, 4.145.74.224/27, 4.150.254.64/27, 4.154.145.224/27, 4.200.254.32/27, 4.207.244.0/27, 4.213.25.64/27, 4.213.86.128/25, 4.216.205.32/27, 4.237.143.128/25, 40.84.70.128/25, 48.218.252.128/25, 57.151.0.192/27, 57.153.235.0/25, 57.154.140.128/25, 57.154.195.0/25, 57.155.45.128/25, 68.218.134.96/27, 74.224.214.64/27, 74.242.35.0/25, 172.208.170.0/25, 74.241.231.0/25, 74.242.184.128/25` | **TCP:** 80, 443|
172 | MDM Delivery Optimization | Default
Required | False | `*.do.dsp.mp.microsoft.com`
`*.dl.delivery.mp.microsoft.com`
| **TCP:** 80, 443|
170 | MEM - Win32Apps| Default
Required | False | `swda01-mscdn.manage.microsoft.com`
`swda02-mscdn.manage.microsoft.com`
`swdb01-mscdn.manage.microsoft.com`
`swdb02-mscdn.manage.microsoft.com`
`swdc01-mscdn.manage.microsoft.com`
`swdc02-mscdn.manage.microsoft.com`
`swdd01-mscdn.manage.microsoft.com`
`swdd02-mscdn.manage.microsoft.com`
`swdin01-mscdn.manage.microsoft.com`
`swdin02-mscdn.manage.microsoft.com` | **TCP:** 443|
97 | Consumer Outlook.com, OneDrive, Device authentication and Microsoft account | Default
Required | False | `account.live.com`
`login.live.com`
|**TCP:** 443 |
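Review bot: the updated address list for ID 163 contains `20.43.129.0/24` twice (once in the original portion of the list and again in the appended ranges after `20.214.131.176/29`); drop the duplicate so customers who script firewall rules from this table do not get a redundant entry. The change also silently removes `13.71.199.64/28`, `13.73.244.48/28`, and `20.49.93.160/27`; since organizations maintain egress allow-lists from this table, removals should be called out explicitly (for example in the article's change note) so admins know those ranges can be retired. The pre-existing missing space in `13.86.221.176/28,13.89.174.240/28` could be fixed in the same edit.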
@@ -113,7 +113,7 @@ ID |Desc |Category |ER |Addresses |Ports|
165 | Autopilot - NTP Sync | Default
Required | False | `time.windows.com` |**UDP:** 123|
169 | Autopilot - WNS Dependencies| Default
Required | False | `clientconfig.passport.net`
`windowsphone.com`
`*.s-microsoft.com`
`c.s-microsoft.com` | **TCP:** 443 |
173 | Autopilot - Third party deployment dependencies| Default
Required | False | `ekop.intel.com`
`ekcert.spserv.microsoft.com`
`ftpm.amd.com`
| **TCP:** 443|
-182 | Autopilot - Diagnostics upload| Default
Required | False | `lgmsapeweu.blob.core.windows.net`
| **TCP:** 443|
+182 | Autopilot - Diagnostics upload | Default
Required | False | `lgmsapeweu.blob.core.windows.net`
`lgmsapewus2.blob.core.windows.net`
`lgmsapesea.blob.core.windows.net`
`lgmsapeaus.blob.core.windows.net`
`lgmsapeind.blob.core.windows.net`
| **TCP:** 443|
### Remote Help
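Review bot: row 182 now lists five region-specific storage accounts (`lgmsapeweu`, `lgmsapewus2`, `lgmsapesea`, `lgmsapeaus`, `lgmsapeind`) but the Desc cell doesn't say whether a device uploads only to the account matching its tenant region or may use any of them, so readers will either allow all five or fall back to a `*.blob.core.windows.net` wildcard that opens far more than diagnostics upload. State the selection rule (or that all five must be allowed) in the Desc cell and keep the explicit hostnames rather than a wildcard.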
@@ -153,10 +153,9 @@ For Intune-managed Windows devices managed using Mobile Device Management (MDM),
| --- | ---- | -------- | ----- | --------- | ----- |
| 172 | MDM - Delivery Optimization Dependencies | Default
Required | False | `*.do.dsp.mp.microsoft.com`
`*.dl.delivery.mp.microsoft.com`
| **TCP:** 80, 443 |
-**Port requirements** - For peer-to-peer traffic, Delivery Optimization uses 7680 for TCP/IP. It uses Teredo on port 3544 for NAT traversal (use of Teredo is optional)
-For client-service communication, it uses HTTP or HTTPS over port 80/443.
+**Port requirements** - For client-service communication, it uses HTTP or HTTPS over port 80/443. Optionally, for peer-to-peer traffic, Delivery Optimization uses 7680 for TCP/IP and Teredo on port 3544 for NAT traversal. For more information, see [Delivery Optimization documentation](/windows/deployment/do/)
-**Proxy requirements** - To use Delivery Optimization, you must allow Byte Range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting).
+**Proxy requirements** - To use Delivery Optimization, you must allow Byte Range requests. For more information, see [Proxy requirements for Delivery Optimization](/windows/deployment/do/waas-delivery-optimization-faq#what-are-the-requirements-if-i-use-a-proxy).
**Firewall requirements** - Allow the following hostnames through your firewall to support Delivery Optimization. For communication between clients and the Delivery Optimization cloud service:
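Review bot: the rewritten **Port requirements** line now marks all peer-to-peer traffic as optional, whereas the removed text only called Teredo optional; if the intent is that TCP 7680 is only needed when a peer-to-peer download mode is in use, say that explicitly rather than relying on "Optionally" at the front of the sentence. The same line gives the transport for 7680 (`7680 for TCP/IP`) but none for 3544, and it ends without a period after the `/windows/deployment/do/` link.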
@@ -170,9 +169,10 @@ For Delivery Optimization metadata:
| ID | Desc | Category | ER | Addresses | Ports |
| --- | ---- | -------- | ----- | --------- | ----- |
-| 178 | MEM - Apple Dependencies | Default
Required | False | `itunes.apple.com`
`*.itunes.apple.com`
`*.mzstatic.com`
`*.phobos.apple.com`
`phobos.itunes-apple.com.akadns.net`
`5-courier.push.apple.com`
`phobos.apple.com`
`ocsp.apple.com`
`ax.itunes.apple.com`
`ax.itunes.apple.com.edgesuite.net`
`s.mzstatic.com`
`a1165.phobos.apple.com`
|**TCP:** 80, 443, 5223|
+| 178 | MEM - Apple Dependencies | Default
Required | False | `itunes.apple.com`
`*.itunes.apple.com`
`*.mzstatic.com`
`*.phobos.apple.com`
`phobos.itunes-apple.com.akadns.net`
`*.push.apple.com`
`phobos.apple.com`
`ocsp.apple.com`
`ax.itunes.apple.com`
`ax.itunes.apple.com.edgesuite.net`
`s.mzstatic.com`
`a1165.phobos.apple.com`
|**TCP:** 80, 443, 5223|
For more information, see the following resources:
+
- [Use Apple products on enterprise networks](https://support.apple.com/HT210060)
- [TCP and UDP ports used by Apple software products](https://support.apple.com/HT202944)
- [About macOS, iOS/iPadOS, and iTunes server host connections and iTunes background processes](https://support.apple.com/HT201999)
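Review bot: replacing `5-courier.push.apple.com` with `*.push.apple.com` widens the rule from one courier host to the whole APNs courier pool, which is the right fix for a service that rotates courier hostnames, but the ports cell for this row (`**TCP:** 80, 443, 5223`) now applies 5223 to the iTunes and CDN hostnames (`*.mzstatic.com`, `ax.itunes.apple.com`, ...) as well. Consider splitting the push hostname into its own row with TCP 5223 (and 443 as the fallback) so firewall teams don't open 5223 to content hosts that never use it.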
@@ -185,7 +185,7 @@ For more information, see the following resources:
| 179 | MEM - Android AOSP Dependency | Default
Required | False | `intunecdnpeasd.azureedge.net`
| **TCP:** 443 |
> [!NOTE]
-> Because Google Mobile Services isn't available in China, devices in China managed by Intune can't use features that require Google Mobile Services. These features include: Google Play Protect capabilities such as SafetyNet device attestation, Managing apps from the Google Play Store,
+> Because Google Mobile Services isn't available in China, devices in China managed by Intune can't use features that require Google Mobile Services. These features include: Google Play Protect capabilities such as Play Integrity Verdict, Managing apps from the Google Play Store,
Android Enterprise capabilities (see this [Google documentation](https://support.google.com/work/android/answer/6270910)). Additionally, the Intune Company Portal app for Android uses Google Mobile Services to communicate with the Microsoft Intune service. Because Google Play services isn't available in China, some tasks can require up to 8 hours to finish. For more information, see [Limitations of Intune management when GMS is unavailable](../apps/manage-without-gms.md#limitations-of-intune-management-when-gms-is-unavailable).
**Android port information** - Depending on how you choose to manage Android devices, you may need to open the Google Android Enterprise ports and/or the Android push notification. For more information on Android management methods supported, see the [Android enrollment documentation](deployment-guide-enrollment-android.md).
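Review bot: "Play Integrity Verdict" isn't the product name; Google's API is Play Integrity (the verdict is its response), so "Play Integrity API" or simply "Play Integrity" reads better as the replacement for SafetyNet. The same note also alternates between "Google Mobile Services" (changed line) and "Google Play services" (the unchanged continuation line); pick one term, or write "Google Mobile Services (GMS)" once and use GMS afterwards.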
@@ -288,23 +288,35 @@ The following tables list the ports and services that the Intune client accesses
|Domains |IP address |
|-----------|----------------|
| login.microsoftonline.com
*.officeconfig.msocdn.com
config.office.com
graph.windows.net
enterpriseregistration.windows.net | More information [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) |
-|*.manage.microsoft.com
manage.microsoft.com
|104.46.162.96/27
13.67.13.176/28
13.67.15.128/27
13.69.231.128/28
13.69.67.224/28
13.70.78.128/28
13.70.79.128/27
13.71.199.64/28
13.73.244.48/28
13.74.111.192/27
13.77.53.176/28
13.86.221.176/28
13.89.174.240/28
13.89.175.192/28
20.189.172.160/27
20.189.229.0/25
20.191.167.0/25
20.37.153.0/24
20.37.192.128/25
20.38.81.0/24
20.41.1.0/24
20.42.1.0/24
20.42.130.0/24
20.42.224.128/25
20.43.129.0/24
20.44.19.224/27
20.49.93.160/27
20.192.174.216/29
20.192.159.40/29
20.204.193.12/30
20.204.193.10/31
40.119.8.128/25
40.67.121.224/27
40.70.151.32/28
40.71.14.96/28
40.74.25.0/24
40.78.245.240/28
40.78.247.128/27
40.79.197.64/27
40.79.197.96/28
40.80.180.208/28
40.80.180.224/27
40.80.184.128/25
40.82.248.224/28
40.82.249.128/25
52.150.137.0/25
52.162.111.96/28
52.168.116.128/27
52.182.141.192/27
52.236.189.96/27
52.240.244.160/27|
+|*.manage.microsoft.com
manage.microsoft.com
|104.46.162.96/27
13.67.13.176/28
13.67.15.128/27
13.69.231.128/28
13.69.67.224/28
13.70.78.128/28
13.70.79.128/27
13.74.111.192/27
13.77.53.176/28
13.86.221.176/28
13.89.174.240/28
13.89.175.192/28
20.189.172.160/27
20.189.229.0/25
20.191.167.0/25
20.37.153.0/24
20.37.192.128/25
20.38.81.0/24
20.41.1.0/24
20.42.1.0/24
20.42.130.0/24
20.42.224.128/25
20.43.129.0/24
20.44.19.224/27
20.192.174.216/29
20.192.159.40/29
20.204.193.12/30
20.204.193.10/31
40.119.8.128/25
40.67.121.224/27
40.70.151.32/28
40.71.14.96/28
40.74.25.0/24
40.78.245.240/28
40.78.247.128/27
40.79.197.64/27
40.79.197.96/28
40.80.180.208/28
40.80.180.224/27
40.80.184.128/25
40.82.248.224/28
40.82.249.128/25
52.150.137.0/25
52.162.111.96/28
52.168.116.128/27
52.182.141.192/27
52.236.189.96/27
52.240.244.160/27|
-->
## Network requirements for PowerShell scripts and Win32 apps
-If you're using Intune to deploy PowerShell scripts or Win32 apps, you also need to grant access to endpoints in which your tenant currently resides.
+If you are using Intune for scenarios that use the Intune management extension, like deploying [Win32 apps](../apps/apps-win32-app-management.md), [Powershell scripts](../apps/intune-management-extension.md), [Remediations](../fundamentals/remediations.md), [Endpoint analytics](../../analytics/overview.md), [Custom compliance policies](../protect/compliance-use-custom-settings.md) or [BIOS configuration profiles](../configuration/bios-configuration.md), you also need to grant access to endpoints in which your tenant currently resides.
-To find your tenant location (or Azure Scale Unit (ASU), sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Tenant administration** > **Tenant details**. The location is under **Tenant location** as something like North America 0501 or Europe 0202. Look for the matching number in the following table. That row tells you which storage name and CDN endpoints to grant access to. The rows are differentiated by geographic region, as indicated by the first two letters in the names (na = North America, eu = Europe, ap = Asia Pacific). Your tenant location is one of these three regions although your organization's actual geographic location might be elsewhere.
+Different endpoints are used depending on your tenant location. To find your tenant location, sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Tenant administration** > **Tenant details** > **Tenant location** with a value of *North America 0501* or similar. Using the region in the location (North America in *North America 0501*), review the table below for the CDN endpoints and ports required:
> [!NOTE]
> **Allow HTTP Partial response** is required for Scripts & Win32 Apps endpoints.
-|Azure Scale Unit (ASU) | Storage name | CDN | Port |
-| --- | --- |--- | --- |
-|AMSUA0601
AMSUA0602
AMSUA0101
AMSUA0102
AMSUA0201
AMSUA0202
AMSUA0401
AMSUA0402
AMSUA0501
AMSUA0502
AMSUA0601
AMSUA0701
AMSUA0702
AMSUA0801
AMSUA0901 | naprodimedatapri
naprodimedatasec
naprodimedatahotfix | naprodimedatapri.azureedge.net
naprodimedatasec.azureedge.net
naprodimedatahotfix.azureedge.net | **TCP:** 443 |
-| AMSUB0101
AMSUB0102
AMSUB0201
AMSUB0202
AMSUB0301
AMSUB0302
AMSUB0501
AMSUB0502
AMSUB0601
AMSUB0701 | euprodimedatapri
euprodimedatasec
euprodimedatahotfix | euprodimedatapri.azureedge.net
euprodimedatasec.azureedge.net
euprodimedatahotfix.azureedge.net | **TCP:** 443 |
-| AMSUC0101
AMSUC0201
AMSUC0301
AMSUC0501
AMSUC0601
AMSUD0101| approdimedatapri
approdimedatasec
approdimedatahotifx | approdimedatapri.azureedge.net
approdimedatasec.azureedge.net
approdimedatahotfix.azureedge.net |**TCP:** 443 |
+|Region | CDN | Port |
+| --- |------------- | --- |
+|North America | naprodimedatapri.azureedge.net
naprodimedatasec.azureedge.net
naprodimedatahotfix.azureedge.net
imeswda-afd-primary.manage.microsoft.com
imeswda-afd-secondary.manage.microsoft.com
imeswda-afd-hotfix.manage.microsoft.com | **TCP:** 443 |
+|Europe | euprodimedatapri.azureedge.net
euprodimedatasec.azureedge.net
euprodimedatahotfix.azureedge.net
imeswdb-afd-primary.manage.microsoft.com
imeswdb-afd-secondary.manage.microsoft.com
imeswdb-afd-hotfix.manage.microsoft.com | **TCP:** 443 |
+|Asia Pacific | approdimedatapri.azureedge.net
approdimedatasec.azureedge.net
approdimedatahotfix.azureedge.net
imeswdc-afd-primary.manage.microsoft.com
imeswdc-afd-secondary.manage.microsoft.com
imeswdc-afd-hotfix.manage.microsoft.com |**TCP:** 443 |
+
+## Network requirements for macOS app and script deployments
+
+If you're using Intune to deploy apps or scripts on macOS, you also need to grant access to endpoints in which your tenant currently resides.
+
+Different endpoints are used depending on your tenant location. To find your tenant location, sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Tenant administration** > **Tenant details** > **Tenant location** with a value of *North America 0501* or similar. Using the region in the location (North America in *North America 0501*), review the table below for the CDN endpoints and ports required:
+
+|Region | CDN | Port |
+| --- |------------- | --- |
+|North America | macsidecar.manage.microsoft.com
macsidecarprod.azureedge.net
(azureedge.net domains will be disabled after 3/31/2025) | **TCP:** 443 |
+|Europe | macsidecareu.manage.microsoft.com
macsidecarprodeu.azureedge.net
(azureedge.net domains will be disabled after 3/31/2025) | **TCP:** 443 |
+|Asia Pacific| macsidecarap.manage.microsoft.com
macsidecarprodap.azureedge.net
(azureedge.net domains will be disabled after 3/31/2025) |**TCP:** 443 |
## Microsoft Store
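Review bot: the IP table edited in the middle of this hunk appears to sit inside an HTML comment (the `-->` directly after the `+` block closes it), so dropping `13.71.199.64/28`, `13.73.244.48/28`, and `20.49.93.160/27` there changes nothing that renders; either delete the commented-out table or apply the change to the live list instead. The macOS table carries "(azureedge.net domains will be disabled after 3/31/2025)" but the Win32/IME table, which likewise pairs `*prodimedata*.azureedge.net` with new `imeswd*-afd-*.manage.microsoft.com` names, carries no such note; if the retirement applies to both, add it to both, preferably as a `> [!NOTE]` block rather than text inside a table cell. Minor: "Powershell scripts" in the new intro line should be "PowerShell scripts" to match the heading.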
diff --git a/memdocs/intune/fundamentals/intune-govt-service-description.md b/memdocs/intune/fundamentals/intune-govt-service-description.md
index 1f49422a6ff..5c574418725 100644
--- a/memdocs/intune/fundamentals/intune-govt-service-description.md
+++ b/memdocs/intune/fundamentals/intune-govt-service-description.md
@@ -7,7 +7,7 @@ keywords:
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 10/30/2024
+ms.date: 01/21/2025
ms.topic: article
ms.service: microsoft-intune
ms.suite: ems
@@ -89,6 +89,7 @@ The following features are currently not available and aren't supported in GCC H
| Expedited updates | For more information on this feature, go to [Expedite Windows quality updates in Microsoft Intune](../protect/windows-10-expedite-updates.md). |
| Feature updates | For more information on this feature, go to [Feature updates for Windows in Intune](../protect/windows-10-feature-updates.md). |
| Windows Autopilot | The following features are in the planning phase: - Customize out-of-box experience (OOBE) and rename devices during provisioning based on organizational structure - Self-deploying and pre-provisioning mode - More admin-specified configurations delivered before allowing desktop access. - Enhanced optional desktop onboarding experience inside the Windows Company Portal app - The ability to associate a device with a tenant. For information about Windows Autopilot, go to [Windows Autopilot overview](/autopilot/overview). |
+| BIOS configuration policies on Windows | For more information on this feature, go to [Use BIOS configuration profiles on Windows devices in Microsoft Intune](../configuration/bios-configuration.md). |
### Not available
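Review bot: the new row says "BIOS configuration policies on Windows" while its link text (and the intune-endpoints change earlier in this patch) calls the feature "BIOS configuration profiles"; use one name so readers searching the GCC High table for the feature find it.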
diff --git a/memdocs/intune/fundamentals/intune-planning-guide.md b/memdocs/intune/fundamentals/intune-planning-guide.md
index 2d39a8ba885..364d89ec669 100644
--- a/memdocs/intune/fundamentals/intune-planning-guide.md
+++ b/memdocs/intune/fundamentals/intune-planning-guide.md
@@ -332,7 +332,7 @@ Managing devices is a relationship with different services. Intune includes the
- **[Microsoft Copilot in Intune](../copilot/copilot-intune-overview.md)** is a generative-AI security analysis tool. It accesses your Intune data and can help you manage your policies and settings, understand your security posture, and troubleshoot device issues.
- Copilot in Intune is licensed through Microsoft Copilot for Security. For more information, go to [Get started with Microsoft Copilot for Security](/copilot/security/get-started-security-copilot).
+ Copilot in Intune is licensed through Microsoft Security Copilot. For more information, go to [Get started with Microsoft Security Copilot](/copilot/security/get-started-security-copilot).
- **[Intune Suite](intune-add-ons.md)** provides advanced endpoint management and security features, like remote help, Microsoft Cloud PKI, Endpoint Privilege Management, and more. The Intune Suite is available as a separate license.
diff --git a/memdocs/intune/fundamentals/intune-us-government-endpoints.md b/memdocs/intune/fundamentals/intune-us-government-endpoints.md
index a98b4d7793d..a5632c16243 100644
--- a/memdocs/intune/fundamentals/intune-us-government-endpoints.md
+++ b/memdocs/intune/fundamentals/intune-us-government-endpoints.md
@@ -8,7 +8,7 @@ keywords:
author: Smritib17
ms.author: smbhardwaj
manager: dougeby
-ms.date: 10/04/2021
+ms.date: 1/16/2025
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: fundamentals
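Review bot: `ms.date: 1/16/2025` is not zero-padded, while the other files in this patch use `01/21/2025` and `01/24/2025`; use `01/16/2025` so the metadata format stays consistent across the set.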
@@ -44,7 +44,7 @@ You can modify proxy server settings on individual client computers. You can als
Managed devices require configurations that let **All Users** access services through firewalls.
> [!NOTE]
-> The inspection of SSL traffic is not supported on 'manage.microsoft.us', or 'has.spserv.microsoft.com' endpoint.
+> The inspection of SSL traffic is not supported on '*.manage.microsoft.us', or 'has.spserv.microsoft.com' endpoint.
For more information about Windows 10 auto-enrollment and device registration for US government customers, see [Set up automatic enrollment for Windows](../enrollment/windows-enroll.md).
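Review bot: the wildcard now matches the `*.manage.microsoft.us` row in the table below, which is the right correction, but the sentence still reads "not supported on '*.manage.microsoft.us', or 'has.spserv.microsoft.com' endpoint"; make it "on the `*.manage.microsoft.us` and `has.spserv.microsoft.com` endpoints" and consider "TLS" over "SSL", as the traffic being intercepted is TLS.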
@@ -52,14 +52,16 @@ The following tables list the ports and services that the Intune client accesses
| Endpoint | IP address |
|---------------------|-----------|
-|*.manage.microsoft.us | 52.227.99.114
20.141.108.112
13.72.17.166
52.126.185.115
52.227.211.91
23.97.10.212
52.227.29.124
52.247.174.16
52.227.29.244
52.227.208.144
52.227.1.233
20.141.104.221
52.247.134.218
20.141.78.227
13.77.236.201 |
+|*.manage.microsoft.us | 52.227.99.114
20.141.108.112
13.72.17.166
52.126.185.115
52.227.211.91
23.97.10.212
52.227.29.124
52.247.174.16
52.227.29.244
52.227.208.144
52.227.1.233
20.141.104.221
52.247.134.218
20.141.78.227
13.77.236.201
62.10.86.128/25
62.10.87.128/25
20.159.110.0/25
20.159.111.0/25
|
| enterpriseregistration.microsoftonline.us | 13.72.188.239
13.72.55.179 |
-## US Government customer designated endpoints:
+## US Government customer designated endpoints
+
- Azure portal: https:\//portal.azure.us/
- Microsoft 365: https:\//portal.office365.us/
- Intune Company Portal: https:\//portal.manage.microsoft.us/
- Microsoft Intune admin center: https:\//intune.microsoft.us/
+
## Network requirements for PowerShell scripts and Win32 apps
If you're using Intune to deploy PowerShell scripts or Win32 apps, you'll also need to grant access to endpoints in which your tenant currently resides.
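Review bot: the rewritten `*.manage.microsoft.us` cell ends with an empty line before the closing `|`, which renders as a dangling line break after `20.159.111.0/25`. The cell also now mixes bare host addresses (`52.227.99.114`) with CIDR ranges (`62.10.86.128/25`); writing the singles as `/32` makes it unambiguous that they are hosts and not truncated ranges when the list is copied into firewall rules.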
@@ -68,8 +70,20 @@ If you're using Intune to deploy PowerShell scripts or Win32 apps, you'll also n
| --- | --- |--- |
|FXPASU01 | sovereignprodimedatapri
sovereignprodimedatasec
sovereignprodimedatahotfix | sovereignprodimedatapri.azureedge.net
sovereignprodimedatasec.azureedge.net
sovereignprodimedatahotfix.azureedge.net |
+## Microsoft Defender for Endpoint
+
+For more information about configuring Defender for Endpoint connectivity, see [Connectivity Requirements](../protect/mde-security-integration.md#connectivity-requirements).
+
+To support Defender for Endpoint security settings management, allow the following hostnames through your firewall.
+For communication between clients and the cloud service:
+
+- \*.dm.microsoft.us - The use of a wildcard supports the cloud-service endpoints that are used for enrollment, check-in, and reporting, and which can change as the service scales.
+
+ > [!IMPORTANT]
+ > SSL Inspection is not supported on endpoints required for Microsoft Defender for Endpoint.
+
+## Partner service endpoints that Intune depends on
-## Partner service endpoints that Intune depends on:
- Azure AD Sync service: https:\//syncservice.gov.us.microsoftonline.com/DirectoryService.svc
- Evo STS: https:\//login.microsoftonline.us
- Directory Proxy: https:\//directoryproxy.microsoftazure.us/DirectoryProxy.svc
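Review bot: the new Defender for Endpoint bullet names `*.dm.microsoft.us` but gives no port, unlike every other endpoint on this page; add the port (the commercial endpoint tables use the **TCP:** convention). The Win32 apps table in the unchanged context above still lists only the `sovereignprodimedata*.azureedge.net` hostnames, while the commercial intune-endpoints change in this same patch adds `imeswd*-afd-*.manage.microsoft.com` alongside azureedge.net and dates the azureedge.net retirement; if the sovereign cloud has equivalent replacement hostnames they belong here too, and if not, say so. Also, the `> [!IMPORTANT]` block is indented under the bullet, so it renders as part of the list item rather than as a standalone callout.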
@@ -82,5 +96,6 @@ If you're using Intune to deploy PowerShell scripts or Win32 apps, you'll also n
[!INCLUDE [Intune notices](../includes/apple-device-network-information.md)]
## Next steps
+
[Network endpoints for Microsoft Intune](intune-endpoints.md)
diff --git a/memdocs/intune/fundamentals/licenses-assign.md b/memdocs/intune/fundamentals/licenses-assign.md
index 61176de9ddc..8a66a825461 100644
--- a/memdocs/intune/fundamentals/licenses-assign.md
+++ b/memdocs/intune/fundamentals/licenses-assign.md
@@ -6,7 +6,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 05/20/2024
+ms.date: 01/24/2025
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: fundamentals
@@ -30,32 +30,24 @@ ms.collection:
# Assign licenses to users so they can enroll devices in Intune
-Whether you manually add users or synchronize from your on-premises Active Directory, you must first assign each user an Intune Plan 1 license before users can enroll their devices in Intune. For a list of licenses, see [Microsoft Intune licensing](licenses.md).
+Whether you manually add users or synchronize from your on-premises Active Directory, you must first assign each user license before users can enroll their devices in Intune. For a list of licenses, see [Microsoft Intune licensing](licenses.md).
> [!NOTE]
-> Users assigned Intune app protection policy and not enrolling their devices into Microsoft Intune will also require an Intune license to receive policy.
+> Users assigned Intune app protection policy and not enrolling their devices into Microsoft Intune will also require an Intune license to receive the policy.
-## Assign an Intune license in the Microsoft Intune admin center
+## Assign an Intune license in the Microsoft 365 admin center
-You can use the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) to manually add cloud-based users and assign licenses to both cloud-based user accounts and accounts synchronized from your on-premises Active Directory to Microsoft Entra ID.
+You can use the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?LinkId=698854) to manually add cloud-based users and assign licenses to both cloud-based user accounts and accounts synchronized from your on-premises Active Directory to Microsoft Entra ID.
-1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Users** > **All Users** > choose a user > **Licenses** > **Assignments**.
+1. In the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?LinkId=698854), select **Users** > **Active users** > *choose an unlicensed user* > **Licenses and apps**.
-2. Choose the box for **Intune** > **Save**. If you want to use the Enterprise Mobility + Security E5 or other license, choose that box instead.
+2. Choose the box for **Intune** > **Save changes**. If you want to use the Enterprise Mobility + Security E5 or other license, choose that box instead. For more information about Microsoft Intune licenses, see [Microsoft Intune licensing](licenses.md).
- ![Screenshot of the Microsoft 365 admin center Product licenses section.](./media/licenses-assign/mem-assign-license.png)
-
-3. The user account now has the permissions needed to use the service and enroll devices into management.
-
-
-
-## Assign an Intune license by using Microsoft Entra ID
-
-You can also assign Intune licenses to users by using Microsoft Entra ID. For more information, see the [License users in Microsoft Entra article](/azure/active-directory/active-directory-licensing-group-assignment-azure-portal).
+The user account now has the permissions needed to use the service and enroll devices into Intune management.
## Use School Data Sync to assign licenses to users in Intune for Education
-If you are an educational organization, you can use School Data Sync (SDS) to assign Intune for Education licenses to synced users. Just choose the Intune for Education checkbox when you're setting up your SDS profile.
+If you're an educational organization, you can use School Data Sync (SDS) to assign Intune for Education licenses to synced users. Just choose the Intune for Education checkbox when you're setting up your SDS profile.
![Screenshot of SDS profile setting](./media/licenses-assign/i4e-sds-profile-setup-setting.png)
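Review bot: "you must first assign each user license before users can enroll" drops the article; it should read "assign each user a license". Removing the "Assign an Intune license by using Microsoft Entra ID" section also removes the only pointer to group-based license assignment (the deleted link targets `active-directory-licensing-group-assignment-azure-portal`), which is how licenses are assigned at scale; keep a one-line reference to it under the new Microsoft 365 admin center section.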
@@ -68,13 +60,13 @@ See this [overview of School Data Sync](https://support.office.com/article/Overv
## How user and device licenses affect access to services
- Each **user** that you assign a user software license to may access and use the online services and related software (including System Center software) to manage applications and up to 15 MDM devices.
-- You can purchase licenses for any devices separately from user licenses. Device licenses do not need to be assigned to the devices. Each device that accesses and uses the online services and related software (including System Center software) must have a device license available in the Microsoft 365 tenant.
+- You can purchase licenses for any devices separately from user licenses. Device licenses don't need to be assigned to the devices. Each device that accesses and uses the online services and related software (including System Center software) must have a device license available in the Microsoft 365 tenant.
- If a device is used by more than one user, each device requires a device based software license or all users require a user software license.
- If you remove a license from a user that has managed devices, it may affect the compliance or management of those devices.
## How to restore users accidentally unlicensed
-- If you have accidentally removed the license for one or more users, you can restore their device compliance and management by re-assigning the license for those users. For more information, see [Assign Microsoft Intune licenses](#assign-an-intune-license-in-the-microsoft-intune-admin-center).
+- If you have accidentally removed the license for one or more users, you can restore their device compliance and management by re-assigning the license for those users. For more information, see [Assign Microsoft Intune licenses](#assign-an-intune-license-in-the-microsoft-365-admin-center).
## Understanding the type of licenses you have purchased
@@ -84,6 +76,26 @@ How you purchased Intune determines your subscription information:
- If you purchased Intune through a Cloud Solution Provider, check with your reseller.
- If you purchased Intune with a CC# or Invoice, then your licenses will be user-based.
+## Look up current licenses
+
+You must use [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?LinkId=698854) to manage your licenses. However, you can view license details in Microsoft Intune admin center and Microsoft Entra admin center.
+
+### Microsoft 365 admin center
+
+Using the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?LinkId=698854), you can manage the subscription licenses your organization has available. To find these details, sign-in to the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?LinkId=698854), select **Billing** > **Licenses**, then select the **Subscriptions** tab. Additionally, you can view the products owned by your organization in the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?LinkId=698854) by selecting **Billing** > **Your products**, then select the **Products** tab. The [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?LinkId=698854) also provides licenses details for users by selecting **Users** > **Active users** > *select a user* > **Licenses and apps**.
+
+> [!NOTE]
+> Managing licenses is only available with in the Microsoft 365 Admin Center.
+
+### Microsoft Intune admin center
+
+Using the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you can view the **Total licensed users** and the **Total Intune licenses**. To find these details, sign-in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Tenant administration** > **Tenant status** and select the **Tenant details** tab. Additionally, you can view the assigned licenses available for a user in Intune by selecting **Users** > *select a user* > **Licenses**.
+
+### Microsoft Entra admin center
+
+Much like Microsoft Intune admin center, you can use the [Microsoft Entra admin center](https://entra.microsoft.com) to view available product licenses and assigned user license. To view product licenses in the [Microsoft Entra admin center](https://entra.microsoft.com), select **Licenses** under the **Billing** section, and select **All products**. To view the assigned licenses available for a user, select **Users** > **All users** > *select a user* > **Licenses**.
+
+
## Look up current licenses using PowerShell
To view the number of free and used licenses on a Microsoft Intune subscription, you can use the following steps to run PowerShell commands.
@@ -116,9 +128,9 @@ A list of the **Account ID**, the **Active Units**, and the **Consumed Units** w
Organizations that use Microsoft Enterprise Mobility + Security (formerly Enterprise Mobility Suite) might have users who only require Microsoft Entra ID P1 or P2 or Intune services in the EMS package. You can assign one or a subset of services using [Microsoft Graph PowerShell cmdlets](/powershell/module/microsoft.graph.users.actions/set-mguserlicense).
-To selectively assign user licenses for EMS services, open PowerShell as an administrator on a computer with the [Microsoft Graph PowerShel](/powershell/microsoftgraph/installation) installed. You can install PowerShell on a local computer or on an ADFS server.
+To selectively assign user licenses for EMS services, open PowerShell as an administrator on a computer with the [Microsoft Graph PowerShell](/powershell/microsoftgraph/installation) installed. You can install PowerShell on a local computer or on an ADFS server.
-You must create a new license SKU definition that applies only to the desired service plans. To do this, disable the plans you don't want to apply. For example, you might create a license SKU definition that does not assign an Intune license. To see a list of available services, type:
+You must create a new license SKU definition that applies only to the desired service plans. To do this, disable the plans you don't want to apply. For example, you might create a license SKU definition that doesn't assign an Intune license. To see a list of available services, type:
```powershell
(Get-MgSubscribedSku | Where {$_.SkuPartNumber -eq "EMS"}).ServiceStatus
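Review bot: the new "Look up current licenses" section has several wording slips: "only available with in the Microsoft 365 Admin Center" should be "only available within the Microsoft 365 admin center" (both the spacing and the capitalisation, which elsewhere in the file is "admin center"); "sign-in to" is used as a verb twice and should be "sign in to"; "assigned user license" under the Entra heading should be plural; and there is a doubled blank line before the PowerShell heading. The `Microsoft Graph PowerShel` typo fix further down is good.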
diff --git a/memdocs/intune/fundamentals/licenses.md b/memdocs/intune/fundamentals/licenses.md
index bd538e0c96f..da78ff7a575 100644
--- a/memdocs/intune/fundamentals/licenses.md
+++ b/memdocs/intune/fundamentals/licenses.md
@@ -109,7 +109,7 @@ You can purchase device licenses based on your estimated usage. Microsoft Intune
When a device is enrolled by using a device license, the following Intune functions aren't supported:
- [Intune app protection policies](../apps/app-protection-policy.md)
-- [Conditional access](../protect/conditional-access.md)
+- [Conditional Access](../protect/conditional-access.md)
- User-based management features, such as email and calendaring
## Confirm your licenses
diff --git a/memdocs/intune/fundamentals/microsoft-intune-service-description.md b/memdocs/intune/fundamentals/microsoft-intune-service-description.md
index f5b6f80f952..9000bd78154 100644
--- a/memdocs/intune/fundamentals/microsoft-intune-service-description.md
+++ b/memdocs/intune/fundamentals/microsoft-intune-service-description.md
@@ -66,7 +66,7 @@ Because the mobile device management ecosystem changes frequently with operating
* [What's new in Microsoft Intune](whats-new.md). This topic is updated with the monthly service update and weekly when, for example, apps such as the Company Portal app are released.
-* Important service updates are also announced in the [Microsoft 365 admin center](https://admin.microsoft.com/) Message Center. If you install the companion [Microsoft 365 Admin mobile app](https://support.office.com/article/Office-365-Admin-Mobile-App-e16f6421-2a1a-4142-bf9d-9846600a060a), you can receive notifications on your mobile device. Learn more about how to work with the [Microsoft 365 Message Center](https://support.office.com/client/results?Shownav=true&ns=O365ENTADMIN&version=15&ver=15&HelpID=O365E_MCManageUpdates).
+* Important service updates are also announced in the [Microsoft 365 admin center](https://admin.microsoft.com/) Message Center. If you install the companion [Microsoft 365 Admin mobile app](https://support.office.com/article/Office-365-Admin-Mobile-App-e16f6421-2a1a-4142-bf9d-9846600a060a), you can receive notifications on your mobile device. Learn more about how to work with the [Microsoft 365 Message Center](/microsoft-365/admin/manage/message-center).
A few helpful hints:
diff --git a/memdocs/intune/fundamentals/migrate-to-intune.md b/memdocs/intune/fundamentals/migrate-to-intune.md
index edb56701467..740aac8b982 100644
--- a/memdocs/intune/fundamentals/migrate-to-intune.md
+++ b/memdocs/intune/fundamentals/migrate-to-intune.md
@@ -136,7 +136,7 @@ To evaluate and migrate policies from Basic Mobility and Security to Intune:
:::image type="content" source="./media/migrate-to-intune/recommendations-page.png" alt-text="Screenshot of migration evaluation example in the Microsoft Intune admin center after migrating Microsoft 365 Basic Mobility and Security policies to Intune":::
- Not all device settings correspond exactly to Intune settings and values. So, they can't be moved with precise one-to-one mapping. You need to review and possibly adjust these settings.
- - The conditional access (CA) settings that control the Office 365 services are the same CA policies in Microsoft Entra ID. So, you don't need to review or make changes to them unless you want to.
+ - The Conditional Access (CA) settings that control the Office 365 services are the same CA policies in Microsoft Entra ID. So, you don't need to review or make changes to them unless you want to.
4. Select an item in the list. The **Compliance policy recommendation overview** page opens. Review the instructions.
5. Select **Details** to review the recommended settings and group assignments:
@@ -206,13 +206,13 @@ This section describes what happens behind the scenes when you migrate from Basi
- [Configurations policy mapping from Basic Mobility and Security to Intune](policy-map-configurations.md)
- [Miscellaneous policy mapping from Basic Mobility and Security to Intune](policy-map-miscellaneous.md)
-- When you complete the migration, your migrated policies are in Microsoft Intune admin center. The new policies include compliance policies, device configuration profiles, and conditional access policies. The new policies are in the following locations:
+- When you complete the migration, your migrated policies are in Microsoft Intune admin center. The new policies include compliance policies, device configuration profiles, and Conditional Access policies. The new policies are in the following locations:
| Intune policy type | Intune location |
| --- | --- |
| [Compliance policies](../protect/device-compliance-get-started.md)Specify the device settings as access requirements. | [Microsoft Intune Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Compliance** |
| [Configuration profiles](../configuration/device-profiles.md) Specify other settings that aren't part of the access requirements, including email profiles. | [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Manage devices** > **Configuration** |
- | [Conditional access policies]( ../protect/conditional-access.md) Microsoft Entra Conditional Access blocks access if the settings aren't compliant. | [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Conditional access** > **Classic policies** |
+ | [Conditional Access policies]( ../protect/conditional-access.md) Microsoft Entra Conditional Access blocks access if the settings aren't compliant. | [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Conditional Access** > **Classic policies** |
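Review bot: the unchanged Compliance policies row of this table still reads "[Microsoft Intune Microsoft Intune admin center]" (product name duplicated) and has no space between the link "](../protect/device-compliance-get-started.md)" and "Specify"; since the table is already being edited for the Conditional Access casing, fix both so the row matches the "[Microsoft Intune admin center]" text of the other two rows. The new Conditional Access row also keeps the stray leading space inside the link target "]( ../protect/conditional-access.md)"; drop it.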
## Known issues
diff --git a/memdocs/intune/fundamentals/multi-admin-approval.md b/memdocs/intune/fundamentals/multi-admin-approval.md
index 7da061c925f..6925f3e27cf 100644
--- a/memdocs/intune/fundamentals/multi-admin-approval.md
+++ b/memdocs/intune/fundamentals/multi-admin-approval.md
@@ -51,7 +51,7 @@ To create an access policy, your account must be assigned the [*Intune Service A
To be an approver for access policies, an account must be in the approver group that’s assigned to the access policy for a specific type of resource.
-If your organization allows unlicensed administrators for Intune roles, all approver groups must also be a member group of one or more Intune role assignments.
+If your organization allows unlicensed administrators for Intune roles, all approver groups must also be a member group of one or more Intune role assignments. There is no specific requirement for which role assignment the approver group must be added to. If the approver group is not added to a role assignment this will result in approver group members being removed from the group periodically.
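Review bot: the added sentence describes a silent, periodic removal of approver-group members without saying how often it happens or where an admin can see it, so someone whose approvals suddenly start failing has nothing to look for; state the interval (or link to where it is documented) and, if the removal is logged, where. Grammar: add a comma after "role assignment" and prefer "approver group members are removed from the group periodically" over "this will result in approver group members being removed".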
## How multi admin approval and Access policies work
diff --git a/memdocs/intune/fundamentals/policy-map-miscellaneous.md b/memdocs/intune/fundamentals/policy-map-miscellaneous.md
index c0d9687ca8e..1610d6b7828 100644
--- a/memdocs/intune/fundamentals/policy-map-miscellaneous.md
+++ b/memdocs/intune/fundamentals/policy-map-miscellaneous.md
@@ -83,7 +83,7 @@ These settings are backed by the Conditional Access policy [GraphAggregatorServi
This setting modifies one classic Conditional Access policy:
-- **Endpoint security** > **Conditional access** > **Classic policies** > **[GraphAggregatorService] Device policy** > **Conditions** > **Client apps (Preview)** > **Mobile apps and desktop clients** > **Exchange ActiveSync clients** > **Apply policy only to supported platform**
+- **Endpoint security** > **Conditional Access** > **Classic policies** > **[GraphAggregatorService] Device policy** > **Conditions** > **Client apps (Preview)** > **Mobile apps and desktop clients** > **Exchange ActiveSync clients** > **Apply policy only to supported platform**
### Are there any security groups you want to exclude from access control?
@@ -95,7 +95,7 @@ This setting modifies five classic Conditional Access policies:
- [Office 365 SharePoint Online] Device policy
- [Outlook Service for OneDrive] Device policy
-- **Endpoint security** > **Conditional access** > policy name > **Users and groups** > **Exclude**
+- **Endpoint security** > **Conditional Access** > policy name > **Users and groups** > **Exclude**
## Device security policy Name and Description
diff --git a/memdocs/intune/fundamentals/remote-help-android.md b/memdocs/intune/fundamentals/remote-help-android.md
index 681ad9aca70..650e82bf80b 100644
--- a/memdocs/intune/fundamentals/remote-help-android.md
+++ b/memdocs/intune/fundamentals/remote-help-android.md
@@ -233,13 +233,7 @@ In this section:
> [!IMPORTANT]
> If the device is running in kiosk mode, the Settings app (which is where the permission is granted) needs to be designated as a system app so that it can launch. See [Granting overlay permissions to Managed Home Screen for Android Enterprise dedicated devices](https://techcommunity.microsoft.com/t5/intune-customer-success/granting-overlay-permissions-to-managed-home-screen-for-android/ba-p/3247041) for detailed instructions.
-The Remote Help app needs the **Display over other apps** or **Appear on top** permission to display the Remote Help session UI. To grant this permission, complete the following steps:
-
-1. After installing the Remote Help app, launch it.
-
-2. If the permission isn't already granted, the app displays a prompt that launches **Settings** to grant the permission.
-
-3. Tap **Grant** on the prompt, scroll down to **Appear on top** and turn the setting **On**. (The specific UI may differ depending on your device.)
+The Remote Help app needs the **Display over other apps** or **Appear on top** permission to display the Remote Help session UI. To grant this permission, create an OEMConfig profile that configures the permissions in the OEMConfig app.
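Review bot: the replacement sentence removes all the actionable detail of the deleted steps without substituting any: it does not say which OEMConfig setting grants **Display over other apps** / **Appear on top**, which OEMs' OEMConfig apps expose it, or link to OEMConfig profile guidance. The IMPORTANT note immediately above also still tells the reader to designate the Settings app as a system app in kiosk mode so the permission can be granted interactively; with the OEMConfig route that note is either obsolete or should say it applies only when an OEMConfig profile is not used.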
##### Knox KLMS Agent consent
diff --git a/memdocs/intune/fundamentals/remote-help-macos.md b/memdocs/intune/fundamentals/remote-help-macos.md
index 1965687d518..61c43edbacd 100644
--- a/memdocs/intune/fundamentals/remote-help-macos.md
+++ b/memdocs/intune/fundamentals/remote-help-macos.md
@@ -56,7 +56,7 @@ The Remote Help web app supports the following capabilities on macOS:
- **Use Remote Help with unenrolled devices**: Disabled by default, you can choose to allow help to devices that aren't enrolled with Intune.
-- **Conditional access**: Administrators can now utilize conditional access capability when setting up policies and conditions for Remote Help. For more information on setting up conditional access, see [Setup Conditional Access for Remote Help](remote-help-windows.md#setup-conditional-access-for-remote-help).
+- **Conditional Access**: Administrators can now utilize Conditional Access capability when setting up policies and conditions for Remote Help. For more information on setting up Conditional Access, see [Setup Conditional Access for Remote Help](remote-help-windows.md#setup-conditional-access-for-remote-help).
- **Compliance Warnings**: Remote Help will show non-compliance warnings if the device the helper is connecting to isn't compliant with its assigned policies. This warning doesn't block access but provides transparency about the risk of using sensitive data like administrative credentials during the session.
@@ -88,7 +88,6 @@ General prerequisites for Remote Help are listed here [Prerequisites for Remote
### Remote Help Native macOS App supported operating systems
-- macOS 12 (Monterey)
- macOS 13 (Ventura)
- macOS 14 (Sonoma)
- macOS 15 (Sequoia)
diff --git a/memdocs/intune/fundamentals/remote-help-webapp.md b/memdocs/intune/fundamentals/remote-help-webapp.md
index 2f7e86b7e2a..55e1e2002e8 100644
--- a/memdocs/intune/fundamentals/remote-help-webapp.md
+++ b/memdocs/intune/fundamentals/remote-help-webapp.md
@@ -45,7 +45,7 @@ The Remote Help web app supports the following capabilities:
Use Remote Help with unenrolled devices: Disabled by default, you can choose to allow help to devices that aren't enrolled with Intune.
-- **Conditional access**: Administrators can now utilize conditional access capability when setting up policies and conditions for Remote Help. For more information on setting up conditional access, go to [Setup Conditional Access for Remote Help](remote-help-windows.md#setup-conditional-access-for-remote-help).
+- **Conditional Access**: Administrators can now utilize Conditional Access capability when setting up policies and conditions for Remote Help. For more information on setting up Conditional Access, go to [Setup Conditional Access for Remote Help](remote-help-windows.md#setup-conditional-access-for-remote-help).
- **Compliance Warnings**: Before connecting to a user's device, a helper will see a non-compliance warning about that device if it's not compliant with its assigned policies. This warning doesn’t block access but provides transparency about the risk of using sensitive data like administrative credentials during the session.
diff --git a/memdocs/intune/fundamentals/remote-help-windows.md b/memdocs/intune/fundamentals/remote-help-windows.md
index 568e10cd49a..f7ab9b00ab2 100644
--- a/memdocs/intune/fundamentals/remote-help-windows.md
+++ b/memdocs/intune/fundamentals/remote-help-windows.md
@@ -48,7 +48,7 @@ The Remote Help app is available from Microsoft to install on both devices enrol
The Remote Help app supports the following capabilities on Windows:
-- **Conditional access**: Administrators can now utilize conditional access capability when setting up policies and conditions for Remote Help. For example, multi-factor authentication, installing security updates, and locking access to Remote Help for a specific region or IP addresses. For more information on setting up conditional access, go to [Setup Conditional Access for Remote Help](#setup-conditional-access-for-remote-help)
+- **Conditional Access**: Administrators can now utilize Conditional Access capability when setting up policies and conditions for Remote Help. For example, multi-factor authentication, installing security updates, and locking access to Remote Help for a specific region or IP addresses. For more information on setting up Conditional Access, go to [Setup Conditional Access for Remote Help](#setup-conditional-access-for-remote-help)
- **Compliance Warnings**: Before a helper can connect to a user's device, the helper sees a non-compliance warning about that device if it's not compliant with its assigned policies. This warning doesn't block access but provides transparency about the risk of using sensitive data like administrative credentials during the session.
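Review bot: the changed Conditional Access bullet still ends without a period after the link "(#setup-conditional-access-for-remote-help)", unlike the Compliance Warnings bullet below it; add one while the line is being edited.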
@@ -117,6 +117,10 @@ Download the latest version of Remote Help direct from Microsoft at [aka.ms/down
The most recent version of Remote Help is **5.1.1419.0**
+### Deploy Remote Help as an Enterprise App Catalog app
+The Enterprise App Catalog is a collection of prepackaged Win32 apps that have been designed and prepared by Microsoft to support Intune. An Enterprise App Catalog app is a Windows app that you can add via the Enterprise App Catalog in Intune. This app type leverages the Win32 platform and has support for customizable capabilities. Remote Help is available in the Enterprise App Catalog. To learn more, see [Add an Enterprise App Catalog app to Microsoft Intune](/mem/intune/apps/apps-add-enterprise-app#add-a-windows-catalog-app-win32-to-intune).
+
+
### Deploy Remote Help as a Win32 app
To deploy Remote Help with Intune, you can add the app as a Windows Win32 app, and define a detection rule to identify devices that don't have the most current version of Remote Help installed. Before you can add Remote Help as a Win32 app, you must repackage *remotehelpinstaller.exe* as a *.intunewin* file, which is a Win32 app file you can deploy with Intune. For information on how to repackage a file as a Win32 app, see [Prepare the Win32 app content for upload](../apps/apps-win32-prepare.md).
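Review bot: the new section ends with two blank lines before the "### Deploy Remote Help as a Win32 app" heading where the rest of the file uses one; trim one. The added link uses the site-absolute form "/mem/intune/apps/apps-add-enterprise-app#add-a-windows-catalog-app-win32-to-intune" while the neighbouring Win32 paragraph links relatively ("../apps/apps-win32-prepare.md"); use the relative form for consistency within the file.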
@@ -275,9 +279,9 @@ Depending on the environment that Remote Help is utilized in, it may be necessar
- C:\Program Files\Remote help\RHService.exe
- C:\Program Files\Remote help\RemoteHelpRDP.exe
-## Setup conditional access for Remote Help
+## Setup Conditional Access for Remote Help
-This section outlines the steps for provisioning the Remote Help service on the tenant for conditional access.
+This section outlines the steps for provisioning the Remote Help service on the tenant for Conditional Access.
1. Open PowerShell in admin mode.
- It may be necessary to install [Microsoft Graph PowerShell](/powershell/microsoftgraph/installation)
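Review bot: "Setup" is the noun; the heading and the sentence below it mean the verb "Set up". Note, though, that rewording the heading changes the generated anchor "#setup-conditional-access-for-remote-help", which remote-help-macos.md and remote-help-webapp.md link to in this same PR, so those links would have to be updated in the same change. The casing-only edit made here leaves the anchor unchanged.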
diff --git a/memdocs/intune/fundamentals/remote-help.md b/memdocs/intune/fundamentals/remote-help.md
index 988ed027dc7..193cc02faaa 100644
--- a/memdocs/intune/fundamentals/remote-help.md
+++ b/memdocs/intune/fundamentals/remote-help.md
@@ -87,19 +87,18 @@ For specific prerequisites based on the platform that you're using, go to:
Limitations:
+- You cannot establish a Remote Help session from one tenant to a different tenant.
+- Remote Help might not be available in all markets or localizations.
- Remote Help is supported in Government Community Cloud (GCC) environments on the following platforms:
- Windows 10/11
- Windows 10/11 on ARM64 devices
- Windows 365
- Samsung and Zebra devices enrolled as Android Enterprise dedicated devices
- - macOS 12, 13, 14, and 15
+ - macOS 13, 14, and 15
Remote Help isn't supported on GCC High or DoD (U.S. Department of Defense) tenants. For more information, go to [Microsoft Intune for US Government GCC High and DoD service description](intune-govt-service-description.md).
- - You cannot establish a Remote Help session from one tenant to a different tenant.
- - Remote Help might not be available in all markets or localizations.
-
## Supported platforms and devices
This feature applies to:
@@ -109,7 +108,7 @@ This feature applies to:
- Windows 10 on ARM64 devices
- Windows 365
- Android Enterprise Dedicated (Samsung and Zebra devices)
-- macOS 12, 13, 14, and 15
+- macOS 13, 14, and 15
## Data and privacy
diff --git a/memdocs/intune/fundamentals/role-based-access-control-reference.md b/memdocs/intune/fundamentals/role-based-access-control-reference.md
index 14ea9f58d98..66921ba74d5 100644
--- a/memdocs/intune/fundamentals/role-based-access-control-reference.md
+++ b/memdocs/intune/fundamentals/role-based-access-control-reference.md
@@ -186,7 +186,7 @@ Application Managers manage mobile and managed applications, can read device inf
## Endpoint Security Manager
-Manages security and compliance features such as security baselines, device compliance, conditional access, and Microsoft Defender ATP.
+Manages security and compliance features such as security baselines, device compliance, Conditional Access, and Microsoft Defender ATP.
| Permission | Action |
| ---------- | ------ |
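Review bot: this role description still says "Microsoft Defender ATP", while the same Endpoint Security Manager description in role-based-access-control.md (also edited in this PR) says "Microsoft Defender for Endpoint"; align both on the current product name.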
diff --git a/memdocs/intune/fundamentals/role-based-access-control.md b/memdocs/intune/fundamentals/role-based-access-control.md
index b5bef210f22..40fc2b496b5 100644
--- a/memdocs/intune/fundamentals/role-based-access-control.md
+++ b/memdocs/intune/fundamentals/role-based-access-control.md
@@ -7,7 +7,7 @@ keywords:
author: Smritib17
ms.author: smbhardwaj
manager: dougeby
-ms.date: 06/20/2024
+ms.date: 12/02/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: fundamentals
@@ -18,7 +18,7 @@ ms.localizationpriority: high
#ROBOTS:
#audience:
-ms.reviewer:
+ms.reviewer: davidra
ms.suite: ems
search.appverid: MET150
#ms.tgt_pltfrm:
@@ -59,7 +59,7 @@ You can assign built-in roles to groups without further configuration. You can't
- **Application Manager**: Manages mobile and managed applications, can read device information and can view device configuration profiles.
- **Endpoint Privilege Manager**: Manages Endpoint Privilege Management policies in the Intune console.
- **Endpoint Privilege Reader**: Endpoint Privilege Readers can view Endpoint Privilege Management policies in the Intune console.
-- **Endpoint Security Manager**: Manages security and compliance features, such as security baselines, device compliance, conditional access, and Microsoft Defender for Endpoint.
+- **Endpoint Security Manager**: Manages security and compliance features, such as security baselines, device compliance, Conditional Access, and Microsoft Defender for Endpoint.
- **Help Desk Operator**: Performs remote tasks on users and devices, and can assign applications or policies to users or devices.
- **Intune Role Administrator**: Manages custom Intune roles and adds assignments for built-in Intune roles. It's the only Intune role that can assign permissions to Administrators.
- **Policy and Profile Manager**: Manages compliance policy, configuration profiles, Apple enrollment, corporate device identifiers, and security baselines.
@@ -77,7 +77,7 @@ You can create your own roles with custom permissions. For more information abou
### Microsoft Entra roles with Intune access
-Microsoft recommends following the principle of least-permissions by only assigning the minimum required permissions for an administrator to perform their duties. Global Administrator and Intune Service Administrator
+Microsoft recommends following the principle of least-permissions by only assigning the minimum required permissions for an administrator to perform their duties. Global Administrator and Intune Service Administrator
are [privileged roles](/entra/identity/role-based-access-control/privileged-roles-permissions) and assignment should be limited.
| Microsoft Entra role | All Intune data | Intune audit data |
@@ -97,6 +97,16 @@ are [privileged roles](/entra/identity/role-based-access-control/privileged-role
> [!TIP]
> Intune also shows three Microsoft Entra extensions: **Users**, **Groups**, and **Conditional Access**, which are controlled using Microsoft Entra RBAC. Additionally, the **User Account Administrator** only performs Microsoft Entra user/group activities and does not have full permissions to perform all activities in Intune. For more information, see [RBAC with Microsoft Entra ID](/azure/active-directory/active-directory-assign-admin-roles).
+## Privileged Identity Management for Intune
+
+Intune supports two methods of role elevation. There are performance and least privilege differences between the two methods.
+
+- **Method 1**: Create a just-in-time (JIT) policy with [Microsoft Entra Privileged Identity Management (PIM)](/entra/id-governance/privileged-identity-management/pim-configure) for the Microsoft Entra built-in **Intune Administrator** role and assign it an administrator account.
+
+- **Method 2**: Utilize [Privileged Identity Management (PIM) for Groups](/entra/id-governance/privileged-identity-management/concept-pim-for-groups) with an Intune RBAC role assignment. For more information about using PIM for Groups with Intune RBAC roles, see: [Configuring Microsoft Intune just-in-time admin access with Microsoft Entra PIM for Groups | Microsoft Community Hub](https://techcommunity.microsoft.com/blog/intunecustomersuccess/configuring-microsoft-intune-just-in-time-admin-access-with-azure-ad-pim-for-gro/3843972)
+
+When using PIM elevation for Microsoft Entra ID built-in Intune Administrator role, elevation typically happens within 10 seconds. PIM Groups based elevation for Intune Custom Roles can take up to 15 minutes to be applied.
+
## Role assignments
A role assignment defines:
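Review bot: the section opens by promising "performance and least privilege differences between the two methods" but then only explains the performance difference (about 10 seconds versus up to 15 minutes); add a sentence on the least-privilege difference, for example that Method 1 elevates to the tenant-wide Microsoft Entra Intune Administrator role, whereas Method 2 elevates into an Intune RBAC role assignment that can be limited by permissions and scope tags. For the same reason, the timing sentence should state whether the up-to-15-minute delay also applies to deactivation, since a lingering assignment after the PIM window closes is the part that matters for least privilege. Wording: "assign it an administrator account" should be "assign it to an administrator account", "Microsoft Entra ID built-in Intune Administrator role" should be "the Microsoft Entra built-in Intune Administrator role", and "PIM Groups based elevation" should be "PIM for Groups-based elevation".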
diff --git a/memdocs/intune/fundamentals/scope-tags.md b/memdocs/intune/fundamentals/scope-tags.md
index dfba98b9037..97c19ce0e90 100644
--- a/memdocs/intune/fundamentals/scope-tags.md
+++ b/memdocs/intune/fundamentals/scope-tags.md
@@ -8,7 +8,7 @@ keywords:
author: Smritib17
ms.author: smbhardwaj
manager: dougeby
-ms.date: 09/29/2023
+ms.date: 11/26/2023
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: fundamentals
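Review bot: the new ms.date "11/26/2023" is a year behind the dates set on the other files in this PR ("12/02/2024", "01/23/2025") and only two months after the value it replaces; this looks like a typo for 11/26/2024.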
@@ -55,6 +55,8 @@ The default scope tag feature is similar to the security scopes feature in Micro
## To create a scope tag
+Creating, updating or deleting scope tags requires an administrator assigned the Global Administrator or Intune Adminstrator Entra ID role. Administrators with a scope tag in their role assignment cannot update or delete the scope tag from the master list of scope tags.
+
1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Tenant administration** > **Roles** > **Scope (Tags)** > **Create**.
2. On the **Basics** page, provide a **Name** and optional **Description**. Choose **Next**.
3. On the **Assignments** page, choose the groups containing the devices that you want to assign this scope tag. Choose **Next**.
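Review bot: typo in the added sentence: "Intune Adminstrator" should be "Intune Administrator". "Entra ID role" should read "Microsoft Entra role" to match the "Microsoft Entra roles with Intune access" wording used in role-based-access-control.md, and "master list of scope tags" can simply be "list of scope tags". Also add a comma before "or" in "Creating, updating or deleting".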
@@ -88,7 +90,7 @@ For objects that support scope tags, scope tags usually appear under **Propertie
1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Manage devices** > **Configuration** > choose a profile.
2. Choose **Properties** > **Scope (Tags)** > **Edit** > **Select scope tags** > choose the tags that you want to add to the profile. You can assign a maximum of 100 scope tags to an object.
-4. Choose **Select** > **Review + save**.
+3. Choose **Select** > **Review + save**.
## Scope tag details
diff --git a/memdocs/intune/fundamentals/tenant-status.md b/memdocs/intune/fundamentals/tenant-status.md
index 450af88d909..5254171d81a 100644
--- a/memdocs/intune/fundamentals/tenant-status.md
+++ b/memdocs/intune/fundamentals/tenant-status.md
@@ -85,7 +85,7 @@ For example, if you select the **VPP Expiry Date** connector, the **iOS Volume-P
## Service health and message center
-The Service health and message center page are where you can view details about the Intune *Service health*, *Issues in your environment that require action*, and *Message center* posts that can provide information about updates and planned changes.
+The Service health and message center page is where you can view details about the Intune *Service health*, *Issues in your environment that require action*, and *Message center* posts that can provide information about updates and planned changes.
You can only set up your communication preferences for Intune Message center through the Microsoft 365 admin center. To do so, sign in to the [Microsoft 365 admin center](https://admin.microsoft.com/) and go to **Health** > **Service health**. Select **Customize**, and then open the **Email** tab. On the *Email* tab, select the checkbox for **Send me email notifications about service health**, and then configure the additional preferences to meet your requirements.
### Service health
diff --git a/memdocs/intune/fundamentals/tutorial-walkthrough-endpoint-manager.md b/memdocs/intune/fundamentals/tutorial-walkthrough-endpoint-manager.md
index c9dea49e46f..265e92e9a8b 100644
--- a/memdocs/intune/fundamentals/tutorial-walkthrough-endpoint-manager.md
+++ b/memdocs/intune/fundamentals/tutorial-walkthrough-endpoint-manager.md
@@ -108,7 +108,7 @@ Follow the steps below to better understand Intune in the Microsoft Intune admin
5. From the **Devices - Overview** pane, select **Conditional Access** to display details about access policies.
- :::image type="content" alt-text="Screenshot of the Microsoft Intune admin center - Conditional access." source="./media/tutorial-walkthrough-endpoint-manager/tutorial-walkthrough-mem-05.png" lightbox="./media/tutorial-walkthrough-endpoint-manager/tutorial-walkthrough-mem-05.png":::
+ :::image type="content" alt-text="Screenshot of the Microsoft Intune admin center - Conditional Access." source="./media/tutorial-walkthrough-endpoint-manager/tutorial-walkthrough-mem-05.png" lightbox="./media/tutorial-walkthrough-endpoint-manager/tutorial-walkthrough-mem-05.png":::
> [!TIP]
> If you have previously used Intune in the Azure portal, you found the above details in the Azure portal by signing in to [Intune](https://go.microsoft.com/fwlink/?linkid=2090973) and selecting **Conditional Access**.
diff --git a/memdocs/intune/fundamentals/users-add.md b/memdocs/intune/fundamentals/users-add.md
index 1942dd322dc..fbf4a501b2f 100644
--- a/memdocs/intune/fundamentals/users-add.md
+++ b/memdocs/intune/fundamentals/users-add.md
@@ -7,7 +7,7 @@ keywords:
author: Smritib17
ms.author: smbhardwaj
manager: dougeby
-ms.date: 09/27/2023
+ms.date: 01/23/2025
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: fundamentals
@@ -30,72 +30,105 @@ ms.collection:
# Add users and grant administrative permission to Intune
-As an administrator, you can add users directly or synchronize users from your on-premises Active Directory. Once added, users can enroll devices and access company resources. You can also give users more permissions including *global administrator* and *service administrator* permissions.
+As an administrator, you can add users directly or synchronize users from your on-premises Active Directory. Once added and enabled, users can enroll devices and access company resources. You can also give users more permissions including *global administrator* and *service administrator* permissions.
## Add users to Intune
-You can manually add users to your Intune subscription via the [Microsoft 365 admin center](https://admin.microsoft.com) or the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). An administrator can edit user accounts to assign Intune licenses. You can assign licenses in either the Microsoft 365 admin center or the Microsoft Intune admin center. For more information on using the Microsoft 365 admin center, see [Add users individually or in bulk to the Microsoft 365 admin center](https://support.office.com/article/Add-users-individually-or-in-bulk-to-Office-365-Admin-Help-1970f7d6-03b5-442f-b385-5880b9c256ec).
-
-### Add Intune users in the Microsoft 365 admin center
-
-1. Sign in to [Microsoft 365 admin center](https://admin.microsoft.com) with a global administrator or user management administrator account.
-2. In the Microsoft 365 menu, select **Users** > **Active users** > **Add a user**.
-3. Provide the following user details:
- - **First name**
- - **Last name**
- - **Display name**
- - **User name** - Universal principle name (UPN) stored in Microsoft Entra ID used to access the service.
- - **Password** - Autogenerate or create.
-4. Choose **Next**.
-5. In the **Assign product licenses** page, select a **Location** and then choose a license for this user. A license including Intune is required.
-6. Choose **Next**.
-7. In the **Optional settings** page, you can
- - Assign the new user more roles (by default the new user is given the User role).
- - Provide profile information.
-8. Choose **Next**.
-9. On the **Review and finish** page, select **Finish adding** to add the user. Choose **Close** to close the **Add a user** page.
-
-> [!NOTE]
-> If you're moving to Microsoft 365 from an Office 365 subscription, your users and groups are already in Microsoft Entra ID. Intune uses the same Microsoft Entra ID, and can use the existing users and groups.
+You can manually add users to your Intune subscription via the [Microsoft 365 admin center](https://admin.microsoft.com), the [Microsoft Entra admin center](https://entra.microsoft.com), or the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). In addition, an administrator can edit user accounts to assign Intune licenses. You can assign licenses in either the Microsoft 365 admin center or the Microsoft Intune admin center. For more information on using the Microsoft 365 admin center, see [Add users individually or in bulk to the Microsoft 365 admin center](https://support.office.com/article/Add-users-individually-or-in-bulk-to-Office-365-Admin-Help-1970f7d6-03b5-442f-b385-5880b9c256ec). For more information on using the Microsoft Entra admin center, see [How to create, invite, and delete users](/entra/fundamentals/how-to-create-delete-users).
### Add individual Intune users in the Microsoft Intune admin center
1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Users** > **All users** > **New user** > **Create new user**.
-2. Specify the following user details:
- - **User name** - The new name that the user will use to sign in to Microsoft Entra ID.
- - **Name** - The user's given name.
- - **First name** - The user's first name.
- - **Last name** - The user's last name.
-3. Choose whether you want to create the password for the new user or have it autogenerated.
-4. To assign the new user to groups (optional), choose **0 groups selected** to open the **Groups** pane. Here you can select the groups you want to assign to the user. When finished selecting groups, choose **Select**.
-5. By default, the new user is assigned the role of **User**. If you want to add roles to the user, select **User** under **Groups and roles**. In the **Directory roles** pane, select the roles you want to assign to the user and then choose **Select**.
-6. If you want to block the user from signing in, you can select **Yes** for **Block sign in**. Make sure to switch this back to **No** when you're ready to let the user sign in.
-7. Choose a **Usage location** for the new user. Usage location is required before you can assign the new user an Intune license.
-8. Optionally, you can provide information for the **Job title**, **Department**, **Company name**, and **Manager** fields.
-9. Select **Create** to add the new user to Intune.
+2. On the **Basics** tab, add the following user details:
+ - **User principal name** - Universal principle name (UPN) stored in Microsoft Entra ID used to access the service.
+ - **Mail nickname** - If you need to enter an email nickname that is different from the user principal name you entered, uncheck the **Derive from user principal name** option, then enter the mail nickname..
+ - **Display name** - The user's name, , such as Chris Green or Chris A. Green.
+ - **Password** - Add a password for the new user or choose to have it autogenerated.
+ - **Account enabled** - Choose to enable the account once it is created. If not checked, this user will be blocked from signing in. This can be updated after user creation.
+
+ Either select the **Review + create** button to create the new user or **Next: Properties** to complete the next section.
+
+3. On the **Properties** tab, add the following details:
+ - **Identity:**
+ - **FirstName**
+ - **Last name**
+ - **User type** - Choose either **Member** or **Guest**. Both of these user types are internal to your organization. Members are commonly full-time employees in your organization. Guests have an account in your tenant, but have guest-level privileges. It's possible they were created within your tenant prior to the availability of B2B collaboration.
+ - **Authorization info** - You can add up to 5 certificate user IDs. These are used as a part of Certificate Based Authentication and require a specific format. For more information, see [Mapping to the certificateUserIds attribute in Microsoft Entra ID](/entra/identity/authentication/concept-certificate-based-authentication-certificateuserids).
+ - **Job information:** Add any job-related information, such as the user's job title, department, or manager.
+ - **Contact information:** Add any relevant contact information for the user.
+ - **Parental controls:** For organizations like K-12 school districts, the user's age group may need to be provided. *Minors* are 12 and under, *Not adult* are 13-18 years old, and *Adults* are 18 and over. The combination of age group and consent provided by parent options determine the Legal age group classification. The Legal age group classification may limit the user's access and authority.
+ - **Settings:** The **Usage location** specify the user's global location.
+
+ Either select the **Review + create** button to create the new user or **Next: Assignments** to complete the next section.
+
+4. On the **Assignments** tab, add the following details:
+ You can assign the user to an administrative unit, group, or Microsoft Entra role when the account is created. You can assign the user to up to 20 groups or roles. You can only assign the user to one administrative unit. Assignments can be added after the user is created.
+
+ **To assign a group to the new user**:
+
+ 1. Select **+ Add group**.
+ 1. From the menu that appears, choose up to 20 groups from the list and select the **Select** button.
+ 1. Select the **Review + create** button.
+
+ **To assign a role to the new user**:
+
+ 1. Select **+ Add role**.
+ 1. From the menu that appears, choose up to 20 roles from the list and select the **Select** button.
+ 1. Select the **Review + create** button.
+
+ **To add an administrative unit to the new user**:
+
+ 1. Select **+ Add administrative unit**.
+ 1. From the menu that appears, choose one administrative unit from the list and select the **Select** button.
+ 1. Select the **Review + create** button.
+
+5. On the **Review + Create** tab, review the details to be sure the information is correct and details passed validation.
+ Review the details and select the **Create** button if everything looks good.
> [!NOTE]
+> If you're moving to Microsoft 365 from an Office 365 subscription, your users and groups are already in Microsoft Entra ID. Intune uses the same Microsoft Entra ID, and can use the existing users and groups.
+>
> You can also invite guest users to your Intune tenant. For more information, see [Add Microsoft Entra B2B collaboration users in the Microsoft Entra admin center](/entra/external-id/add-users-administrator).
### Add multiple Intune users in the Microsoft Intune admin center
-You can add Intune users in bulk by uploading a csv file containing the full list of users. The following steps allow you to add multiple users to Intune:
+You can add Intune users in bulk by uploading a *csv* file containing the full list of users. The following steps allow you to add multiple users to Intune:
-1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Users** > **All users** > **Bulk operations** > **Bulk create**. The **Bulk create user** pane is displayed.
-2. Download, edit, and upload a *csv* template containing a list of users that you want to add to Intune.
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) as at least a [User Administrator](/entra/identity/role-based-access-control/permissions-reference#user-administrator).
+2. Select **Users** > **All users** > **Bulk operations** > **Bulk create**. The **Bulk create users** pane is displayed.
+3. Download, edit, and upload a *csv* template containing a list of users that you want to add to Intune.
The *csv* file is a comma-separated value list that can be edited in Notepad or Excel. For more information about using a *csv* file to add Intune users, see [Bulk create users in Microsoft Entra ID](/azure/active-directory/enterprise-users/users-bulk-add).
> [!NOTE]
> You can also invite multiple guest users to your Intune tenant. For more information, see [Tutorial: Bulk invite Microsoft Entra B2B collaboration users](/entra/external-id/tutorial-bulk-invite).
+## Delete user from Intune
+
+When a user has left your organization, you can delete them from your Intune tenant. If needed, you can choose to delete multiple users using **Bulk operations**.
+
+To delete an individual user from Intune:
+
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) as at least a [User Administrator](/entra/identity/role-based-access-control/permissions-reference#user-administrator).
+2. Browse to **Users** > **All users**.
+3. Select the user you want to delete.
+4. Select **Delete**.
+
+To delete multiple users from Intune:
+
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) as at least a [User Administrator](/entra/identity/role-based-access-control/permissions-reference#user-administrator).
+2. Select **Users** > **All users** > **Bulk operations** > **Bulk delete**. The **Bulk delete users** pane is displayed.
+4. Download, edit, and upload a *csv* template containing a list of users that you want to delete from Intune.
+
+For related information, see [Bulk delete users in Microsoft Entra ID](/entra/identity/users/users-bulk-delete).
+
## Grant admin permissions
After you've added users to your Intune subscription, we recommend that you grant a few users administrative permission. To grant admin permissions, follow these steps:
### Give admin permissions in Microsoft 365
-1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com) with a global administrator account > select **Users** > **Active users** > choose the user to give admin permissions.
+1. Sign in to the[Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) with a global administrator account > select **Users** > **Active users** > choose the user to give admin permissions.
2. In the user pane, choose **Manage roles** under **Roles**.
3. In the **Manage roles** pane, choose the admin permission to grant from the list of available roles.
4. Choose **Save changes**.
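Review bot: The replacement on the "Give admin permissions in Microsoft 365" step swaps the Microsoft 365 admin center link for the Intune admin center but keeps the heading and the **Users** > **Active users** > **Manage roles** path, which is the Microsoft 365 admin center navigation (the Intune admin center steps earlier in this hunk use **Users** > **All users**); either restore the Microsoft 365 admin center link or rewrite the heading and path for the Intune admin center, and add the missing space in "Sign in to the[Microsoft Intune admin center]". The same step still says to sign in with a global administrator account while the new add/delete steps say "as at least a User Administrator"; naming the least-privileged role that can assign roles (Privileged Role Administrator) would keep the guidance consistent with least privilege. Smaller fixes in the added text: "Universal principle name (UPN)" should read "User principal name (UPN)", "enter the mail nickname.." has a doubled period, "The user's name, , such as" has a stray comma, "**FirstName**" should be "**First name**", "The **Usage location** specify" should be "specifies", and the bulk delete steps are numbered 1, 2, 4 (the last item should be 3).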
@@ -127,15 +160,13 @@ You can configure directory synchronization to import user accounts from your on
Be sure your AD admins have access to your Microsoft Entra subscription, and are trained to complete common AD and Microsoft Entra tasks.
-
-
### How to sync on-premises users with Microsoft Entra ID
- To move existing users from on-premises Active Directory to Microsoft Entra ID, you can set up [hybrid identity](/azure/active-directory/hybrid/whatis-hybrid-identity). Hybrid identities exist in both services - on-premises AD and Microsoft Entra ID.
- You can also export Active Directory users using the UI or through script. An internet search can help you find the best option for your organization.
-- To synchronize your user accounts with Microsoft Entra ID, use the [Microsoft Entra Connect wizard](https://www.microsoft.com/download/details.aspx?id=47594). The Microsoft Entra Connect wizard provides a simplified and guided experience for connecting your on-premises identity infrastructure to the cloud. Choose your topology and needs (single or multiple directories, password hash sync, pass-through authentication, or federation). The wizard deploys and configures all components required to get your connection up and running. Including: sync services, Active Directory Federation Services (AD FS), and the [Microsoft Graph PowerShell](/powershell/microsoftgraph/overview?view=graph-powershell-1.0&branch=main) module.
+- To synchronize your user accounts with Microsoft Entra ID, use the [Microsoft Entra Connect wizard](https://www.microsoft.com/download/details.aspx?id=47594). The Microsoft Entra Connect wizard provides a simplified and guided experience for connecting your on-premises identity infrastructure to the cloud. Choose your topology and needs (single or multiple directories, password hash sync, pass-through authentication, or federation). The wizard deploys and configures all components required to get your connection up and running. Including: sync services, Active Directory Federation Services (AD FS), and the [Microsoft Graph PowerShell](/powershell/microsoftgraph/overview?view=graph-powershell-1.0) module.
> [!TIP]
> Microsoft Entra Connect encompasses functionality that was previously released as Dirsync and Azure AD Sync. Learn more about [directory integration](/previous-versions/azure/azure-services/jj573653(v=azure.100)). To learn about syncing user accounts from a local directory to Microsoft Entra ID, see [Similarities between Active Directory and Microsoft Entra ID](/previous-versions/azure/azure-services/dn518177(v=azure.100)).
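Review bot: The sentence fragment "Including: sync services, Active Directory Federation Services (AD FS), and the Microsoft Graph PowerShell module." survives unchanged in the rewritten bullet; since the line is already being edited to drop the `&branch=main` query, attach it to the preceding sentence: "The wizard deploys and configures all components required to get your connection up and running, including sync services, Active Directory Federation Services (AD FS), and the Microsoft Graph PowerShell module."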
diff --git a/memdocs/intune/fundamentals/what-is-device-management.md b/memdocs/intune/fundamentals/what-is-device-management.md
index 2fd75bfb51c..3ee9e542e4d 100644
--- a/memdocs/intune/fundamentals/what-is-device-management.md
+++ b/memdocs/intune/fundamentals/what-is-device-management.md
@@ -69,7 +69,7 @@ For more information about Intune and its benefits, go to:
### Cloud attach your on-premises Configuration Manager
-Many organizations use on-premises Configuration Manager to manage devices, including desktops and servers. You can cloud-attach your on-premises Configuration Manager to Microsoft Intune. When you cloud-attach, you get the benefits of Intune and the cloud, including [conditional access](../../configmgr/comanage/quickstart-conditional-access.md), [running remote actions](../../configmgr/comanage/quickstart-remote-actions.md), [using Windows Autopilot](../../configmgr/comanage/quickstart-autopilot.md), and more.
+Many organizations use on-premises Configuration Manager to manage devices, including desktops and servers. You can cloud-attach your on-premises Configuration Manager to Microsoft Intune. When you cloud-attach, you get the benefits of Intune and the cloud, including [Conditional Access](../../configmgr/comanage/quickstart-conditional-access.md), [running remote actions](../../configmgr/comanage/quickstart-remote-actions.md), [using Windows Autopilot](../../configmgr/comanage/quickstart-autopilot.md), and more.
For more information, go to:
diff --git a/memdocs/intune/fundamentals/what-is-intune.md b/memdocs/intune/fundamentals/what-is-intune.md
index a4fde607378..5fb07608a91 100644
--- a/memdocs/intune/fundamentals/what-is-intune.md
+++ b/memdocs/intune/fundamentals/what-is-intune.md
@@ -44,7 +44,7 @@ Microsoft Intune is a **cloud-based endpoint management solution**. It manages u
You can protect access and data on organization-owned and users personal devices. And, Intune has compliance and reporting features that support the [Zero Trust security model](zero-trust-with-microsoft-intune.md).
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWAoF9]
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=dbd45acc-fa88-41aa-a9ac-7a751378d603]
This article lists some features and benefits of Microsoft Intune.
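Review bot: The unchanged context line in this hunk reads "organization-owned and users personal devices"; the possessive is missing and should be "users' personal devices". Since the video embed on the next line is being replaced anyway, the apostrophe can be fixed in the same hunk.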
@@ -85,7 +85,7 @@ For more information, go to [Manage apps using Microsoft Intune](manage-apps.md)
✅ **Automate policy deployment**
-You can create policies for apps, security, device configuration, compliance, conditional access, and more. When the policies are ready, you can deploy these policies to your user groups and device groups. To receive these policies, the devices only need internet access.
+You can create policies for apps, security, device configuration, compliance, Conditional Access, and more. When the policies are ready, you can deploy these policies to your user groups and device groups. To receive these policies, the devices only need internet access.
For more information, go to [Assign policies in Microsoft Intune](../configuration/device-profile-assign.md).
@@ -120,7 +120,7 @@ For more information, go to [Intune Suite add-on features](intune-add-ons.md).
✅ **Use Microsoft Copilot in Intune for AI-generated analysis**
-Copilot in Intune is available and has capabilities that are powered by Copilot for Security.
+Copilot in Intune is available and has capabilities that are powered by Security Copilot.
Copilot can summarize existing policies, give you more setting information, including recommended values and potential conflicts. You can also get device details and troubleshoot a device.
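Review bot: The trailing context line "Copilot can summarize existing policies, give you more setting information, including recommended values and potential conflicts." reads as a run-on; while the product name is being updated to Security Copilot, consider "Copilot can summarize existing policies and give you more information about settings, including recommended values and potential conflicts."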
@@ -169,7 +169,7 @@ Microsoft Intune integrates with other Microsoft products and services that focu
- **[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint)** to help enterprises prevent, detect, investigate, and respond to threats
- In Intune, you can create a service-to-service connection between Intune and Microsoft Defender for Endpoint. When they're connected, you can create policies that scan files, detect threats, and report threat levels to Microsoft Defender for Endpoint. You can also create compliance policies that set an allowable level of risk. When combined with conditional access, you can block access to organization resources for devices that are noncompliant.
+ In Intune, you can create a service-to-service connection between Intune and Microsoft Defender for Endpoint. When they're connected, you can create policies that scan files, detect threats, and report threat levels to Microsoft Defender for Endpoint. You can also create compliance policies that set an allowable level of risk. When combined with Conditional Access, you can block access to organization resources for devices that are noncompliant.
For more specific information, go to:
@@ -252,7 +252,7 @@ On devices enrolled in Intune, you can:
- Create and deploy policies that configure security settings, set password requirements, deploy certificates, and more.
- Use mobile threat defense services to scan devices, detect threats, and remediate threats.
- View data and reports that measure compliance with your security settings and rules.
-- Use conditional access to only allow managed and compliant devices access to organization resources, apps, and data.
+- Use Conditional Access to only allow managed and compliant devices access to organization resources, apps, and data.
- Remove organization data if a device is lost or stolen.
For personal devices, users might not want their IT admins to have full control. To support a hybrid work environment, give users options. For example, users enroll their devices if they want full access to your organization's resources. Or, if these users only want access to Outlook or Microsoft Teams, then use app protection policies that require multifactor authentication (MFA).
@@ -262,7 +262,7 @@ On devices using application management, you can:
- Use mobile threat defense services to protect app data. The service can scan devices, detect threats, and assess risk.
- Prevent organization data from being copied and pasted into personal apps.
- Use app protection policies on apps and on unmanaged devices enrolled in a third party or partner MDM.
-- Use conditional access to restrict the apps that can access organization email and files.
+- Use Conditional Access to restrict the apps that can access organization email and files.
- Remove organization data within apps.
For more information, go to:
diff --git a/memdocs/intune/fundamentals/whats-new-archive.md b/memdocs/intune/fundamentals/whats-new-archive.md
index b4b41c64ea9..9fa2578dc50 100644
--- a/memdocs/intune/fundamentals/whats-new-archive.md
+++ b/memdocs/intune/fundamentals/whats-new-archive.md
@@ -810,7 +810,7 @@ Due to the rollout timelines, we're updating our documentation to the new experi
#### BlackBerry Protect Mobile now supports app protection policies
-You can now use Intune app protection policies with *BlackBerry Protect Mobile* (powered by Cylance AI). With this change, Intune supports BlackBerry Protect Mobile for mobile application management (MAM) scenarios for [unenrolled devices](../protect/mtd-add-apps-unenrolled-devices.md). This support includes the use of risk assessment with Conditional access and configuration of Conditional Launch settings for unenrolled devices.
+You can now use Intune app protection policies with *BlackBerry Protect Mobile* (powered by Cylance AI). With this change, Intune supports BlackBerry Protect Mobile for mobile application management (MAM) scenarios for [unenrolled devices](../protect/mtd-add-apps-unenrolled-devices.md). This support includes the use of risk assessment with Conditional Access and configuration of Conditional Launch settings for unenrolled devices.
While configuring the CylancePROTECT Mobile connector (formerly BlackBerry Mobile), you now can select options to turn on *App protection policy evaluation* for both Android and iOS/iPadOS devices.
@@ -1626,7 +1626,7 @@ Applies to:
For more information on these settings, see [Apple's developer website](https://developer.apple.com/documentation/devicemanagement/settingscommand/command/settings). For more information about configuring Settings Catalog profiles in Intune, see [Create a policy using settings catalog](../configuration/settings-catalog.md).
-#### New setting available in the macOS settings catalog
+#### New settings available in the macOS settings catalog
The [Settings Catalog](../configuration/settings-catalog.md) lists all the settings you can configure in a device policy, and all in one place.
@@ -2090,8 +2090,7 @@ In Intune, you can use the new **Store app** type to deploy Store apps to your d
Now, you can use the **Turn off the Store application** policy to disable end users' direct access to Store apps. When it's disabled, end users can still access and install Store apps from the Windows Company Portal app and through Intune app management. If you want to allow random store app installs outside of Intune, then don't configure this policy.
-The previous **Only display the private store within the Microsoft Store app** policy doesn't prevent end users from directly accessing the store using the Windows Package Manager `winget` APIs. So, if your goal is to block random unmanaged Store application installs on client devices, then it's recommended to use the **Turn off the Store application** policy. Don't use the **Only display the private store within the Microsoft Store app** policy
-.
+The previous **Only display the private store within the Microsoft Store app** policy doesn't prevent end users from directly accessing the store using the Windows Package Manager `winget` APIs. So, if your goal is to block random unmanaged Store application installs on client devices, then it's recommended to use the **Turn off the Store application** policy. Don't use the **Only display the private store within the Microsoft Store app** policy.
Applies to:
- Windows 10 and later
@@ -2578,7 +2577,7 @@ Applies to:
### App management
#### Microsoft Store for Business or Microsoft Store for Education
-Apps added from the Microsoft Store for Business or Microsoft Store for Education won't deploy to devices and users. Apps show as "not applicable" in reporting. Apps already deployed are unaffected. Use the [new Microsoft Store app](../apps/store-apps-microsoft.md) to deploy Microsoft Store apps to devices or users. For related information, see [Plan for Change: Ending support for Microsoft Store for Business and Education apps](whats-new.md#plan-for-change-ending-support-for-microsoft-store-for-business-and-education-apps) for upcoming dates when Microsoft Store for Business apps will no longer deploy and Microsoft Store for Business apps will be removed.
+Apps added from the Microsoft Store for Business or Microsoft Store for Education won't deploy to devices and users. Apps show as "not applicable" in reporting. Apps already deployed are unaffected. Use the [new Microsoft Store app](../apps/store-apps-microsoft.md) to deploy Microsoft Store apps to devices or users. For related information, see [Adding your Microsoft Store for Business and Education apps to the Microsoft Store in Intune](https://aka.ms/Intune/MSfB-support) for upcoming dates when Microsoft Store for Business apps will no longer deploy and Microsoft Store for Business apps will be removed.
For more information, see the following resources:
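Review bot: The replaced link moves from an in-repo anchor (`whats-new.md#plan-for-change-ending-support-for-microsoft-store-for-business-and-education-apps`) to the `https://aka.ms/Intune/MSfB-support` redirect, whose target is not visible in the diff; the PR description should say where the redirect resolves so reviewers can confirm the dates the sentence promises ("upcoming dates when Microsoft Store for Business apps will no longer deploy") still exist at the destination. The same applies to the identical change in the `@@ -2903` hunk below and to the `https://aka.ms/Intune-WIP-support` change in the `@@ -4262` hunk.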
@@ -2903,16 +2902,16 @@ The Microsoft Store for Business connector is no longer available in the [Micros
It's now also possible to delete Microsoft Store for Business apps from the **Apps** pane in the Microsoft Intune admin center so that you can clean up your environment as you move to the new Microsoft Store app type.
-For related information, see [Plan for Change: Ending support for Microsoft Store for Business and Education apps](whats-new.md#plan-for-change-ending-support-for-microsoft-store-for-business-and-education-apps) for upcoming dates when Microsoft Store for Business apps won't deploy and Microsoft Store for Business apps are removed.
+For related information, see [Adding your Microsoft Store for Business and Education apps to the Microsoft Store in Intune](https://aka.ms/Intune/MSfB-support) for upcoming dates when Microsoft Store for Business apps won't deploy and Microsoft Store for Business apps are removed.
### Device configuration
-#### Remote Help now supports conditional access capability
-Administrators can now utilize conditional access capability when setting up policies and conditions for Remote Help. For example, multifactor authentication, installing security updates, and locking access to Remote Help for a specific region or IP addresses.
+#### Remote Help now supports Conditional Access capability
+Administrators can now utilize Conditional Access capability when setting up policies and conditions for Remote Help. For example, multifactor authentication, installing security updates, and locking access to Remote Help for a specific region or IP addresses.
For more information, see:
-- [Conditional access](../protect/conditional-access.md)
+- [Conditional Access](../protect/conditional-access.md)
- [Remote Help](remote-help-windows.md#setup-conditional-access-for-remote-help)
### Device security
@@ -3725,7 +3724,7 @@ Configure Microsoft Intune to skip or show a new Setup Assistant pane called **T
As a public preview, you can use the Mobile Application Management (MAM) to the Microsoft Tunnel VPN gateway for iOS/iPadOS. With this preview for iOS devices that haven't enrolled with Intune, supported apps on those unenrolled devices can use Microsoft Tunnel to connect to your organization when working with corporate data and resources. This feature includes VPN gateway support for:
- Secure access to on-premises apps and resources using modern authentication
-- Single Sign On and conditional access
+- Single Sign On and Conditional Access
For more information, go to:
@@ -3749,7 +3748,7 @@ Applies to:
- Windows 11
#### SentinelOne – New mobile threat defense partner
-You can now use [SentinelOne](../protect/sentinelone-mobile-threat-defense-connector.md) as an integrated Mobile Threat Defense (MTD) partner with Intune. By configuring the SentinelOne connector in Intune, you can control mobile device access to corporate resources using conditional access that's based on risk assessment in your compliance policy. The SentinelOne connector can also send risk levels to app protection policies.
+You can now use [SentinelOne](../protect/sentinelone-mobile-threat-defense-connector.md) as an integrated Mobile Threat Defense (MTD) partner with Intune. By configuring the SentinelOne connector in Intune, you can control mobile device access to corporate resources using Conditional Access that's based on risk assessment in your compliance policy. The SentinelOne connector can also send risk levels to app protection policies.
### Device configuration
@@ -4063,7 +4062,7 @@ For more information, see [Use Access policies to require multiple administrativ
As a public preview, you can now use Microsoft Tunnel with unenrolled devices. This capability is called [Microsoft Tunnel for Mobile Application Management](../protect/microsoft-tunnel-mam.md) (MAM). This preview supports Android, and without any changes to your existing Tunnel infrastructure, supports the Tunnel VPN gateway for:
- Secure access to on-premises apps and resources using modern authentication
-- Single Sign On and conditional access
+- Single Sign On and Conditional Access
To use Tunnel MAM, unenrolled devices must install Microsoft Edge, Microsoft Defender for Endpoint, and the Company Portal. You can then use the Microsoft Intune admin center to configure the following profiles for the unenrolled devices:
@@ -4262,7 +4261,7 @@ All configurations need to be done in the Microsoft Intune admin center. The Mic
### App management
#### Ending support for Windows Information Protection
-Windows Information Protection (WIP) policies without enrollment are being deprecated. You can no longer create new WIP policies without enrollment. Until December of 2022, you can modify existing policies until the deprecation of the *without enrollment* scenario is complete. For more information, go to [Plan for Change: Ending support for Windows Information Protection](whats-new.md#plan-for-change-ending-support-for-windows-information-protection).
+Windows Information Protection (WIP) policies without enrollment are being deprecated. You can no longer create new WIP policies without enrollment. Until December of 2022, you can modify existing policies until the deprecation of the *without enrollment* scenario is complete. For more information, go to [Support tip: End of support guidance for Windows Information Protection](https://aka.ms/Intune-WIP-support).
### Device Configuration
@@ -4751,7 +4750,7 @@ The **All devices** option is now available for [compliance policy](../protect/c
When you include the *All devices* group, you can then exclude individual groups of devices to further refine the assignment scope.
#### Trend Micro – New mobile threat defense partner
-You can now use [Trend Micro Mobile Security as a Service](../protect/trend-micro-mobile-threat-defense-connector.md) as an integrated mobile threat defense (MTD) partner with Intune. By configuring the Trend MTD connector in Intune, you can control mobile device access to corporate resources using conditional access that's based on risk assessment.
+You can now use [Trend Micro Mobile Security as a Service](../protect/trend-micro-mobile-threat-defense-connector.md) as an integrated mobile threat defense (MTD) partner with Intune. By configuring the Trend MTD connector in Intune, you can control mobile device access to corporate resources using Conditional Access that's based on risk assessment.
For more information, see:
- [Mobile threat defense integration with Intune](../protect/mobile-threat-defense.md)
@@ -5402,4 +5401,4 @@ Intune's remote action to [Collect diagnostics](../remote-actions/collect-diagno
The new details that are collected include:
- Files: `C:\Program Files\Microsoft Update Health Tools\Logs\*.etl`
-- Registry Keys: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CloudManagedUpdate`
\ No newline at end of file
+- Registry Keys: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CloudManagedUpdate`
diff --git a/memdocs/intune/fundamentals/whats-new.md b/memdocs/intune/fundamentals/whats-new.md
index 8e8e34fe44f..3106c21f527 100644
--- a/memdocs/intune/fundamentals/whats-new.md
+++ b/memdocs/intune/fundamentals/whats-new.md
@@ -7,7 +7,7 @@ keywords:
author: brenduns
ms.author: brenduns
manager: dougeby
-ms.date: 10/31/2024
+ms.date: 01/21/2025
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: fundamentals
@@ -75,6 +75,171 @@ You can use RSS to be notified when this page is updated. For more information,
### Tenant administration
-->
+
+## Week of January 20, 2025
+
+### Monitor and troubleshoot
+
+#### Use Support Assistant to resolve issues
+
+Support Assistant is now available in Intune. It leverages AI to enhance your help and support experience, ensuring more efficient issue resolution. Support Assistant is available in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) by selecting **Troubleshoot + support** > **Help and Support**, or by selecting the question mark near your profile pic. Currently, the Support Assistant is in preview. You can enable and disable Support Assistant by choosing to opt-in and opt-out at any time. For related information, see [How to get support in the Microsoft Intune admin center](/mem/get-support).
+
+## Week of December 30, 2024
+
+### Device enrollment
+
+#### Intune ends support for Android device administrator on devices with access to Google Mobile Services
+As of December 31, 2024, Microsoft Intune no longer supports Android device administrator management on devices with access to Google Mobile Services (GMS). This change comes after Google deprecated Android device administrator management and ceased support. Intune support and help documentation remains for devices without access to GMS running Android 15 or earlier, and Microsoft Teams devices migrating to Android Open Source Project (AOSP) management. For more information about how this change impacts your tenant, see [Intune ending support for Android device administrator on devices with GMS access in December 2024](https://techcommunity.microsoft.com/blog/intunecustomersuccess/intune-ending-support-for-android-device-administrator-on-devices-with-gms-in-de/3915443).
+
+
+## Week of December 16, 2024 (Service release 2412)
+
+### App management
+
+#### Increased scale for Customization policies
+
+You can now create up to 25 policies that customize the Company Portal and Intune app experience. The previous maximum number of Customization policies was 10. Navigate to the Intune admin center, and select **Tenant administration** > **Customization**.
+
+For more information about customizing the Company Portal and Intune apps, see [Customizing the user experience](../apps/company-portal-app.md#customizing-the-user-experience).
+
+### Device security
+
+#### Support for tamper protection in policies for Security settings management for Microsoft Defender for Endpoint
+
+> [!NOTE]
+>
+> *Rollout of this feature is delayed and now expected to be available on or around January 18th, 2025.*
+
+You can now manage the Microsoft Defender for Endpoint CSP setting for [tamper protection](/windows/client-management/mdm/defender-csp) on unenrolled devices you manage as part of the [Defender for Endpoint security settings management](../protect/mde-security-integration.md#which-solution-should-i-use) scenario.
+
+With this support, tamper protection configurations from *Windows Security Experience* profiles for *Antivirus* policies now apply to all devices instead of only to those that are enrolled with Intune.
+
+
+### Device configuration
+
+#### Ending support for administrative templates when creating a new configuration profile
+
+Customers cannot create new Administrative Templates configuration profile through **Devices > Configuration > Create > New policy > Windows 10 and later > Administrative Templates**. A (retired) tag is seen next to **Administrative Templates** and the **Create** button is now greyed out. Other templates will continue to be supported.
+
+However, customers can now use the Settings Catalog for creating new **Administrative Templates** configuration profile by navigating to **Devices > Configuration > Create > New policy > Windows 10 and later > Settings Catalog**.
+
+There are no changes in the following UI experiences:
+
+- Editing an existing Administrative template.
+- Deleting an existing Administrative template.
+- Adding, modifying or deleting settings in an existing Administrative template.
+- **Imported Administrative templates (Preview)** template, which is used for Custom ADMX.
+
+For more information, see [Use ADMX templates on Windows 10/11 devices in Microsoft Intune](..\configuration\administrative-templates-windows.md).
+
+Applies to:
+
+- Windows
+
+### Device management
+
+#### More Wi-Fi configurations are now available for personally-owned work profile devices
+
+Intune Wi-Fi configuration profiles for Android Enterprise personally-owned work profile devices now support configuration of pre-shared keys and proxy settings.
+
+You can find these settings in the admin console in **Devices** > **Manage devices** > **Configuration** > **Create** > **New Policy**. Set **Platform** to Android Enterprise and then in the **Personally-Owned Work Profile** section, select Wi-Fi and select the **Create** button.
+
+In the **Configuration settings** tab, when you select Basic Wi-Fi type, several new options are available:
+
+1. Security type, with options for Open (no authentication), WEP-Pre-shared key, and WPA-Pre-shared key.
+
+2. Proxy settings, with the option to select Automatic and then specify the proxy server URL.
+
+It was possible to configure these in the past with Custom Configuration policies, but going forward, we recommend setting these in the Wi-Fi Configuration profile, because [Intune is ending support for Custom policies in April 2024.](https://aka.ms/Intune/Android-customprofiles).
+
+For more information, see [Wi-Fi settings for personally-owned work profile devices.](../configuration/wi-fi-settings-android-enterprise.md#personally-owned-work-profile).
+
+Applies to:
+
+- Android Enterprise
+
+## Week of December 9, 2024
+
+### Tenant administration
+
+#### Intune now supports Ubuntu 24.04 LTS for Linux management.
+
+We're now supporting device management for Ubuntu 24.04 LTS. You can enroll and manage Linux devices running Ubuntu 24.04, and assign standard compliance policies, custom configuration scripts, and compliance scripts.
+
+For more information, see the following in Intune documentation:
+
+- [Deployment guide: Manage Linux devices in Microsoft Intune](../fundamentals/deployment-guide-platform-linux.md)
+- [Enrollment guide: Enroll Linux desktop devices in Microsoft Intune](../fundamentals/deployment-guide-enrollment-linux.md). To enroll Linux devices, ensure that they are running Ubuntu 20.04 LTS or higher.
+
+Applies to:
+
+- Linux Ubuntu Desktops
+
+## Week of December 2, 2024
+
+### Device enrollment
+
+#### Change to enrollment behavior for iOS enrollment profile type
+
+At Apple WWDC 2024, Apple ended support for profile-based Apple user enrollment. For more information, see [Support has ended for profile-based user enrollment with Company Portal](#support-has-ended-for-apple-profile-based-user-enrollment-with-company-portal). As a result of this change, we updated the behavior that occurs when you select **Determine based on user choice** as the enrollment profile type for bring-your-own-device (BYOD) enrollments.
+
+Now when users select **I own this device** during a BYOD enrollment, Microsoft Intune enrolls them via account-driven user enrollment, rather than profile-based user enrollment, and then secures only work-related apps. Less than one percent of Apple devices across all Intune tenants are currently enrolled this way, so this change doesn't affect most enrolled devices. There is no change for iOS users who select **My company owns this device** during a BYOD enrollment. Intune enrolls them via device enrollment with Intune Company Portal, and then secures their entire device.
+
+If you currently allow users in BYOD scenarios to determine their enrollment profile type, you must take action to ensure account-driven user enrollment works by completing all prerequisites. For more information, see [Set up account driven Apple user enrollment](../enrollment/apple-account-driven-user-enrollment.md). If you don't give users the option to choose their enrollment profile type, there are no action items.
+
+### Device management
+
+#### Device Inventory for Windows
+
+Device inventory lets you collect and view additional hardware properties from your managed devices to help you better understand the state of your devices and make business decisions.
+
+You can now choose what you want to collect from your devices, using the catalog of properties and then view the collected properties in the Resource Explorer view.
+
+For more information, see:
+
+- [Properties catalog](../configuration/properties-catalog.md)
+- [Data collection platform](../../analytics/data-platform-schema.md)
+
+Applies to:
+
+- Windows 10 and later (Corporate owned devices managed by Intune)
+
+## Week of November 18, 2024 (Service release 2411)
+
+### App management
+
+#### Configuration values for specific managed applications on Intune enrolled iOS devices
+
+Starting with Intune's September (2409) service release, the **IntuneMAMUPN**, **IntuneMAMOID**, and **IntuneMAMDeviceID** app configuration values are automatically sent to managed applications on Intune enrolled iOS devices for the following apps:
+
+- Microsoft Excel
+- Microsoft Outlook
+- Microsoft PowerPoint
+- Microsoft Teams
+- Microsoft Word
+
+For more information, see [Plan for Change: Specific app configuration values will be automatically sent to specific apps](../fundamentals/whats-new.md#plan-for-change-specific-app-configuration-values-will-be-automatically-sent-to-specific-apps) and Intune [Support tip: Intune MAM users on iOS/iPadOS userless devices may be blocked in rare cases](https://techcommunity.microsoft.com/blog/intunecustomersuccess/support-tip-intune-mam-users-on-iosipados-userless-devices-may-be-blocked-in-rar/4254335).
+
+#### Additional installation error reporting for LOB apps on AOSP devices
+
+Additional details are now provided for app installation reporting of Line of Business (LOB) apps on Android Open Source Project (AOSP) devices. You can view installation error codes and detailed error messages for LOB apps in Intune.
+
+For information about app installation error details, see [Monitor app information and assignments with Microsoft Intune](../apps/apps-monitor.md#app-installation-error-reporting).
+
+Applies to:
+
+- Android Open Source Project (AOSP) devices
+
+#### Microsoft Teams app protection on VisionOS devices (preview)
+
+Microsoft Intune app protection policies (APP) are now supported on the Microsoft Teams app on VisionOS devices.
+
+To learn more about how to target policies to VisionOS devices, see [Managed app properties](../fundamentals/filters-device-properties.md#managed-app-properties) for more information about filters for managed app properties.
+
+Applies to:
+
+- Microsoft Teams for iOS on VisionOS devices
+
## Week of October 28, 2024
### Device security
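Review bot: the link path in `[Use ADMX templates on Windows 10/11 devices in Microsoft Intune](..\configuration\administrative-templates-windows.md)` uses backslashes, while every other relative link in this block uses forward slashes (for example `../configuration/wi-fi-settings-android-enterprise.md`); a backslash path will not resolve on the docs build, so change it to `../configuration/administrative-templates-windows.md`. Smaller points in the same added block: the heading `#### Intune now supports Ubuntu 24.04 LTS for Linux management.` ends with a period, unlike the other headings; the links `[Intune is ending support for Custom policies in April 2024.](https://aka.ms/Intune/Android-customprofiles).` and `[Wi-Fi settings for personally-owned work profile devices.](...)` carry the sentence period inside the link text and a second one after it; "Customers cannot create new Administrative Templates configuration profile" needs an article or a plural ("a new ... profile" or "new ... profiles"), and "A (retired) tag is seen next to" reads better as "A **(retired)** tag appears next to"; the VisionOS sentence says both "To learn more" and "for more information", so drop one. Also, the Android Wi-Fi item says "Intune is ending support for Custom policies in April 2024" in the present tense inside notes for a 2025 week; if that date has passed, reword to "ended support ... in April 2024".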
@@ -117,7 +282,7 @@ For information about this Autopilot support, see the following in the Autopilot
#### Minimum OS version for Android devices is Android 10 and later for user-based management methods
-Beginning in October 2024, Android 10 and later is the minimum Android OS version that is supported for user-based management methods, which includes:
+Beginning in October 2024, Android 10 and later is the [minimum Android OS version that is supported for user-based management methods](../fundamentals/supported-devices-browsers.md#android), which includes:
- Android Enterprise personally-owned work profile
- Android Enterprise corporate owned work profile
@@ -139,7 +304,7 @@ Userless methods of Android device management (Dedicated and AOSP userless) and
#### Collection of additional device inventory details
-Intune now collects additional files and registry keys to assist in troubleshooting the Device Hardware Inventory feature.
+Intune now collects additional files and registry keys to assist in troubleshooting the [Device Hardware Inventory](../remote-actions/collect-diagnostics.md) feature.
Applies to:
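Review bot: the new link on "troubleshooting the [Device Hardware Inventory](../remote-actions/collect-diagnostics.md) feature" wraps the feature name but points at the collect-diagnostics page, while the feature's own page used elsewhere in this change is `../configuration/properties-catalog.md`. Either link the feature name to the properties catalog page, or reword so the link text names what it targets, for example "the [Collect diagnostics](../remote-actions/collect-diagnostics.md) action now gathers additional files and registry keys to help troubleshoot Device Hardware Inventory".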
@@ -161,7 +326,7 @@ For more information, see [New look for Intune Company Portal app for Windows](h
The Key Distribution Center (KDC) requires user or device objects to be strongly mapped to Active Directory for certificate-based authentication. This means that a Simple Certificate Enrollment Protocol (SCEP) certificate's subject alternative name (SAN) must have a security identifier (SID) extension that maps to the user or device SID in Active Directory. The mapping requirement protects against certificate spoofing and ensures that certificate-based authentication against the KDC continues working.
-To meet requirements, modify or create a SCEP certificate profile in Microsoft Intune. Then add a `URI` attribute and the `OnPremisesSecurityIdentifier` variable to the SAN. After you do that, Microsoft Intune appends a tag with the SID extension to the SAN and issues new certificates to targeted users and devices. If the user or device has a SID on premises that's been synced to Microsoft Entra ID, the certificate shows the SID. If they don't have a SID, a new certificate is issued without the SID.
+To meet requirements, modify or create a SCEP certificate profile in Microsoft Intune. Then add a `URI` attribute and the `OnPremisesSecurityIdentifier` variable to the SAN. After you do that, Microsoft Intune appends a tag with the SID extension to the SAN and issues new certificates to targeted users and devices. If the user or device has a SID on premises that's synced to Microsoft Entra ID, the certificate shows the SID. If they don't have a SID, a new certificate is issued without the SID.
For more information and steps, see [Update certificate connector: Strong mapping requirements for KB5014754](../protect/certificates-profile-scep.md).
@@ -184,7 +349,7 @@ For more information about the Intune features supported in GCC High and DoD env
#### Updates to PKCS certificate issuance process in Microsoft Intune Certificate Connector, version 6.2406.0.1001
-We've updated the process for Public Key Cryptography Standards (PKCS) certificate issuance in Microsoft Intune to support the security identifiers (SID) information requirements described in [KB5014754](https://support.microsoft.com/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16). As part of this update, an OID attribute containing the user or device SID is added to the certificate. This change is available with the Certificate Connector for Microsoft Intune, version 6.2406.0.1001, and applies to users and devices synced from Active Directory on-premises to Microsoft Entra ID.
+We updated the process for Public Key Cryptography Standards (PKCS) certificate issuance in Microsoft Intune to support the security identifiers (SID) information requirements described in [KB5014754](https://support.microsoft.com/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16). As part of this update, an OID attribute containing the user or device SID is added to the certificate. This change is available with the Certificate Connector for Microsoft Intune, version 6.2406.0.1001, and applies to users and devices synced from Active Directory on-premises to Microsoft Entra ID.
The SID update is available for user certificates across all platforms, and for device certificates specifically on Microsoft Entra hybrid joined Windows devices.
@@ -202,6 +367,12 @@ For more information, see:
Working time settings allow you to enforce policies that limit access to apps and mute message notifications received from apps during non-working time. The limit access setting is now available for the Microsoft Teams and Microsoft Edge apps. You can limit access by using App Protection Policies (APP) to block or warn end users from using the iOS/iPadOS or Android Teams and Microsoft Edge apps during non-working time by setting the **Non-working time** conditional launch setting. Also, you can create a non-working time policy to mute notifications from the Teams app to end users during non-working time.
+For more information, see:
+
+- [Android app protection policy settings](../apps/app-protection-policy-settings-android.md#conditional-launch)
+- [iOS app protection policy settings](../apps/app-protection-policy-settings-ios.md#conditional-launch)
+- [Quiet time policies for iOS/iPadOS and Android apps](../apps/apps-quiet-time-policies.md#quiet-time-policy-types)
+
Applies to:
- Android
@@ -209,7 +380,7 @@ Applies to:
#### Streamlined app creation experience for apps from Enterprise App Catalog
-We've streamlined the way apps from Enterprise App Catalog are added to Intune. We now provide a direct app link rather than duplicating the app binaries and metadata. App contents now download from a `*.manage.microsoft.com` subdomain. This update helps to improve the latency when adding an app to Intune. When you add an app from Enterprise App Catalog, it syncs immediately and is ready for additional action from within Intune.
+We've streamlined the way apps from [Enterprise App Catalog](../apps/apps-add-enterprise-app.md) are added to Intune. We now provide a direct app link rather than duplicating the app binaries and metadata. App contents now download from a `*.manage.microsoft.com` subdomain. This update helps to improve the latency when adding an app to Intune. When you add an app from Enterprise App Catalog, it syncs immediately and is ready for additional action from within Intune.
#### Update Enterprise App Catalog apps
@@ -381,7 +552,7 @@ All Android devices automatically migrate to the updated Managed Home Screen (MH
#### Support has ended for Apple profile-based user enrollment with Company Portal
-Apple supports two types of manual enrollment methods for users and devices in bring-your-own-device (BYOD) scenarios: *profile-based enrollment* and *account-driven enrollment*. Apple has ended support for profile-based user enrollment, known in Intune as *user enrollment with Company Portal*. This method was their privacy-focused BYOD enrollment flow that used managed Apple IDs. As a result of this change, Intune has ended support for [profile-based user enrollment with Company Portal](../enrollment/apple-user-enrollment-with-company-portal.md). Users can no longer enroll devices targeted with this enrollment profile type. This change doesn't affect devices that are already enrolled with this profile type, so you can continue to manage them in the admin center and receive Microsoft Intune technical support. Less than 1% of Apple devices across all Intune tenants are currently enrolled this way, so this change doesn't affect most enrolled devices.
+Apple supports two types of manual enrollment methods for users and devices in bring-your-own-device (BYOD) scenarios: *profile-based enrollment* and *account-driven enrollment*. Apple ended support for profile-based user enrollment, known in Intune as *user enrollment with Company Portal*. This method was their privacy-focused BYOD enrollment flow that used managed Apple IDs. As a result of this change, Intune has ended support for [profile-based user enrollment with Company Portal](../enrollment/apple-user-enrollment-with-company-portal.md). Users can no longer enroll devices targeted with this enrollment profile type. This change doesn't affect devices that are already enrolled with this profile type, so you can continue to manage them in the admin center and receive Microsoft Intune technical support. Less than 1% of Apple devices across all Intune tenants are currently enrolled this way, so this change doesn't affect most enrolled devices.
There's no change to profile-based device enrollment with Company Portal, the default enrollment method for BYOD scenarios. Devices enrolled via Apple automated device enrollment also remain unaffected.
@@ -595,7 +766,7 @@ Intune now supports account-driven Apple User Enrollment, the new, and improved
For more information, see [Set up account driven Apple User Enrollment](../enrollment/apple-account-driven-user-enrollment.md) on Microsoft Learn.
-Apple has announced they are ending support for profile-based Apple User Enrollment. As a result, Microsoft Intune will end support for Apple User Enrollment with Company Portal shortly after the release of iOS/iPadOS 18. We recommend enrolling devices with account-driven Apple User Enrollment for similar functionality and an improved user experience.
+Apple announced they are ending support for profile-based Apple User Enrollment. As a result, Microsoft Intune will end support for Apple User Enrollment with Company Portal shortly after the release of iOS/iPadOS 18. We recommend enrolling devices with account-driven Apple User Enrollment for similar functionality and an improved user experience.
#### Use corporate Microsoft Entra account to enable Android Enterprise management options in Intune
@@ -678,7 +849,7 @@ Applies to:
You can specify the time that OS updates are enforced on devices in their local time zone. For example, configuring an OS update to be enforced at 5pm schedules the update for 5pm in the device's local time zone. Previously, this setting used the time zone of the browser where the policy was configured.
-This change only applies to new policies that are created in the August 2408 release and later. The **Target Date Time** setting is in the settings catalog at **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **iOS/iPadOS** or **macOS** for platform > **Settings catalog** for profile type > **Declarative Device Management** > Software Update.
+This change only applies to new policies that are created in the August 2408 release and later. The **Target Date Time** setting is in the [settings catalog](../configuration/settings-catalog.md) at **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **iOS/iPadOS** or **macOS** for platform > **Settings catalog** for profile type > **Declarative Device Management** > Software Update.
In a future release, the **UTC** text will be removed from the **Target Date Time** setting.
@@ -751,7 +922,9 @@ ACME is supported for Apple Device Enrollment, Apple Configurator enrollment, an
- iOS 16.0 or later
- iPadOS 16.1 or later
-- macOS 13.1 or later
+- macOS 13.1 or later
+
+This capability is also supported in [GCC High tenants](../fundamentals/intune-govt-service-description.md).
## Week of July 22, 2024 (Service release 2407)
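Review bot: the `- macOS 13.1 or later` line is removed and re-added with identical visible text, so the change is whitespace-only (trailing spaces or a line-ending change); confirm it is intentional rather than editor noise, since it adds churn to a list that otherwise does not change. The added GCC High sentence is fine.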
@@ -865,7 +1038,7 @@ You can now configure just-in-time (JIT) registration and JIT compliance remedia
We have consolidated the Intune profiles that were related to identity and account protection, into a single new profile named *Account protection*. This new profile is found in the [account protection policy node of endpoint security](../protect/endpoint-security-account-protection-policy.md), and is now the only profile template that remains available when creating new policy instances for identity and account protection. The new profile includes Windows Hello for Business settings for both users and devices, and settings for Windows Credential Guard.
-Because this new profile uses Intune’s unified settings format for device management, the profiles settings are also available through the settings catalog, and help to improve the reporting experience in the Intune admin center.
+Because this new profile uses Intune’s unified settings format for device management, the profiles settings are also available through the [settings catalog](../configuration/settings-catalog.md), and help to improve the reporting experience in the Intune admin center.
You can continue to use any instances of the following profile templates that you already have in place, but Intune no longer supports creating new instances of these profiles:
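Review bot: "the profiles settings are also available" is carried over unchanged into the new line; it should read "the profile's settings". Since this line is already being edited to add the settings catalog link, fix the possessive in the same change.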
@@ -1345,7 +1518,7 @@ Applies to:
Feature updates can now be made available to end users as **Optional** updates, with the introduction of **Optional** Feature updates. End users see the update in the **Windows Update** settings page in the same way that it's shown for consumer devices.
-End users can easily opt in to try out the next Feature update and provide feedback. When it's time to roll out the feature as a **Required** update, then admins can change the setting on the policy, and update the rollout settings so that the update is deployed as a **Required** update to devices that don't yet have it installed.
+End users can easily opt in to try out the next Feature update and provide feedback. When it's time to roll out the feature as a **Required** update, admins can change the setting on the policy and update the rollout settings so that the update is deployed as a **Required** update to devices that don't yet have it installed.
For more information on Optional Feature updates, see [Feature updates for Windows 10 and later policy in Intune](..//protect/windows-10-feature-updates.md#create-and-assign-feature-updates-for-windows-10-and-later-policy).
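Review bot: the link on the unchanged line right after this edit, `(..//protect/windows-10-feature-updates.md#create-and-assign-feature-updates-for-windows-10-and-later-policy)`, has a doubled slash in the relative path; since the paragraph is being touched anyway, change it to `../protect/...`. The grammar fix in the hunk itself is fine.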
diff --git a/memdocs/intune/includes/android-device-administrator-support.md b/memdocs/intune/includes/android-device-administrator-support.md
index 6338e8f11ff..5fd923c6c12 100644
--- a/memdocs/intune/includes/android-device-administrator-support.md
+++ b/memdocs/intune/includes/android-device-administrator-support.md
@@ -4,7 +4,7 @@ description: include file
author: lenewsad
ms.service: microsoft-intune
ms.topic: include
-ms.date: 06/12/2024
+ms.date: 12/31/2024
ms.author: lanewsad
ms.custom: include file
ms.collection:
@@ -13,4 +13,4 @@ ms.collection:
---
> [!IMPORTANT]
-> Microsoft Intune is ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) on December 31, 2024. After that date, device enrollment, technical support, bug fixes, and security fixes will be unavailable. If you currently use device administrator management, we recommend switching to another Android management option in Intune before support ends. For more information, see [Ending support for Android device administrator on GMS devices](https://techcommunity.microsoft.com/t5/intune-customer-success/microsoft-intune-ending-support-for-android-device-administrator/ba-p/3915443).
+> Android device administrator management is deprecated and no longer available for devices with access to Google Mobile Services (GMS). If you currently use device administrator management, we recommend switching to another Android management option. Support and help documentation remain available for some devices without GMS, running Android 15 and earlier. For more information, see [Ending support for Android device administrator on GMS devices](https://techcommunity.microsoft.com/t5/intune-customer-success/microsoft-intune-ending-support-for-android-device-administrator/ba-p/3915443).
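Review bot: the rewritten note drops two concrete facts the old text had: the date support ended (December 31, 2024, which is also the new `ms.date` in this file) and what exactly is unavailable (enrollment, technical support, bug fixes, security fixes), replacing them with "deprecated and no longer available". Readers landing on this include after the cutoff still need the date and the list of what stopped, for example "Since December 31, 2024, Android device administrator management is no longer supported on devices with access to Google Mobile Services (GMS): enrollment, technical support, bug fixes, and security fixes are unavailable." Also "Support and help documentation remain available for some devices without GMS, running Android 15 and earlier" is vague about which devices qualify; if the set is defined somewhere, link it, otherwise drop "some".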
diff --git a/memdocs/intune/includes/intune-notices.md b/memdocs/intune/includes/intune-notices.md
index 615a5ca2d36..751c02f1e05 100644
--- a/memdocs/intune/includes/intune-notices.md
+++ b/memdocs/intune/includes/intune-notices.md
@@ -4,7 +4,7 @@ description: include file
author: dougeby
ms.service: microsoft-intune
ms.topic: include
-ms.date: 10/30/2024
+ms.date: 1/6/2025
ms.author: dougeby
manager: dougeby
ms.custom: include file
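Review bot: `ms.date: 1/6/2025` drops the zero padding that the date it replaces (`10/30/2024`) and the other include in this change (`12/31/2024`) use; write it as `01/06/2025` so the metadata stays in a consistent MM/DD/YYYY form for tooling that parses it.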
@@ -12,52 +12,132 @@ ms.custom: include file
These notices provide important information that can help you prepare for future Intune changes and features.
-### Update to the latest Intune App SDK and Intune App Wrapper for Android 15 support
-We've recently released new versions of the Intune App SDK and Intune App Wrapping Tool for Android to support Android 15. We recommend upgrading your app to the latest SDK or wrapper versions to ensure applications stay secure and run smoothly.
-
+### Move to new Microsoft Graph Beta API properties for Windows Autopilot self-deploying mode and pre-provisioning
+
+In late February 2025, a select number of old Microsoft Graph Beta API [windowsAutopilotDeploymentProfile](/graph/api/resources/intune-shared-windowsautopilotdeploymentprofile) properties used for Windows Autopilot self-deploying mode and pre-provisioning will be removed and stop working. The same data can be found using newer Graph API properties.
+
#### How does this affect you or your users?
-If you have applications using the Intune App SDK or Intune App Wrapping Tool for Android, it's recommended that you update your app to the latest version to support Android 15.
-
+If you have automation or scripts using the following Windows Autopilot properties, you must update to the new properties to prevent them from breaking.
+
+| Old | New |
+| -------- | ------- |
+| enableWhiteglove | preprovisioningAllowed |
+| extractHardwareHash | hardwareHashExtractionEnabled |
+| language | Locale |
+| outOfBoxExperienceSettings | outOfBoxExperienceSetting |
+| outOfBoxExperienceSettings.HidePrivacySettings | outOfBoxExperienceSetting.PrivacySettingsHidden |
+| outOfBoxExperienceSettings.HideEULA | outOfBoxExperienceSetting.EULAHidden |
+| outOfBoxExperienceSettings.SkipKeyboardSelectionPage | outOfBoxExperienceSettings.KeyboardSelectionPageSkipped |
+| outOfBoxExperienceSettings.HideEscapeLink | outOfBoxExperienceSettings.EscapeLinkHidden |
+
#### How can you prepare?
-If you choose to build apps targeting Android API 35, you'll need to adopt the new version of the Intune App SDK for Android (v11.0.0). If you’ve wrapped your app and are targeting API 35 you'll need to use the new version of the App wrapper (v1.0.4549.6).
+Update your automation or scripts to use the new Graph API properties to avoid deployment issues.
-> [!NOTE]
-> As a reminder, while apps must update to the latest SDK if targeting Android 15, apps do not need to update the SDK to simply run on Android 15.
+**Additional information:**
-You should also plan to update your documentation or developer guidance if applicable to include this change in support for the SDK.
+- [windowsAutopilotDeploymentProfile resource type - Microsoft Graph Beta | Microsoft Learn](/graph/api/resources/intune-shared-windowsautopilotdeploymentprofile)
+- [azureADWindowsAutopilotDeploymentProfile resource type - Microsoft Graph Beta | Microsoft Learn](/graph/api/resources/intune-enrollment-azureadwindowsautopilotdeploymentprofile)
+- [outOfBoxExperienceSettings resource type - Microsoft Graph Beta | Microsoft Learn](/graph/api/resources/intune-enrollment-outofboxexperiencesettings)
-Here are the public repositories:
-- [Intune App SDK for Android](https://github.com/microsoftconnect/ms-intune-app-sdk-android)
-- [Intune App Wrapping Tool for Android](https://github.com/microsoftconnect/intune-app-wrapping-tool-android)
+### Plan for Change: Blocking screen capture in the latest Intune App SDK for iOS and Intune App Wrapping Tool for iOS
+
+We recently released updated versions of the Intune App SDK and the Intune App Wrapping Tool. Included in these releases (v19.7.5+ for Xcode 15 and v20.2.0+ for Xcode 16) is the support for blocking screen capture, Genmojis and writing tools in response to the new AI features in iOS/iPadOS 18.2.
+
+#### How does this affect you or your users?
+
+For apps that have updated to the latest Intune App SDK or Intune App Wrapping Tool versions screen capture will be blocked if you've configured “Send Org data to other apps” to a value other than “All apps”. To allow screen capture for your iOS/iPadOS devices, configure the [Managed apps app configuration policy](../apps/app-configuration-policies-managed-app.md) setting “com.microsoft.intune.mam.screencapturecontrol" to **Disabled**.
+
+#### How can you prepare?
+
+Review your app protection policies and if needed, create a [Managed apps app configuration policy](../apps/app-configuration-policies-managed-app.md) to allow screen capture by configuring the above setting *(Apps > App configuration policies > Create > Managed apps > Step 3 ‘Settings’ under General configuration)*. For more information review, [iOS app protection policy settings – Data protection](../apps/app-protection-policy-settings-ios.md#data-protection) and [App configuration policies - Managed apps](../apps/app-configuration-policies-overview.md#managed-apps).
### Take Action: Update to the latest Intune App SDK for iOS and Intune App Wrapping Tool for iOS
-To support the upcoming release of iOS/iPadOS 18.1, update to the latest versions of the Intune App SDK and the Intune App Wrapping Tool to ensure applications stay secure and run smoothly. **Important:** If you don't update to the latest versions, some app protection policies may not apply to your app in certain scenarios. Review the following GitHub announcements for more details on the specific impact:
+To support the upcoming release of iOS/iPadOS 18.2, update to the latest versions of the Intune App SDK and the Intune App Wrapping Tool to ensure applications stay secure and run smoothly. **Important:** If you don't update to the latest versions, some app protection policies may not apply to your app in certain scenarios. Review the following GitHub announcements for more details on the specific impact:
-- SDK for iOS: [Update recommended prior to iOS 18.1 general availability - microsoftconnect/ms-intune-app-sdk-ios - Discussion #477](https://github.com/microsoftconnect/ms-intune-app-sdk-ios/discussions/477)
-- Wrapper for iOS: [Update recommended prior to iOS 18.1 general availability - microsoftconnect/intune-app-wrapping-tool-ios - Discussion #125](https://github.com/microsoftconnect/intune-app-wrapping-tool-ios/discussions/125)
+- SDK for iOS: [Update recommended prior to iOS 18.2 general availability - microsoftconnect/ms-intune-app-sdk-ios - Discussion #495](https://github.com/microsoftconnect/ms-intune-app-sdk-ios/discussions/495)
+- Wrapper for iOS: [Update recommended prior to iOS 18.2 general availability - microsoftconnect/intune-app-wrapping-tool-ios - Discussion #128](https://github.com/microsoftconnect/intune-app-wrapping-tool-ios/discussions/128)
As a best practice, always update your iOS apps to the latest App SDK or App Wrapping Tool to ensure that your app continues to run smoothly.
#### How does this affect you or your users?
-If you have applications using the Intune App SDK or Intune App Wrapping Tool, you'll need to update to the latest version to support iOS 18.1.
+If you have applications using the Intune App SDK or Intune App Wrapping Tool, you'll need to update to the latest version to support iOS 18.2.
#### How can you prepare?
-For apps running on iOS 18.1, you must update to the new version of the Intune App SDK for iOS
+For apps running on iOS 18.2, you must update to the new version of the Intune App SDK for iOS:
+- [For apps built with XCode 15 use v19.7.6 - Release 19.7.6 - microsoftconnect/ms-intune-app-sdk-ios - GitHub](https://github.com/microsoftconnect/ms-intune-app-sdk-ios/releases/tag/19.7.6)
+- [For apps built with XCode 16 use v20.2.1 - Release 20.2.1 - microsoftconnect/ms-intune-app-sdk-ios - GitHub](https://github.com/microsoftconnect/ms-intune-app-sdk-ios/releases/tag/20.2.1)
+
+For apps running on iOS 18.2, you must update to the new version of the Intune App Wrapping Tool for iOS:
+- [For apps built with XCode 15 use v19.7.6 - Release 19.7.6 - microsoftconnect/intune-app-wrapping-tool-ios - GitHub](https://github.com/microsoftconnect/intune-app-wrapping-tool-ios/releases/tag/19.7.6)
+- [For apps built with XCode 16 use v20.2.1 - Release 20.2.1 - microsoftconnect/intune-app-wrapping-tool-ios - GitHub](https://github.com/microsoftconnect/intune-app-wrapping-tool-ios/releases/tag/20.2.1)
-- For apps built with XCode 15 use v19.7.1 - [Release 19.7.1 - microsoftconnect/ms-intune-app-sdk-ios - GitHub](https://github.com/microsoftconnect/ms-intune-app-sdk-ios/releases/tag/19.7.1)
-- For apps built with XCode 16 use v20.1.2 - [Release 20.1.2 - microsoftconnect/ms-intune-app-sdk-ios - GitHub](https://github.com/microsoftconnect/ms-intune-app-sdk-ios/releases/tag/20.1.2)
+> [!IMPORTANT]
+>
+> The listed SDK releases support blocking screen capture, Genmojis and writing tools in response to new AI features in iOS 18.2. For apps that have updated to these SDK versions, screen capture block is applied if you have configured *Send Org data to other apps* to a value other than *All apps*. See [iOS/iPadOS app protection policy settings](../apps/app-protection-policy-settings-ios.md#data-protection) for more info. You can configure app configuration policy setting **com.microsoft.intune.mam.screencapturecontrol = Disabled** if you wish to allow screen capture for your iOS devices. See [App configuration policies for Microsoft Intune](../apps/app-configuration-policies-overview.md#managed-apps) for more info. Intune will be providing more granular controls for blocking specific AI features in the future. Follow [What's new in Microsoft Intune](../fundamentals/whats-new.md) to stay up to date.
+>
+> Notify your users as applicable, to ensure they upgrade their apps to the latest version prior to upgrading to iOS 18.2. You can review the Intune App SDK version in use by your users in the Microsoft Intune admin center by navigating to **Apps** > **Monitor** > **App protection status**, then review *Platform version* and *iOS SDK version*.
+>
+> If you have questions, leave a comment on the applicable GitHub announcement. Additionally, if you haven't already, navigate to the applicable GitHub repository and subscribe to *Releases* and *Discussions* (Watch > Custom > select Releases, Discussions) to ensure you stay up-to-date with the latest SDK releases, updates, and other important announcements.
-For apps running on iOS 18.1, you must update to the new version of the Intune App Wrapping Tool for iOS
+### Plan for Change: Specific app configuration values will be automatically sent to specific apps
-- For apps built with XCode 15 use v19.7.1 - [Release 19.7.1 - microsoftconnect/intune-app-wrapping-tool-ios - GitHub](https://github.com/microsoftconnect/intune-app-wrapping-tool-ios/releases/tag/19.7.1)
-- For apps built with XCode 16 use v20.1.2 - [Release 20.1.2 - microsoftconnect/intune-app-wrapping-tool-ios - GitHub](https://github.com/microsoftconnect/intune-app-wrapping-tool-ios/releases/tag/20.1.2)
+Starting with Intune's September (2409) service release, the **IntuneMAMUPN**, **IntuneMAMOID**, and **IntuneMAMDeviceID** app configuration values will be automatically sent to managed applications on Intune enrolled iOS devices for the following apps: Microsoft Excel, Microsoft Outlook, Microsoft PowerPoint, Microsoft Teams and Microsoft Word. Intune will continue to expand this list to include additional managed apps.
-Notify your users as applicable, to ensure they upgrade their apps to the latest version prior to upgrading to iOS 18.1. You can review the Intune App SDK version in use by your users in the Microsoft Intune admin center by navigating to **Apps** > **Monitor** > **App protection status**, then review “Platform version” and “iOS SDK version”.
+#### How does this affect you or your users?
+
+If these values aren't configured correctly for iOS devices, there's a possibility of either the policy not getting delivered to the app or the wrong policy is delivered. For more information, see [Support tip: Intune MAM users on iOS/iPadOS userless devices may be blocked in rare cases](https://techcommunity.microsoft.com/blog/intunecustomersuccess/support-tip-intune-mam-users-on-iosipados-userless-devices-may-be-blocked-in-rar/4254335).
+
+#### How can you prepare?
+
+No additional action is needed.
+
+### Plan for Change: Implement strong mapping for SCEP and PKCS certificates
+
+With the May 10, 2022, Windows update ([KB5014754](https://support.microsoft.com/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16)), changes were made to the Active Directory Kerberos Key Distribution (KDC) behavior in Windows Server 2008 and later versions to mitigate elevation of privilege vulnerabilities associated with certificate spoofing. Windows will enforce these changes on **February 11, 2025**.
+
+To prepare for this change, Intune has released the ability to include the security identifier to strongly map SCEP and PKCS certificates. For more information, review the blog: [Support tip: Implementing strong mapping in Microsoft Intune certificates](https://techcommunity.microsoft.com/blog/intunecustomersuccess/support-tip-implementing-strong-mapping-in-microsoft-intune-certificates/4053376)
+
+#### How does this affect you or your users?
+
+These changes will impact SCEP and PKCS certificates delivered by Intune for Microsoft Entra hybrid joined users or devices. If a certificate can't be strongly mapped, authentication will be denied. To enable strong mapping:
+
+- SCEP certificates: Add the security identifier to your SCEP profile. We strongly recommend testing with a small group of devices and then slowly rollout updated certificates to minimize disruptions to your users.
+- PKCS certificates: Update to the latest version of the Certificate Connector, change the registry key to enable the security identifier, and then restart the connector service. **Important:** Before you modify the registry key, review how to change the registry key and how to back up and restore the registry.
+
+For detailed steps and additional guidance, review the blog: [Support tip: Implementing strong mapping in Microsoft Intune certificates](https://techcommunity.microsoft.com/blog/intunecustomersuccess/support-tip-implementing-strong-mapping-in-microsoft-intune-certificates/4053376)
+
+#### How can you prepare?
+
+If you use SCEP or PKCS certificates for Microsoft Entra Hybrid joined users or devices, you'll need to take action before February 11, 2025 to either:
+
+- **(Recommended)** Enable strong mapping by reviewing the steps described in the blog: [Support tip: Implementing strong mapping in Microsoft Intune certificates](https://techcommunity.microsoft.com/blog/intunecustomersuccess/support-tip-implementing-strong-mapping-in-microsoft-intune-certificates/4053376)
+- Alternatively, if all certificates can't be renewed before February 11, 2025, with the SID included, enable Compatibility mode by adjusting the registry settings as described in [KB5014754](https://support.microsoft.com/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16). Compatibility mode will remain valid until September 2025.
+
+### Update to the latest Intune App SDK and Intune App Wrapper for Android 15 support
+
+We've recently released new versions of the Intune App SDK and Intune App Wrapping Tool for Android to support Android 15. We recommend upgrading your app to the latest SDK or wrapper versions to ensure applications stay secure and run smoothly.
+
+#### How does this affect you or your users?
+
+If you have applications using the Intune App SDK or Intune App Wrapping Tool for Android, it's recommended that you update your app to the latest version to support Android 15.
+
+#### How can you prepare?
+
+If you choose to build apps targeting Android API 35, you'll need to adopt the new version of the Intune App SDK for Android (v11.0.0). If you’ve wrapped your app and are targeting API 35 you'll need to use the new version of the App wrapper (v1.0.4549.6).
+
+> [!NOTE]
+> As a reminder, while apps must update to the latest SDK if targeting Android 15, apps don't need to update the SDK to run on Android 15.
+
+You should also plan to update your documentation or developer guidance if applicable to include this change in support for the SDK.
+
+Here are the public repositories:
+- [Intune App SDK for Android](https://github.com/microsoftconnect/ms-intune-app-sdk-android)
+- [Intune App Wrapping Tool for Android](https://github.com/microsoftconnect/intune-app-wrapping-tool-android)
### Take Action: Enable multifactor authentication for your tenant before October 15, 2024
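Review bot: the PKCS bullet in the strong-mapping section ("change the registry key to enable the security identifier") names neither the key nor the value, and no minimum Certificate Connector version is given, although this is the step that decides whether authentication is denied after February 11, 2025; state both inline rather than only through the blog link. Smaller points in the same hunk: Apple spells it "Xcode" (the five new bullet links say "XCode"); "slowly rollout" should read "slowly roll out"; "up-to-date" in the GitHub watch sentence should be "up to date"; and "Microsoft Entra hybrid joined" is capitalised two different ways between the two subsections. The screen capture paragraph would also read more clearly if it said outright that setting com.microsoft.intune.mam.screencapturecontrol to Disabled turns the block off.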
@@ -111,51 +191,17 @@ Later this year, we expect macOS 15 Sequoia to be released by Apple. Microsoft I
This change only affects you if you currently manage, or plan to manage, macOS devices with Intune. This change might not affect you because your users have likely already upgraded their macOS devices. For a list of supported devices, see [macOS Ventura is compatible with these computers](https://support.apple.com/102861).
> [!NOTE]
-> Devices that are currently enrolled on macOS 12.x or below will continue to remain enrolled even when those versions are no longer supported. New devices will be unable to enroll if they are running macOS 12.x or below.
+> Devices that are currently enrolled on macOS 12.x or below will continue to remain enrolled even when those versions are no longer supported. New devices will be unable to enroll if they're running macOS 12.x or below.
#### How can you prepare?
Check your Intune reporting to see what devices or users might be affected. Go to **Devices** > **All devices** and filter by macOS. You can add more columns to help identify who in your organization has devices running macOS 12.x or earlier. Ask your users to upgrade their devices to a supported OS version.
-### Plan for Change: Ending support for Intune App SDK Xamarin Bindings in May 2024
-
-With the [end of support for Xamarin Bindings](https://dotnet.microsoft.com/platform/support/policy/xamarin), Intune will end support for Xamarin apps and the Intune App SDK Xamarin Bindings beginning on **May 1, 2024**.
-
-#### How does this affect you or your users?
-
-If you have iOS and/or Android apps built with Xamarin and are using the Intune App SDK Xamarin Bindings to enable app protection policies, upgrade your apps to .NET MAUI.
-
-#### How can you prepare?
-
-Upgrade your Xamarin based apps to .NET MAUI. Review the following documentation for more information on Xamarin support and upgrading your apps:
-
-- [Xamarin Support Policy | .NET](https://dotnet.microsoft.com/platform/support/policy/xamarin)
-- [Upgrade from Xamarin to .NET | Microsoft Lear](/dotnet/maui/migration/?view=net-maui-8.0&preserve-view=true)
-- [Microsoft Intune App SDK for .NET MAUI – Android | NuGet Gallery](https://www.nuget.org/packages/Microsoft.Intune.Maui.Essentials.android)
-- [Microsoft Intune App SDK for .NET MAUI – iOS | NuGet Gallery](https://www.nuget.org/packages/Microsoft.Intune.Maui.Essentials.iOS)
-
-### Plan for Change: Update your PowerShell scripts with a Microsoft Entra ID registered app ID
-
-Last year we announced a [new Microsoft Intune GitHub repository](https://aka.ms/Intune/Scripts-blog) based on the Microsoft Graph SDK-based PowerShell module. The legacy Microsoft Intune PowerShell sample scripts GitHub repository is now read-only. Additionally, in **May 2024**, due to updated authentication methods in the Graph SDK-based PowerShell module, the global Microsoft Intune PowerShell application (client) ID based authentication method will be removed.
-
-#### How does this affect you or your users?
-
-If you're using the Intune PowerShell application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547), you'll need to update your scripts with a Microsoft Entra ID registered application ID to prevent your scripts from breaking.
-
-#### How can you prepare?
-
-Update your PowerShell scripts by:
-
-1. Creating a new app registration in the Microsoft Entra admin center. For detailed instructions, read: [Quickstart: Register an application with the Microsoft identity platform](/entra/identity-platform/quickstart-register-app).
-2. Update scripts containing the Intune application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547) with the new application ID created in step 1.
-
-For detailed step-by-step instructions visit [powershell-intune-samples/Updating App Registration (github.com)](https://github.com/microsoftgraph/powershell-intune-samples/blob/master/Updating%20App%20Registration).
-
### Intune moving to support Android 10 and later for user-based management methods in October 2024
In October 2024, Intune will be moving to support Android 10 and later for user-based management methods, which includes:
-- Android Enterprise personally-owned work profile
+- Android Enterprise personally owned work profile
- Android Enterprise corporate owned work profile
- Android Enterprise fully managed
- Android Open Source Project (AOSP) user-based
@@ -193,11 +239,11 @@ For more information, review: [Manage operating system versions with Microsoft I
Today, when creating iOS/iPadOS enrollment profiles, “Device enrollment with Company Portal” is shown as the default method. In an upcoming service release, the default method will change to “Web based device enrollment” during profile creation. Additionally for *new* tenants, if no enrollment profile is created, the user will enroll using web-based device enrollment.
> [!NOTE]
-> For web enrollment, you will need to deploy the single sign-on (SSO) extension policy to enable just in time (JIT) registration, for more information review: [Set up just in time registration in Microsoft Intune](../enrollment/set-up-just-in-time-registration.md).
+> For web enrollment, you need to deploy the single sign-on (SSO) extension policy to enable just in time (JIT) registration, for more information review: [Set up just in time registration in Microsoft Intune](../enrollment/set-up-just-in-time-registration.md).
#### How does this affect you or your users?
-This is an update to the user interface when creating new iOS/iPadOS enrollment profiles to display “Web based device enrollment” as the default method, existing profiles are not impacted. For *new* tenants, if no enrollment profile is created, the user will enroll using web-based device enrollment.
+This is an update to the user interface when creating new iOS/iPadOS enrollment profiles to display “Web based device enrollment” as the default method, existing profiles aren't impacted. For *new* tenants, if no enrollment profile is created, the user will enroll using web-based device enrollment.
#### How can you prepare?
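Review bot: the reworded NOTE still has a comma splice after "(JIT) registration"; end the sentence there and start a new one ("For more information, review: ..."). Because web based enrollment becomes the default for new tenants, the dependency on the SSO extension policy is the step most likely to be missed, so it belongs in the "How can you prepare?" guidance rather than only in a note.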
@@ -210,9 +256,9 @@ Update your documentation and user guidance as needed. If you currently use devi
### Plan for Change: Transition Jamf macOS devices from Conditional Access to Device Compliance
-We've been working with Jamf on a migration plan to help customers transition macOS devices from Jamf Pro’s Conditional Access integration to their Device Compliance integration. The Device Compliance integration uses the newer Intune partner compliance management API, which involves a simpler setup than the partner device management API and brings macOS devices onto the same API as iOS devices managed by Jamf Pro. The platform Jamf Pro’s Conditional Access feature is built on will no longer be supported after September 1, 2024.
+We've been working with Jamf on a migration plan to help customers transition macOS devices from Jamf Pro’s Conditional Access integration to their Device Compliance integration. The Device Compliance integration uses the newer Intune partner compliance management API, which involves a simpler setup than the partner device management API and brings macOS devices onto the same API as iOS devices managed by Jamf Pro. The platform Jamf Pro’s Conditional Access feature is built on will no longer be supported after January 31, 2025.
-Note that customers in some environments cannot be transitioned initially, for more details and updates read the blog: [Support tip: Transitioning Jamf macOS devices from Conditional Access to Device Compliance](https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-transitioning-jamf-macos-devices-from-conditional/ba-p/3913059).
+Note that customers in some environments can't be transitioned initially, for more details and updates read the blog: [Support tip: Transitioning Jamf macOS devices from Conditional Access to Device Compliance](https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-transitioning-jamf-macos-devices-from-conditional/ba-p/3913059).
#### How does this affect you or your users?
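Review bot: the end-of-support date for the platform behind Jamf Pro's Conditional Access integration moves from September 1, 2024 to January 31, 2025 in the intro paragraph only; check that the "How does this affect you" and "How can you prepare" text of the same section (not in this hunk) and the linked blog carry the same date, otherwise admins are shown two deadlines. The second paragraph keeps a comma splice: "can't be transitioned initially, for more details" should be split into two sentences.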
@@ -240,42 +286,3 @@ After Intune ends support for Android device administrator, devices with access
Stop enrolling devices into Android device administrator and migrate impacted devices to other management methods. You can check your Intune reporting to see which devices or users might be affected. Go to **Devices** > **All devices** and filter the OS column to **Android (device administrator)** to see the list of devices.
Read the blog, [Microsoft Intune ending support for Android device administrator on devices with GMS access](https://aka.ms/Intune-Android-DA-blog), for our recommended alternative Android device management methods and information about the impact to devices without access to GMS.
-
-### Plan for Change: Ending support for Microsoft Store for Business and Education apps
-
-In April 2023, we began ending support for the Microsoft Store for Business experience in Intune. This occurs in several stages. For more information, see: [Adding your Microsoft Store for Business and Education apps to the Microsoft Store in Intune](https://aka.ms/Intune/MSfB-support)
-
-### How does this affect you or your users?
-
-If you're using Microsoft Store for Business and Education apps:
-
-1. On April 30, 2023, Intune will disconnect Microsoft Store for Business services. Microsoft Store for Business and Education apps won't be able to sync with Intune and the connector page will be removed from the Intune admin center.
-2. On June 15, 2023, Intune will stop enforcing online and offline Microsoft Store for Business and Education apps on devices. Downloaded applications remain on the device with limited support. Users might still be able to access the app from their device, but the app won't be managed. Existing synced Intune app objects remain to allow admins to view the apps that had been synced and their assignments. Additionally, you'll not be able to sync apps via the Microsoft Graph API syncMicrosoftStoreForBusinessApps and related API properties will display stale data.
-3. On September 15, 2023, Microsoft Store for Business and Education apps will be removed from the Intune admin center. Apps on the device remain until intentionally removed. The Microsoft Graph API microsoftStoreForBusinessApp will no longer be available about a month later.
-
-The retirement of Microsoft Store for Business and Education was [announced in 2021](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-the-microsoft-store-for-business-and-education/ba-p/2569423). When the Microsoft Store for Business and Education portals are retired, admins will no longer be able to manage the list of Microsoft Store for Business and Education apps that are synced or download offline content from the Microsoft Store for Business and Education portals.
-
-### How can you prepare?
-
-We recommend adding your apps through the new Microsoft Store app experience in Intune. If an app isn't available in the Microsoft Store, you need to retrieve an app package from the vendor and install it as a line-of-business (LOB) app or Win32 app. For instructions read the following articles:
-
-- [Add Microsoft Store apps to Microsoft Intune](../apps/store-apps-microsoft.md)
-- [Add a Windows line-of-business app to Microsoft Intune](../apps/lob-apps-windows.md)
-- [Add, assign, and monitor a Win32 app in Microsoft Intune](../apps/apps-win32-add.md)
-
-Related information
-
-- [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077)
-- [Unpacking Endpoint Management: The future of app management in Intune](https://techcommunity.microsoft.com/t5/endpoint-management-events/unpacking-endpoint-management-the-future-of-app-management-in/ev-p/3724878)
-
-### Plan for Change: Ending support for Windows Information Protection
-
-Microsoft Windows [announced](https://go.microsoft.com/fwlink/?linkid=2202124) they're ending support for Windows Information Protection (WIP). The Microsoft Intune family of products will be discontinuing future investments in managing and deploying WIP. In addition to limiting future investments, we removed support for WIP *without enrollment* scenario at the end of calendar year 2022.
-
-### How does this affect you or your users?
-
-If you have enabled WIP policies, you should turn off or disable these policies.
-
-### How can you prepare?
-
-We recommend disabling WIP to ensure users in your organization do not lose access to documents that have been protected by WIP policy. Read the blog [Support tip: End of support guidance for Windows Information Protection](https://aka.ms/Intune-WIP-support) for more details and options for removing WIP from your devices.
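Review bot: both removed sections had milestones in 2023, so dropping them from this page is consistent, but the WIP section was the only place here telling admins to disable WIP policies so users don't lose access to WIP-protected documents; confirm that guidance stays reachable (for example through the aka.ms/Intune-WIP-support link) from whatever page now covers WIP end of support, since removing the policy without following it is what causes the loss of access.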
diff --git a/memdocs/intune/includes/mdm-supported-devices.md b/memdocs/intune/includes/mdm-supported-devices.md
index f0e4df39afe..25600f2fe8e 100644
--- a/memdocs/intune/includes/mdm-supported-devices.md
+++ b/memdocs/intune/includes/mdm-supported-devices.md
@@ -4,35 +4,36 @@ ms.author: erikje
ms.service: microsoft-intune
ms.subservice: fundamentals
ms.topic: include
-ms.date: 10/10/2024
+ms.date: 11/04/2024
ms.localizationpriority: high
---
### Apple
-- **User assigned devices** - devices enrolled with user affinity using Automated Device Enrollment or personally enrolled devices.
- - iOS/iPadOS 15.x and later
- - macOS 13.0 and later
-- **User-less devices** - devices enrolled without user affinity using Automated Device Enrollment or Apple Configurator.
+- **Devices with user affinity** - devices enrolled with user affinity using ADE (automated device enrollment) or personally enrolled devices.
+- Supported:
+ - iOS/iPadOS 16.x and later
+ - macOS 13.x and later
+- **Devices without user affinity** - devices enrolled without user affinity using ADE (automated device enrollment) or Apple Configurator.
- Supported:
- iOS/iPadOS 16.x and later
- - macOS 13.0 and later
+ - macOS 13.x and later
- Allowed to enroll:
- iOS/iPadOS 13.x and later
- - macOS 10.14 and later
+ - macOS 10.1x and later
> [!NOTE]
> **Supported** versions include devices running the three most recent operating system versions. These devices can enroll and take advantage of all Intune functionality that is applicable, and all new eligible features will work on these devices.
>
> **Allowed** versions includes devices running a non-supported version (within three versions of the supported versions). These devices can enroll and take advantage of Intune's eligible features but there is no guarantee that they will work as expected.
>
-> Intune requires iOS 15.x or later for app protection policies and app configuration.
+> Intune requires iOS/iPadOS 16.x or later for app protection policies and app configuration.
### Android
- For user-based management methods: Android 10.0 and later
- For userless management methods: Android 8.0 and later (including Samsung KNOX Standard 3.0 and higher: [requirements](https://www.samsungknox.com/en/knox-platform/supported-devices/2.4+))
-- Android enterprise
+- Android Enterprise: Android 8.0 and later
- Android open source project device: [See here for the list of supported devices](../fundamentals/android-os-project-supported-devices.md)
[!INCLUDE [android-supported-os](android-supported-os.md)]
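Review bot: the new "- Supported:" line under "Devices with user affinity" is not indented, so it renders as a sibling top-level bullet instead of a nested list, unlike the "Supported:" and "Allowed to enroll:" lines under "Devices without user affinity"; indent it the same way. Two version statements are also ambiguous: "macOS 10.1x and later" does not identify a minimum (the previous text said 10.14), and "Android Enterprise: Android 8.0 and later" sits next to "For user-based management methods: Android 10.0 and later" although Android Enterprise work profile and fully managed are user-based methods, so a reader can't tell whether an Android 8 or 9 work-profile device is still allowed. State the minimum per management method rather than per platform label.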
@@ -40,6 +41,9 @@ ms.localizationpriority: high
- Ubuntu Desktop 22.04 LTS with a GNOME graphical desktop environment
- Ubuntu Desktop 20.04 LTS with a GNOME graphical desktop environment
+- Ubuntu LTS, version 24.04
+- RedHat Enterprise Linux 8
+- RedHat Enterprise Linux 9
> [!NOTE]
> Ubuntu Desktop already has a GNOME graphical desktop environment installed.
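Review bot: the three new Linux entries follow a different pattern from the two existing ones ("Ubuntu LTS, version 24.04" vs "Ubuntu Desktop 22.04 LTS with a GNOME graphical desktop environment"), and 24.04 is listed after 20.04 rather than in version order. "RedHat" should be "Red Hat", and since the note below only says that Ubuntu Desktop ships GNOME, state whether the GNOME desktop requirement also applies to the Red Hat Enterprise Linux 8 and 9 entries.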
diff --git a/memdocs/intune/index.yml b/memdocs/intune/index.yml
index 1341161f314..decac21d09f 100644
--- a/memdocs/intune/index.yml
+++ b/memdocs/intune/index.yml
@@ -247,9 +247,6 @@ conceptualContent:
- url: ./fundamentals/monitor-audit-logs.md
itemType: how-to-guide
text: Use audit logs to track and monitor events
- - url: /mem/analytics/
- itemType: concept
- text: Endpoint analytics docs
footerLink:
text: Browse all reporting and monitoring articles
url: ./fundamentals/reports.md
@@ -265,6 +262,18 @@ conceptualContent:
- url: ./protect/microsoft-tunnel-mam.md
itemType: how-to-guide
text: Microsoft Tunnel for Mobile Application Management
+
+ - title: Microsoft Endpoint analytics
+ links:
+ - url: ../analytics/overview.md
+ itemType: how-to-guide
+ text: Overview of Endpoint analytics
+ - url: ../analytics/scores.md
+ itemType: how-to-guide
+ text: Scores, baselines and insight
+ - url: ../analytics/startup-performance.md
+ itemType: how-to-guide
+ text: Reports in Endpoint analytics
- title: Developer guidance
links:
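Review bot: all three new links use itemType: how-to-guide, but the overview page is conceptual (the Endpoint analytics entry removed from the reporting card used itemType: concept), so keep concept for the overview entry. "Scores, baselines and insight" also reads as truncated; check it against the target page's title.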
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-ai.md b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-ai.md
index 471b12382f2..ebb9575cd4d 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-ai.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-ai.md
@@ -9,6 +9,8 @@ ms.manager: dougeby
no-loc: [Microsoft, Apple]
ms.collection:
- graph-interactive
+ms.service: microsoft-intune
+ms.subservice: education
---
# Apple Intelligence
@@ -38,7 +40,7 @@ To learn more, see:
[!INCLUDE [graph-explorer-introduction](../../../includes/graph-explorer-intro.md)]
-This will create a policy in your tenant with the name **_MSLearn_Example_CommonEDU - iPads - Appple Intelligence**.
+This will create a policy in your tenant with the name **:::no-loc text="_MSLearn_Example_CommonEDU - iPads - Apple Intelligence":::**.
```msgraph-interactive
POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-device-restrictions.md b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-device-restrictions.md
index 15dde916548..276e99db7fa 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-device-restrictions.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-device-restrictions.md
@@ -9,6 +9,8 @@ ms.manager: dougeby
no-loc: [Microsoft, Apple]
ms.collection:
- graph-interactive
+ms.service: microsoft-intune
+ms.subservice: education
---
# Common Education iPad device restrictions
@@ -97,7 +99,7 @@ To learn more, see:
[!INCLUDE [graph-explorer-introduction](../../../includes/graph-explorer-intro.md)]
-This will create a policy in your tenant with the name **_MSLearn_Example_CommonEDU - iPads - Device restrictions**.
+This will create a policy in your tenant with the name **:::no-loc text="_MSLearn_Example_CommonEDU - iPads - Device restrictions":::**.
```msgraph-interactive
POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
@@ -131,7 +133,7 @@ Content-Type: application/json
[!INCLUDE [graph-explorer-introduction](../../../includes/graph-explorer-intro.md)]
-This will create a policy in your tenant with the name **_MSLearn_Example_CommonEDU - iPads - Device restrictions (require additional consideration)**.
+This will create a policy in your tenant with the name **:::no-loc text="_MSLearn_Example_CommonEDU - iPads - Device restrictions (require additional consideration)":::**.
```msgraph-interactive
POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-nouser.md b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-nouser.md
index 8d5c79bbd0a..e251824fe3e 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-nouser.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-nouser.md
@@ -9,6 +9,8 @@ ms.manager: dougeby
no-loc: [Microsoft, Apple]
ms.collection:
- graph-interactive
+ms.service: microsoft-intune
+ms.subservice: education
---
# iPads with no user affinity
@@ -43,7 +45,7 @@ To learn more, see:
[!INCLUDE [graph-explorer-introduction](../../../includes/graph-explorer-intro.md)]
-This will create a policy in your tenant with the name **_MSLearn_Example_CommonEDU - iPads - No user affinity**.
+This will create a policy in your tenant with the name **:::no-loc text="_MSLearn_Example_CommonEDU - iPads - No user affinity":::**.
```msgraph-interactive
POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-optional.md b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-optional.md
index dff086ba432..fec60b208f5 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-optional.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-optional.md
@@ -9,6 +9,8 @@ ms.manager: dougeby
no-loc: [Microsoft, Apple]
ms.collection:
- graph-interactive
+ms.service: microsoft-intune
+ms.subservice: education
---
# Optional restrictions
@@ -29,10 +31,10 @@ To learn more, see:
|---|---|:---:|---|---|
| Managed Settings > Bluetooth | **:::no-loc text="Enabled":::** | True | Enable the Bluetooth setting. | [:::no-loc text="Enabled":::](https://developer.apple.com/documentation/devicemanagement/settingscommand/command/settings/bluetooth) |
| Restrictions | **:::no-loc text="Force Automatic Date And Time":::** | True | Enables the Set Automatically feature in Date & Time and the user can't disable it.
**Note:**
| [:::no-loc text="forceAutomaticDateAndTime":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
-| Managed Settings > Time Zone | **:::no-loc text="Time Zone":::** | **Example**:
America/Los_Angeles
Asia/Tokyo
Australia/Brisbane
See complete list in [:::no-loc text="IANA time zone database":::](https://data.iana.org/time-zones/tzdb/zone.tab). | If the **forceAutomaticDateAndTime** restriction is set in Restrictions, this setting fails with an error. Otherwise, setting this value disables automatic time zone logic. The user is still able to change the time zone; for example, by turning automatic date and time back on. The intention is to allow setting the time zone when automatic determination isn't available, such as when Location Services are off. | [:::no-loc text="TimeZone":::](https://developer.apple.com/documentation/devicemanagement/settingscommand/command/settings/timezone) |
+| Managed Settings > Time Zone | **:::no-loc text="Time Zone":::** | **Example**:
:::no-loc text="America/Los_Angeles":::
:::no-loc text="Asia/Tokyo":::
:::no-loc text="Australia/Brisbane":::
See complete list in [:::no-loc text="IANA time zone database":::](https://data.iana.org/time-zones/tzdb/zone.tab). | If the **forceAutomaticDateAndTime** restriction is set in Restrictions, this setting fails with an error. Otherwise, setting this value disables automatic time zone logic. The user is still able to change the time zone; for example, by turning automatic date and time back on. The intention is to allow setting the time zone when automatic determination isn't available, such as when Location Services are off. | [:::no-loc text="TimeZone":::](https://developer.apple.com/documentation/devicemanagement/settingscommand/command/settings/timezone) |
| Restrictions | **:::no-loc text="Allow Bluetooth Modification":::** | False | Prevents modification of Bluetooth settings. | [:::no-loc text="allowBluetoothModification":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
| Restrictions | **:::no-loc text="Allow USB Restricted Mode":::** | True | Allows iOS devices to always connect to USB accessories while locked. If the system has Lockdown mode enabled, it ignores this value. | [:::no-loc text="allowUSBRestrictedMode":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
-| Restrictions | **:::no-loc text="Blocked App Bundle IDs":::** | **Example:**
com.apple.facetime
com.apple.findmy
com.apple.Home
com.apple.MobileStore
com.apple.MobileSMS
com.apple.Music
com.apple.podcasts
com.apple.stocks
com.apple.tv
com.apple.store.Jolly
com.apple.supportapp | Prevents showing or launching apps with bundle IDs in the array. | [:::no-loc text="blockedAppBundleIDs":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Blocked App Bundle IDs":::** | **Example:**
:::no-loc text="com.apple.facetime":::
:::no-loc text="com.apple.findmy":::
:::no-loc text="com.apple.Home":::
:::no-loc text="com.apple.MobileStore":::
:::no-loc text="com.apple.MobileSMS":::
:::no-loc text="com.apple.Music":::
:::no-loc text="com.apple.podcasts":::
:::no-loc text="com.apple.stocks":::
:::no-loc text="com.apple.tv":::
:::no-loc text="com.apple.store.Jolly":::
:::no-loc text="com.apple.supportapp"::: | Prevents showing or launching apps with bundle IDs in the array. | [:::no-loc text="blockedAppBundleIDs":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
| Restrictions | **:::no-loc text="Enforced Software Update Delay":::** | 30 | How many days to delay a software update on the device. | [:::no-loc text="enforcedSoftwareUpdateDelay":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
| Restrictions | **:::no-loc text="Force Classroom Automatically Join Classes":::** | True | Automatically gives permission to the teacher's requests without prompting the student. | [:::no-loc text="forceClassroomAutomaticallyJoinClasses":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
| Restrictions | **:::no-loc text="Force Classroom Request Permission To Leave Classes":::** | True | A student enrolled in an unmanaged course through Classroom needs to request permission from the teacher to leave the course. | [:::no-loc text="forceClassroomRequestPermissionToLeaveClasses":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
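Review bot: The rewritten Blocked App Bundle IDs row still spans twelve physical lines (one bundle ID per line inside the **Example:** cell), and a Markdown table row has to be a single line, so everything after `**Example:**` up to `| Prevents showing or launching apps ...` will not render as part of the table; since the patch already touches every one of these lines, join them with `<br>` separators, e.g. `| Restrictions | **:::no-loc text="Blocked App Bundle IDs":::** | **Example:**<br>:::no-loc text="com.apple.facetime":::<br>:::no-loc text="com.apple.findmy":::<br>... | Prevents showing or launching apps with bundle IDs in the array. | ... |`. Wrapping each ID in `:::no-loc:::` is the right call. Separately, on an unchanged context line in this hunk, the Allow USB Restricted Mode row pairs the value True with the description "Allows iOS devices to always connect to USB accessories while locked", which is the behaviour of the False value (restricted mode allowed means accessories are blocked while locked); consider rewording to "If false, the device can always connect to USB accessories while locked" so the value and the description agree.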
@@ -46,7 +48,7 @@ To learn more, see:
[!INCLUDE [graph-explorer-introduction](../../../includes/graph-explorer-intro.md)]
-This will create a policy in your tenant with the name **_MSLearn_Example_CommonEDU - iPads - Optional**.
+This will create a policy in your tenant with the name **:::no-loc text="_MSLearn_Example_CommonEDU - iPads - Optional":::**.
```msgraph-interactive
POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-overview.md b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-overview.md
index c89e98535ec..030ea364b9d 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-overview.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-overview.md
@@ -8,6 +8,8 @@ author: yegor-a
ms.author: egorabr
ms.manager: dougeby
no-loc: [Microsoft, Windows, Autopatch, Autopilot, Edge, Apple]
+ms.service: microsoft-intune
+ms.subservice: education
---
# Common Education configuration overview
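Review bot: This file gains `ms.service` and `ms.subservice` but, unlike the two sibling files in this patch, not `ms.collection:` / `- graph-interactive`; that is fine if the overview has no `msgraph-interactive` block, but worth confirming so the Graph Explorer tabs render consistently across the tutorial.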
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-delivery-optimization.md b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-delivery-optimization.md
index 66ed57a2cf5..1f716a115b5 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-delivery-optimization.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-delivery-optimization.md
@@ -7,6 +7,10 @@ author: yegor-a
ms.author: egorabr
ms.manager: dougeby
no-loc: [Microsoft, Windows, Autopatch, Autopilot]
+ms.collection:
+- graph-interactive
+ms.service: microsoft-intune
+ms.subservice: education
---
# Delivery Optimization
@@ -24,14 +28,31 @@ To learn more, see:
> [!TIP]
> When creating a settings catalog profile in the Microsoft Intune admin center, you can copy a policy name from this article and paste it into the settings picker search field to find the desired policy.
-## Settings catalog policies
-
-| **Name** | **Value** | **Notes** | **CSP** |
-|---|---|---|---|
-| **:::no-loc text="DO Delay Background Download From Http":::** | 3600 | 1 hour in seconds. After the max delay is reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from Peers. | [:::no-loc text="DODelayBackgroundDownloadFromHttp":::](/windows/client-management/mdm/policy-csp-deliveryoptimization#dodelaybackgrounddownloadfromhttp) |
-| **:::no-loc text="DO Download Mode":::** | HTTP blended with peering behind the same NAT. | Delivery Optimization enables peer sharing on the same network between clients that connect to the Internet using the same public IP. | [:::no-loc text="DODownloadMode":::](/windows/client-management/mdm/policy-csp-deliveryoptimization#dodownloadmode) |
-| **:::no-loc text="DO Max Cache Age":::** | 1209600 | 14 days in seconds. Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. | [:::no-loc text="DOMaxCacheAge":::](/windows/client-management/mdm/policy-csp-deliveryoptimization#domaxcacheage) |
-| **:::no-loc text="DO Min Disk Size Allowed To Peer":::** | 100 | Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. Recommended values: 64 GB to 256 GB.Adjust as necessary according to your hardware. | [:::no-loc text="DOMinDiskSizeAllowedToPeer":::](/windows/client-management/mdm/policy-csp-deliveryoptimization#domindisksizeallowedtopeer) |
-| **:::no-loc text="DO Min File Size To Cache":::** | 5 | Specifies the minimum content file size in MB enabled to use Peer Caching. | [:::no-loc text="DOMinFileSizeToCache":::](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominfilesizetocache) |
-| **:::no-loc text="DO Min RAM Allowed To Peer":::** | 2 | Specifies the minimum RAM size in GB required to use Peer Caching. | [:::no-loc text="DOMinRAMAllowedToPeer":::](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominramallowedtopeer) |
-| **:::no-loc text="DO Restrict Peer selection By":::** | Subnet mask | Set this policy to restrict peer selection | [:::no-loc text="DORestrictPeerSelectionBy":::](/windows/client-management/mdm/policy-csp-deliveryoptimization#dorestrictpeerselectionby) |
+## [**Settings**](#tab/settings)
+
+| **Category** | **Name** | **Value** | **Notes** | **CSP** |
+|---|---|---|---|---|
+| Delivery Optimization | **:::no-loc text="DO Delay Background Download From Http":::** | 3600 | 1 hour in seconds. After the max delay is reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from Peers. | [:::no-loc text="DODelayBackgroundDownloadFromHttp":::](/windows/client-management/mdm/policy-csp-deliveryoptimization#dodelaybackgrounddownloadfromhttp) |
+| Delivery Optimization | **:::no-loc text="DO Download Mode":::** | HTTP blended with peering behind the same NAT. | Delivery Optimization enables peer sharing on the same network between clients that connect to the Internet using the same public IP. | [:::no-loc text="DODownloadMode":::](/windows/client-management/mdm/policy-csp-deliveryoptimization#dodownloadmode) |
+| Delivery Optimization | **:::no-loc text="DO Max Cache Age":::** | 1209600 | 14 days in seconds. Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. | [:::no-loc text="DOMaxCacheAge":::](/windows/client-management/mdm/policy-csp-deliveryoptimization#domaxcacheage) |
+| Delivery Optimization | **:::no-loc text="DO Min Disk Size Allowed To Peer":::** | 100 | Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. Recommended values: 64 GB to 256 GB.Adjust as necessary according to your hardware. | [:::no-loc text="DOMinDiskSizeAllowedToPeer":::](/windows/client-management/mdm/policy-csp-deliveryoptimization#domindisksizeallowedtopeer) |
+| Delivery Optimization | **:::no-loc text="DO Min File Size To Cache":::** | 5 | Specifies the minimum content file size in MB enabled to use Peer Caching. | [:::no-loc text="DOMinFileSizeToCache":::](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominfilesizetocache) |
+| Delivery Optimization | **:::no-loc text="DO Min RAM Allowed To Peer":::** | 2 | Specifies the minimum RAM size in GB required to use Peer Caching. | [:::no-loc text="DOMinRAMAllowedToPeer":::](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominramallowedtopeer) |
+| Delivery Optimization | **:::no-loc text="DO Restrict Peer selection By":::** | Subnet mask | Set this policy to restrict peer selection | [:::no-loc text="DORestrictPeerSelectionBy":::](/windows/client-management/mdm/policy-csp-deliveryoptimization#dorestrictpeerselectionby) |
+
+## [:::image type="icon" source="../../../media/icons/graph.svg"::: **Create policy using Graph Explorer**](#tab/graph)
+
+[!INCLUDE [graph-explorer-introduction](../../../includes/graph-explorer-intro.md)]
+
+This will create a policy in your tenant with the name **:::no-loc text="_MSLearn_Example_CommonEDU - Windows - Delivery Optimization":::**.
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
+Content-Type: application/json
+
+{"name":"_MSLearn_Example_CommonEDU - Windows - Delivery Optimization","description":"https://aka.ms/ManageEduDevices","platforms":"windows10","technologies":"mdm","roleScopeTagIds":["0"],"settings":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_deliveryoptimization_dodelaybackgrounddownloadfromhttp","simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationIntegerSettingValue","value":3600}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_deliveryoptimization_dodownloadmode","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_deliveryoptimization_dodownloadmode_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_deliveryoptimization_domaxcacheage","simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationIntegerSettingValue","value":1209600}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_deliveryoptimization_domindisksizeallowedtopeer","simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationIntegerSettingValue","value":100}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagement
ConfigurationSimpleSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_deliveryoptimization_dominfilesizetocache","simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationIntegerSettingValue","value":5}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_deliveryoptimization_dominramallowedtopeer","simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationIntegerSettingValue","value":2}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_deliveryoptimization_dorestrictpeerselectionby","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_deliveryoptimization_dorestrictpeerselectionby_1","children":[]}}}]}
+```
+
+[!INCLUDE [graph-explorer-steps](../../../includes/graph-explorer-steps.md)]
+
+---
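Review bot: Two wording defects are carried over verbatim from the removed rows and should be fixed while these lines are being rewritten: the DO Min Disk Size Allowed To Peer notes cell has a missing space in "64 GB to 256 GB.Adjust as necessary", and the DO Restrict Peer selection By notes cell ("Set this policy to restrict peer selection") lacks a terminal period and could say what the chosen value does, e.g. "Restricts peer selection to devices in the same subnet." Also, the tab headings here are `##` while the equivalent tab headings added to the device restrictions file in this same patch are `###`; pick one level so the tab groups nest the same way in both articles.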
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-device-restrictions.md b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-device-restrictions.md
index e2d4bc91e1f..d9c76009c01 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-device-restrictions.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-device-restrictions.md
@@ -7,6 +7,10 @@ author: yegor-a
ms.author: egorabr
ms.manager: dougeby
no-loc: [Microsoft, Windows, Autopatch, Autopilot]
+ms.collection:
+- graph-interactive
+ms.service: microsoft-intune
+ms.subservice: education
---
# Common Education device restrictions
@@ -24,72 +28,91 @@ To learn more, see [Use the settings catalog to configure settings on Windows, i
Configure these settings to personalize user experience and simplify the Windows sign-in process. Values for these settings should be defined according to the environment.
-| **Name** | **Value** | **Notes** | **CSP** |
-|---|---|---|---|
-|**:::no-loc text="Preferred Aad Tenant Domain Name":::** | _domain_ | Simplifies the sign-in to Windows by automatically appending the domain to the username | [:::no-loc text="Authentication/PreferredAadTenantDomainName":::](/windows/client-management/mdm/policy-csp-authentication#preferredaadtenantdomainname) |
-|**:::no-loc text="Desktop Image Url":::** | _url_ | An http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Desktop Image or a file Url to a local image on the file system that needs to be used as the Desktop Image. | [:::no-loc text="Personalization/DesktopImageUrl":::](/windows/client-management/mdm/personalization-csp#desktopimageurl) |
-|**:::no-loc text="Lock Screen Image Url":::** | _url_ | An http or https URL to a jpg, jpeg or png image that needs to be downloaded and used as the Lock Screen Image. | [:::no-loc text="Personalization/LockScreenImageUrl":::](/windows/client-management/mdm/personalization-csp#lockscreenimageurl) |
-|**:::no-loc text="Configure Time Zone":::** | _timezone_ | Use Timezone column from [:::no-loc text="Default Time Zones":::](/windows-hardware/manufacture/desktop/default-time-zones) | [:::no-loc text="TimeLanguageSettings/ConfigureTimeZone":::](/windows/client-management/mdm/policy-csp-timelanguagesettings#configuretimezone) |
+| **Category** | **Name** | **Value** | **Notes** | **CSP** |
+|---|---|---|---|---|
+| Authentication |**:::no-loc text="Preferred Aad Tenant Domain Name":::** | _domain_ | Simplifies the sign-in to Windows by automatically appending the domain to the username | [:::no-loc text="Authentication/PreferredAadTenantDomainName":::](/windows/client-management/mdm/policy-csp-authentication#preferredaadtenantdomainname) |
+| Personalization |**:::no-loc text="Desktop Image Url":::** | _url_ | An http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Desktop Image or a file Url to a local image on the file system that needs to be used as the Desktop Image. | [:::no-loc text="Personalization/DesktopImageUrl":::](/windows/client-management/mdm/personalization-csp#desktopimageurl) |
+| Personalization |**:::no-loc text="Lock Screen Image Url":::** | _url_ | An http or https URL to a jpg, jpeg or png image that needs to be downloaded and used as the Lock Screen Image. | [:::no-loc text="Personalization/LockScreenImageUrl":::](/windows/client-management/mdm/personalization-csp#lockscreenimageurl) |
+| Time Language Settings |**:::no-loc text="Configure Time Zone":::** | _timezone_ | Use Timezone column from [:::no-loc text="Default Time Zones":::](/windows-hardware/manufacture/desktop/default-time-zones) | [:::no-loc text="TimeLanguageSettings/ConfigureTimeZone":::](/windows/client-management/mdm/policy-csp-timelanguagesettings#configuretimezone) |
## General restrictions
Commonly applied device restrictions in education.
-| **Name** | **Value** | **Notes** | **CSP** |
-|---|---|---|---|
-|**:::no-loc text="Allow Cortana Above Lock":::** | Block | The system will need to be unlocked for the user to interact with Cortana using speech. | [:::no-loc text="AboveLock/AllowCortanaAboveLock":::](/windows/client-management/mdm/policy-csp-abovelock#allowcortanaabovelock) |
-|**:::no-loc text="Allow Toasts":::** | Block | Block toast notifications above the device lock screen | [:::no-loc text="AboveLock/AllowToasts":::](/windows/client-management/mdm/policy-csp-abovelock#allowtoasts) |
-|**:::no-loc text="Allow Adding Non Microsoft Accounts Manually":::** | Block | Block users from adding non-MSA email account. | [:::no-loc text="Accounts/AllowAddingNonMicrosoftAccountsManually":::](/windows/client-management/mdm/policy-csp-accounts#allowaddingnonmicrosoftaccountsmanually) |
-|**:::no-loc text="Allow Microsoft Account Connection":::** | Block | Block users from using an MSA account for non-email related connection authentication and services. | [:::no-loc text="Accounts/AllowMicrosoftAccountConnection":::](/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountconnection) |
-|**:::no-loc text="Specify the system hibernate timeout (on battery)":::** | Disabled | | [:::no-loc text="Power/HibernateTimeoutOnBattery":::](/windows/client-management/mdm/policy-csp-power#hibernatetimeoutonbattery) |
-|**:::no-loc text="Specify the system sleep timeout (on battery)":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="Power/StandbyTimeoutOnBattery":::](/windows/client-management/mdm/policy-csp-power#standbytimeoutonbattery) |
-|**:::no-loc text="System Sleep Timeout (seconds):":::** | 3600 | | [:::no-loc text="Power/StandbyTimeoutOnBattery":::](/windows/client-management/mdm/policy-csp-power#standbytimeoutonbattery) |
-|**:::no-loc text="Specify the system sleep timeout (plugged in)":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="Power/StandbyTimeoutPluggedIn":::](/windows/client-management/mdm/policy-csp-power#standbytimeoutpluggedin) |
-|**:::no-loc text="System Sleep Timeout (seconds):":::** | 3600 | | [:::no-loc text="Power/StandbyTimeoutPluggedIn":::](/windows/client-management/mdm/policy-csp-power#standbytimeoutpluggedin) |
-|**:::no-loc text="Turn off the display (on battery)":::** | Enabled | | [:::no-loc text="Power/DisplayOffTimeoutOnBattery":::](/windows/client-management/mdm/policy-csp-power#displayofftimeoutonbattery) |
-|**:::no-loc text="On battery power, turn display off after (seconds)":::** | 300 | | [:::no-loc text="Power/DisplayOffTimeoutOnBattery":::](/windows/client-management/mdm/policy-csp-power#displayofftimeoutonbattery) |
-|**:::no-loc text="Turn off the display (plugged in)":::** | Enabled | | [:::no-loc text="Power/DisplayOffTimeoutPluggedIn":::](/windows/client-management/mdm/policy-csp-power#displayofftimeoutpluggedin) |
-|**:::no-loc text="When plugged in, turn display off after (seconds)":::** | 300 | | [:::no-loc text="Power/DisplayOffTimeoutPluggedIn":::](/windows/client-management/mdm/policy-csp-power#displayofftimeoutpluggedin) |
-|**:::no-loc text="All Removable Storage classes: Deny all access":::** | Disabled | Do not block access to removable storage | [:::no-loc text="ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2":::](/windows/client-management/mdm/policy-csp-admx-removablestorage#removablestorageclasses_denyall_access_2) |
-|**:::no-loc text="Allow Advertising":::** | Block | Blocks the device from sending out Bluetooth advertisements. | [:::no-loc text="Bluetooth/AllowAdvertising":::](/windows/client-management/mdm/policy-csp-bluetooth#allowadvertising) |
-|**:::no-loc text="Allow Discoverable Mode":::** | Allow | Allow other Bluetooth-enabled devices discover the device. | [:::no-loc text="Bluetooth/AllowDiscoverableMode":::](/windows/client-management/mdm/policy-csp-bluetooth#allowdiscoverablemode) |
-|**:::no-loc text="Allow Prompted Proximal Connections":::** | Block | Block users on these managed devices from using Swift Pair and other proximity based scenarios. | [:::no-loc text="Bluetooth/AllowPromptedProximalConnections":::](/windows/client-management/mdm/policy-csp-bluetooth#allowpromptedproximalconnections) |
-|**:::no-loc text="Allow Camera":::** | Allowed | | [:::no-loc text="Camera/AllowCamera":::](/windows/client-management/mdm/policy-csp-camera#allowcamera) |
-|**:::no-loc text="Allow Bluetooth":::** | Allow Bluetooth. The radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on. | | [:::no-loc text="Connectivity/AllowBluetooth":::](/windows/client-management/mdm/policy-csp-connectivity#allowbluetooth) |
-|**:::no-loc text="Allow Cellular Data Roaming":::** | Do not allow cellular data roaming. The user cannot turn it on. This value is not supported in Windows 10, version 1511. | | [:::no-loc text="Connectivity/AllowCellularDataRoaming":::](/windows/client-management/mdm/policy-csp-connectivity#allowcellulardataroaming) |
-|**:::no-loc text="Allow Cortana":::** | Block | | [:::no-loc text="Experience/AllowCortana":::](/windows/client-management/mdm/policy-csp-experience#allowcortana) |
-|**:::no-loc text="Allow Manual MDM Unenrollment":::** | Block | Block the user from deleting the workplace account using the workplace control panel. | [:::no-loc text="Experience/AllowManualMDMUnenrollment":::](/windows/client-management/mdm/policy-csp-experience#allowmanualmdmunenrollment) |
-|**:::no-loc text="Allow Widgets":::** | Not allowed. | This policy applies to the entire widgets experience, including content on the taskbar. | [:::no-loc text="AllowNewsAndInterests":::](/windows/client-management/mdm/policy-csp-newsandinterests) |
-|**:::no-loc text="Allow Windows Spotlight (User)":::** | Block | Turn off Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features. | [:::no-loc text="Experience/AllowWindowsSpotlight":::](/windows/client-management/mdm/policy-csp-experience#allowwindowsspotlight) |
-|**:::no-loc text="Allow All Trusted Apps":::** | Explicit allow unlock. | Allow install of any LOB or developer-signed Windows Store app (which must be signed with a certificate chain that can be successfully validated by the local computer) | [:::no-loc text="ApplicationManagement/AllowAllTrustedApps":::](/windows/client-management/mdm/policy-csp-applicationmanagement#allowalltrustedapps) |
-|**:::no-loc text="Allow Developer Unlock":::** | Explicit deny. | Block developing Microsoft Store apps or installing them directly from an IDE. | [:::no-loc text="ApplicationManagement/AllowDeveloperUnlock":::](/windows/client-management/mdm/policy-csp-applicationmanagement#allowdeveloperunlock) |
-|**:::no-loc text="Allow Shared User App Data":::** | Block | Windows app can't share app data with other instances of that app. | [:::no-loc text="ApplicationManagement/AllowSharedUserAppData":::](/windows/client-management/mdm/policy-csp-applicationmanagement#allowshareduserappdata) |
-|**:::no-loc text="Turn off the Store application":::** | Enabled | Access to the Store application is denied. | [:::no-loc text="ADMX_WindowsStore/RemoveWindowsStore_2":::](/windows/client-management/mdm/policy-csp-admx-windowsstore#removewindowsstore_2) |
-|**:::no-loc text="Allow Hibernate":::** | Block | Windows 11 only | [:::no-loc text="Power/AllowHibernate":::](/windows/client-management/mdm/policy-csp-power#allowhibernate) |
-|**:::no-loc text="Energy Saver Battery Threshold On Battery":::** | 50 | Energy Saver will be automatically turned on at (and below) the specified level. | [:::no-loc text="Power/EnergySaverBatteryThresholdOnBattery":::](/windows/client-management/mdm/policy-csp-power#energysaverbatterythresholdonbattery) |
-|**:::no-loc text="Energy Saver Battery Threshold Plugged In":::** | 40 | Energy Saver will be automatically turned on at (and below) the specified level. | [:::no-loc text="Power/EnergySaverBatteryThresholdPluggedIn":::](/windows/client-management/mdm/policy-csp-power#energysaverbatterythresholdpluggedin) |
-|**:::no-loc text="Select Lid Close Action On Battery":::** | Sleep | | [:::no-loc text="Power/SelectLidCloseActionOnBattery":::](/windows/client-management/mdm/policy-csp-power#selectlidcloseactiononbattery) |
-|**:::no-loc text="Select Lid Close Action Plugged In":::** | Sleep | | [:::no-loc text="Power/SelectLidCloseActionPluggedIn":::](/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) |
-|**:::no-loc text="Select Power Button Action On Battery":::** | Sleep | | [:::no-loc text="Power/SelectPowerButtonActionOnBattery":::](/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactiononbattery) |
-|**:::no-loc text="Select Power Button Action Plugged In":::** | Sleep | | [:::no-loc text="Power/SelectPowerButtonActionPluggedIn":::](/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactionpluggedin) |
-|**:::no-loc text="Select Sleep Button Action On Battery":::** | Sleep | | [:::no-loc text="Power/SelectSleepButtonActionOnBattery":::](/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactiononbattery) |
-|**:::no-loc text="Select Sleep Button Action Plugged In":::** | Sleep | | [:::no-loc text="Power/SelectSleepButtonActionPluggedIn":::](/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactionpluggedin) |
-|**:::no-loc text="Turn Off Hybrid Sleep On Battery":::** | hybrid sleep | A hiberfile isn't generated when the system transitions to sleep (Stand By). | [:::no-loc text="Power/TurnOffHybridSleepOnBattery":::](/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeponbattery) |
-|**:::no-loc text="Turn Off Hybrid Sleep Plugged In":::** | hybrid sleep | A hiberfile isn't generated when the system transitions to sleep (Stand By). | [:::no-loc text="Power/TurnOffHybridSleepPluggedIn":::](/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeppluggedin) |
-|**:::no-loc text="Unattended Sleep Timeout On Battery":::** | 3600 | How much idle time (seconds) should elapse before Windows automatically transitions to sleep when left unattended. | [:::no-loc text="Power/UnattendedSleepTimeoutOnBattery":::](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutonbattery) |
-|**:::no-loc text="Unattended Sleep Timeout Plugged In":::** | 3600 | How much idle time (seconds) should elapse before Windows automatically transitions to sleep when left unattended. | [:::no-loc text="Power/UnattendedSleepTimeoutPluggedIn":::](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutpluggedin) |
-|**:::no-loc text="Allow Add Provisioning Package":::** | Allow | Allow the runtime configuration agent to install provisioning packages. | [:::no-loc text="Security/AllowAddProvisioningPackage":::](/windows/client-management/mdm/policy-csp-security#allowaddprovisioningpackage) |
-|**:::no-loc text="Allow Remove Provisioning Package":::** | Allow | Allow the runtime configuration agent to remove provisioning packages. | [:::no-loc text="Security/AllowRemoveProvisioningPackage":::](/windows/client-management/mdm/policy-csp-security#allowremoveprovisioningpackage) |
-|**:::no-loc text="Allow Date Time":::** | Block | Block the user from changing date and time settings. | [:::no-loc text="Settings/AllowDateTime":::](/windows/client-management/mdm/policy-csp-settings#allowdatetime) |
-|**:::no-loc text="Allow Language":::** | Block | Block the user from changing the language settings. | [:::no-loc text="Settings/AllowLanguage":::](/windows/client-management/mdm/policy-csp-settings#allowlanguage) |
-|**:::no-loc text="Allow Power Sleep":::** | Block | Block the user from changing power and sleep settings. | [:::no-loc text="Settings/AllowPowerSleep":::](/windows/client-management/mdm/policy-csp-settings#allowpowersleep) |
-|**:::no-loc text="Allow Region":::** | Block | Block the user from changing the region settings. | [:::no-loc text="Settings/AllowRegion":::](/windows/client-management/mdm/policy-csp-settings#allowregion) |
-|**:::no-loc text="Enable Shared PC Mode":::** | False | | [:::no-loc text="SharedPC/EnableSharedPCMode":::](/windows/client-management/mdm/sharedpc-csp#enablesharedpcmode) |
-|**:::no-loc text="Restrict Local Storage":::** | False | | [:::no-loc text="SharedPC/RestrictLocalStorage":::](/windows/client-management/mdm/sharedpc-csp#restrictlocalstorage) |
-|**:::no-loc text="Set Edu Policies":::** | true | [:::no-loc text="Windows 10 configuration recommendations for education customers":::](/education/windows/configure-windows-for-education) | [:::no-loc text="SharedPC/SetEDUpolicies":::](/windows/client-management/mdm/sharedpc-csp#setedupolicies) |
-|**:::no-loc text="Allow End Task":::** | Block | | [:::no-loc text="TaskManager/AllowEndTask":::](/windows/client-management/mdm/policy-csp-taskmanager#allowendtask) |
-|**:::no-loc text="Allow Auto Connect To Wi Fi Sense Hotspots":::** | Block | | [:::no-loc text="Wifi/AllowAutoConnectToWiFiSenseHotspots":::](/windows/client-management/mdm/policy-csp-wifi#allowautoconnecttowifisensehotspots) |
-|**:::no-loc text="Allow Internet Sharing":::** | Block | | [:::no-loc text="Wifi/AllowInternetSharing":::](/windows/client-management/mdm/policy-csp-wifi#allowinternetsharing) |
-|**:::no-loc text="Hide Fast User Switching":::** | Enabled | | [:::no-loc text="WindowsLogon/HideFastUserSwitching":::](/windows/client-management/mdm/policy-csp-windowslogon#hidefastuserswitching) |
-|**:::no-loc text="Disable Automatic Re Deployment Credentials":::** | Disabled | Enables local Autopilot Reset | [:::no-loc text="CredentialProviders/DisableAutomaticReDeploymentCredentials":::](/en-us/windows/client-management/mdm/policy-csp-credentialproviders#disableautomaticredeploymentcredentials) |
-|**:::no-loc text="Configure Chat Icon":::** | Disabled | Configures the Teams Chat icon on the taskbar for Windows 11 | [:::no-loc text="Experience/ConfigureChatIcon":::](/en-us/windows/client-management/mdm/policy-csp-experience#configurechaticon) |
+### [**Settings**](#tab/settings)
+
+| **Category** | **Name** | **Value** | **Notes** | **CSP** |
+|---|---|---|---|---|
+| Above Lock |**:::no-loc text="Allow Cortana Above Lock":::** | Block | The system will need to be unlocked for the user to interact with Cortana using speech. | [:::no-loc text="AboveLock/AllowCortanaAboveLock":::](/windows/client-management/mdm/policy-csp-abovelock#allowcortanaabovelock) |
+| Above Lock |**:::no-loc text="Allow Toasts":::** | Block | Block toast notifications above the device lock screen | [:::no-loc text="AboveLock/AllowToasts":::](/windows/client-management/mdm/policy-csp-abovelock#allowtoasts) |
+| Accounts |**:::no-loc text="Allow Adding Non Microsoft Accounts Manually":::** | Block | Block users from adding non-MSA email account. | [:::no-loc text="Accounts/AllowAddingNonMicrosoftAccountsManually":::](/windows/client-management/mdm/policy-csp-accounts#allowaddingnonmicrosoftaccountsmanually) |
+| Accounts |**:::no-loc text="Allow Microsoft Account Connection":::** | Block | Block users from using an MSA account for non-email related connection authentication and services. | [:::no-loc text="Accounts/AllowMicrosoftAccountConnection":::](/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountconnection) |
+| Administrative Templates > System > Power Management > Sleep Settings |**:::no-loc text="Specify the system hibernate timeout (on battery)":::** | Disabled | | [:::no-loc text="Power/HibernateTimeoutOnBattery":::](/windows/client-management/mdm/policy-csp-power#hibernatetimeoutonbattery) |
+| Administrative Templates > System > Power Management > Sleep Settings |**:::no-loc text="Specify the system sleep timeout (on battery)":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="Power/StandbyTimeoutOnBattery":::](/windows/client-management/mdm/policy-csp-power#standbytimeoutonbattery) |
+| Administrative Templates > System > Power Management > Sleep Settings |**:::no-loc text="System Sleep Timeout (seconds):":::** | 3600 | | [:::no-loc text="Power/StandbyTimeoutOnBattery":::](/windows/client-management/mdm/policy-csp-power#standbytimeoutonbattery) |
+| Administrative Templates > System > Power Management > Sleep Settings |**:::no-loc text="Specify the system sleep timeout (plugged in)":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="Power/StandbyTimeoutPluggedIn":::](/windows/client-management/mdm/policy-csp-power#standbytimeoutpluggedin) |
+| Administrative Templates > System > Power Management > Sleep Settings |**:::no-loc text="System Sleep Timeout (seconds):":::** | 3600 | | [:::no-loc text="Power/StandbyTimeoutPluggedIn":::](/windows/client-management/mdm/policy-csp-power#standbytimeoutpluggedin) |
+| Administrative Templates > System > Power Management > Video and Display Settings |**:::no-loc text="Turn off the display (on battery)":::** | Enabled | | [:::no-loc text="Power/DisplayOffTimeoutOnBattery":::](/windows/client-management/mdm/policy-csp-power#displayofftimeoutonbattery) |
+| Administrative Templates > System > Power Management > Video and Display Settings |**:::no-loc text="On battery power, turn display off after (seconds)":::** | 300 | | [:::no-loc text="Power/DisplayOffTimeoutOnBattery":::](/windows/client-management/mdm/policy-csp-power#displayofftimeoutonbattery) |
+| Administrative Templates > System > Power Management > Video and Display Settings |**:::no-loc text="Turn off the display (plugged in)":::** | Enabled | | [:::no-loc text="Power/DisplayOffTimeoutPluggedIn":::](/windows/client-management/mdm/policy-csp-power#displayofftimeoutpluggedin) |
+| Administrative Templates > System > Power Management > Video and Display Settings |**:::no-loc text="When plugged in, turn display off after (seconds)":::** | 300 | | [:::no-loc text="Power/DisplayOffTimeoutPluggedIn":::](/windows/client-management/mdm/policy-csp-power#displayofftimeoutpluggedin) |
+| Administrative Templates > System > Removable Storage Access |**:::no-loc text="All Removable Storage classes: Deny all access":::** | Disabled | Do not block access to removable storage | [:::no-loc text="ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2":::](/windows/client-management/mdm/policy-csp-admx-removablestorage#removablestorageclasses_denyall_access_2) |
+| Administrative Templates > Windows Components > Store |**:::no-loc text="Turn off the Store application":::** | Enabled | Access to the Store application is denied. | [:::no-loc text="ADMX_WindowsStore/RemoveWindowsStore_2":::](/windows/client-management/mdm/policy-csp-admx-windowsstore#removewindowsstore_2) |
+| Bluetooth |**:::no-loc text="Allow Advertising":::** | Block | Blocks the device from sending out Bluetooth advertisements. | [:::no-loc text="Bluetooth/AllowAdvertising":::](/windows/client-management/mdm/policy-csp-bluetooth#allowadvertising) |
+| Bluetooth |**:::no-loc text="Allow Discoverable Mode":::** | Allow | Allow other Bluetooth-enabled devices discover the device. | [:::no-loc text="Bluetooth/AllowDiscoverableMode":::](/windows/client-management/mdm/policy-csp-bluetooth#allowdiscoverablemode) |
+| Bluetooth |**:::no-loc text="Allow Prompted Proximal Connections":::** | Block | Block users on these managed devices from using Swift Pair and other proximity based scenarios. | [:::no-loc text="Bluetooth/AllowPromptedProximalConnections":::](/windows/client-management/mdm/policy-csp-bluetooth#allowpromptedproximalconnections) |
+| Camera |**:::no-loc text="Allow Camera":::** | Allowed | | [:::no-loc text="Camera/AllowCamera":::](/windows/client-management/mdm/policy-csp-camera#allowcamera) |
+| Connectivity |**:::no-loc text="Allow Bluetooth":::** | Allow Bluetooth. The radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on. | | [:::no-loc text="Connectivity/AllowBluetooth":::](/windows/client-management/mdm/policy-csp-connectivity#allowbluetooth) |
+| Connectivity |**:::no-loc text="Allow Cellular Data Roaming":::** | Do not allow cellular data roaming. The user cannot turn it on. This value is not supported in Windows 10, version 1511. | | [:::no-loc text="Connectivity/AllowCellularDataRoaming":::](/windows/client-management/mdm/policy-csp-connectivity#allowcellulardataroaming) |
+| Credential Providers |**:::no-loc text="Disable Automatic Re Deployment Credentials":::** | Disabled | Enables local Autopilot Reset | [:::no-loc text="CredentialProviders/DisableAutomaticReDeploymentCredentials":::](/en-us/windows/client-management/mdm/policy-csp-credentialproviders#disableautomaticredeploymentcredentials) |
+| Experience |**:::no-loc text="Allow Cortana":::** | Block | | [:::no-loc text="Experience/AllowCortana":::](/windows/client-management/mdm/policy-csp-experience#allowcortana) |
+| Experience |**:::no-loc text="Allow Manual MDM Unenrollment":::** | Block | Block the user from deleting the workplace account using the workplace control panel. | [:::no-loc text="Experience/AllowManualMDMUnenrollment":::](/windows/client-management/mdm/policy-csp-experience#allowmanualmdmunenrollment) |
+| Experience |**:::no-loc text="Allow Windows Spotlight (User)":::** | Block | Turn off Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features. | [:::no-loc text="Experience/AllowWindowsSpotlight":::](/windows/client-management/mdm/policy-csp-experience#allowwindowsspotlight) |
+| Experience |**:::no-loc text="Configure Chat Icon":::** | Disabled | Configures the Teams Chat icon on the taskbar for Windows 11 | [:::no-loc text="Experience/ConfigureChatIcon":::](/en-us/windows/client-management/mdm/policy-csp-experience#configurechaticon) |
+| Microsoft App Store |**:::no-loc text="Allow All Trusted Apps":::** | Explicit allow unlock. | Allow install of any LOB or developer-signed Windows Store app (which must be signed with a certificate chain that can be successfully validated by the local computer) | [:::no-loc text="ApplicationManagement/AllowAllTrustedApps":::](/windows/client-management/mdm/policy-csp-applicationmanagement#allowalltrustedapps) |
+| Microsoft App Store |**:::no-loc text="Allow Developer Unlock":::** | Explicit deny. | Block developing Microsoft Store apps or installing them directly from an IDE. | [:::no-loc text="ApplicationManagement/AllowDeveloperUnlock":::](/windows/client-management/mdm/policy-csp-applicationmanagement#allowdeveloperunlock) |
+| Microsoft App Store |**:::no-loc text="Allow Shared User App Data":::** | Block | Windows app can't share app data with other instances of that app. | [:::no-loc text="ApplicationManagement/AllowSharedUserAppData":::](/windows/client-management/mdm/policy-csp-applicationmanagement#allowshareduserappdata) |
+| Power |**:::no-loc text="Allow Hibernate":::** | Block | Windows 11 only | [:::no-loc text="Power/AllowHibernate":::](/windows/client-management/mdm/policy-csp-power#allowhibernate) |
+| Power |**:::no-loc text="Energy Saver Battery Threshold On Battery":::** | 50 | Energy Saver will be automatically turned on at (and below) the specified level. | [:::no-loc text="Power/EnergySaverBatteryThresholdOnBattery":::](/windows/client-management/mdm/policy-csp-power#energysaverbatterythresholdonbattery) |
+| Power |**:::no-loc text="Energy Saver Battery Threshold Plugged In":::** | 40 | Energy Saver will be automatically turned on at (and below) the specified level. | [:::no-loc text="Power/EnergySaverBatteryThresholdPluggedIn":::](/windows/client-management/mdm/policy-csp-power#energysaverbatterythresholdpluggedin) |
+| Power |**:::no-loc text="Select Lid Close Action On Battery":::** | Sleep | | [:::no-loc text="Power/SelectLidCloseActionOnBattery":::](/windows/client-management/mdm/policy-csp-power#selectlidcloseactiononbattery) |
+| Power |**:::no-loc text="Select Lid Close Action Plugged In":::** | Sleep | | [:::no-loc text="Power/SelectLidCloseActionPluggedIn":::](/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) |
+| Power |**:::no-loc text="Select Power Button Action On Battery":::** | Sleep | | [:::no-loc text="Power/SelectPowerButtonActionOnBattery":::](/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactiononbattery) |
+| Power |**:::no-loc text="Select Power Button Action Plugged In":::** | Sleep | | [:::no-loc text="Power/SelectPowerButtonActionPluggedIn":::](/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactionpluggedin) |
+| Power |**:::no-loc text="Select Sleep Button Action On Battery":::** | Sleep | | [:::no-loc text="Power/SelectSleepButtonActionOnBattery":::](/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactiononbattery) |
+| Power |**:::no-loc text="Select Sleep Button Action Plugged In":::** | Sleep | | [:::no-loc text="Power/SelectSleepButtonActionPluggedIn":::](/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactionpluggedin) |
+| Power |**:::no-loc text="Turn Off Hybrid Sleep On Battery":::** | hybrid sleep | A hiberfile isn't generated when the system transitions to sleep (Stand By). | [:::no-loc text="Power/TurnOffHybridSleepOnBattery":::](/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeponbattery) |
+| Power |**:::no-loc text="Turn Off Hybrid Sleep Plugged In":::** | hybrid sleep | A hiberfile isn't generated when the system transitions to sleep (Stand By). | [:::no-loc text="Power/TurnOffHybridSleepPluggedIn":::](/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeppluggedin) |
+| Power |**:::no-loc text="Unattended Sleep Timeout On Battery":::** | 3600 | How much idle time (seconds) should elapse before Windows automatically transitions to sleep when left unattended. | [:::no-loc text="Power/UnattendedSleepTimeoutOnBattery":::](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutonbattery) |
+| Power |**:::no-loc text="Unattended Sleep Timeout Plugged In":::** | 3600 | How much idle time (seconds) should elapse before Windows automatically transitions to sleep when left unattended. | [:::no-loc text="Power/UnattendedSleepTimeoutPluggedIn":::](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutpluggedin) |
+| Security |**:::no-loc text="Allow Add Provisioning Package":::** | Allow | Allow the runtime configuration agent to install provisioning packages. | [:::no-loc text="Security/AllowAddProvisioningPackage":::](/windows/client-management/mdm/policy-csp-security#allowaddprovisioningpackage) |
+| Security |**:::no-loc text="Allow Remove Provisioning Package":::** | Allow | Allow the runtime configuration agent to remove provisioning packages. | [:::no-loc text="Security/AllowRemoveProvisioningPackage":::](/windows/client-management/mdm/policy-csp-security#allowremoveprovisioningpackage) |
+| Settings |**:::no-loc text="Allow Date Time":::** | Block | Block the user from changing date and time settings. | [:::no-loc text="Settings/AllowDateTime":::](/windows/client-management/mdm/policy-csp-settings#allowdatetime) |
+| Settings |**:::no-loc text="Allow Language":::** | Block | Block the user from changing the language settings. | [:::no-loc text="Settings/AllowLanguage":::](/windows/client-management/mdm/policy-csp-settings#allowlanguage) |
+| Settings |**:::no-loc text="Allow Power Sleep":::** | Block | Block the user from changing power and sleep settings. | [:::no-loc text="Settings/AllowPowerSleep":::](/windows/client-management/mdm/policy-csp-settings#allowpowersleep) |
+| Settings |**:::no-loc text="Allow Region":::** | Block | Block the user from changing the region settings. | [:::no-loc text="Settings/AllowRegion":::](/windows/client-management/mdm/policy-csp-settings#allowregion) |
+| Shared PC |**:::no-loc text="Enable Shared PC Mode":::** | False | | [:::no-loc text="SharedPC/EnableSharedPCMode":::](/windows/client-management/mdm/sharedpc-csp#enablesharedpcmode) |
+| Shared PC |**:::no-loc text="Restrict Local Storage":::** | False | | [:::no-loc text="SharedPC/RestrictLocalStorage":::](/windows/client-management/mdm/sharedpc-csp#restrictlocalstorage) |
+| Shared PC |**:::no-loc text="Set Edu Policies":::** | true | [:::no-loc text="Windows 10 configuration recommendations for education customers":::](/education/windows/configure-windows-for-education) | [:::no-loc text="SharedPC/SetEDUpolicies":::](/windows/client-management/mdm/sharedpc-csp#setedupolicies) |
+| Task Manager |**:::no-loc text="Allow End Task":::** | Block | | [:::no-loc text="TaskManager/AllowEndTask":::](/windows/client-management/mdm/policy-csp-taskmanager#allowendtask) |
+| Widgets |**:::no-loc text="Allow Widgets":::** | Not allowed. | This policy applies to the entire widgets experience, including content on the taskbar. | [:::no-loc text="AllowNewsAndInterests":::](/windows/client-management/mdm/policy-csp-newsandinterests) |
+| Wi-Fi Settings |**:::no-loc text="Allow Auto Connect To Wi Fi Sense Hotspots":::** | Block | | [:::no-loc text="Wifi/AllowAutoConnectToWiFiSenseHotspots":::](/windows/client-management/mdm/policy-csp-wifi#allowautoconnecttowifisensehotspots) |
+| Wi-Fi Settings |**:::no-loc text="Allow Internet Sharing":::** | Block | | [:::no-loc text="Wifi/AllowInternetSharing":::](/windows/client-management/mdm/policy-csp-wifi#allowinternetsharing) |
+| Windows Logon |**:::no-loc text="Hide Fast User Switching":::** | Enabled | | [:::no-loc text="WindowsLogon/HideFastUserSwitching":::](/windows/client-management/mdm/policy-csp-windowslogon#hidefastuserswitching) |
+
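Review bot: the Value and Notes columns are used inconsistently in this table, which makes the recommended state hard to scan. The "Allow Bluetooth" and "Allow Cellular Data Roaming" rows put the full description in the Value cell and leave Notes empty, "Allow Widgets" uses "Not allowed.", "Set Edu Policies" uses lowercase "true" where the Shared PC rows above it use "False", and both "Turn Off Hybrid Sleep" rows carry the bare value "hybrid sleep", which reads as truncated next to the note "A hiberfile isn't generated"; suggest normalising Value to Allow/Block/Enabled/Disabled/True/False and moving the explanations into Notes. Smaller points in the same rows: "Allow other Bluetooth-enabled devices discover the device." is missing "to"; the "Disable Automatic Re Deployment Credentials" and "Configure Chat Icon" CSP links use the locale-specific `/en-us/windows/...` path while every other row links to `/windows/...`; and the "Allow Widgets" CSP cell reads "AllowNewsAndInterests" without the area prefix that every other CSP cell carries. Finally, the two Security rows set "Allow Add Provisioning Package" and "Allow Remove Provisioning Package" to Allow with an empty rationale: since these permit the runtime configuration agent to install and remove provisioning packages, a sentence in Notes explaining why this is kept open on shared student devices (and what should be in place before doing so) would help readers judge whether to adopt it as-is.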
+### [:::image type="icon" source="../../../media/icons/graph.svg"::: **Create policy using Graph Explorer**](#tab/graph)
+
+[!INCLUDE [graph-explorer-introduction](../../../includes/graph-explorer-intro.md)]
+
+This will create a policy in your tenant with the name **:::no-loc text="_MSLearn_Example_CommonEDU - Windows - Device restrictions":::**.
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
+Content-Type: application/json
+
+{"name":"_MSLearn_Example_CommonEDU - Windows - Device restrictions","description":"https://aka.ms/ManageEduDevices","platforms":"windows10","technologies":"mdm","roleScopeTagIds":["0"],"settings":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_abovelock_allowcortanaabovelock","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_abovelock_allowcortanaabovelock_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_abovelock_allowtoasts","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_abovelock_allowtoasts_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_accounts_allowaddingnonmicrosoftaccountsmanually","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_accounts_allowaddingnonmicrosoftaccountsmanually_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_accounts_allowmicrosoftaccountconnection","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_poli
cy_config_accounts_allowmicrosoftaccountconnection_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_power_hibernatetimeoutonbattery","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_power_hibernatetimeoutonbattery_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_power_standbytimeoutonbattery","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_power_standbytimeoutonbattery_1","children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_power_standbytimeoutonbattery_enterdcstandbytimeout","simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationIntegerSettingValue","value":3600}}]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_power_standbytimeoutpluggedin","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_power_standbytimeoutpluggedin_1","children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_power_standbytimeoutpluggedin_enteracstandbytimeout","simpleSettingValue":{"@odata.type":"#microsoft.graph.de
viceManagementConfigurationIntegerSettingValue","value":3600}}]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_power_displayofftimeoutonbattery","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_power_displayofftimeoutonbattery_1","children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_power_displayofftimeoutonbattery_entervideodcpowerdowntimeout","simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationIntegerSettingValue","value":300}}]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_power_displayofftimeoutpluggedin","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_power_displayofftimeoutpluggedin_1","children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_power_displayofftimeoutpluggedin_entervideoacpowerdowntimeout","simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationIntegerSettingValue","value":300}}]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_admx_removablestorage_removablestorageclasses_denyall_access_2","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementCon
figurationChoiceSettingValue","value":"device_vendor_msft_policy_config_admx_removablestorage_removablestorageclasses_denyall_access_2_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_admx_windowsstore_removewindowsstore_2","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_admx_windowsstore_removewindowsstore_2_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_bluetooth_allowadvertising","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_bluetooth_allowadvertising_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_bluetooth_allowdiscoverablemode","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_bluetooth_allowdiscoverablemode_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_bluetooth_allowpromptedproximalconnections","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_bluetooth_allowpromptedproximalconnections
_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_camera_allowcamera","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_camera_allowcamera_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_connectivity_allowbluetooth","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_connectivity_allowbluetooth_2","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_connectivity_allowcellulardataroaming","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_connectivity_allowcellulardataroaming_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_credentialproviders_disableautomaticredeploymentcredentials","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_credentialproviders_disableautomaticredeploymentcredentials_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"
#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_experience_allowcortana","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_experience_allowcortana_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_experience_allowmanualmdmunenrollment","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_experience_allowmanualmdmunenrollment_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"user_vendor_msft_policy_config_experience_allowwindowsspotlight","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"user_vendor_msft_policy_config_experience_allowwindowsspotlight_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_experience_configurechaticon","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_experience_configurechaticon_3","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_applicationmanagement_allowalltrustedapps","cho
iceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_applicationmanagement_allowalltrustedapps_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_applicationmanagement_allowdeveloperunlock","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_applicationmanagement_allowdeveloperunlock_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_applicationmanagement_allowshareduserappdata","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_applicationmanagement_allowshareduserappdata_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_power_allowhibernate","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_power_allowhibernate_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_power_energysaverbatterythresholdonbattery","simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationIntegerSettingValue","value":50}}}
,{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_power_energysaverbatterythresholdpluggedin","simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationIntegerSettingValue","value":40}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_power_selectlidcloseactiononbattery","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_power_selectlidcloseactiononbattery_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_power_selectlidcloseactionpluggedin","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_power_selectlidcloseactionpluggedin_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_power_selectpowerbuttonactiononbattery","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_power_selectpowerbuttonactiononbattery_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"
device_vendor_msft_policy_config_power_selectpowerbuttonactionpluggedin","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_power_selectpowerbuttonactionpluggedin_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_power_selectsleepbuttonactiononbattery","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_power_selectsleepbuttonactiononbattery_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_power_selectsleepbuttonactionpluggedin","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_power_selectsleepbuttonactionpluggedin_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_power_turnoffhybridsleeponbattery","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_power_turnoffhybridsleeponbattery_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_power_turnoffhybridsleeppluggedin","choiceSettingValue":{"@odata.type":"#microsof
t.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_power_turnoffhybridsleeppluggedin_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_power_unattendedsleeptimeoutonbattery","simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationIntegerSettingValue","value":3600}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_power_unattendedsleeptimeoutpluggedin","simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationIntegerSettingValue","value":3600}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_security_allowaddprovisioningpackage","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_security_allowaddprovisioningpackage_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_security_allowremoveprovisioningpackage","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_security_allowremoveprovisioningpackage_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.d
eviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_settings_allowdatetime","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_settings_allowdatetime_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_settings_allowlanguage","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_settings_allowlanguage_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_settings_allowpowersleep","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_settings_allowpowersleep_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_settings_allowregion","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_settings_allowregion_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"vendor_msft_sharedpc_enablesharedpcmode","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"vendo
r_msft_sharedpc_enablesharedpcmode_false","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"vendor_msft_sharedpc_restrictlocalstorage","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"vendor_msft_sharedpc_restrictlocalstorage_false","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"vendor_msft_sharedpc_setedupolicies","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"vendor_msft_sharedpc_setedupolicies_true","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_taskmanager_allowendtask","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_taskmanager_allowendtask_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_wifi_allowautoconnecttowifisensehotspots","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_wifi_allowautoconnecttowifisensehotspots_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId
":"device_vendor_msft_policy_config_wifi_allowinternetsharing","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_wifi_allowinternetsharing_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_newsandinterests_allownewsandinterests","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_newsandinterests_allownewsandinterests_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_windowslogon_hidefastuserswitching","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_windowslogon_hidefastuserswitching_1","children":[]}}}]}
+```
+
+[!INCLUDE [graph-explorer-steps](../../../includes/graph-explorer-steps.md)]
+
+---
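Review bot: the Graph request body is committed as one minified line, so individual setting values cannot be reviewed or diffed; pretty-print the JSON inside the fence (one `settingInstance` per block) before merging. While doing that, please confirm that `device_vendor_msft_policy_config_security_allowaddprovisioningpackage_1` and `device_vendor_msft_policy_config_security_allowremoveprovisioningpackage_1` are intended, since in the Policy CSP the `_1` choice is the "allowed" value for adding and removing provisioning packages, and the `vendor_msft_sharedpc_enablesharedpcmode_false` / `vendor_msft_sharedpc_setedupolicies_true` pairing is worth an explicit sentence in the surrounding text so readers don't assume the JSON is out of sync with the settings table.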
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-edge.md b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-edge.md
index 55cba31b2de..ce85b3625f8 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-edge.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-edge.md
@@ -7,6 +7,10 @@ author: yegor-a
ms.author: egorabr
ms.manager: dougeby
no-loc: [Microsoft, Windows, Autopatch, Autopilot, Edge]
+ms.collection:
+- graph-interactive
+ms.service: microsoft-intune
+ms.subservice: education
---
# Microsoft Edge
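Review bot: adding `ms.collection: - graph-interactive` signals that this page now carries an interactive Graph Explorer block, but the visible hunks for this file only add the `## [**Settings**](#tab/settings)` tab and restructure the table; make sure the file also gets the `[!INCLUDE [graph-explorer-steps](../../../includes/graph-explorer-steps.md)]` line and the matching second tab, as the previous file in this diff does, otherwise the collection tag is misleading.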
@@ -30,83 +34,119 @@ To learn more, see:
> [!TIP]
> When creating a settings catalog profile in the Microsoft Intune admin center, you can copy a policy name from this article and paste it into the settings picker search field to find the desired policy.
-## Settings catalog policies
-
-| **Name** | **Value** | **Notes** | **CSP** |
-|---|---|---|---|
-| **:::no-loc text="Ads setting for sites with intrusive ads":::** | Disabled | Block ads on sites with intrusive ads. | [:::no-loc text="AdsSettingForIntrusiveAdsSites":::](/deployedge/microsoft-edge-policies#adssettingforintrusiveadssites) |
-| **:::no-loc text="Default sensors setting":::** | Disabled | Don't allow any site to access sensors. | [:::no-loc text="DefaultSensorsSetting":::](/deployedge/microsoft-edge-policies#defaultsensorssetting) |
-| **:::no-loc text="Allow import of data from other browsers on each Microsoft Edge launch":::** | Disabled | Users will never see a prompt to import their browsing data from other browsers on each Microsoft Edge launch. | [:::no-loc text="ImportOnEachLaunch":::](/deployedge/microsoft-edge-policies#importoneachlaunch) |
-| **:::no-loc text="Allow importing of browser settings":::** | Disabled | Browser settings aren't imported at first run, and users can't import them manually. | [:::no-loc text="ImportBrowserSettings":::](/deployedge/microsoft-edge-policies#importbrowsersettings) |
-| **:::no-loc text="Allow importing of favorites":::** | Disabled | Favorites aren't imported at first run, and users can't import them manually. | [:::no-loc text="ImportFavorites":::](/deployedge/microsoft-edge-policies#importfavorites) |
-| **:::no-loc text="Allow feature recommendations and browser assistance notifications from Microsoft Edge":::** | Disabled | This setting controls the in-browser assistance notifications, which are intended to help users get the most out of Microsoft Edge by recommending features and by helping them use browser features. | [:::no-loc text="ShowRecommendationsEnabled":::](/deployedge/microsoft-edge-policies#showrecommendationsenabled) |
-| **:::no-loc text="Allow suggestions from local providers":::** | Disabled | Suggestions from local providers are never used. Local history and local favorites suggestions won't appear. | [:::no-loc text="LocalProvidersEnabled":::](/deployedge/microsoft-edge-policies#localprovidersenabled) |
-| **:::no-loc text="Allow surf game":::** | Disabled | Users won't be able to play the surf game when the device is offline or if the user navigates to edge://surf. | [:::no-loc text="AllowSurfGame":::](/deployedge/microsoft-edge-policies#allowsurfgame) |
-| **:::no-loc text="Allow user feedback":::** | Disabled | Microsoft Edge uses the Edge Feedback feature (enabled by default) to allow users to send feedback, suggestions, or customer surveys and to report any issues with the browser. | [:::no-loc text="UserFeedbackAllowed":::](/deployedge/microsoft-edge-policies#userfeedbackallowed) |
-| **:::no-loc text="Allow users to access the games menu":::** | Disabled | Users won't be able to access the games menu. | [:::no-loc text="AllowGamesMenu":::](/deployedge/microsoft-edge-policies#allowgamesmenu) |
-| **:::no-loc text="Allow users to proceed from the HTTPS warning page":::** | Disabled | Users are blocked from clicking through any warning page. | [:::no-loc text="SSLErrorOverrideAllowed":::](/deployedge/microsoft-edge-policies#sslerroroverrideallowed) |
-| **:::no-loc text="Allow websites to query for available payment methods":::** | Disabled | Websites that use Payment Request will be informed that no payment methods are available. | [:::no-loc text="PaymentMethodQueryEnabled":::](/deployedge/microsoft-edge-policies#paymentmethodqueryenabled) |
-| **:::no-loc text="Block access to a list of URLs":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="URLBlocklist":::](/deployedge/microsoft-edge-policies#urlblocklist) |
-| **:::no-loc text="Block access to a list of URLs > Block access to a list of URLs (Device)":::** | edge://flags | Define a list of sites, based on URL patterns, that are blocked (your users can't load them). | [:::no-loc text="URLBlocklist":::](/deployedge/microsoft-edge-policies#urlblocklist) |
-| **:::no-loc text="Block all ads on Bing search results":::** | Enabled | A user can search on bing.com and have an ad-free search experience. At the same time, the SafeSearch setting will be set to 'Strict' and can't be changed by the user. | [:::no-loc text="BingAdsSuppression":::](/deployedge/microsoft-edge-policies#bingadssuppression) |
-| **:::no-loc text="Block tracking of users' web-browsing activity":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="TrackingPrevention":::](/deployedge/microsoft-edge-policies#trackingprevention) |
-| **:::no-loc text="Block tracking of users' web-browsing activity > Block tracking of users' web-browsing activity (Device)":::** | Balanced (blocks harmful trackers and trackers from sites user has nt visited; content and ads will be less personalized#) | Optional:
Strict (blocks harmful trackers and majority of trackers from all sites; content and ads will have minimal personalization. Some parts of sites might not work) | [:::no-loc text="TrackingPrevention":::](/deployedge/microsoft-edge-policies#trackingprevention) |
-| **:::no-loc text="Browser sign-in settings":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="BrowserSignin":::](/deployedge/microsoft-edge-policies#browsersignin) |
-| **:::no-loc text="Browser sign-in settings > Browser sign-in settings (Device)":::** | Force users to sign-in to use the browser | This policy requires user cloud identity. | [:::no-loc text="BrowserSignin":::](/deployedge/microsoft-edge-policies#browsersignin) |
-| **:::no-loc text="Clear browsing data when Microsoft Edge closes":::** | Disabled | Users can configure the Clear browsing data option in Settings. | [:::no-loc text="ClearBrowsingDataOnExit":::](/deployedge/microsoft-edge-policies#clearbrowsingdataonexit) |
-| **:::no-loc text="Configure Do Not Track":::** | Enable | Do Not Track requests let the websites you visit know that you don't want your browsing activity to be tracked. | [:::no-loc text="ConfigureDoNotTrack":::](/deployedge/microsoft-edge-policies#configuredonottrack) |
-| **:::no-loc text="Configure InPrivate mode availability":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="InPrivateModeAvailability":::](/deployedge/microsoft-edge-policies#inprivatemodeavailability) |
-| **:::no-loc text="Configure InPrivate mode availability > Configure InPrivate mode availability (Device)":::** | InPrivate mode disabled | | [:::no-loc text="InPrivateModeAvailability":::](/deployedge/microsoft-edge-policies#inprivatemodeavailability) |
-| **:::no-loc text="Configure Microsoft Defender SmartScreen to block potentially unwanted apps":::** | Enabled | Potentially unwanted app blocking with Microsoft Defender SmartScreen provides warning messages to help protect users from adware, coin miners, bundleware, and other low-reputation apps that are hosted by websites. | [:::no-loc text="SmartScreenPuaEnabled":::](/deployedge/microsoft-edge-policies#smartscreenpuaenabled) |
-| **:::no-loc text="Configure users ability to override feature flags":::** | Disabled | Users can't override state of feature flags using command line arguments or edge://flags page. | [:::no-loc text="FeatureFlagOverridesControl":::](/deployedge/microsoft-edge-policies#featureflagoverridescontrol) |
-| **:::no-loc text="Configure whether a user always has a default profile automatically signed in with their work or school account":::** | Enabled | A non-removable profile will be created with the user's work or school account on Windows. This profile can't be signed out or removed. | [:::no-loc text="NonRemovableProfileEnabled":::](/deployedge/microsoft-edge-policies#nonremovableprofileenabled) |
-| **:::no-loc text="Continue running background apps after Microsoft Edge closes":::** | Disabled | Background mode disable to prevent conflicts with assessment software. | [:::no-loc text="BackgroundModeEnabled":::](/deployedge/microsoft-edge-policies#backgroundmodeenabled) |
-| **:::no-loc text="Control where developer tools can be used":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="DeveloperToolsAvailability":::](/deployedge/microsoft-edge-policies#developertoolsavailability) |
-| **:::no-loc text="Control where developer tools can be used (Device)":::** | Don't allow using the developer tools | | [:::no-loc text="DeveloperToolsAvailability":::](/deployedge/microsoft-edge-policies#developertoolsavailability) |
-| **:::no-loc text="Enable AutoFill for addresses":::** | Disabled | AutoFill never suggests or fills in address information, nor does it save additional address information that the user might submit while browsing the web. | [:::no-loc text="AutofillAddressEnabled":::](/deployedge/microsoft-edge-policies#autofilladdressenabled) |
-| **:::no-loc text="Enable AutoFill for credit cards":::** | Disabled | AutoFill never suggests, fills, or recommends new payment Instruments. Additionally, it won't save any payment instrument information that users submit while browsing the web. | [:::no-loc text="AutofillCreditCardEnabled":::](/deployedge/microsoft-edge-policies#autofillcreditcardenabled) |
-| **:::no-loc text="Enable Drop feature in Microsoft Edge":::** | Disabled | Drop lets users send messages or files to themselves. | [:::no-loc text="EdgeEDropEnabled":::](/deployedge/microsoft-edge-policies#edgeedropenabled) |
-| **:::no-loc text="Enable full-tab promotional content":::** | Disabled | This setting controls the presentation of welcome pages that help users sign into Microsoft Edge, choose their default browser, or learn about product features. | [:::no-loc text="PromotionalTabsEnabled":::](/deployedge/microsoft-edge-policies#promotionaltabsenabled) |
-| **:::no-loc text="Enable Microsoft Search in Bing suggestions in the address bar":::** | Enabled | Enables the display of relevant Microsoft Search in Bing suggestions in the address bar's suggestion list when the user types a search string in the address bar. | [:::no-loc text="AddressBarMicrosoftSearchInBingProviderEnabled":::](/deployedge/microsoft-edge-policies#addressbarmicrosoftsearchinbingproviderenabled) |
-| **:::no-loc text="Enable profile creation from the Identity flyout menu or the Settings page":::** | Disabled | Users can't add new profiles from the Identity flyout menu or the Settings page. | [:::no-loc text="BrowserAddProfileEnabled":::](/deployedge/microsoft-edge-policies#browseraddprofileenabled) |
-| **:::no-loc text="Enable search suggestions":::** | Enabled | Enables web search suggestions in Microsoft Edge's Address Bar and Auto-Suggest List. | [:::no-loc text="SearchSuggestEnabled":::](/deployedge/microsoft-edge-policies#searchsuggestenabled) |
-| **:::no-loc text="Enforce Bing SafeSearch":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="ForceBingSafeSearch":::](/deployedge/microsoft-edge-policies#forcebingsafesearch) |
-| **:::no-loc text="Enforce Bing SafeSearch (Device)":::** | Configure strict search restrictions in Bing | | [:::no-loc text="ForceBingSafeSearch":::](/deployedge/microsoft-edge-policies#forcebingsafesearch) |
-| **:::no-loc text="Enforce Google SafeSearch":::** | Enabled | Forces queries in Google Web Search to be performed with SafeSearch set to active, and prevents users from changing this setting. | [:::no-loc text="ForceGoogleSafeSearch":::](/deployedge/microsoft-edge-policies#forcegooglesafesearch) |
-| **:::no-loc text="Force minimum YouTube Restricted Mode":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="ForceYouTubeRestrict":::](/deployedge/microsoft-edge-policies#forceyoutuberestrict) |
-| **:::no-loc text="Force minimum YouTube Restricted Mode (Device)":::** | Enforce Strict Restricted Mode for YouTube | | [:::no-loc text="ForceYouTubeRestrict":::](/deployedge/microsoft-edge-policies#forceyoutuberestrict) |
-| **:::no-loc text="Force synchronization of browser data and do not show the sync consent prompt":::** | Enabled | Forces data synchronization in Microsoft Edge. This policy also prevents the user from turning sync off. | [:::no-loc text="ForceSync":::](/deployedge/microsoft-edge-policies#forcesync) |
-| **:::no-loc text="Hide the First-run experience and splash screen":::** | Enabled | The First-run experience and the splash screen won't be shown to users when they run Microsoft Edge for the first time. | [:::no-loc text="HideFirstRunExperience":::](/deployedge/microsoft-edge-policies#hidefirstrunexperience) |
-| **:::no-loc text="In-app support Enabled":::** | Disabled | Microsoft Edge uses the in-app support feature (enabled by default) to allow users to contact our support agents directly from the browser. | [:::no-loc text="InAppSupportEnabled":::](/deployedge/microsoft-edge-policies#inappsupportenabled) |
-| **:::no-loc text="Microsoft Edge Insider Promotion Enabled":::** | Disabled | The Microsoft Edge Insider promotion content won't be shown on the About Microsoft Edge page. | [:::no-loc text="MicrosoftEdgeInsiderPromotionEnabled":::](/deployedge/microsoft-edge-policies#microsoftedgeinsiderpromotionenabled) |
-| **:::no-loc text="Save and fill memberships":::** | Disabled | Users can't have their membership info automatically saved and used to fill form fields while using Microsoft Edge. | [:::no-loc text="AutofillMembershipsEnabled":::](/deployedge/microsoft-edge-policies#autofillmembershipsenabled) |
-| **:::no-loc text="Send all intranet sites to Internet Explorer":::** | Disabled | | [:::no-loc text="SendIntranetToInternetExplorer":::](/deployedge/microsoft-edge-policies#sendintranettointernetexplorer) |
-| **:::no-loc text="Shopping in Microsoft Edge Enabled":::** | Disabled | Shopping features such as price comparison, coupons, rebates, and express checkout won't be automatically found for retail domains. | [:::no-loc text="EdgeShoppingAssistantEnabled":::](/deployedge/microsoft-edge-policies#edgeshoppingassistantenabled) |
-| **:::no-loc text="Show Hubs Sidebar":::** | Disabled | The Sidebar will never be shown. | [:::no-loc text="HubsSidebarEnabled":::](/deployedge/microsoft-edge-policies#hubssidebarenabled) |
-| **:::no-loc text="Show Microsoft Rewards experiences":::** | Disabled | | [:::no-loc text="ShowMicrosoftRewards":::](/deployedge/microsoft-edge-policies#showmicrosoftrewards) |
-| **:::no-loc text="Update policy override default":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="UpdateDefault":::](/deployedge/microsoft-edge-update-policies#updatedefault) |
-| **:::no-loc text="Update policy override default > Policy (Device)":::** | Always allow updates (recommended) | | [:::no-loc text="UpdateDefault":::](/deployedge/microsoft-edge-update-policies#updatedefault) |
-| **:::no-loc text="Configure cookies":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="DefaultCookiesSetting":::](/deployedge/microsoft-edge-policies#defaultcookiessetting) |
-| **:::no-loc text="Configure cookies (Device)":::** | Let all sites create cookies | | [:::no-loc text="DefaultCookiesSetting":::](/deployedge/microsoft-edge-policies#defaultcookiessetting) |
-| **:::no-loc text="Default pop-up window setting":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="DefaultPopupsSetting":::](/deployedge/microsoft-edge-policies#defaultpopupssetting) |
-| **:::no-loc text="Default pop-up window setting (Device)":::** | Allow all sites to show pop-ups | | [:::no-loc text="DefaultPopupsSetting":::](/deployedge/microsoft-edge-policies#defaultpopupssetting) |
-| **:::no-loc text="Blocks external extensions from being installed":::** | Disabled | External extensions are allowed to be installed. | [:::no-loc text="BlockExternalExtensions":::](/deployedge/microsoft-edge-policies#blockexternalextensions) |
-| **:::no-loc text="Control which extensions cannot be installed":::** | Disabled | The user can install any extension in Microsoft Edge. | [:::no-loc text="ExtensionInstallBlocklist":::](/deployedge/microsoft-edge-policies#extensioninstallblocklist) |
-| **:::no-loc text="Enable implicit sign-in":::** | Enabled | Edge will attempt to sign the user into their profile based on what and how they sign in to their OS. | [:::no-loc text="ImplicitSignInEnabled":::](/deployedge/microsoft-edge-policies#implicitsigninenabled) |
-| **:::no-loc text="Enable printing":::** | Enabled | | [:::no-loc text="PrintingEnabled":::](/deployedge/microsoft-edge-policies#printingenabled) |
-| **:::no-loc text="Prevent bypassing Microsoft Defender SmartScreen prompts for sites":::** | Enabled | Users can't ignore Microsoft Defender SmartScreen warnings and they're blocked from continuing to the site. | [:::no-loc text="PreventSmartScreenPromptOverride":::](/deployedge/microsoft-edge-policies#preventsmartscreenpromptoverride) |
-| **:::no-loc text="Allow Microsoft News content on the new tab page":::** | Disabled | Microsoft Edge does not display Microsoft News content on the new tab page, the Content control in the NTP settings flyout is disabled and set to 'Content off'. | [:::no-loc text="NewTabPageContentEnabled":::](/deployedge/microsoft-edge-policies#newtabpagecontentenabled) |
-| **:::no-loc text="Hide the default top sites from the new tab page":::** | Enabled | The default top site tiles are hidden. | [:::no-loc text="NewTabPageHideDefaultTopSites":::](/deployedge/microsoft-edge-policies#newtabpagehidedefaulttopsites) |
+## [**Settings**](#tab/settings)
+
+| **Category** | **Name** | **Value** | **Notes** | **CSP** |
+|---|---|---|---|---|
+| Microsoft Edge |**:::no-loc text="Ads setting for sites with intrusive ads":::** | Disabled | Block ads on sites with intrusive ads. | [:::no-loc text="AdsSettingForIntrusiveAdsSites":::](/deployedge/microsoft-edge-policies#adssettingforintrusiveadssites) |
+| Microsoft Edge |**:::no-loc text="Allow feature recommendations and browser assistance notifications from Microsoft Edge":::** | Disabled | This setting controls the in-browser assistance notifications, which are intended to help users get the most out of Microsoft Edge by recommending features and by helping them use browser features. | [:::no-loc text="ShowRecommendationsEnabled":::](/deployedge/microsoft-edge-policies#showrecommendationsenabled) |
+| Microsoft Edge |**:::no-loc text="Allow import of data from other browsers on each Microsoft Edge launch":::** | Disabled | Users will never see a prompt to import their browsing data from other browsers on each Microsoft Edge launch. | [:::no-loc text="ImportOnEachLaunch":::](/deployedge/microsoft-edge-policies#importoneachlaunch) |
+| Microsoft Edge |**:::no-loc text="Allow importing of browser settings":::** | Disabled | Browser settings aren't imported at first run, and users can't import them manually. | [:::no-loc text="ImportBrowserSettings":::](/deployedge/microsoft-edge-policies#importbrowsersettings) |
+| Microsoft Edge |**:::no-loc text="Allow importing of favorites":::** | Disabled | Favorites aren't imported at first run, and users can't import them manually. | [:::no-loc text="ImportFavorites":::](/deployedge/microsoft-edge-policies#importfavorites) |
+| Microsoft Edge |**:::no-loc text="Allow suggestions from local providers":::** | Disabled | Suggestions from local providers are never used. Local history and local favorites suggestions won't appear. | [:::no-loc text="LocalProvidersEnabled":::](/deployedge/microsoft-edge-policies#localprovidersenabled) |
+| Microsoft Edge |**:::no-loc text="Allow surf game":::** | Disabled | Users won't be able to play the surf game when the device is offline or if the user navigates to edge://surf. | [:::no-loc text="AllowSurfGame":::](/deployedge/microsoft-edge-policies#allowsurfgame) |
+| Microsoft Edge |**:::no-loc text="Allow user feedback":::** | Disabled | Microsoft Edge uses the Edge Feedback feature (enabled by default) to allow users to send feedback, suggestions, or customer surveys and to report any issues with the browser. | [:::no-loc text="UserFeedbackAllowed":::](/deployedge/microsoft-edge-policies#userfeedbackallowed) |
+| Microsoft Edge |**:::no-loc text="Allow users to access the games menu":::** | Disabled | Users won't be able to access the games menu. | [:::no-loc text="AllowGamesMenu":::](/deployedge/microsoft-edge-policies#allowgamesmenu) |
+| Microsoft Edge |**:::no-loc text="Allow users to proceed from the HTTPS warning page":::** | Disabled | Users are blocked from clicking through any warning page. | [:::no-loc text="SSLErrorOverrideAllowed":::](/deployedge/microsoft-edge-policies#sslerroroverrideallowed) |
+| Microsoft Edge |**:::no-loc text="Allow websites to query for available payment methods":::** | Disabled | Websites that use Payment Request will be informed that no payment methods are available. | [:::no-loc text="PaymentMethodQueryEnabled":::](/deployedge/microsoft-edge-policies#paymentmethodqueryenabled) |
+| Microsoft Edge |**:::no-loc text="Block access to a list of URLs":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="URLBlocklist":::](/deployedge/microsoft-edge-policies#urlblocklist) |
+| Microsoft Edge |**:::no-loc text="Block access to a list of URLs > Block access to a list of URLs (Device)":::** | edge://flags | Define a list of sites, based on URL patterns, that are blocked (your users can't load them). | [:::no-loc text="URLBlocklist":::](/deployedge/microsoft-edge-policies#urlblocklist) |
+| Microsoft Edge |**:::no-loc text="Block all ads on Bing search results":::** | Enabled | A user can search on bing.com and have an ad-free search experience. At the same time, the SafeSearch setting will be set to 'Strict' and can't be changed by the user. | [:::no-loc text="BingAdsSuppression":::](/deployedge/microsoft-edge-policies#bingadssuppression) |
+| Microsoft Edge |**:::no-loc text="Block tracking of users' web-browsing activity":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="TrackingPrevention":::](/deployedge/microsoft-edge-policies#trackingprevention) |
+| Microsoft Edge |**:::no-loc text="Block tracking of users' web-browsing activity > Block tracking of users' web-browsing activity (Device)":::** | Balanced (blocks harmful trackers and trackers from sites user has nt visited; content and ads will be less personalized#) | Optional:
Strict (blocks harmful trackers and majority of trackers from all sites; content and ads will have minimal personalization. Some parts of sites might not work) | [:::no-loc text="TrackingPrevention":::](/deployedge/microsoft-edge-policies#trackingprevention) |
+| Microsoft Edge |**:::no-loc text="Browser sign-in settings":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="BrowserSignin":::](/deployedge/microsoft-edge-policies#browsersignin) |
+| Microsoft Edge |**:::no-loc text="Browser sign-in settings > Browser sign-in settings (Device)":::** | Force users to sign-in to use the browser | This policy requires user cloud identity. | [:::no-loc text="BrowserSignin":::](/deployedge/microsoft-edge-policies#browsersignin) |
+| Microsoft Edge |**:::no-loc text="Clear browsing data when Microsoft Edge closes":::** | Disabled | Users can configure the Clear browsing data option in Settings. | [:::no-loc text="ClearBrowsingDataOnExit":::](/deployedge/microsoft-edge-policies#clearbrowsingdataonexit) |
+| Microsoft Edge |**:::no-loc text="Configure Do Not Track":::** | Enable | Do Not Track requests let the websites you visit know that you don't want your browsing activity to be tracked. | [:::no-loc text="ConfigureDoNotTrack":::](/deployedge/microsoft-edge-policies#configuredonottrack) |
+| Microsoft Edge |**:::no-loc text="Configure InPrivate mode availability":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="InPrivateModeAvailability":::](/deployedge/microsoft-edge-policies#inprivatemodeavailability) |
+| Microsoft Edge |**:::no-loc text="Configure InPrivate mode availability > Configure InPrivate mode availability (Device)":::** | InPrivate mode disabled | | [:::no-loc text="InPrivateModeAvailability":::](/deployedge/microsoft-edge-policies#inprivatemodeavailability) |
+| Microsoft Edge |**:::no-loc text="Configure whether a user always has a default profile automatically signed in with their work or school account":::** | Enabled | A non-removable profile will be created with the user's work or school account on Windows. This profile can't be signed out or removed. | [:::no-loc text="NonRemovableProfileEnabled":::](/deployedge/microsoft-edge-policies#nonremovableprofileenabled) |
+| Microsoft Edge |**:::no-loc text="Continue running background apps after Microsoft Edge closes":::** | Disabled | Background mode disable to prevent conflicts with assessment software. | [:::no-loc text="BackgroundModeEnabled":::](/deployedge/microsoft-edge-policies#backgroundmodeenabled) |
+| Microsoft Edge |**:::no-loc text="Control where developer tools can be used":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="DeveloperToolsAvailability":::](/deployedge/microsoft-edge-policies#developertoolsavailability) |
+| Microsoft Edge |**:::no-loc text="Control where developer tools can be used (Device)":::** | Don't allow using the developer tools | | [:::no-loc text="DeveloperToolsAvailability":::](/deployedge/microsoft-edge-policies#developertoolsavailability) |
+| Microsoft Edge |**:::no-loc text="Default sensors setting":::** | Disabled | Don't allow any site to access sensors. | [:::no-loc text="DefaultSensorsSetting":::](/deployedge/microsoft-edge-policies#defaultsensorssetting) |
+| Microsoft Edge |**:::no-loc text="Enable AutoFill for addresses":::** | Disabled | AutoFill never suggests or fills in address information, nor does it save additional address information that the user might submit while browsing the web. | [:::no-loc text="AutofillAddressEnabled":::](/deployedge/microsoft-edge-policies#autofilladdressenabled) |
+| Microsoft Edge |**:::no-loc text="Enable AutoFill for payment instruments":::** | Disabled | AutoFill never suggests, fills, or recommends new payment Instruments. Additionally, it won't save any payment instrument information that users submit while browsing the web. | [:::no-loc text="AutofillCreditCardEnabled":::](/deployedge/microsoft-edge-policies#autofillcreditcardenabled) |
+| Microsoft Edge |**:::no-loc text="Enable Drop feature in Microsoft Edge":::** | Disabled | Drop lets users send messages or files to themselves. | [:::no-loc text="EdgeEDropEnabled":::](/deployedge/microsoft-edge-policies#edgeedropenabled) |
+| Microsoft Edge |**:::no-loc text="Enable full-tab promotional content":::** | Disabled | This setting controls the presentation of welcome pages that help users sign into Microsoft Edge, choose their default browser, or learn about product features. | [:::no-loc text="PromotionalTabsEnabled":::](/deployedge/microsoft-edge-policies#promotionaltabsenabled) |
+| Microsoft Edge |**:::no-loc text="Enable Microsoft Search in Bing suggestions in the address bar":::** | Enabled | Enables the display of relevant Microsoft Search in Bing suggestions in the address bar's suggestion list when the user types a search string in the address bar. | [:::no-loc text="AddressBarMicrosoftSearchInBingProviderEnabled":::](/deployedge/microsoft-edge-policies#addressbarmicrosoftsearchinbingproviderenabled) |
+| Microsoft Edge |**:::no-loc text="Enable profile creation from the Identity flyout menu or the Settings page":::** | Disabled | Users can't add new profiles from the Identity flyout menu or the Settings page. | [:::no-loc text="BrowserAddProfileEnabled":::](/deployedge/microsoft-edge-policies#browseraddprofileenabled) |
+| Microsoft Edge |**:::no-loc text="Enable search suggestions":::** | Enabled | Enables web search suggestions in Microsoft Edge's Address Bar and Auto-Suggest List. | [:::no-loc text="SearchSuggestEnabled":::](/deployedge/microsoft-edge-policies#searchsuggestenabled) |
+| Microsoft Edge |**:::no-loc text="Enforce Bing SafeSearch":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="ForceBingSafeSearch":::](/deployedge/microsoft-edge-policies#forcebingsafesearch) |
+| Microsoft Edge |**:::no-loc text="Enforce Bing SafeSearch (Device)":::** | Configure strict search restrictions in Bing | | [:::no-loc text="ForceBingSafeSearch":::](/deployedge/microsoft-edge-policies#forcebingsafesearch) |
+| Microsoft Edge |**:::no-loc text="Enforce Google SafeSearch":::** | Enabled | Forces queries in Google Web Search to be performed with SafeSearch set to active, and prevents users from changing this setting. | [:::no-loc text="ForceGoogleSafeSearch":::](/deployedge/microsoft-edge-policies#forcegooglesafesearch) |
+| Microsoft Edge |**:::no-loc text="Force minimum YouTube Restricted Mode":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="ForceYouTubeRestrict":::](/deployedge/microsoft-edge-policies#forceyoutuberestrict) |
+| Microsoft Edge |**:::no-loc text="Force minimum YouTube Restricted Mode (Device)":::** | Enforce Strict Restricted Mode for YouTube | | [:::no-loc text="ForceYouTubeRestrict":::](/deployedge/microsoft-edge-policies#forceyoutuberestrict) |
+| Microsoft Edge |**:::no-loc text="Force synchronization of browser data and do not show the sync consent prompt":::** | Enabled | Forces data synchronization in Microsoft Edge. This policy also prevents the user from turning sync off. | [:::no-loc text="ForceSync":::](/deployedge/microsoft-edge-policies#forcesync) |
+| Microsoft Edge |**:::no-loc text="Hide the First-run experience and splash screen":::** | Enabled | The First-run experience and the splash screen won't be shown to users when they run Microsoft Edge for the first time. | [:::no-loc text="HideFirstRunExperience":::](/deployedge/microsoft-edge-policies#hidefirstrunexperience) |
+| Microsoft Edge |**:::no-loc text="In-app support Enabled":::** | Disabled | Microsoft Edge uses the in-app support feature (enabled by default) to allow users to contact our support agents directly from the browser. | [:::no-loc text="InAppSupportEnabled":::](/deployedge/microsoft-edge-policies#inappsupportenabled) |
+| Microsoft Edge |**:::no-loc text="Microsoft Edge Insider Promotion Enabled":::** | Disabled | The Microsoft Edge Insider promotion content won't be shown on the About Microsoft Edge page. | [:::no-loc text="MicrosoftEdgeInsiderPromotionEnabled":::](/deployedge/microsoft-edge-policies#microsoftedgeinsiderpromotionenabled) |
+| Microsoft Edge |**:::no-loc text="Save and fill memberships":::** | Disabled | Users can't have their membership info automatically saved and used to fill form fields while using Microsoft Edge. | [:::no-loc text="AutofillMembershipsEnabled":::](/deployedge/microsoft-edge-policies#autofillmembershipsenabled) |
+| Microsoft Edge |**:::no-loc text="Send all intranet sites to Internet Explorer":::** | Disabled | | [:::no-loc text="SendIntranetToInternetExplorer":::](/deployedge/microsoft-edge-policies#sendintranettointernetexplorer) |
+| Microsoft Edge |**:::no-loc text="Shopping in Microsoft Edge Enabled":::** | Disabled | Shopping features such as price comparison, coupons, rebates, and express checkout won't be automatically found for retail domains. | [:::no-loc text="EdgeShoppingAssistantEnabled":::](/deployedge/microsoft-edge-policies#edgeshoppingassistantenabled) |
+| Microsoft Edge |**:::no-loc text="Show Hubs Sidebar":::** | Disabled | The Sidebar will never be shown. | [:::no-loc text="HubsSidebarEnabled":::](/deployedge/microsoft-edge-policies#hubssidebarenabled) |
+| Microsoft Edge |**:::no-loc text="Show Microsoft Rewards experiences":::** | Disabled | | [:::no-loc text="ShowMicrosoftRewards":::](/deployedge/microsoft-edge-policies#showmicrosoftrewards) |
+| Microsoft Edge > Content settings |**:::no-loc text="Configure cookies":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="DefaultCookiesSetting":::](/deployedge/microsoft-edge-policies#defaultcookiessetting) |
+| Microsoft Edge > Content settings |**:::no-loc text="Configure cookies (Device)":::** | Let all sites create cookies | | [:::no-loc text="DefaultCookiesSetting":::](/deployedge/microsoft-edge-policies#defaultcookiessetting) |
+| Microsoft Edge > Content settings |**:::no-loc text="Default pop-up window setting":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="DefaultPopupsSetting":::](/deployedge/microsoft-edge-policies#defaultpopupssetting) |
+| Microsoft Edge > Content settings |**:::no-loc text="Default pop-up window setting (Device)":::** | Allow all sites to show pop-ups | | [:::no-loc text="DefaultPopupsSetting":::](/deployedge/microsoft-edge-policies#defaultpopupssetting) |
+| Microsoft Edge > Experimentation |**:::no-loc text="Configure users ability to override feature flags":::** | Disabled | Users can't override state of feature flags using command line arguments or edge://flags page. | [:::no-loc text="FeatureFlagOverridesControl":::](/deployedge/microsoft-edge-policies#featureflagoverridescontrol) |
+| Microsoft Edge > Extensions |**:::no-loc text="Blocks external extensions from being installed":::** | Disabled | External extensions are allowed to be installed. | [:::no-loc text="BlockExternalExtensions":::](/deployedge/microsoft-edge-policies#blockexternalextensions) |
+| Microsoft Edge > Extensions |**:::no-loc text="Control which extensions cannot be installed":::** | Disabled | The user can install any extension in Microsoft Edge. | [:::no-loc text="ExtensionInstallBlocklist":::](/deployedge/microsoft-edge-policies#extensioninstallblocklist) |
+| Microsoft Edge > Identity and sign-in |**:::no-loc text="Enable implicit sign-in":::** | Enabled | Edge will attempt to sign the user into their profile based on what and how they sign in to their OS. | [:::no-loc text="ImplicitSignInEnabled":::](/deployedge/microsoft-edge-policies#implicitsigninenabled) |
+| Microsoft Edge > Printing |**:::no-loc text="Enable printing":::** | Enabled | | [:::no-loc text="PrintingEnabled":::](/deployedge/microsoft-edge-policies#printingenabled) |
+| Microsoft Edge > SmartScreen settings |**:::no-loc text="Configure Microsoft Defender SmartScreen to block potentially unwanted apps":::** | Enabled | Potentially unwanted app blocking with Microsoft Defender SmartScreen provides warning messages to help protect users from adware, coin miners, bundleware, and other low-reputation apps that are hosted by websites. | [:::no-loc text="SmartScreenPuaEnabled":::](/deployedge/microsoft-edge-policies#smartscreenpuaenabled) |
+| Microsoft Edge > SmartScreen settings |**:::no-loc text="Prevent bypassing Microsoft Defender SmartScreen prompts for sites":::** | Enabled | Users can't ignore Microsoft Defender SmartScreen warnings and they're blocked from continuing to the site. | [:::no-loc text="PreventSmartScreenPromptOverride":::](/deployedge/microsoft-edge-policies#preventsmartscreenpromptoverride) |
+| Microsoft Edge > Startup, home page and new tab page |**:::no-loc text="Allow Microsoft News content on the new tab page":::** | Disabled | Microsoft Edge does not display Microsoft News content on the new tab page, the Content control in the NTP settings flyout is disabled and set to 'Content off'. | [:::no-loc text="NewTabPageContentEnabled":::](/deployedge/microsoft-edge-policies#newtabpagecontentenabled) |
+| Microsoft Edge > Startup, home page and new tab page |**:::no-loc text="Hide the default top sites from the new tab page":::** | Enabled | The default top site tiles are hidden. | [:::no-loc text="NewTabPageHideDefaultTopSites":::](/deployedge/microsoft-edge-policies#newtabpagehidedefaulttopsites) |
+| Microsoft Edge Update > Applications |**:::no-loc text="Update policy override default":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="UpdateDefault":::](/deployedge/microsoft-edge-update-policies#updatedefault) |
+| Microsoft Edge Update > Applications |**:::no-loc text="Update policy override default > Policy (Device)":::** | Always allow updates (recommended) | | [:::no-loc text="UpdateDefault":::](/deployedge/microsoft-edge-update-policies#updatedefault) |
+
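Review bot: The Balanced-value cell on the "Block tracking of users' web-browsing activity (Device)" row has a typo and a stray character: "sites user has nt visited; content and ads will be less personalized#" should read "sites the user has not visited; content and ads will be less personalized". Two other cells need the same pass: the "Configure Do Not Track" row uses "Enable" where every other row in the Value column uses "Enabled", and the "Continue running background apps after Microsoft Edge closes" description "Background mode disable to prevent conflicts with assessment software" should be "Background mode is disabled to prevent conflicts with assessment software". Separately, the Description column is empty on several rows (the "(Device)" child rows for InPrivateModeAvailability, DeveloperToolsAvailability, ForceBingSafeSearch and ForceYouTubeRestrict, plus SendIntranetToInternetExplorer, ShowMicrosoftRewards, PrintingEnabled and UpdateDefault); the permissive choices most need a one-line rationale, since "Let all sites create cookies", "Allow all sites to show pop-ups" and "The user can install any extension in Microsoft Edge" are the rows a reader of a baseline like this will question first.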
+## [:::image type="icon" source="../../../media/icons/graph.svg"::: **Create policy using Graph Explorer**](#tab/graph)
+
+[!INCLUDE [graph-explorer-introduction](../../../includes/graph-explorer-intro.md)]
+
+This will create a policy in your tenant with the name **:::no-loc text="_MSLearn_Example_CommonEDU - Windows - Microsoft Edge":::**.
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
+Content-Type: application/json
+
+{"name":"_MSLearn_Example_CommonEDU - Windows - Microsoft Edge","description":"https://aka.ms/ManageEduDevices","platforms":"windows10","technologies":"mdm","roleScopeTagIds":["0"],"settings":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev78diff~policy~microsoft_edge_adssettingforintrusiveadssites","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev78diff~policy~microsoft_edge_adssettingforintrusiveadssites_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev104~policy~microsoft_edge_importoneachlaunch","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev104~policy~microsoft_edge_importoneachlaunch_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev78diff~policy~microsoft_edge_importbrowsersettings","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev78diff~policy~microsoft_edge_importbrowsersettings_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_
policy_config_microsoft_edge~policy~microsoft_edge_importfavorites","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_importfavorites_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev89~policy~microsoft_edge_showrecommendationsenabled","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev89~policy~microsoft_edge_showrecommendationsenabled_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev83diff~policy~microsoft_edge_localprovidersenabled","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev83diff~policy~microsoft_edge_localprovidersenabled_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev83diff~policy~microsoft_edge_allowsurfgame","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev83diff~policy~microsoft_edge_allowsurfgame_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfig
urationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_userfeedbackallowed","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_userfeedbackallowed_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev99~policy~microsoft_edge_allowgamesmenu","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev99~policy~microsoft_edge_allowgamesmenu_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_sslerroroverrideallowed","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_sslerroroverrideallowed_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft_edge_paymentmethodqueryenabled","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft_edge_paymentmethodqueryenabled_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","se
ttingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_urlblocklist","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_urlblocklist_1","children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_urlblocklist_urlblocklistdesc","simpleSettingCollectionValue":[{"value":"edge://flags","@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue"}]}]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev83diff~policy~microsoft_edge_bingadssuppression","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev83diff~policy~microsoft_edge_bingadssuppression_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev78diff~policy~microsoft_edge_trackingprevention","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev78diff~policy~microsoft_edge_trackingprevention_1","children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev78diff~policy~microsoft_e
dge_trackingprevention_trackingprevention","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev78diff~policy~microsoft_edge_trackingprevention_trackingprevention_2","children":[]}}]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_browsersignin","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_browsersignin_1","children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_browsersignin_browsersignin","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_browsersignin_browsersignin_2","children":[]}}]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev78diff~policy~microsoft_edge_clearbrowsingdataonexit","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev78diff~policy~microsoft_edge_clearbrowsingdataonexit_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_ed
ge~policy~microsoft_edge_configuredonottrack","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_configuredonottrack_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_inprivatemodeavailability","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_inprivatemodeavailability_1","children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_inprivatemodeavailability_inprivatemodeavailability","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_inprivatemodeavailability_inprivatemodeavailability_1","children":[]}}]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev78diff~policy~microsoft_edge_nonremovableprofileenabled","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev78diff~policy~microsoft_edge_nonremovableprofileenabled_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinit
ionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~contentsettings_defaultcookiessetting","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~contentsettings_defaultcookiessetting_1","children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~contentsettings_defaultcookiessetting_defaultcookiessetting","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~contentsettings_defaultcookiessetting_defaultcookiessetting_1","children":[]}}]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~contentsettings_defaultpopupssetting","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~contentsettings_defaultpopupssetting_1","children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~contentsettings_defaultpopupssetting_defaultpopupssetting","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~contentsettings_defaultpopupssetting_defaultpopupssetting_1","children":[]}}]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"
#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_backgroundmodeenabled","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_backgroundmodeenabled_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_developertoolsavailability","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_developertoolsavailability_1","children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_developertoolsavailability_developertoolsavailability","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_developertoolsavailability_developertoolsavailability_2","children":[]}}]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev86~policy~microsoft_edge_defaultsensorssetting","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev86~policy~microsoft_edge_defaultsensorssetting_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurati
onSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_autofilladdressenabled","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_autofilladdressenabled_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_autofillcreditcardenabled","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_autofillcreditcardenabled_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev104~policy~microsoft_edge_edgeedropenabled","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev104~policy~microsoft_edge_edgeedropenabled_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_promotionaltabsenabled","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_promotionaltabsenabled_0","children":
[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev81diff~policy~microsoft_edge_addressbarmicrosoftsearchinbingproviderenabled","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev81diff~policy~microsoft_edge_addressbarmicrosoftsearchinbingproviderenabled_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_browseraddprofileenabled","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_browseraddprofileenabled_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_searchsuggestenabled","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_searchsuggestenabled_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_forcebingsafesearch","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSetting
Value","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_forcebingsafesearch_1","children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_forcebingsafesearch_forcebingsafesearch","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_forcebingsafesearch_forcebingsafesearch_2","children":[]}}]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_forcegooglesafesearch","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_forcegooglesafesearch_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev93~policy~microsoft_edge~experimentation_featureflagoverridescontrol","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev93~policy~microsoft_edge~experimentation_featureflagoverridescontrol_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev88~policy~microsoft_edge~extensions_blockexternalextensions","choiceSettingValue":{"@odata.t
ype":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev88~policy~microsoft_edge~extensions_blockexternalextensions_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~extensions_extensioninstallblocklist","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~extensions_extensioninstallblocklist_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_forceyoutuberestrict","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_forceyoutuberestrict_1","children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_forceyoutuberestrict_forceyoutuberestrict","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_forceyoutuberestrict_forceyoutuberestrict_2","children":[]}}]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev86~policy~microsoft_edge_fo
rcesync","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev86~policy~microsoft_edge_forcesync_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft_edge_hidefirstrunexperience","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft_edge_hidefirstrunexperience_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev93~policy~microsoft_edge~identity_implicitsigninenabled","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev93~policy~microsoft_edge~identity_implicitsigninenabled_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev98~policy~microsoft_edge_inappsupportenabled","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev98~policy~microsoft_edge_inappsupportenabled_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinition
Id":"device_vendor_msft_policy_config_microsoft_edgev98~policy~microsoft_edge_microsoftedgeinsiderpromotionenabled","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev98~policy~microsoft_edge_microsoftedgeinsiderpromotionenabled_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~printing_printingenabled","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~printing_printingenabled_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev110~policy~microsoft_edge_autofillmembershipsenabled","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev110~policy~microsoft_edge_autofillmembershipsenabled_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_sendintranettointernetexplorer","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_sendintranettointernetexplorer_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigura
tionSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev87~policy~microsoft_edge_edgeshoppingassistantenabled","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev87~policy~microsoft_edge_edgeshoppingassistantenabled_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev99~policy~microsoft_edge_hubssidebarenabled","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev99~policy~microsoft_edge_hubssidebarenabled_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev88~policy~microsoft_edge_showmicrosoftrewards","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev88~policy~microsoft_edge_showmicrosoftrewards_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft_edge~smartscreen_smartscreenpuaenabled","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft
_edge~smartscreen_smartscreenpuaenabled_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_preventsmartscreenpromptoverride","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_preventsmartscreenpromptoverride_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edgev91~policy~microsoft_edge~startup_newtabpagecontentenabled","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edgev91~policy~microsoft_edge~startup_newtabpagecontentenabled_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~startup_newtabpagehidedefaulttopsites","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~startup_newtabpagehidedefaulttopsites_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_update~policy~cat_google~cat_googleupdate~cat_applications_pol
_defaultupdatepolicy","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_update~policy~cat_google~cat_googleupdate~cat_applications_pol_defaultupdatepolicy_1","children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_update~policy~cat_google~cat_googleupdate~cat_applications_pol_defaultupdatepolicy_part_updatepolicy","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_update~policy~cat_google~cat_googleupdate~cat_applications_pol_defaultupdatepolicy_part_updatepolicy_1","children":[]}}]}}}]}
+```
+
+[!INCLUDE [graph-explorer-steps](../../../includes/graph-explorer-steps.md)]
+
+---
## (Optional) Startup, home page and new tab page
-| **Name** | **Value** | **Notes** | **CSP** |
-|---|---|---|---|
-| **:::no-loc text="Action to take on startup":::** | _custom_ | Specify how Microsoft Edge behaves when it starts. | [:::no-loc text="RestoreOnStartup":::](/deployedge/microsoft-edge-policies#restoreonstartup) |
-| **:::no-loc text="Configure the home page URL":::** | Enabled | Configures the default home page URL in Microsoft Edge. The home page is the page opened by the Home button. | [:::no-loc text="HomepageLocation":::](/deployedge/microsoft-edge-policies#homepagelocation) |
-| **:::no-loc text="Home page URL (Device)":::** | _custom_ _url_ | | [:::no-loc text="HomepageLocation":::](/deployedge/microsoft-edge-policies#homepagelocation) |
-| **:::no-loc text="Configure the new tab page URL":::** | Disabled | This policy determines the page that's opened when new tabs are created (including when new windows are opened). It also affects the startup page if that's set to open to the new tab page. | [:::no-loc text="NewTabPageLocation":::](/deployedge/microsoft-edge-policies#newtabpagelocation) |
-| **:::no-loc text="New tab page URL (Device)":::** | _custom_ _url_ | | [:::no-loc text="NewTabPageLocation":::](/deployedge/microsoft-edge-policies#newtabpagelocation) |
+### [**Settings**](#tab/settings)
+
+| **Category** | **Name** | **Value** | **Notes** | **CSP** |
+|---|---|---|---|---|
+| Microsoft Edge > Startup, home page and new tab page |**:::no-loc text="Action to take on startup":::** | _custom_ | Specify how Microsoft Edge behaves when it starts. | [:::no-loc text="RestoreOnStartup":::](/deployedge/microsoft-edge-policies#restoreonstartup) |
+| Microsoft Edge > Startup, home page and new tab page |**:::no-loc text="Configure the home page URL":::** | Enabled | Configures the default home page URL in Microsoft Edge. The home page is the page opened by the Home button. | [:::no-loc text="HomepageLocation":::](/deployedge/microsoft-edge-policies#homepagelocation) |
+| Microsoft Edge > Startup, home page and new tab page |**:::no-loc text="Home page URL (Device)":::** | _custom_ _url_ | | [:::no-loc text="HomepageLocation":::](/deployedge/microsoft-edge-policies#homepagelocation) |
+| Microsoft Edge > Startup, home page and new tab page |**:::no-loc text="Configure the new tab page URL":::** | Disabled | This policy determines the page that's opened when new tabs are created (including when new windows are opened). It also affects the startup page if that's set to open to the new tab page. | [:::no-loc text="NewTabPageLocation":::](/deployedge/microsoft-edge-policies#newtabpagelocation) |
+| Microsoft Edge > Startup, home page and new tab page |**:::no-loc text="New tab page URL (Device)":::** | _custom_ _url_ | | [:::no-loc text="NewTabPageLocation":::](/deployedge/microsoft-edge-policies#newtabpagelocation) |
+
+### [:::image type="icon" source="../../../media/icons/graph.svg"::: **Create policy using Graph Explorer**](#tab/graph)
+
+[!INCLUDE [graph-explorer-introduction](../../../includes/graph-explorer-intro.md)]
+
+This will create a policy in your tenant with the name **:::no-loc text="_MSLearn_Example_CommonEDU - Windows - Microsoft Edge (Optional)":::**.
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
+Content-Type: application/json
+
+{"name":"_MSLearn_Example_CommonEDU - Windows - Microsoft Edge (Optional)","description":"https://aka.ms/ManageEduDevices","platforms":"windows10","technologies":"mdm","roleScopeTagIds":["0"],"settings":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~startup_restoreonstartup","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~startup_restoreonstartup_1","children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~startup_restoreonstartup_restoreonstartup","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~startup_restoreonstartup_restoreonstartup_5","children":[]}}]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~startup_homepagelocation","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~startup_homepagelocation_1","children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~startup_homepagelocation_homepagelocation","simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfig
urationStringSettingValue","value":"https://www.office.com"}}]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~startup_newtabpagelocation","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~startup_newtabpagelocation_1","children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~startup_newtabpagelocation_newtabpagelocation","simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","value":"https://www.office.com"}}]}}}]}
+```
+
+[!INCLUDE [graph-explorer-steps](../../../includes/graph-explorer-steps.md)]
+
+---
## (Optional) Content settings in Microsoft 365 admin center
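Review bot: the Graph payload in the new `msgraph-interactive` block contradicts the Settings table it sits beside. The table row for "Configure the new tab page URL" says Disabled, yet the request body sets `device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~startup_newtabpagelocation_1` (enabled) with a `newtabpagelocation` child of `https://www.office.com`, and the home page URL, listed in the table as `_custom_ _url_`, is hard-coded to the same address. Either change the table row to Enabled and state in the Notes column that the example URL must be replaced with the school's own, or remove the new tab page setting from the payload, so a reader who pastes the request gets the policy the table describes. Minor: "This will create a policy in your tenant" reads better as "This creates a policy in your tenant", matching the present-tense style used elsewhere in these pages.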
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-onedrive-knownfoldermove.md b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-onedrive-knownfoldermove.md
index 8f05c990417..d51207ba384 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-onedrive-knownfoldermove.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-onedrive-knownfoldermove.md
@@ -7,6 +7,10 @@ author: yegor-a
ms.author: egorabr
ms.manager: dougeby
no-loc: [Microsoft, Windows, Autopatch, Autopilot]
+ms.collection:
+- graph-interactive
+ms.service: microsoft-intune
+ms.subservice: education
---
# OneDrive Known Folder Move
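Review bot: the new front matter adds `ms.collection:` with `- graph-interactive` as a sequence item at the same indentation as the key. That is valid YAML, but it is the only list-valued key in this block, so confirm the build expects a list here rather than a scalar, and that `graph-interactive` is the exact collection name the `msgraph-interactive` code fences added further down depend on; if the companion pages in this PR use the same fence, they need the same metadata for the interactive block to render.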
@@ -24,28 +28,52 @@ To learn more, see:
> [!TIP]
> When creating a settings catalog profile in the Microsoft Intune admin center, you can copy a policy name from this article and paste it into the settings picker search field to find the desired policy.
-## Settings catalog policies
-
-| **Name** | **Value** | **Notes** | **CSP** |
-|---|---|---|---|
-|**:::no-loc text="Allow syncing OneDrive accounts for only specific organizations":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="AllowTenantList":::](/sharepoint/use-group-policy#allow-syncing-onedrive-accounts-for-only-specific-organizations) |
-|**:::no-loc text="Allow syncing OneDrive accounts for only specific organizations > Tenant ID: (Device)":::** | _tenant ID_ | **Important!** This is a tenant-specific value. [How to find your Microsoft Entra tenant ID](/entra/fundamentals/how-to-find-tenant)| [:::no-loc text="AllowTenantList":::](/sharepoint/use-group-policy#allow-syncing-onedrive-accounts-for-only-specific-organizations) |
-|**:::no-loc text="Block file downloads when users are low on disk space":::** | Enabled | | [:::no-loc text="MinDiskSpaceLimitInMB":::](/sharepoint/use-group-policy#block-file-downloads-when-users-are-low-on-disk-space) |
-|**:::no-loc text="Block file downloads when users are low on disk space > Minimum available disk space: (Device)":::** | 1024 | Only enables the setting configuration. | [:::no-loc text="MinDiskSpaceLimitInMB":::](/sharepoint/use-group-policy#block-file-downloads-when-users-are-low-on-disk-space) |
-|**:::no-loc text="Convert synced team site files to online-only files":::** | Enabled | Files in currently syncing team sites are changed to online-only files, by default. Files later added or updated in the team site are also downloaded as online-only files. | [:::no-loc text="DehydrateSyncedTeamSites":::](/sharepoint/use-group-policy#convert-synced-team-site-files-to-online-only-files) |
-|**:::no-loc text="Disable the tutorial that appears at the end of OneDrive Setup (User)":::** | Enabled | | [:::no-loc text="DisableTutorial":::](/sharepoint/use-group-policy#disable-the-tutorial-that-appears-at-the-end-of-onedrive-setup) |
-|**:::no-loc text="Prevent users from redirecting their Windows known folders to their PC":::** | Enabled | | [:::no-loc text="KFMBlockOptOut":::](/sharepoint/use-group-policy#prevent-users-from-redirecting-their-windows-known-folders-to-their-pc) |
-|**:::no-loc text="Prevent users from syncing libraries and folders shared from other organizations":::** | Enabled | | [:::no-loc text="BlockExternalSync":::](/sharepoint/use-group-policy#prevent-users-from-syncing-libraries-and-folders-shared-from-other-organizations) |
-|**:::no-loc text="Prevent users from syncing personal OneDrive accounts (User)":::** | Enabled | | [:::no-loc text="DisablePersonalSync":::](/sharepoint/use-group-policy#prevent-users-from-syncing-personal-onedrive-accounts) |
-|**:::no-loc text="Set the sync app update ring":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="GPOSetUpdateRing":::](/sharepoint/use-group-policy#set-the-sync-app-update-ring) |
-|**:::no-loc text="Set the sync app update ring > Update ring: (Device)":::** | Production | Users get the latest features as they become available. | [:::no-loc text="GPOSetUpdateRing":::](/sharepoint/use-group-policy#set-the-sync-app-update-ring) |
-|**:::no-loc text="Silently move Windows known folders to OneDrive":::** | Enabled | **Important!** Make sure to pick the setting with 5 sub-settings listed below.Redirect and move your users' Documents, Pictures, and/or Desktop folders to OneDrive without any user interaction. | [:::no-loc text="KFMSilentOptIn":::](/sharepoint/use-group-policy#silently-move-windows-known-folders-to-onedrive) |
-|**:::no-loc text="Silently move Windows known folders to OneDrive > Desktop (Device)":::** | True | | [:::no-loc text="KFMSilentOptIn":::](/sharepoint/use-group-policy#silently-move-windows-known-folders-to-onedrive) |
-|**:::no-loc text="Silently move Windows known folders to OneDrive > Documents (Device)":::** | True | | [:::no-loc text="KFMSilentOptIn":::](/sharepoint/use-group-policy#silently-move-windows-known-folders-to-onedrive) |
-|**:::no-loc text="Silently move Windows known folders to OneDrive > Pictures (Device)":::** | True | | [:::no-loc text="KFMSilentOptIn":::](/sharepoint/use-group-policy#silently-move-windows-known-folders-to-onedrive) |
-|**:::no-loc text="Silently move Windows known folders to OneDrive > Show notification to users after folders have been redirected: (Device)":::** | No | | [:::no-loc text="KFMSilentOptIn":::](/sharepoint/use-group-policy#silently-move-windows-known-folders-to-onedrive) |
-|**:::no-loc text="Silently move Windows known folders to OneDrive > Tenant ID: (Device)":::** | _{tenant ID}_ | | [:::no-loc text="KFMSilentOptIn":::](/sharepoint/use-group-policy#silently-move-windows-known-folders-to-onedrive) |
-|**:::no-loc text="Silently sign in users to the OneDrive sync app with their Windows credentials":::** | Enabled | Users who are signed in on a PC that's joined to Microsoft Entra ID can set up the sync app without entering their account credentials. | [:::no-loc text="SilentAccountConfig":::](/sharepoint/use-group-policy#silently-sign-in-users-to-the-onedrive-sync-app-with-their-windows-credentials) |
-|**:::no-loc text="Use OneDrive Files On-Demand":::** | Enabled | New users who set up the sync app see online-only files in File Explorer, by default. | [:::no-loc text="FilesOnDemandEnabled":::](/sharepoint/use-group-policy#use-onedrive-files-on-demand) |
-|**:::no-loc text="Warn users who are low on disk space":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="WarningMinDiskSpaceLimitInMB":::](/sharepoint/use-group-policy#warn-users-who-are-low-on-disk-space) |
-|**:::no-loc text="Warn users who are low on disk space > Minimum available disk space: (Device)":::** | 2048 | Specify a miminimum amount of available disk space in MB, and warn users when the OneDrive sync app (OneDrive.exe) downloads a file that causes them to have less than this amount. | [:::no-loc text="WarningMinDiskSpaceLimitInMB":::](/sharepoint/use-group-policy#warn-users-who-are-low-on-disk-space) |
+## [**Settings**](#tab/settings)
+
+### Organization-specific settings catalog policies
+
+| **Category** | **Name** | **Value** | **Notes** | **CSP** |
+|---|---|---|---|---|
+| OneDrive |**:::no-loc text="Allow syncing OneDrive accounts for only specific organizations":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="AllowTenantList":::](/sharepoint/use-group-policy#allow-syncing-onedrive-accounts-for-only-specific-organizations) |
+| OneDrive |**:::no-loc text="Allow syncing OneDrive accounts for only specific organizations > Tenant ID: (Device)":::** | _tenant ID_ | **Important!** This is a tenant-specific value. [How to find your Microsoft Entra tenant ID](/entra/fundamentals/how-to-find-tenant)| [:::no-loc text="AllowTenantList":::](/sharepoint/use-group-policy#allow-syncing-onedrive-accounts-for-only-specific-organizations) |
+
+### General restrictions
+
+| **Category** | **Name** | **Value** | **Notes** | **CSP** |
+|---|---|---|---|---|
+| OneDrive |**:::no-loc text="Block file downloads when users are low on disk space":::** | Enabled | | [:::no-loc text="MinDiskSpaceLimitInMB":::](/sharepoint/use-group-policy#block-file-downloads-when-users-are-low-on-disk-space) |
+| OneDrive |**:::no-loc text="Block file downloads when users are low on disk space > Minimum available disk space: (Device)":::** | 1024 | Only enables the setting configuration. | [:::no-loc text="MinDiskSpaceLimitInMB":::](/sharepoint/use-group-policy#block-file-downloads-when-users-are-low-on-disk-space) |
+| OneDrive |**:::no-loc text="Convert synced team site files to online-only files":::** | Enabled | Files in currently syncing team sites are changed to online-only files, by default. Files later added or updated in the team site are also downloaded as online-only files. | [:::no-loc text="DehydrateSyncedTeamSites":::](/sharepoint/use-group-policy#convert-synced-team-site-files-to-online-only-files) |
+| OneDrive |**:::no-loc text="Disable the tutorial that appears at the end of OneDrive Setup (User)":::** | Enabled | | [:::no-loc text="DisableTutorial":::](/sharepoint/use-group-policy#disable-the-tutorial-that-appears-at-the-end-of-onedrive-setup) |
+| OneDrive |**:::no-loc text="Prevent users from redirecting their Windows known folders to their PC":::** | Enabled | | [:::no-loc text="KFMBlockOptOut":::](/sharepoint/use-group-policy#prevent-users-from-redirecting-their-windows-known-folders-to-their-pc) |
+| OneDrive |**:::no-loc text="Prevent users from syncing libraries and folders shared from other organizations":::** | Enabled | | [:::no-loc text="BlockExternalSync":::](/sharepoint/use-group-policy#prevent-users-from-syncing-libraries-and-folders-shared-from-other-organizations) |
+| OneDrive |**:::no-loc text="Prevent users from syncing personal OneDrive accounts (User)":::** | Enabled | | [:::no-loc text="DisablePersonalSync":::](/sharepoint/use-group-policy#prevent-users-from-syncing-personal-onedrive-accounts) |
+| OneDrive |**:::no-loc text="Set the sync app update ring":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="GPOSetUpdateRing":::](/sharepoint/use-group-policy#set-the-sync-app-update-ring) |
+| OneDrive |**:::no-loc text="Set the sync app update ring > Update ring: (Device)":::** | Production | Users get the latest features as they become available. | [:::no-loc text="GPOSetUpdateRing":::](/sharepoint/use-group-policy#set-the-sync-app-update-ring) |
+| OneDrive |**:::no-loc text="Silently move Windows known folders to OneDrive":::** | Enabled | **!Important**: Make sure to pick the setting with 5 sub-settings listed below. Redirect and move your users' Documents, Pictures, and/or Desktop folders to OneDrive without any user interaction. | [:::no-loc text="KFMSilentOptIn":::](/sharepoint/use-group-policy#silently-move-windows-known-folders-to-onedrive) |
+| OneDrive |**:::no-loc text="Silently move Windows known folders to OneDrive > Desktop (Device)":::** | True | | [:::no-loc text="KFMSilentOptIn":::](/sharepoint/use-group-policy#silently-move-windows-known-folders-to-onedrive) |
+| OneDrive |**:::no-loc text="Silently move Windows known folders to OneDrive > Documents (Device)":::** | True | | [:::no-loc text="KFMSilentOptIn":::](/sharepoint/use-group-policy#silently-move-windows-known-folders-to-onedrive) |
+| OneDrive |**:::no-loc text="Silently move Windows known folders to OneDrive > Pictures (Device)":::** | True | | [:::no-loc text="KFMSilentOptIn":::](/sharepoint/use-group-policy#silently-move-windows-known-folders-to-onedrive) |
+| OneDrive |**:::no-loc text="Silently move Windows known folders to OneDrive > Show notification to users after folders have been redirected: (Device)":::** | No | | [:::no-loc text="KFMSilentOptIn":::](/sharepoint/use-group-policy#silently-move-windows-known-folders-to-onedrive) |
+| OneDrive |**:::no-loc text="Silently move Windows known folders to OneDrive > Tenant ID: (Device)":::** | _{tenant ID}_ | | [:::no-loc text="KFMSilentOptIn":::](/sharepoint/use-group-policy#silently-move-windows-known-folders-to-onedrive) |
+| OneDrive |**:::no-loc text="Silently sign in users to the OneDrive sync app with their Windows credentials":::** | Enabled | Users who are signed in on a PC that's joined to Microsoft Entra ID can set up the sync app without entering their account credentials. | [:::no-loc text="SilentAccountConfig":::](/sharepoint/use-group-policy#silently-sign-in-users-to-the-onedrive-sync-app-with-their-windows-credentials) |
+| OneDrive |**:::no-loc text="Use OneDrive Files On-Demand":::** | Enabled | New users who set up the sync app see online-only files in File Explorer, by default. | [:::no-loc text="FilesOnDemandEnabled":::](/sharepoint/use-group-policy#use-onedrive-files-on-demand) |
+| OneDrive |**:::no-loc text="Warn users who are low on disk space":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="WarningMinDiskSpaceLimitInMB":::](/sharepoint/use-group-policy#warn-users-who-are-low-on-disk-space) |
+| OneDrive |**:::no-loc text="Warn users who are low on disk space > Minimum available disk space: (Device)":::** | 2048 | Specify a minimum amount of available disk space in MB, and warn users when the OneDrive sync app (OneDrive.exe) downloads a file that causes them to have less than this amount. | [:::no-loc text="WarningMinDiskSpaceLimitInMB":::](/sharepoint/use-group-policy#warn-users-who-are-low-on-disk-space) |
+
+## [:::image type="icon" source="../../../media/icons/graph.svg"::: **Create policy using Graph Explorer**](#tab/graph)
+
+[!INCLUDE [graph-explorer-introduction](../../../includes/graph-explorer-intro.md)]
+
+This will create a policy in your tenant with the name **:::no-loc text="_MSLearn_Example_CommonEDU - Windows - OneDrive Known Folder Move":::**.
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
+Content-Type: application/json
+
+{"name":"_MSLearn_Example_CommonEDU - Windows - OneDrive Known Folder Move","description":"https://aka.ms/ManageEduDevices","platforms":"windows10","technologies":"mdm","roleScopeTagIds":["0"],"settings":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_allowtenantlist","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_allowtenantlist_1","children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance","settingDefinitionId":"device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_allowtenantlist_allowtenantlistbox","simpleSettingCollectionValue":[{"value":" tenantId","@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue"}]}]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_onedrivengscv3~policy~onedrivengsc_mindiskspacelimitinmb","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_onedrivengscv3~policy~onedrivengsc_mindiskspacelimitinmb_1","children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_onedrivengscv3~policy~onedrivengsc_mindiskspacelimitinmb_mindiskspacemb","simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationIntegerSettingValue","value":1024}}]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odat
a.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_dehydratesyncedteamsites","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_dehydratesyncedteamsites_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"user_vendor_msft_policy_config_onedrivengscv6~policy~onedrivengsc_disablefreanimation","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"user_vendor_msft_policy_config_onedrivengscv6~policy~onedrivengsc_disablefreanimation_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_blockexternalsync","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_blockexternalsync_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"user_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_disablepersonalsync","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"user_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_disablepersonalsync_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","se
ttingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_gposetupdatering","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_gposetupdatering_1","children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_gposetupdatering_gposetupdatering_dropdown","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_gposetupdatering_gposetupdatering_dropdown_5","children":[]}}]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_onedrivengscv2.updates~policy~onedrivengsc_kfmoptinnowizard","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_onedrivengscv2.updates~policy~onedrivengsc_kfmoptinnowizard_1","children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_onedrivengscv2.updates~policy~onedrivengsc_kfmoptinnowizard_kfmoptinnowizard_desktop_checkbox","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_onedrivengscv2.updates~policy~onedrivengsc_kfmoptinnowizard_kfmoptinnowizard_desktop_checkbox_1","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"
device_vendor_msft_policy_config_onedrivengscv2.updates~policy~onedrivengsc_kfmoptinnowizard_kfmoptinnowizard_documents_checkbox","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_onedrivengscv2.updates~policy~onedrivengsc_kfmoptinnowizard_kfmoptinnowizard_documents_checkbox_1","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_onedrivengscv2.updates~policy~onedrivengsc_kfmoptinnowizard_kfmoptinnowizard_pictures_checkbox","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_onedrivengscv2.updates~policy~onedrivengsc_kfmoptinnowizard_kfmoptinnowizard_pictures_checkbox_1","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_onedrivengscv2.updates~policy~onedrivengsc_kfmoptinnowizard_kfmoptinnowizard_dropdown","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_onedrivengscv2.updates~policy~onedrivengsc_kfmoptinnowizard_kfmoptinnowizard_dropdown_0","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_onedrivengscv2.updates~policy~onedrivengsc_kfmoptinnowizard_kfmoptinnowizard_textbox","simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","value":"tenantId"}}]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_silentaccountcon
fig","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_silentaccountconfig_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_filesondemandenabled","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_filesondemandenabled_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_onedrivengscv3~policy~onedrivengsc_warningmindiskspacelimitinmb","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_onedrivengscv3~policy~onedrivengsc_warningmindiskspacelimitinmb_1","children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_onedrivengscv3~policy~onedrivengsc_warningmindiskspacelimitinmb_warningmindiskspacemb","simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationIntegerSettingValue","value":2048}}]}}}]}
+```
+
+[!INCLUDE [graph-explorer-steps](../../../includes/graph-explorer-steps.md)]
+
+---
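Review bot: the Graph body carries two placeholder tenant IDs that the text never tells the reader to replace, and the first of them (`" tenantId"` in the `allowtenantlist_allowtenantlistbox` collection) has a leading space that would be submitted verbatim and would not match a real tenant ID. Strip the space, and either add a sentence before the `msgraph-interactive` block saying to substitute the tenant's own ID in both `allowtenantlistbox` and `kfmoptinnowizard_textbox`, or use the same `_{tenant ID}_` marker the settings table already uses so the two views of the policy agree.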
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-start-menu.md b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-start-menu.md
index 742874a055a..f16eecd043b 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-start-menu.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-start-menu.md
@@ -7,6 +7,10 @@ author: yegor-a
ms.author: egorabr
ms.manager: dougeby
no-loc: [Microsoft, Windows, Autopatch, Autopilot]
+ms.collection:
+- graph-interactive
+ms.service: microsoft-intune
+ms.subservice: education
---
# Start menu customization
@@ -28,17 +32,34 @@ To learn more, see:
> [!TIP]
> When creating a settings catalog profile in the Microsoft Intune admin center, you can copy a policy name from this article and paste it into the settings picker search field to find the desired policy.
-## Settings catalog policies
-
-| **Name** | **Value** | **Notes** | **CSP** |
-|---|---|---|---|
-| **:::no-loc text="Start Layout":::** | A custom XML string | Create and deploy a custom Start menu and taskbar layout. Please refer to articles in the learn more section above. | [:::no-loc text="StartLayout":::](/windows/client-management/mdm/policy-csp-start#startlayout) |
-| **:::no-loc text="Hide App List":::** | None | | [:::no-loc text="Start/HideAppList":::](/windows/client-management/mdm/policy-csp-start#hideapplist) |
-| **:::no-loc text="Hide Change Account Settings":::** | Disabled | | [:::no-loc text="Start/HideChangeAccountSettings":::](/windows/client-management/mdm/policy-csp-start#hidechangeaccountsettings) |
-| **:::no-loc text="Hide Frequently Used Apps":::** | Enabled | | [:::no-loc text="Start/HideFrequentlyUsedApps":::](/windows/client-management/mdm/policy-csp-start#hidefrequentlyusedapps) |
-| **:::no-loc text="Hide Power Button":::** | Disabled | | [:::no-loc text="Start/HidePowerButton":::](/windows/client-management/mdm/policy-csp-start#hidepowerbutton) |
-| **:::no-loc text="Hide Recent Jumplists":::** | Enabled | | [:::no-loc text="Start/HideRecentJumplists":::](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists) |
-| **:::no-loc text="Hide Recently Added Apps":::** | Enabled | | [:::no-loc text="Start/HideRecentlyAddedApps":::](/windows/client-management/mdm/policy-csp-start#hiderecentlyaddedapps) |
-| **:::no-loc text="Hide User Tile":::** | Disabled | | [:::no-loc text="Start/HideUserTile":::](/windows/client-management/mdm/policy-csp-start#hideusertile) |
-| **:::no-loc text="Hide Lock":::** | Disabled | | [:::no-loc text="Start/HideLock":::](/windows/client-management/mdm/policy-csp-start#hidelock) |
-| **:::no-loc text="Hide Sign Out":::** | Disabled | | [:::no-loc text="Start/HideSignOut":::](/windows/client-management/mdm/policy-csp-start#hidesignout) |
+## [**Settings**](#tab/settings)
+
+| **Category** | **Name** | **Value** | **Notes** | **CSP** |
+|---|---|---|---|---|
+| Start | **:::no-loc text="Start Layout":::** | A custom XML string | Create and deploy a custom Start menu and taskbar layout. Please refer to articles in the learn more section above. | [:::no-loc text="StartLayout":::](/windows/client-management/mdm/policy-csp-start#startlayout) |
+| Start | **:::no-loc text="Hide App List":::** | None | | [:::no-loc text="Start/HideAppList":::](/windows/client-management/mdm/policy-csp-start#hideapplist) |
+| Start | **:::no-loc text="Hide Change Account Settings":::** | Disabled | | [:::no-loc text="Start/HideChangeAccountSettings":::](/windows/client-management/mdm/policy-csp-start#hidechangeaccountsettings) |
+| Start | **:::no-loc text="Hide Frequently Used Apps":::** | Enabled | | [:::no-loc text="Start/HideFrequentlyUsedApps":::](/windows/client-management/mdm/policy-csp-start#hidefrequentlyusedapps) |
+| Start | **:::no-loc text="Hide Power Button":::** | Disabled | | [:::no-loc text="Start/HidePowerButton":::](/windows/client-management/mdm/policy-csp-start#hidepowerbutton) |
+| Start | **:::no-loc text="Hide Recent Jumplists":::** | Enabled | | [:::no-loc text="Start/HideRecentJumplists":::](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists) |
+| Start | **:::no-loc text="Hide Recently Added Apps":::** | Enabled | | [:::no-loc text="Start/HideRecentlyAddedApps":::](/windows/client-management/mdm/policy-csp-start#hiderecentlyaddedapps) |
+| Start | **:::no-loc text="Hide User Tile":::** | Disabled | | [:::no-loc text="Start/HideUserTile":::](/windows/client-management/mdm/policy-csp-start#hideusertile) |
+| Start | **:::no-loc text="Hide Lock":::** | Disabled | | [:::no-loc text="Start/HideLock":::](/windows/client-management/mdm/policy-csp-start#hidelock) |
+| Start | **:::no-loc text="Hide Sign Out":::** | Disabled | | [:::no-loc text="Start/HideSignOut":::](/windows/client-management/mdm/policy-csp-start#hidesignout) |
+
+## [:::image type="icon" source="../../../media/icons/graph.svg"::: **Create policy using Graph Explorer**](#tab/graph)
+
+[!INCLUDE [graph-explorer-introduction](../../../includes/graph-explorer-intro.md)]
+
+This will create a policy in your tenant with the name **:::no-loc text="_MSLearn_Example_CommonEDU - Windows - Start menu":::**.
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
+Content-Type: application/json
+
+{"name":"_MSLearn_Example_CommonEDU - Windows - Start menu","description":"https://aka.ms/ManageEduDevices","platforms":"windows10","technologies":"mdm","roleScopeTagIds":["0"],"settings":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_start_hideapplist","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_start_hideapplist_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_start_hidechangeaccountsettings","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_start_hidechangeaccountsettings_0","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_start_hidefrequentlyusedapps","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_start_hidefrequentlyusedapps_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_start_hidepowerbutton","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_start_hidepowerbutton_0","children":[]}}},{"@odata.type":"#microso
ft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_start_hiderecentjumplists","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_start_hiderecentjumplists_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_start_hiderecentlyaddedapps","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_start_hiderecentlyaddedapps_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_start_hideusertile","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_start_hideusertile_0","children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_start_hidelock","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_start_hidelock_0","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_start_hidesignout","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_start_hidesignout_0","children":[]}}]}}},{"@odata.type
":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_start_startlayout","simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","value":""}}}]}
+```
+
+[!INCLUDE [graph-explorer-steps](../../../includes/graph-explorer-steps.md)]
+
+---
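Review bot: the last setting in the Graph body (`device_vendor_msft_policy_config_start_startlayout`) is sent with `"value":""`, so running the sample deploys an empty Start Layout string rather than the custom XML the **Start Layout** row describes, and an empty string is not the same as leaving the setting unconfigured. Either drop that setting from the sample or state before the block that the empty value must be replaced with the layout XML before the request is sent.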
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-windows-privacy.md b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-windows-privacy.md
index 835f0a63762..779d70a808d 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-windows-privacy.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-windows-privacy.md
@@ -7,6 +7,10 @@ author: yegor-a
ms.author: egorabr
ms.manager: dougeby
no-loc: [Microsoft, Windows, Autopatch, Autopilot]
+ms.collection:
+- graph-interactive
+ms.service: microsoft-intune
+ms.subservice: education
---
# Windows privacy
@@ -24,9 +28,26 @@ To learn more, see [Use the settings catalog to configure settings on Windows, i
> [!TIP]
> When creating a settings catalog profile in the Microsoft Intune admin center, you can copy a policy name from this article and paste it into the settings picker search field to find the desired policy.
-## Settings catalog policies
+## [**Settings**](#tab/settings)
-| **Name** | **Value** | **Notes** | **CSP** |
-|---|---|---|---|
-| **:::no-loc text="Allow Location":::** | Force Location On. All Location Privacy settings are toggled on and grayed out. Users can't change the settings and all consent permissions will be automatically suppressed. | Required to invoke **Locate device** action on Windows devices in Intune. | [:::no-loc text="System/AllowLocation":::](/windows/client-management/mdm/policy-csp-system#allowlocation) |
-| **:::no-loc text="Let Apps Access Location":::** | Force allow. | Windows apps are allowed to access location. You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting. | [:::no-loc text="Privacy/LetAppsAccessLocation":::](/windows/client-management/mdm/policy-csp-privacy#letappsaccesslocation) |
+| **Category** | **Name** | **Value** | **Notes** | **CSP** |
+|---|---|---|---|---|
+| Privacy | **:::no-loc text="Let Apps Access Location":::** | Force allow. | Windows apps are allowed to access location. You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting. | [:::no-loc text="Privacy/LetAppsAccessLocation":::](/windows/client-management/mdm/policy-csp-privacy#letappsaccesslocation) |
+| System | **:::no-loc text="Allow Location":::** | Force Location On. All Location Privacy settings are toggled on and grayed out. Users can't change the settings and all consent permissions will be automatically suppressed. | Required to invoke **Locate device** action on Windows devices in Intune. | [:::no-loc text="System/AllowLocation":::](/windows/client-management/mdm/policy-csp-system#allowlocation) |
+
+## [:::image type="icon" source="../../../media/icons/graph.svg"::: **Create policy using Graph Explorer**](#tab/graph)
+
+[!INCLUDE [graph-explorer-introduction](../../../includes/graph-explorer-intro.md)]
+
+This will create a policy in your tenant with the name **:::no-loc text="_MSLearn_Example_CommonEDU - Windows - Privacy":::**.
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
+Content-Type: application/json
+
+{"name":"_MSLearn_Example_CommonEDU - Windows - Privacy","description":"https://aka.ms/ManageEduDevices","platforms":"windows10","technologies":"mdm","roleScopeTagIds":["0"],"settings":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_privacy_letappsaccesslocation","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_privacy_letappsaccesslocation_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_system_allowlocation","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_system_allowlocation_2","children":[]}}}]}
+```
+
+[!INCLUDE [graph-explorer-steps](../../../includes/graph-explorer-steps.md)]
+
+---
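Review bot: the sample's `privacy_letappsaccesslocation` setting has `"children":[]`, so it applies Force allow to every app, while the **Let Apps Access Location** note describes a per-app option keyed by Package Family Name that the sample does not exercise. A sentence before the block should say that no per-app list is included and that an admin who only needs location for specific apps should add those entries instead of force-allowing globally; given that `system_allowlocation_2` also forces location on and suppresses consent prompts, readers should understand what they are enabling tenant-wide before running the request.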
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-windows-update.md b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-windows-update.md
index bef0859618e..b391d98b41d 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-windows-update.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-windows-update.md
@@ -7,6 +7,10 @@ author: yegor-a
ms.author: egorabr
ms.manager: dougeby
no-loc: [Microsoft, Windows, Autopatch, Autopilot]
+ms.collection:
+- graph-interactive
+ms.service: microsoft-intune
+ms.subservice: education
---
# Windows Update
@@ -26,6 +30,8 @@ To learn more, see:
- [YouTube: Windows Update for Business Fundamentals](https://www.youtube.com/watch?v=TXwp-jLDcg0&list=PLMuDtq95SdKvpS9zPyFt9fc9HgepQxaw9&index=1)
- [YouTube: Windows Update for Business Fundamentals (Japanese)](https://youtu.be/o6_eGOyv-_g)
+### [**Settings**](#tab/settings)
+
| **Update settings** | **Value** | **Notes** | **CSP** |
| --- | --- | --- | --- |
| **Microsoft product updates** | Allow | Don't set to Block. In order to revert the configuration, PowerShell commands have to be run on each device. | [:::no-loc text="AllowMUUpdateService":::](/windows/client-management/mdm/policy-csp-update#allowmuupdateservice) |
@@ -39,7 +45,7 @@ To learn more, see:
| **User experience settings** | **Value** | **Notes** | **CSP** |
| --- | --- | --- | --- |
| **Automatic update behavior** | Reset to default | Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power.
**Note:** If Windows Update policy is configured via the settings catalog, the value should be **Auto install and restart**. | [:::no-loc text="AllowAutoUpdate":::](/windows/client-management/mdm/policy-csp-update#allowautoupdate) |
-| **Restart checks (EDU Restart)** | Allow | Must not be disabled in existing Windows Update Rings. This setting is no longer available when creating a new Windows Update Ring policy. | [:::no-loc text="SetEDURestart":::](/windows/client-management/mdm/policy-csp-update#setedurestart) |
+| **Restart checks (EDU Restart)** | Allow | Must not be disabled in existing Windows Update Rings.
This setting is no longer available when creating a new Windows Update Ring policy. | [:::no-loc text="SetEDURestart":::](/windows/client-management/mdm/policy-csp-update#setedurestart) |
| **Option to pause Windows updates** | Disable | | [:::no-loc text="SetDisablePauseUXAccess":::](/windows/client-management/mdm/policy-csp-update#setdisablepauseuxaccess) |
| **Option to check for Windows updates** | Disable | | [:::no-loc text="SetDisableUXWUAccess":::](/windows/client-management/mdm/policy-csp-update#setdisableuxwuaccess) |
| **Change notification update level** | Turn off all notifications, excluding restart warnings | | [:::no-loc text="UpdateNotificationLevel":::](/windows/client-management/mdm/policy-csp-update#updatenotificationlevel) |
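Review bot: the edited **Restart checks (EDU Restart)** row now splits its Notes cell across two source lines, which standard pipe tables do not support; unless the Docs renderer joins continuation lines, the sentence beginning "This setting is no longer available" will fall out of the table. The neighbouring **Automatic update behavior** and **Grace period** rows already use the same split, so either confirm the rendered page is correct or keep the row on a single line as it was before this change.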
@@ -49,6 +55,23 @@ To learn more, see:
| **Grace period** | 2 | | [:::no-loc text="ConfigureDeadlineGracePeriod":::](/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiod)
[:::no-loc text="ConfigureDeadlineGracePeriodForFeatureUpdates":::](/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates) |
| **Auto reboot before deadline** | Yes | | [:::no-loc text="ConfigureDeadlineNoAutoReboot":::](/windows/client-management/mdm/policy-csp-update#configuredeadlinenoautoreboot) |
+### [:::image type="icon" source="../../../media/icons/graph.svg"::: **Create policy using Graph Explorer**](#tab/graph)
+
+[!INCLUDE [graph-explorer-introduction](../../../includes/graph-explorer-intro.md)]
+
+This will create a policy in your tenant with the name **:::no-loc text="_MSLearn_Example_CommonEDU - Windows - Update ring":::**.
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
+Content-Type: application/json
+
+{"@odata.type":"#microsoft.graph.windowsUpdateForBusinessConfiguration","id":"","displayName":"_MSLearn_Example_CommonEDU - Windows - Update ring","description":"https://aka.ms/ManageEduDevices","roleScopeTagIds":["0"],"microsoftUpdateServiceAllowed":true,"driversExcluded":false,"qualityUpdatesDeferralPeriodInDays":7,"featureUpdatesDeferralPeriodInDays":30,"allowWindows11Upgrade":false,"qualityUpdatesPaused":false,"featureUpdatesPaused":false,"businessReadyUpdatesOnly":"userDefined","skipChecksBeforeRestart":false,"automaticUpdateMode":"windowsDefault","installationSchedule":null,"userPauseAccess":"disabled","userWindowsUpdateScanAccess":"disabled","updateNotificationLevel":"restartWarningsOnly","updateWeeks":null,"featureUpdatesRollbackWindowInDays":14,"deadlineForFeatureUpdatesInDays":7,"deadlineForQualityUpdatesInDays":3,"deadlineGracePeriodInDays":2,"postponeRebootUntilAfterDeadline":false,"engagedRestartDeadlineInDays":null,"engagedRestartSnoozeScheduleInDays":null,"engagedRestartTransitionScheduleInDays":null,"engagedRestartSnoozeScheduleForFeatureUpdatesInDays":null,"engagedRestartTransitionScheduleForFeatureUpdatesInDays":null,"autoRestartNotificationDismissal":"notConfigured","scheduleRestartWarningInHours":null,"scheduleImminentRestartWarningInMinutes":null}
+```
+
+[!INCLUDE [graph-explorer-steps](../../../includes/graph-explorer-steps.md)]
+
+---
+
## Settings catalog
Settings described in this section aren't available in an Update ring policy and should be configured using a settings catalog type configuration profile.
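Review bot: the `windowsUpdateForBusinessConfiguration` body includes `"id":""`, which is noise in a POST sample since Graph assigns the id on create; remove the property so readers do not copy it into their own tooling. It is also worth one sentence before the block pointing out that the body's `"automaticUpdateMode":"windowsDefault"` corresponds to the table's **Reset to default** value, whereas the table note says the settings-catalog equivalent should be **Auto install and restart**, so a reader knows which behaviour this tab gives them.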
@@ -58,9 +81,28 @@ To learn more, see [Use the settings catalog to configure settings on Windows, i
> [!TIP]
> When creating a settings catalog profile in the Microsoft Intune admin center, you can copy a policy name from this article and paste it into the settings picker search field to find the desired policy.
-| **Name** | **Value** | **Notes** | **CSP** |
-| --- | --- | --- | --- |
-| **:::no-loc text="No update notifications during active hours":::** | Enabled | | [:::no-loc text="NoUpdateNotificationsDuringActiveHours":::](/windows/client-management/mdm/policy-csp-update#noupdatenotificationsduringactivehours) |
+### [**Settings**](#tab/settings)
+
+| **Category** | **Name** | **Value** | **Notes** | **CSP** |
+|---|---|---|---|---|
+| Windows Update For Business | **:::no-loc text="No update notifications during active hours":::** | Enabled | | [:::no-loc text="NoUpdateNotificationsDuringActiveHours":::](/windows/client-management/mdm/policy-csp-update#noupdatenotificationsduringactivehours) |
+
+### [:::image type="icon" source="../../../media/icons/graph.svg"::: **Create policy using Graph Explorer**](#tab/graph)
+
+[!INCLUDE [graph-explorer-introduction](../../../includes/graph-explorer-intro.md)]
+
+This will create a policy in your tenant with the name **:::no-loc text="_MSLearn_Example_CommonEDU - Windows - Updates":::**.
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
+Content-Type: application/json
+
+{"name":"_MSLearn_Example_CommonEDU - Windows - Updates","description":"https://aka.ms/ManageEduDevices","platforms":"windows10","technologies":"mdm","roleScopeTagIds":["0"],"settings":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_update_noupdatenotificationsduringactivehours","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_update_noupdatenotificationsduringactivehours_1","children":[]}}}]}
+```
+
+[!INCLUDE [graph-explorer-steps](../../../includes/graph-explorer-steps.md)]
+
+---
## Windows Update Feature Control
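Review bot: in the new table row the Category value `Windows Update For Business` should be `Windows Update for Business` (lowercase "for", matching the product name). The added sentence `This will create a policy in your tenant with the name ...` reads better in present tense (`This creates a policy ...`), consistent with Microsoft style elsewhere in the repo.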
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/configure-device-apps.md b/memdocs/intune/industry/education/tutorial-school-deployment/configure-device-apps.md
index 8f89c62def9..74044930c46 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/configure-device-apps.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/configure-device-apps.md
@@ -7,6 +7,8 @@ author: scottbreenmsft
ms.author: scbree
ms.manager: dougeby
ms.date: 5/2/2024
+ms.service: microsoft-intune
+ms.subservice: education
---
# Configure applications with Microsoft Intune
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/configure-device-settings.md b/memdocs/intune/industry/education/tutorial-school-deployment/configure-device-settings.md
index 09118441227..2e7c0daa8dd 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/configure-device-settings.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/configure-device-settings.md
@@ -7,6 +7,8 @@ author: scottbreenmsft
ms.author: scbree
ms.manager: dougeby
ms.date: 5/2/2024
+ms.service: microsoft-intune
+ms.subservice: education
---
# Configure and secure devices with Microsoft Intune
@@ -251,6 +253,7 @@ It is critical to ensure that the devices you manage are secured using the diffe
- [Account protection][MEM-7]
- [Security Baselines](/mem/intune/protect/security-baselines)
- [Local Administrator Password Solution](/windows-server/identity/laps/laps-overview)
+- [Web Content Filtering on Edge](/deployedge/microsoft-edge-web-content-filtering)
### [Intune For Education](#tab/intune-for-education)
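Review bot: the added item `- [Web Content Filtering on Edge](/deployedge/microsoft-edge-web-content-filtering)` capitalizes a feature name that isn't a proper noun; consider `Web content filtering in Microsoft Edge` (sentence case, full product name), and apply the same wording to the duplicated item in the Intune for Education tab below so the two lists stay identical.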
@@ -280,6 +283,7 @@ For more information, see [Security][INT-4].
> - [Account protection][MEM-7]
> - [Security Baselines](/mem/intune/protect/security-baselines)
> - [Local Administrator Password Solution](/windows-server/identity/laps/laps-overview)
+> - [Web Content Filtering on Edge](/deployedge/microsoft-edge-web-content-filtering)
::: zone-end
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/configure-devices-overview.md b/memdocs/intune/industry/education/tutorial-school-deployment/configure-devices-overview.md
index 1f145e0e916..b7ab4ada447 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/configure-devices-overview.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/configure-devices-overview.md
@@ -3,10 +3,11 @@ title: Configure devices with Microsoft Intune
description: Learn how to configure policies and applications in preparation for device deployment.
ms.date: 5/2/2024
ms.topic: tutorial
-ms.collection: essentials-manage
author: scottbreenmsft
ms.author: scbree
ms.manager: dougeby
+ms.service: microsoft-intune
+ms.subservice: education
---
# Configure settings and applications with Microsoft Intune
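Review bot: this hunk removes `ms.collection: essentials-manage` while the other metadata hunks in the patch only add `ms.service` and `ms.subservice`; confirm the removal is intentional, since it takes the page out of that collection, and mention it in the PR description if so.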
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/enroll-autopilot.md b/memdocs/intune/industry/education/tutorial-school-deployment/enroll-autopilot.md
index 6fa6279abfa..1a9c3888623 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/enroll-autopilot.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/enroll-autopilot.md
@@ -6,6 +6,8 @@ ms.topic: tutorial
author: scottbreenmsft
ms.author: scbree
ms.manager: dougeby
+ms.service: microsoft-intune
+ms.subservice: education
---
# Windows Autopilot
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/enroll-entra-join.md b/memdocs/intune/industry/education/tutorial-school-deployment/enroll-entra-join.md
index fcc7f544de0..915974c8c8d 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/enroll-entra-join.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/enroll-entra-join.md
@@ -6,6 +6,8 @@ ms.topic: tutorial
author: scottbreenmsft
ms.author: scbree
ms.manager: dougeby
+ms.service: microsoft-intune
+ms.subservice: education
---
# Automatic Intune enrollment via Microsoft Entra join
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/enroll-ios-ade.md b/memdocs/intune/industry/education/tutorial-school-deployment/enroll-ios-ade.md
index e2522d0a31e..150a24cdcd3 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/enroll-ios-ade.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/enroll-ios-ade.md
@@ -6,6 +6,8 @@ ms.topic: tutorial
author: scottbreenmsft
ms.author: scbree
ms.manager: dougeby
+ms.service: microsoft-intune
+ms.subservice: education
---
# Enroll devices with Automated Device Enrollment
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/enroll-ios-apple-configurator.md b/memdocs/intune/industry/education/tutorial-school-deployment/enroll-ios-apple-configurator.md
index 705d9a787a2..226b0bb3e8e 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/enroll-ios-apple-configurator.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/enroll-ios-apple-configurator.md
@@ -6,6 +6,8 @@ ms.topic: tutorial
author: scottbreenmsft
ms.author: scbree
ms.manager: dougeby
+ms.service: microsoft-intune
+ms.subservice: education
---
# Bulk enrollment with Apple Configurator
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/enroll-ios-company-portal.md b/memdocs/intune/industry/education/tutorial-school-deployment/enroll-ios-company-portal.md
index a434db89fb1..7725f0099a6 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/enroll-ios-company-portal.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/enroll-ios-company-portal.md
@@ -6,6 +6,8 @@ ms.topic: tutorial
author: scottbreenmsft
ms.author: scbree
ms.manager: dougeby
+ms.service: microsoft-intune
+ms.subservice: education
---
# Enroll devices with Company Portal
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/enroll-overview.md b/memdocs/intune/industry/education/tutorial-school-deployment/enroll-overview.md
index 7ca721b1c42..b0c1af757f0 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/enroll-overview.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/enroll-overview.md
@@ -7,6 +7,8 @@ zone_pivot_groups: platforms-windows-ios
author: scottbreenmsft
ms.author: scbree
ms.manager: dougeby
+ms.service: microsoft-intune
+ms.subservice: education
---
# Device enrollment overview
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/enroll-package.md b/memdocs/intune/industry/education/tutorial-school-deployment/enroll-package.md
index 60af4e6818d..6ea6ed66627 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/enroll-package.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/enroll-package.md
@@ -6,6 +6,8 @@ ms.topic: tutorial
author: scottbreenmsft
ms.author: scbree
ms.manager: dougeby
+ms.service: microsoft-intune
+ms.subservice: education
---
# Enrollment with provisioning packages
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/introduction.md b/memdocs/intune/industry/education/tutorial-school-deployment/introduction.md
index 992b6e2bb31..49eaa896061 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/introduction.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/introduction.md
@@ -3,10 +3,11 @@ title: Introduction to the tutorial for deploying and managing devices in a scho
description: Introduction to deployment and management of devices in education environments.
ms.date: 5/2/2024
ms.topic: tutorial
-ms.collection: essentials-get-started
ms.author: scbree
author: scottbreenmsft
ms.manager: dougeby
+ms.service: microsoft-intune
+ms.subservice: education
---
# Tutorial: deploy and manage devices in a school
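Review bot: as in configure-devices-overview.md, removing `ms.collection: essentials-get-started` changes the page's collection membership rather than only adding service metadata; confirm this is intended rather than a side effect of the metadata update.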
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/manage-avoid-policy-conflicts.md b/memdocs/intune/industry/education/tutorial-school-deployment/manage-avoid-policy-conflicts.md
index 8743b37a775..808df6198ff 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/manage-avoid-policy-conflicts.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/manage-avoid-policy-conflicts.md
@@ -5,6 +5,8 @@ ms.date: 7/11/2024
ms.topic: tutorial
ms.author: scbree
author: scottbreenmsft
+ms.service: microsoft-intune
+ms.subservice: education
---
# Avoiding policy conflicts
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/manage-overview.md b/memdocs/intune/industry/education/tutorial-school-deployment/manage-overview.md
index fe71e6eed80..e5add0dfe7d 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/manage-overview.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/manage-overview.md
@@ -6,6 +6,8 @@ ms.topic: tutorial
author: scottbreenmsft
ms.author: scbree
ms.manager: dougeby
+ms.service: microsoft-intune
+ms.subservice: education
---
# Manage devices with Microsoft Intune
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/manage-surface-devices.md b/memdocs/intune/industry/education/tutorial-school-deployment/manage-surface-devices.md
index 38ef96e2fad..e946f6b8d4c 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/manage-surface-devices.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/manage-surface-devices.md
@@ -8,6 +8,8 @@ ms.author: scbree
ms.manager: dougeby
appliesto:
- ✅ Surface devices
+ms.service: microsoft-intune
+ms.subservice: education
---
# Management functionalities for Surface devices
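Review bot: the new `ms.service` and `ms.subservice` keys are inserted after the `appliesto:` list rather than alongside the other `ms.*` keys above it; YAML parses this fine, but placing them before `appliesto:` keeps the front matter grouped the same way as the other files in this patch.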
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/plan-grouping.md b/memdocs/intune/industry/education/tutorial-school-deployment/plan-grouping.md
index dad842eadc2..a2ebb511b4b 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/plan-grouping.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/plan-grouping.md
@@ -6,6 +6,8 @@ ms.topic: tutorial
ms.author: scbree
author: scottbreenmsft
zone_pivot_groups: platforms-windows-ios
+ms.service: microsoft-intune
+ms.subservice: education
---
# Plan Education device grouping and targeting
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/reset-wipe.md b/memdocs/intune/industry/education/tutorial-school-deployment/reset-wipe.md
index 8552e111064..df70c09c916 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/reset-wipe.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/reset-wipe.md
@@ -7,6 +7,8 @@ zone_pivot_groups: platforms-windows-ios
author: scottbreenmsft
ms.author: scbree
ms.manager: dougeby
+ms.service: microsoft-intune
+ms.subservice: education
---
# Reset and wipe devices
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/set-up-microsoft-entra-id.md b/memdocs/intune/industry/education/tutorial-school-deployment/set-up-microsoft-entra-id.md
index 5348436a922..5ed9a19003d 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/set-up-microsoft-entra-id.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/set-up-microsoft-entra-id.md
@@ -6,6 +6,8 @@ ms.topic: tutorial
author: scottbreenmsft
ms.author: scbree
ms.manager: dougeby
+ms.service: microsoft-intune
+ms.subservice: education
---
# Set up Microsoft Entra ID
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/set-up-microsoft-intune.md b/memdocs/intune/industry/education/tutorial-school-deployment/set-up-microsoft-intune.md
index 9da23f7f719..b21781c980c 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/set-up-microsoft-intune.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/set-up-microsoft-intune.md
@@ -7,6 +7,8 @@ ms.author: scbree
author: scottbreenmsft
zone_pivot_groups: platforms-windows-ios
ms.manager: dougeby
+ms.service: microsoft-intune
+ms.subservice: education
---
# Set up Microsoft Intune
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/troubleshoot-overview.md b/memdocs/intune/industry/education/tutorial-school-deployment/troubleshoot-overview.md
index 200f7f05590..99e678ea272 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/troubleshoot-overview.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/troubleshoot-overview.md
@@ -7,6 +7,8 @@ ms.topic: tutorial
ms.author: scbree
author: scottbreenmsft
ms.manager: dougeby
+ms.service: microsoft-intune
+ms.subservice: education
---
# Troubleshoot devices
diff --git a/memdocs/intune/protect/actions-for-noncompliance.md b/memdocs/intune/protect/actions-for-noncompliance.md
index 1ccb1736ded..f6a3266ada7 100644
--- a/memdocs/intune/protect/actions-for-noncompliance.md
+++ b/memdocs/intune/protect/actions-for-noncompliance.md
@@ -269,7 +269,7 @@ You can add optional actions when you create a compliance policy, or update an e
- **Send push notification to end user**: Configure this action to send a push notification about noncompliance to a device through the Company Portal app or Intune App on the device.
-5. Configure a **Schedule**: Enter the number of days (0 to 365) after noncompliance to trigger the action on users' devices. After this grace period, you can enforce a [conditional access](conditional-access-intune-common-ways-use.md) policy. If you enter **0** (zero) number of days, then conditional access takes effect **immediately**. For example, if a device is noncompliant, use conditional access to block access to email, SharePoint, and other organization resources immediately.
+5. Configure a **Schedule**: Enter the number of days (0 to 365) after noncompliance to trigger the action on users' devices. After this grace period, you can enforce a [Conditional Access](conditional-access-intune-common-ways-use.md) policy. If you enter **0** (zero) number of days, then Conditional Access takes effect **immediately**. For example, if a device is noncompliant, use Conditional Access to block access to email, SharePoint, and other organization resources immediately.
When you create a compliance policy, the **Mark device noncompliant** action is automatically created, and automatically set to **0** days (immediately). With this action, when the device checks in with Intune and evaluates the policy, if it isn't compliant to that policy Intune immediately marks that device as noncompliant. If the client checks in at a later time after remediating the issues that lead to noncompliance, its status will update to its new compliance status. If you use Conditional Access, those policies also apply as soon as a device is marked as noncompliant. To set a grace period to allow for a condition of noncompliance to be remediated before the device is marked as noncompliant, change the **Schedule** on the **Mark device noncompliant** action.
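Review bot: the rewritten step 5 keeps `If you enter **0** (zero) number of days`, which reads better as `If you enter **0** (zero) days`, and the unchanged paragraph right after it has a tense slip, `issues that lead to noncompliance` should be `issues that led to noncompliance`; both are worth fixing while this step is being touched. The `Conditional Access` capitalization now matches that following paragraph, which already used it.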
diff --git a/memdocs/intune/protect/advanced-threat-protection-configure.md b/memdocs/intune/protect/advanced-threat-protection-configure.md
index 1b5618f4fb0..b2a888bacf0 100644
--- a/memdocs/intune/protect/advanced-threat-protection-configure.md
+++ b/memdocs/intune/protect/advanced-threat-protection-configure.md
@@ -1,13 +1,13 @@
---
# required metadata
-title: Configure Microsoft Defender for Endpoint in Microsoft Intune
-description: Configure Microsoft Defender for Endpoint in Intune, including connecting to Defender for Endpoint, onboarding devices, assigning compliance for risk levels, and conditional access policies.
+title: Onboard and Configure Devices with Microsoft Defender for Endpoint via Microsoft Intune
+description: Integrate Microsoft Defender for Endpoint with Microsoft Intune, including connecting the products, onboarding devices, and assigning policies for compliance and risk level assessment.
keywords: configure, manage, capabilities, attack surface reduction, next-generation protection, security controls, endpoint detection and response, auto investigation and remediation, security controls, controls, microsoft defender for endpoint, mde
author: brenduns
ms.author: brenduns
manager: dougeby
-ms.date: 04/17/2024
+ms.date: 12/13/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: protect
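Review bot: the new `title:` value `Onboard and Configure Devices with Microsoft Defender for Endpoint via Microsoft Intune` is in title case, whereas page titles in this repo use sentence case; `Onboard and configure devices with Microsoft Defender for Endpoint via Microsoft Intune` would be expected. The `ms.date` bump is fine given the scope of the rewrite.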
@@ -31,80 +31,89 @@ ms.collection:
- sub-secure-endpoints
---
-# Configure Microsoft Defender for Endpoint in Intune
+# Integrate Microsoft Defender for Endpoint with Intune and Onboard Devices
-Use the information and procedures in this article to configure integration of Microsoft Defender for Endpoint with Intune. Configuration includes the following general steps:
+Use the information and procedures in this article to connect Microsoft Defender for Endpoint with Intune and to then onboard and configure devices for Defender for Endpoint. Information in this article includes the following general steps:
-- **Establish a service-to-service connection between Intune and Microsoft Defender for Endpoint**. This connection lets Microsoft Defender for Endpoint collect data about machine risk from supported devices you manage with Intune. See the [prerequisites](../protect/advanced-threat-protection.md#prerequisites) to use Microsoft Defender for Endpoint with Intune.
-- **Use Intune policy to onboard devices with Microsoft Defender for Endpoint**. You onboard devices to configure them to communicate with Microsoft Defender for Endpoint and to provide data that helps assess their risk level.
-- **Use Intune device compliance policies to set the level of risk you want to allow**. Microsoft Defender for Endpoint reports a devices risk level. Devices that exceed the allowed risk level are identified as noncompliant.
-- **Use a conditional access policy** to block users from accessing corporate resources from devices that are noncompliant.
+- **Establish a service-to-service connection between Intune and Microsoft Defender for Endpoint**. This connection enables Intune to interact with Microsoft Defender on devices, including installation (onboarding) and configuration of the Defender for Endpoint client, and integration of machine risk scores from supported devices you manage with Intune. See the [prerequisites](../protect/advanced-threat-protection.md#prerequisites) to use Microsoft Defender for Endpoint with Intune.
+- **Onboard devices to Defender for Endpoint**. You onboard devices to configure them to communicate with Microsoft Defender for Endpoint and to provide data that helps assess their risk level. Each platform has separate requirements to onboard to Defender.
+- **Use Intune device compliance policies to set the level of risk you want to allow**. Microsoft Defender for Endpoint reports on the risk level of devices. Devices that exceed the allowed risk level are identified as noncompliant.
+- **Use Conditional Access policy** to block users from accessing corporate resources while using a device that is identified as noncompliant.
- **Use** [**app protection policies**](../protect/mtd-app-protection-policy.md) for Android and iOS/iPadOS, to set device risk levels. App protection policies work with both enrolled and unenrolled devices.
-In addition to managing settings for Microsoft Defender for Endpoint on devices that enroll with Intune, you can manage Defender for Endpoint security configurations on devices that aren’t enrolled with Intune. This scenario is called *Security Management for Microsoft Defender for Endpoint* and requires configuring the *Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations* toggle to *On*. For more information, see [MDE Security Configuration Management](../protect/mde-security-integration.md).
+In addition to managing settings for Microsoft Defender for Endpoint on devices that enroll with Intune, you can manage Defender for Endpoint security configurations on devices that aren’t enrolled with Intune. This scenario is called *Security Management for Microsoft Defender for Endpoint* and requires configuring the *Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations* toggle to *On*. For more information, see [Microsoft Defender for Endpoint Security Configuration Management](../protect/mde-security-integration.md).
[!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)]
## Connect Microsoft Defender for Endpoint to Intune
-The first step you take is to set up the service-to-service connection between Intune and Microsoft Defender for Endpoint. Set up requires administrative access to both the Microsoft Defender Security Center, and to Intune.
+Before Intune and Defender for Endpoint can work together, you must set up the service-to-service connection between Intune and Microsoft Defender for Endpoint. This is a one-time action per tenant. Setup requires administrative access to both the Microsoft Defender Security Center and the Microsoft Intune admin center.
-You only need to enable Microsoft Defender for Endpoint a single time per tenant.
+### Enable Intune and Microsoft Defender for Endpoint integration
-### To enable Microsoft Defender for Endpoint
+1. Open the Microsoft Defender for Endpoint portal at [security.microsoft.com](https://security.microsoft.com). The Intune admin center also includes a link to the Defender for Endpoint portal.
-Open the Microsoft Defender for Endpoint portal at [security.microsoft.com](https://security.microsoft.com). The Intune admin center also includes a link to the Defender for Endpoint portal.
+ 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+ 2. Select **Endpoint security** > **Microsoft Defender for Endpoint** and review the **Connection status** at the top of the page. If it’s **Enabled**, Defender and Intune are already connected and you can skip to step #2.
-2. Select **Endpoint security** > **Microsoft Defender for Endpoint**, and then select **Open the Microsoft Defender Security Center**.
+ If the status is **Unavailable**, continue here.
+ 3. Scroll down to the bottom of the *Microsoft Defender for Endpoint* page and select the link **Open the Microsoft Defender Security Center** to open the Microsoft Defender for portal and continue with the next numbered step.
> [!TIP]
>
- > In the Intune admin center, if the **Connection status** at the top of the Microsoft Defender for Endpoint page is already set to **Enabled**, the connection to Intune is already active and the admin center displays different UI text for the link. In this event, select **Open the Microsoft Defender for Endpoint admin console** to open the Microsoft Defender for portal. Then you can use the guidance in the following step to confirm that the **Microsoft Intune connection** is set to **On**.
+ > If the connection is already active, the link to open the Defender portal reads: **Open the Microsoft Defender for Endpoint admin console**.
:::image type="content" source="./media/advanced-threat-protection-configure/atp-device-compliance-open-microsoft-defender.png" alt-text="Screen shot that shows the patch to open the Microsoft Defender Security Center.":::
-3. In **Microsoft Defender** portal (previously the *Microsoft Defender Security Center*):
- 1. Select [**Settings** > **Endpoints** >**Advanced features**](https://security.microsoft.com/preferences2/integration).
- 2. For **Microsoft Intune connection**, choose **On**:
+2. In [**Microsoft Defender** portal](https://security.microsoft.com/):
+
+ 1. Use the left-hand pane to scroll down and select **Settings** > **Endpoints** >**Advanced features**.
+ 2. On the advanced features pane, scroll down to locate the entry for **Microsoft Intune connection** and set the toggle to **On**.
:::image type="content" source="./media/advanced-threat-protection-configure/atp-security-center-intune-toggle.png" alt-text="Screen shot of the Microsoft Intune connection setting.":::
- 3. Select **Save preferences**.
+ 3. Select **Save preferences** to complete the connection between Intune and Defender for Endpoint.
> [!NOTE]
> Once the connection is established, the services are expected to sync with each other _at least_ once every 24 hours. The number of days without sync until the connection is considered unresponsive is configurable in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). Select **Endpoint security** > **Microsoft Defender for Endpoint** > **Number of days until partner is unresponsive**
-4. Return to **Microsoft Defender for Endpoint** page in the Microsoft Intune admin center.
+3. Return to **Microsoft Defender for Endpoint** page in the Microsoft Intune admin center where you configure aspects of the Defender for Endpoint integration. The Connection status should now display **Enabled**.
+
+ On this page, review each category and the available configurations for platform support and platforms specific options you plan to use, and set those toggles to **On**. You can return later to enable or disable any of these options.
+
+ To set up the following integrations of Microsoft Defender for Endpoint, your account must be assigned an Intune [role-based access control]( /mem/intune/fundamentals/role-based-access-control) (RBAC) role that includes *Read* and *Modify* for the *Mobile Threat Defense* permission in Intune. The *Endpoint Security Manager* built-in admin role for Intune has these permissions included.
+
+ **Compliance policy evaluation** - To use Defender for Endpoint with **compliance policies**, configure the following under **Compliance policy evaluation** for the platforms you support:
+
+ - Set **Connect Android devices** to Microsoft Defender for Endpoint to **On**
+ - Set **Connect iOS/iPadOS devices** to Microsoft Defender for Endpoint to **On**
+ - Set **Connect Windows devices** to Microsoft Defender for Endpoint to **On**
- 1. To use Defender for Endpoint with **compliance policies**, configure the following under **Compliance policy evaluation** for the platforms you support:
- - Set **Connect Android devices** to Microsoft Defender for Endpoint to **On**
- - Set **Connect iOS/iPadOS devices** to Microsoft Defender for Endpoint to **On**
- - Set **Connect Windows devices** to Microsoft Defender for Endpoint to **On**
+ When these configurations are *On*, applicable devices that you manage with Intune, and devices you enroll in the future, are connected to Microsoft Defender for Endpoint for compliance.
- When these configurations are *On*, applicable devices that you manage with Intune, and devices you enroll in the future, are connected to Microsoft Defender for Endpoint for compliance.
+ For iOS devices, Defender for Endpoint also supports the following settings that help provide the Vulnerability Assessment of apps on Microsoft Defender for Endpoint for iOS. For more information about using the following two settings, see [Configure vulnerability assessment of apps](/microsoft-365/security/defender-endpoint/ios-configure-features#configure-vulnerability-assessment-of-apps).
- For iOS devices, Defender for Endpoint also supports the following settings that help provide the Vulnerability Assessment of apps on Microsoft Defender for Endpoint for iOS. For more information about using the following two settings, see [Configure vulnerability assessment of apps](/microsoft-365/security/defender-endpoint/ios-configure-features#configure-vulnerability-assessment-of-apps).
+ - **Enable App Sync for iOS Devices**: Set to **On** to allow Defender for Endpoint to request metadata of iOS applications from Intune to use for threat analysis purposes. The iOS device must be MDM-enrolled and provide updated app data during device check-in.
- - **Enable App Sync for iOS Devices**: Set to **On** to allow Defender for Endpoint to request metadata of iOS applications from Intune to use for threat analysis purposes. The iOS device must be MDM-enrolled and provide updated app data during device check-in.
+ - **Send full application inventory data on personally owned iOS/iPadOS Devices**: This setting controls the application inventory data that Intune shares with Defender for Endpoint when Defender for Endpoint syncs app data and requests the app inventory list.
- - **Send full application inventory data on personally owned iOS/iPadOS Devices**: This setting controls the application inventory data that Intune shares with Defender for Endpoint when Defender for Endpoint syncs app data and requests the app inventory list.
+ When set to **On**, Defender for Endpoint can request a list of applications from Intune for personally owned iOS/iPadOS devices. This list includes unmanaged apps and apps that were deployed through Intune.
- When set to **On**, Defender for Endpoint can request a list of applications from Intune for personally owned iOS/iPadOS devices. This list includes unmanaged apps and apps that were deployed through Intune.
+ When set to **Off**, data about unmanaged apps isn’t provided. Intune does share data for the apps that were deployed through Intune.
- When set to **Off**, data about unmanaged apps isn’t provided. Intune does share data for the apps that were deployed through Intune.
+ For more information, see [Mobile Threat Defense toggle options](../protect/mtd-connector-enable.md#mobile-threat-defense-toggle-options).
- For more information, see [Mobile Threat Defense toggle options](../protect/mtd-connector-enable.md#mobile-threat-defense-toggle-options).
- 2. To use Defender for Endpoint with **app protection policies** for Android and iOS/iPadOS, configure the following under **App protection policy evaluation** for the platforms you use:
- - Set **Connect Android devices to Microsoft Defender** for Endpoint to **On**.
- - Set **Connect iOS/iPadOS devices to Microsoft Defender for Endpoint** on to **On**.
+ **App protection policy evaluation** - Configure the following toggles to use Defender for Endpoint with Intune **app protection policies** for Android and iOS/iPadOS, configure the following under **App protection policy evaluation** for the platforms you use:
- To set up an integration Microsoft Defender for Endpoint for compliance and app protection policy evaluation, you must have a role that includes *Read* and *Modify* for the *Mobile Threat Defense* permission in Intune. The *Endpoint Security Manager* built-in admin role for Intune has these permissions included. For more information about both MDM Compliance Policy Settings and App Protection Policy Settings, see [Mobile Threat Defense toggle options](../protect/mtd-connector-enable.md#mobile-threat-defense-toggle-options).
+ - Set **Connect Android devices to Microsoft Defender** for Endpoint to **On**.
+ - Set **Connect iOS/iPadOS devices to Microsoft Defender for Endpoint** on to **On**.
-5. Select **Save**.
+ For more information, see [Mobile Threat Defense toggle options](../protect/mtd-connector-enable.md#mobile-threat-defense-toggle-options).
+
+4. Select **Save**.
> [!TIP]
>
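Review bot: The new lead-in for **App protection policy evaluation** says the same thing twice: "Configure the following toggles to use Defender for Endpoint with Intune **app protection policies** for Android and iOS/iPadOS, configure the following under **App protection policy evaluation** for the platforms you use:" repeats "configure the following" and names the heading it sits under. Suggest "**App protection policy evaluation** - To use Defender for Endpoint with Intune **app protection policies** for Android and iOS/iPadOS, configure the following toggles for the platforms you use:". The two sub-bullets are moved rather than fixed: the bold in "**Connect Android devices to Microsoft Defender** for Endpoint" cuts the toggle name in half, and "on to **On**" in the iOS/iPadOS line has a stray "on". Also, the removed paragraph was the only place in this section that stated the permission needed to set up the integration (*Read* and *Modify* for *Mobile Threat Defense*, included in the *Endpoint Security Manager* built-in role); unless it is restated elsewhere in the article, keep it, because an admin without that permission sees the toggles fail with no hint why.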
@@ -112,39 +121,55 @@ Open the Microsoft Defender for Endpoint portal at [security.microsoft.com](http
## Onboard devices
-When you enable support for Microsoft Defender for Endpoint in Intune, you established a service-to-service connection between Intune and Microsoft Defender for Endpoint. You can then onboard devices you manage with Intune to Microsoft Defender for Endpoint. Onboarding enables collection of data about device risk levels.
+After establishing the service-to-service connection between Intune and Microsoft Defender for Endpoint, use Intune to onboard your managed devices to Microsoft Defender for Endpoint. Onboarding involves enrolling devices into the Defender for Endpoint service to ensure they're protected and monitored for security threats and enables collection of data about device risk levels.
When onboarding devices, be sure to use the most recent version of Microsoft Defender for Endpoint for each platform.
+The process to onboard devices to Defender for Endpoint varies by platform.
+
### Onboard Windows devices
-- [**Endpoint detection and response**](../protect/endpoint-security-edr-policy.md) (EDR) policy. The *Microsoft Defender for Endpoint* page in the Intune admin center includes a link that directly opens the EDR policy creation workflow, which is part of endpoint security in Intune.
+With a connection between Intune and Defender established, Intune automatically receives an onboarding configuration package from Defender that can be used by Intune to onboard Windows devices. This package is used by Intune EDR policy to configure devices to communicate with [Microsoft Defender for Endpoint services](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) and to scan files and detect threats. The onboarded devices also report their risk level to Microsoft Defender for Endpoint based on your compliance policies.
- Use EDR policies to configure device security without the overhead of the larger body of settings found in device configuration profiles. You can also use EDR policy with tenant attached devices, which are devices you manage with Configuration Manager.
+Onboarding of a device using the configuration package is a one-time action.
- When you configure EDR policy after connecting Intune to Defender, the policy setting *Microsoft Defender for Endpoint client configuration package type* has a new configuration option: **Auto from connector**. With this option, Intune automatically gets the onboarding package (blob) from your Defender for Endpoint deployment, replacing the need to manually configure an Onboard package.
+To deploy the onboarding package for Windows devices, you can choose to use a preconfigured EDR policy option, which deploys to the *All devices* group to onboard all applicable Windows devices, or you can manually create the EDR Policy for more granular deployments, which requires you to complete a few additional steps.
-- **Device configuration policy**. When creating a device configuration policy to onboard Windows devices, select the *Microsoft Defender for Endpoint* template. When you connected Intune to Defender, Intune received an onboarding configuration package from Defender. This package is used by the template to configure devices to communicate with [Microsoft Defender for Endpoint services](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) and to scan files and detect threats. The onboarded devices also report their risk level to Microsoft Defender for Endpoint based on your compliance policies.
-After onboarding a device using the configuration package, you don't need to do it again.
+#### Use the preconfigured policy
-- [**Group policy or Microsoft Configuration Manager**](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). [Onboard Windows machines using Microsoft Configuration Manager](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm) has more details on the Microsoft Defender for Endpoint settings.
+With this path, you provide a name for the onboarding policy and select both the *platform* and *profile*. Other settings are preselected and include use of the onboarding package without additional settings, use of the *Default* scope tag, and assignment to the *All Devices* group. You can’t change these options during policy creation, but can return later to edit the policy details.
-> [!TIP]
->
-> When using multiple policies or policy types like *device configuration* policy and *endpoint detection and response* policy to manage the same device settings (such as onboarding to Defender for Endpoint), you can create policy conflicts for devices. To learn more about conflicts, see [Manage conflicts](../protect/endpoint-security-policy.md#manage-conflicts) in the *Manage security policies* article.
+1. Open the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Endpoint security** > **Endpoint detection and response** > and select the **EDR Onboarding Status** tab.
+
+2. On this tab, select **Deploy preconfigured policy**.
-### Create the device configuration profile to onboard Windows devices
+ :::image type="content" source="./media/advanced-threat-protection-configure/select-preconfigured-policy.jpg" alt-text="Screen shot that displays the path to the preconfigured policy option.":::
+
+3. For Platform, select **Windows** for devices managed directly by Intune, or **Windows (ConfigMgr)** for devices managed through the Tenant Attach scenario. For Profile select **Endpoint detection and response**.
+
+4. Specify a Name for the policy.
+
+5. On the **Review and Create** page you can review this policies configuration. When ready select **Save** to save this policy, which immediately begins to deploy to the *All Devices* group.
+
+#### Create your own EDR policy:
+
+With this path, you can define all aspects of the initial onboarding policy before it begins to deploy to devices.
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Select **Endpoint security** > **Endpoint detection and response** > **Create Policy**.
-3. For **Platform**, select **Windows 10, Windows 11, and Windows Server**.
-4. For **Profile type**, select **Endpoint detection and response**, and then select **Create**.
-5. On the **Basics** page, enter a *Name* and *Description* (optional) for the profile, then choose **Next**.
-6. On the **Configuration settings** page, configure the following options for **Endpoint Detection and Response**:
- - **Microsoft Defender for Endpoint client configuration package type**: Select *Auto from connector* to use the onboarding package (blob) from your Defender for Endpoint deployment. If you are onboarding to a different or disconnected Defender for Endpoint deployment, select *Onboard* and paste the text from the WindowsDefenderATP.onboarding blob file into the *Onboarding (Device)* field.
+2. Select **Endpoint security** > **Endpoint detection and response** > and in the *Summary* tab, select **Create Policy**.
+
+3. For *Platform* select **Windows**, for Profile select **Endpoint detection and response**, and then select **Create**.
+
+4. On the **Basics** page, enter a *Name and Description* (optional) for the profile, then choose Next.
+
+5. On the **Configuration settings** page, configure the following options depending on your needs:
+
+ - **Microsoft Defender for Endpoint client configuration package type**: Select **Auto from connector**. With this option, the onboarding policy automatically uses the onboarding blob that Intune received from Microsoft Defender. If you're onboarding to a different or disconnected Defender for Endpoint deployment, select Onboard and paste the text from the WindowsDefenderATP.onboarding blob file into the *Onboarding (Device)* field.
+
- **Sample Sharing**: Returns or sets the Microsoft Defender for Endpoint Sample Sharing configuration parameter.
- - **[Deprecated] Telemetry Reporting Frequency**: For devices that are at high risk, **Enable** this setting so it reports telemetry to the Microsoft Defender for Endpoint service more frequently.
+
+ - **[Deprecated] Telemetry Reporting Frequency**: This setting is deprecated and no longer applies to new devices. The setting remains visible in the policy UI for visibility for older policies that had this configured.
:::image type="content" source="./media/advanced-threat-protection-configure/automatic-package-configuration.png" alt-text="Screen shot of the configuration options for Endpoint Detection and Response.":::
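Review bot: In step 5 of the preconfigured-policy path, "this policies configuration" should be "this policy's configuration", and "When ready select **Save**" needs a comma after "ready". The heading "#### Create your own EDR policy:" has a trailing colon that its sibling "#### Use the preconfigured policy" does not; drop it. UI-label formatting is inconsistent across the new steps: "For Platform, select **Windows**" in the preconfigured steps versus "For *Platform* select **Windows**, for Profile select" in the manual steps, and "enter a *Name and Description* (optional)" italicizes both labels as one phrase where the old text had "*Name* and *Description* (optional)". In the package-type bullet, "select Onboard" should be bold like the other option names (the old line had it as *Onboard*). The new paragraph "Onboarding of a device using the configuration package is a one-time action." is now separated from the sentence it qualifies; place it directly after the paragraph that introduces the package so readers see it before choosing a path.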
@@ -154,65 +179,83 @@ After onboarding a device using the configuration package, you don't need to do
>
> If you haven’t configured this connection successfully, the setting *Microsoft Defender for Endpoint client configuration package type* only includes options to specify onboard and offboard blobs.
-7. Select **Next** to open the **Scope tags** page. Scope tags are optional. Select **Next** to continue.
+6. Select **Next** to open the **Scope tags** page. Scope tags are optional. Select **Next** to continue.
-8. On the **Assignments** page, select the groups that will receive this profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).
+7. On the **Assignments** page, select the groups that will receive this profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).
When you deploy to user groups, a user must sign in on a device before the policy applies and the device can onboard to Defender for Endpoint.
- Select **Next**.
+ Select **Next** to continue.
-9. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list when you select the policy type for the profile you created.
- **OK**, and then **Create** to save your changes, which creates the profile.
+8. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list when you select the policy type for the profile you created.
+
+ > [!TIP]
+ > When using multiple policies or policy types like *device configuration* policy and *endpoint detection and response* policy to manage the same device settings, you can create policy conflicts for devices. To learn more about conflicts, see [Manage conflicts](../protect/endpoint-security-policy.md#manage-conflicts) in the *Manage security policies* article.
### Onboard macOS devices
After you establish the service-to-service connection between Intune and Microsoft Defender for Endpoint, you can onboard macOS devices to Microsoft Defender for Endpoint. Onboarding configures devices to communicate with Microsoft Defender Endpoint, which then collects data about devices risk level.
-For configuration guidance for Intune, see [Microsoft Defender for Endpoint for macOS](../apps/apps-advanced-threat-protection-macos.md).
+Intune doesn't support an automatic onboarding package for macOS as it does for Windows devices. For configuration guidance for Intune, see [Microsoft Defender for Endpoint for macOS](../apps/apps-advanced-threat-protection-macos.md).
For more information about Microsoft Defender for Endpoint for Mac including what's new in the latest release, see [Microsoft Defender for Endpoint for Mac](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac?view=o365-worldwide&preserve-view=true) in the Microsoft 365 security documentation.
### Onboard Android devices
-After you establish the service-to-service connection between Intune and Microsoft Defender for Endpoint, you can onboard Android devices to Microsoft Defender for Endpoint. Onboarding configures devices to communicate with Defender for Endpoint, which then collects data about the devices risk level.
+After you establish the service-to-service connection between Intune and Microsoft Defender for Endpoint, you can onboard Android devices to Microsoft Defender for Endpoint.
-There isn't a configuration package for devices that run Android. Instead, see [Overview of Microsoft Defender for Endpoint for Android](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android) in the Microsoft Defender for Endpoint documentation for the prerequisites and onboarding instructions for Android.
+Intune doesn't support an automatic onboarding package for Android as it does for Windows devices. For configuration guidance for Intune, see [Overview of Microsoft Defender for Endpoint for Android](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android) in the Microsoft Defender for Endpoint documentation for the prerequisites and onboarding instructions for Android.
For devices that run Android, you can also use Intune policy to modify Microsoft Defender for Endpoint on Android. For more information, see [Microsoft Defender for Endpoint web protection](../protect/advanced-threat-protection-manage-android.md).
### Onboard iOS/iPadOS devices
-After you establish the service-to-service connection between Intune and Microsoft Defender for Endpoint, you can onboard iOS/iPadOS devices to Microsoft Defender for Endpoint. Onboarding configures devices to communicate with Defender for Endpoint, which then collects data about the devices risk level.
+After you establish the service-to-service connection between Intune and Microsoft Defender for Endpoint, you can onboard iOS/iPadOS devices to Microsoft Defender for Endpoint.
-There isn't a configuration package for devices that run iOS/iPadOS. Instead, see [Overview of Microsoft Defender for Endpoint for iOS](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios) in the Microsoft Defender for Endpoint documentation for prerequisites and onboarding instructions for iOS/iPadOS.
+Intune doesn't support an automatic onboarding package for iOS/iPadOS as it does for Windows devices. For configuration guidance for Intune, see [Overview of Microsoft Defender for Endpoint for iOS](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios) in the Microsoft Defender for Endpoint documentation for prerequisites and onboarding instructions for iOS/iPadOS.
-For devices that run iOS/iPadOS (in Supervised Mode), there's specialized ability given the increased management capabilities provided by the platform on these types of devices. To take advantage of these capabilities, the Defender app needs to know if a device is in Supervised Mode. Intune allows you to configure the Defender for iOS app through an App Configuration policy (for managed devices) that should be targeted to all iOS Devices as a best practice. For more information, see [Complete deployment for supervised devices](/microsoft-365/security/defender-endpoint/ios-install?#complete-deployment-for-supervised-devices).
+For devices that run iOS/iPadOS (in Supervised Mode), there's specialized ability given the increased management capabilities provided by the platform on these types of devices. To take advantage of these capabilities, the Defender app needs to know if a device is in *Supervised Mode*. For more information, see [Complete deployment for supervised devices](/microsoft-365/security/defender-endpoint/ios-install?#complete-deployment-for-supervised-devices).
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+
2. Select **Apps** > **App configuration policies** > **+ Add**, and then select**Managed devices** from the drop down list.
+
3. On the **Basics** page, enter a *Name* and *Description* (optional) for the profile, select **Platform** as **iOS/iPadOS** then choose **Next**.
+
4. Select **Targeted app** as **Microsoft Defender for iOS**.
+
5. On the **Settings** page, set the **Configuration key** as **issupervised**, then **Value type** as **string** with the **{{issupervised}}** as the **Configuration value**.
+
6. Select **Next** to open the **Scope tags** page. Scope tags are optional. Select **Next** to continue.
+
7. On the **Assignments** page, select the groups that will receive this profile. For this scenario, it's a best practice to target **All Devices**. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).
- When deploying policy to user groups, a user must sign-in on a device before the policy applies.
+ When you deploy policy to user groups, a user must sign-in on a device before the policy applies.
Select **Next**.
8. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list of configuration profiles.
-Further, for devices that run iOS/iPadOS (in Supervised Mode), the Defender for iOS team has made available a custom .mobileconfig profile to deploy to iPad/iOS devices. The .mobileconfig profile is used to analyze network traffic to ensure a safe browsing experience - a feature of Defender for iOS.
+
### View the count of devices that are onboarded to Microsoft Defender for Endpoint
+You can view a report on device onboarding status from within the Intune admin center by going to **Endpoint security** > **Endpoint detection and response** > and selecting the **EDR Onboarding Status** tab.
-To view the onboarded devices from Microsoft Defender for Endpoint within the Microsoft Defender for Endpoint connector page, you need an Intune role that includes *Read* for the *Microsoft Defender Advanced Threat Protection* permission.
-
-:::image type="content" source="./media/advanced-threat-protection-configure/onboard-report.png" alt-text="Sample view of the onboarded device report.":::
+To view this information, your account must be assigned an Intune role that includes *Read* for the *Microsoft Defender Advanced Threat Protection* permission.
## Create and assign compliance policy to set device risk level
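Review bot: The removed paragraph about the custom .mobileconfig profile for supervised iOS/iPadOS devices (used for network-traffic analysis for safe browsing) is not replaced by anything in this hunk; if the feature still ships, keep a pointer to where it is documented now, otherwise call out the removal in the PR description. In the reworded assignment note, "a user must sign-in on a device" should be "sign in" (verb; the hyphenated form is the noun). Since this hunk already touches these sections, the unchanged lines "select**Managed devices**" (missing space) in step 2 of the iOS procedure and "Microsoft Defender Endpoint" / "devices risk level" in the macOS intro are cheap to fix here too. The new onboarding-status paragraph drops the screenshot along with the old text; that is fine if the **EDR Onboarding Status** tab is the intended destination, but the permission sentence that follows it now refers to "this information" without saying what is shown, so consider keeping "count of devices" from the heading in the body sentence.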
@@ -235,7 +278,7 @@ If you're not familiar with creating compliance policy, reference the [Create a
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Select **Devices** > **Compliance**. On the **Policies** tab, select **+ Create policy**.
+2. Select **Devices** > **Compliance**. On the **Policies** tab, select **+ Create policy**.
3. For **Platform**, use the drop-down box to select one of the following options:
- **Android device administrator**
@@ -263,7 +306,7 @@ If you're not familiar with creating compliance policy, reference the [Create a
Use the procedure to [create an application protection policy for either iOS/iPadOS or Android](../apps/app-protection-policies.md#app-protection-policies-for-iosipados-and-android-apps), and use the following information on the *Apps*, *Conditional launch*, and *Assignments* pages:
- **Apps**: Select the apps you wish to be targeted by app protection policies. For this feature set, these apps are blocked or selectively wiped based on device risk assessment from your chosen Mobile Threat Defense vendor.
-- **Conditional launch**: Below *Device conditions*, use the drop-down box to select **Max allowed device threat level**.
+- **Conditional launch**: Below *Device conditions*, use the drop-down box to select **Max allowed device threat level**.
Options for the threat level **Value**:
@@ -282,31 +325,31 @@ Use the procedure to [create an application protection policy for either iOS/iPa
> [!IMPORTANT]
> If you create an app protection policy for any protected app, the device's threat level is assessed. Depending on the configuration, devices that don’t meet an acceptable level are either blocked or selectively wiped through conditional launch. If blocked, they are prevented from accessing corporate resources until the threat on the device is resolved and reported to Intune by the chosen MTD vendor.
-## Create a conditional access policy
+## Create a Conditional Access policy
-Conditional access policies can use data from Microsoft Defender for Endpoint to block access to resources for devices that exceed the threat level you set. You can block access from the device to corporate resources, such as SharePoint or Exchange Online.
+Conditional Access policies can use data from Microsoft Defender for Endpoint to block access to resources for devices that exceed the threat level you set. You can block access from the device to corporate resources, such as SharePoint or Exchange Online.
> [!TIP]
>
> Conditional Access is a Microsoft Entra technology. The *Conditional Access* node found in the Microsoft Intune admin center is the node from *Microsoft Entra*.
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Select **Endpoint security** > **Conditional access** > **Create new policy**. Because Intune presents the policy creation user interface for Conditional Access from the Azure portal, the interface is different than the policy creation workflow you might be familiar with.
+2. Select **Endpoint security** > **Conditional Access** > **Create new policy**. Because Intune presents the policy creation user interface for Conditional Access from the Azure portal, the interface is different than the policy creation workflow you might be familiar with.
3. Enter a policy **Name**.
4. For **Users**, use the *Include* and *Exclude* tabs to configure groups that will receive this policy.
5. For **Target resources**, set *Select what this policy applies to* to **Cloud apps**, and then choose which apps to protect. For example, choose **Select apps** and then for *Select*, search for and select **Office 365 SharePoint Online** and **Office 365 Exchange Online**.
-6. For **Conditions**, select **Client apps** and then set *Configure* to **Yes**. Next, select the checkboxes for **Browser** and **Mobile apps and desktop clients**. Then, select **Done** to save the client app configuration.
-7. For **Grant**, configure this policy to apply based on device compliance rules. For example:
+6. For **Conditions**, select **Client apps** and then set *Configure* to **Yes**. Next, select the checkboxes for **Browser** and **Mobile apps and desktop clients**. Then, select **Done** to save the client app configuration.
+7. For **Grant**, configure this policy to apply based on device compliance rules. For example:
1. Select **Grant access**.
2. Select the checkbox for **Require device to be marked as compliant**.
3. Select **Require all the selected controls**.
Choose **Select** to save the Grant configuration.
-8. For **Enable policy**, select **On** and then **Create** to save your changes.
+8. For **Enable policy**, select **On** and then **Create** to save your changes.
-## Next steps
+## Related content
- [Configure Microsoft Defender for Endpoint settings on Android](../protect/advanced-threat-protection-manage-android.md)
- [Monitor compliance for risk levels](../protect/advanced-threat-protection-monitor.md)
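Review bot: Renaming the heading to "Create a Conditional Access policy" leaves the generated slug (#create-a-conditional-access-policy) unchanged, so the cross-reference updated in advanced-threat-protection.md below still resolves. Renaming "## Next steps" to "## Related content" does change the slug (#next-steps to #related-content); check for inbound links to the old anchor before merging.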
diff --git a/memdocs/intune/protect/advanced-threat-protection-manage-android.md b/memdocs/intune/protect/advanced-threat-protection-manage-android.md
index 16b89cd4a5a..033f377a360 100644
--- a/memdocs/intune/protect/advanced-threat-protection-manage-android.md
+++ b/memdocs/intune/protect/advanced-threat-protection-manage-android.md
@@ -44,6 +44,27 @@ With Intune device configuration policy, you can turn off all or part of the web
- **Android Enterprise Fully Managed profile**. Use an app configuration profile and the [configuration designer](../apps/app-configuration-policies-use-android.md#use-the-configuration-designer) to disable the entire web protection feature or to disable only the use of VPNs.
+**The following browsers are supported with Defender loopback VPN:**
+- Chrome-
+- Microsoft Edge
+- Opera
+- Samsung Internet
+- Firefox
+- Brave
+- Tor
+- Browser Leopard
+- DuckDuckGo
+- Dolphin
+
+**The following browsers are supported with accessibility service without Defender loopback VPN:**
+- Chrome
+- Edge
+- Opera
+- Samsung Internet
+
+> [!IMPORTANT]
+> Work profile scenarios (Android Enterprise personally owned devices using a work profile and Android Enterprise corporate owned work profile) do not support the accessibility service.
+
To configure web protection on devices, use the following procedures to create and deploy the applicable configuration.
## Disable web protection for Android device administrator
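Review bot: The first browser list has a stray trailing hyphen in "+- Chrome-"; it should read "- Chrome". The two lists name the same browser differently ("Microsoft Edge" in the loopback VPN list, "Edge" in the accessibility-service list); use one form. "Browser Leopard" looks like a transposition or an unusual product name; confirm the exact name before publishing. The new **IMPORTANT** note says work-profile scenarios do not support the accessibility service, but nothing states what that means for a browser that appears only in the second list; a sentence saying that on work-profile devices web protection is provided only through the loopback VPN (if that is the intended reading) would close the gap.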
@@ -114,18 +135,16 @@ To configure web protection on devices, use the following procedures to create a
6. Find and select configuration keys **Anti-Phishing** and **VPN**, and then select **OK** to return to the **Settings** page.
-7. For the **Configuration values** of both configuration keys (**Anti-Phishing** and **VPN**), enter **0** to disable web protection.
+1. For the **Configuration values** of both configuration keys (**Anti-Phishing** and **VPN**), enter **0** to disable web protection and enter **1** to enable web protection. By default, web protection is enabled.
> [!NOTE]
- >
- > The **Web Protection** configuration key is deprecated. If you've used this key in the past, complete the previous steps to re-configure the setting by setting the keys **Anti-Phishing** and **VPN** to enable or disable web protection.
-
+ > Values for Anti-Phishing and VPN should be same either to be 0 to disable or 1 to enable, otherwise both features will automatically be disabled.
+
> [!NOTE]
- >
- > Enter **1** for both configuration values (**Anti-Phishing** and **VPN**) to enable web protection. This setting is the default.
-
+ > The **Web Protection** configuration key is deprecated. If you've used this key in the past, complete the previous steps to re-configure the setting by setting the keys **Anti-Phishing** and **VPN** to enable or disable web protection.
+
Select **Next** to continue.
-
+
8. In **Assignments**, specify the groups that receive the profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).
9. In **Review + create**, when you're done, select **Create**. The new profile is displayed in the list when you select the policy type for the profile you created.
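Review bot: Changing step "7." to "1." breaks the explicit numbering of this procedure: the preceding item is "6." and the item at the bottom of the hunk is still "8.", so renderers that honour literal numbers show 6, 1, 8. Keep "7." or renumber the whole list consistently. The new note is ungrammatical: "Values for Anti-Phishing and VPN should be same either to be 0 to disable or 1 to enable, otherwise both features will automatically be disabled." Suggest: "Set **Anti-Phishing** and **VPN** to the same value: both **0** to disable web protection, or both **1** to enable it. If the values differ, both features are disabled." That also makes the key names bold like the rest of the step. The added lines consisting only of "+ " (trailing spaces) should be plain empty lines; they will trip whitespace linters.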
@@ -134,21 +153,21 @@ To configure web protection on devices, use the following procedures to create a
1. Complete the same configuration steps [described previously](#disable-web-protection-for-the-android-enterprise-personally-owned-work-profile), and add web protection configuration keys **Anti-phishing** and **VPN**. The only difference is the **Profile Type** value. For this value, select **Fully Managed, Dedicated, and Corporate-Owned Work Profile Only**.
- - To disable web protection, enter **0** for configuration values **Anti-Phishing** and **VPN**.
+ - To disable web protection, enter **0** for configuration values **Anti-Phishing** and **VPN** and enter **1** for both configuration values (**Anti-Phishing** and **VPN**) to enable web protection. By default, web protection is enabled.
+
- To disable only the use of VPN by web protection, enter these configuration values:
- - **0** for **VPN**
- - **1** for **Anti-Phishing**
-
+ - **0** for **VPN**
+
+ - **1** for **Anti-Phishing**
+
> [!NOTE]
- >
- > You can't disable VPN for the Android Enterprise Fully Managed profile if you've configured the Auto Setup of Always-on VPN device configuration policy on the enrolled devices.
-
+ > For 'Android Enterprise corporate owned work profile' enrollment scenario values for VPN and Anti-Phishing should be same either both 0 to disable or 1 to enable, otherwise both features will automatically be disabled, but for 'Android Enterprise corporate owned fully managed - no work profile' enrollment scenario need not to have the same value for VPN and Anti-Phishing, each feature can work individually.
+
> [!NOTE]
- >
- > Enter **1** for both configuration values (**Anti-Phishing** and **VPN**) to enable web protection. This setting is the default.
-
+ > You can't disable VPN for the Android Enterprise Fully Managed profile if you've configured the Auto Setup of Always-on VPN device configuration policy on the enrolled devices.
+
Select **Next** to continue.
-
+
2. In **Assignments**, specify the groups that receive the profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).
3. In **Review + create**, when you're done, select **Create**. The new profile is displayed in the list when you select the policy type for the profile you
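Review bot: The expanded first sub-bullet is a run-on: "To disable web protection, enter **0** for configuration values **Anti-Phishing** and **VPN** and enter **1** for both configuration values (**Anti-Phishing** and **VPN**) to enable web protection." Split it: "To disable web protection, enter **0** for both **Anti-Phishing** and **VPN**. To enable it, enter **1** for both. By default, web protection is enabled." The new note under the VPN-only bullet is hard to parse ("should be same either both 0 to disable or 1 to enable ... need not to have the same value"); suggest: "For the *Android Enterprise corporate-owned work profile* scenario, **VPN** and **Anti-Phishing** must have the same value (both **0** or both **1**); if they differ, both features are disabled. For *Android Enterprise corporate-owned, fully managed (no work profile)*, the keys are independent and each feature can be enabled on its own." Because the VPN-only bullet above it (**0** for **VPN**, **1** for **Anti-Phishing**) is exactly the mixed configuration the note says gets disabled on corporate-owned work profile devices, state beside that bullet that it applies only to fully managed devices. Also, the unchanged step 1 writes the key as **Anti-phishing** while the new lines use **Anti-Phishing**; pick one spelling.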
@@ -162,4 +181,6 @@ To configure web protection on devices, use the following procedures to create a
- Learn more from the Microsoft Defender for Endpoint documentation:
- [Microsoft Defender for Endpoint Conditional Access](/windows/security/threat-protection/microsoft-defender-atp/conditional-access)
+
- [Microsoft Defender for Endpoint risk dashboard](/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard)
+
diff --git a/memdocs/intune/protect/advanced-threat-protection.md b/memdocs/intune/protect/advanced-threat-protection.md
index 8b4d8a00323..9dc035f70e7 100644
--- a/memdocs/intune/protect/advanced-threat-protection.md
+++ b/memdocs/intune/protect/advanced-threat-protection.md
@@ -45,7 +45,7 @@ To be successful, use the following configurations in concert, which are detaile
- **Use a device compliance policy to set the level of risk you want to allow**. Risk levels are reported by Microsoft Defender for Endpoint. Devices that exceed the allowed risk level are identified as noncompliant. See [Create and assign compliance policy to set device risk level](../protect/advanced-threat-protection-configure.md#create-and-assign-compliance-policy-to-set-device-risk-level) and [Create and assign app protection policy to set device risk level](../protect/advanced-threat-protection-configure.md#create-and-assign-app-protection-policy-to-set-device-risk-level).
-- **Use a conditional access policy** to block users from accessing corporate resources from devices that are noncompliant. See [Create a conditional access policy](../protect/advanced-threat-protection-configure.md#create-a-conditional-access-policy).
+- **Use a Conditional Access policy** to block users from accessing corporate resources from devices that are noncompliant. See [Create a Conditional Access policy](../protect/advanced-threat-protection-configure.md#create-a-conditional-access-policy).
When you integrate Intune with Microsoft Defender for Endpoint, you can take advantage of Microsoft Defender for Endpoints Threat & Vulnerability Management (TVM) and [use Intune to remediate endpoint weakness identified by TVM](atp-manage-vulnerabilities.md).
@@ -66,7 +66,7 @@ Microsoft Defender for Endpoint can help resolve security events like this scena
You can integrate Microsoft Defender for Endpoint with Microsoft Intune as a Mobile Threat Defense solution. Integration can help you prevent security breaches and limit the impact of breaches within an organization.
-Because you have an Intune device compliance policy to classify devices with a *Medium* or *High* level of risk as noncompliant, the compromised device is classified as noncompliant. This classification allows your conditional access policy to kick in and block access from that device to your corporate resources.
+Because you have an Intune device compliance policy to classify devices with a *Medium* or *High* level of risk as noncompliant, the compromised device is classified as noncompliant. This classification allows your Conditional Access policy to kick in and block access from that device to your corporate resources.
For devices that run Android, you can use Intune policy to modify the configuration of Microsoft Defender for Endpoint on Android. For more information, see [Microsoft Defender for Endpoint web protection](../protect/advanced-threat-protection-manage-android.md).
@@ -94,7 +94,7 @@ For the system requirements for Microsoft Defender for Endpoint, see [Minimum re
## Next steps
-- To connect Microsoft Defender for Endpoint to Intune, onboard devices, and configure conditional access policies, see [Configure Microsoft Defender for Endpoint in Intune](../protect/advanced-threat-protection-configure.md).
+- To connect Microsoft Defender for Endpoint to Intune, onboard devices, and configure Conditional Access policies, see [Configure Microsoft Defender for Endpoint in Intune](../protect/advanced-threat-protection-configure.md).
Learn more from the Intune documentation:
diff --git a/memdocs/intune/protect/app-based-conditional-access-intune-create.md b/memdocs/intune/protect/app-based-conditional-access-intune-create.md
index 7352b8095ce..71e5159966c 100644
--- a/memdocs/intune/protect/app-based-conditional-access-intune-create.md
+++ b/memdocs/intune/protect/app-based-conditional-access-intune-create.md
@@ -51,7 +51,7 @@ Before you can create Conditional Access policies from the Microsoft Intune admi
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
-2. Select **Endpoint security** > **Conditional access** > **New policy**.
+2. Select **Endpoint security** > **Conditional Access** > **New policy**.
3. Enter a policy **Name**, and then under *Assignments*, select **Users or workload identities**, and apply the policy to *Users and groups*. Use the Include or Exclude options to add your groups for the policy.
diff --git a/memdocs/intune/protect/app-modern-authentication-block.md b/memdocs/intune/protect/app-modern-authentication-block.md
index 2a1f63f39cd..d5f4a111005 100644
--- a/memdocs/intune/protect/app-modern-authentication-block.md
+++ b/memdocs/intune/protect/app-modern-authentication-block.md
@@ -37,7 +37,7 @@ App-based Conditional Access with app protection policies rely on applications u
## Block access to apps
-To block access to apps that don't use modern authentication, use Intune app protection policies to implement conditional access. For more information, see [App-based Conditional Access with Intune](app-based-conditional-access-intune.md).
+To block access to apps that don't use modern authentication, use Intune app protection policies to implement Conditional Access. For more information, see [App-based Conditional Access with Intune](app-based-conditional-access-intune.md).
## Additional information
diff --git a/memdocs/intune/protect/atp-manage-vulnerabilities.md b/memdocs/intune/protect/atp-manage-vulnerabilities.md
index 282f27df14b..86dfe65d810 100644
--- a/memdocs/intune/protect/atp-manage-vulnerabilities.md
+++ b/memdocs/intune/protect/atp-manage-vulnerabilities.md
@@ -6,7 +6,7 @@ description: Use Microsoft Intune Security Tasks to manage threats and vulnerabi
author: brenduns
ms.author: brenduns
manager: dougeby
-ms.date: 03/15/2024
+ms.date: 12/06/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: protect
@@ -28,72 +28,58 @@ ms.collection:
- sub-secure-endpoints
---
-# Use Microsoft Intune to remediate vulnerabilities identified by Microsoft Defender for Endpoint
+# Use Microsoft Intune security tasks to remediate device vulnerabilities identified by Microsoft Defender for endpoint
-When you integrate Microsoft Defender for Endpoint with Microsoft Intune, you can take advantage of Defender for Endpoint's threat and vulnerability management by using Intune security tasks. Security Tasks in Intune help Intune admins understand and then remediate many device weaknesses that Microsoft Defender for Endpoint's vulnerability management capability identifies. This integration brings a risk-based approach to the discovery and prioritization of vulnerabilities and can help improve remediation response time across your environment.
+When you [integrate Microsoft Defender for Endpoint with Microsoft Intune](/mem/intune/protect/advanced-threat-protection-configure#connect-microsoft-defender-for-endpoint-to-intune), you can leverage Defender's threat and vulnerability management through Intune security tasks. These tasks help Intune admins understand and address current vulnerabilities based on guidance from Defender for Endpoint. This integration enhances the discovery and prioritization of vulnerabilities, improving remediation response times across your environment.
[Threat & Vulnerability Management](/windows/security/threat-protection/windows-defender-atp/next-gen-threat-and-vuln-mgt) is part of [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint).
## How integration works
+
+After you integrate Intune with Microsoft Defender for Endpoint, Defender for Endpoint receives threat and vulnerability details from Intune-managed devices. These details are visible to security admins in the Microsoft Defender Security Center console.
-After you [connect Intune to Microsoft Defender for Endpoint](../protect/advanced-threat-protection-configure.md), Defender for Endpoint receives threat and vulnerability details from the devices you manage with Intune. These details become visible to security admins from within the Microsoft Defender Security Center console.
+In the Security Center console, [security admins can review endpoint vulnerabilities](/defender-vulnerability-management/defender-vulnerability-management#remediation-and-tracking) and create security tasks managed through Intune. These tasks appear in the Microsoft Intune admin center, where Intune admins can act and remediate issues based on Defender's guidance:
-In the Microsoft Defender Security Center console, security admins can review and act on endpoint vulnerabilities by taking a few simple actions that create *security tasks* for Microsoft Intune. Security tasks immediately appear in the Microsoft Intune admin center where they're visible to Intune admins who can then use the details to act and remediate the issues.
-
-- Vulnerabilities are based on the threats or issues as evaluated by Microsoft Defender for Endpoint when it scans and evaluates a device.
-- Not all Vulnerabilities and issues that Defender for Endpoint identifies support remediation through Intune. Such issues don't result in the creation of a security task for Intune.
+- Vulnerabilities are identified through scans and assessments by Microsoft Defender for Endpoint.
+- Not all identified vulnerabilities support remediation through Intune; only those vulnerabilities that are compatible result in security tasks.
Security tasks identify:
- The type of vulnerability
- Priority
- Status
-- Steps to take to remediate the vulnerability
-
-In the admin center, an Intune admin can review and then choose to accept or reject the task. After an admin accepts a task in Intune, they can use Intune to remediate the vulnerability, guided by the details provided in the task.
+- Steps for remediation
-With successful remediation, the Intune admin sets the security task to **Complete Task**. This status displays in Intune and is passed back to Defender for Endpoint, where security admins can confirm the revised status for the vulnerability.
+Intune admins can view a security task and then choose to accept or reject it. For accepted tasks, the admin follows the guidance provided to use Intune for remediation. Once the remediation is successful, the admin sets the task to **Complete Task**, which updates its status in both Intune and Defender for Endpoint where security admins can verify the revised status of the vulnerability.
-**About security tasks**:
+### Types of security tasks
Each security task has a *Remediation Type*:
+- Application: For example, Microsoft Defender for Endpoint finds a vulnerability in an app like *Contoso Media Player v4*. An admin creates a task to update the app, which might involve applying a security update or installing a new version.
+- Configuration: For instance, if devices lack protection from *Potentially Unwanted Applications* (PUA), an admin creates a task to configure the setting in the Microsoft Defender Antivirus profile.
-- **Application** – An application is identified that has a vulnerability or issue you can mitigate with Intune. For example, Microsoft Defender for Endpoint identifies a vulnerability for an app named *Contoso Media Player v4*, and an admin creates a security task to update that app. The Contoso Media player is an unmanaged app that was deployed with Intune, and there could be a security update or newer version of an application that resolves the issue.
-
-- **Configuration** – Vulnerabilities or risks in your environment can be mitigated through use of Intune endpoint security policies. For example, Microsoft Defender for Endpoint identifies that devices lack protection from *Potentially Unwanted Applications* (PUA). An admin creates a security task for this issue, which identifies a mitigation of configuring the setting **Action to take on potentially unwanted apps** as part of the Microsoft Defender Antivirus profile for Antivirus policy.
+When Intune doesn’t support implementation of a suitable remediation, Microsoft Defender for Endpoint doesn't create a security task.
- When a configuration issue doesn't have a plausible remediation that Intune can provide, Microsoft Defender for Endpoint doesn't create a security task for it.
+### Remediation actions
-**Remediation actions**:
+Common security task remediations include:
-Common remediation actions include:
-
-- **Block** an application from being run.
+- **Block** an application from running.
- **Deploy** an operating system update to mitigate the vulnerability.
- **Deploy** endpoint security policy to mitigate the vulnerability.
- **Modify** a registry value.
- **Disable** or **Enable** a configuration to affect the vulnerability.
-- **Require Attention** alerts the admin to the threat when there's no suitable recommendation to provide.
-
-**Workflow example**:
-
-The following example demonstrates the workflow of discovering an application vulnerability to remediation. This same general workflow applies for configuration issues:
-
-- A Microsoft Defender for Endpoint scan identifies a vulnerability for an app named Contoso Media Player v4, and an admin creates a security task to update that app. The Contoso Media player is an unmanaged app that wasn't deployed with Intune.
-
- This security task appears in the Microsoft Intune admin center with a status of Pending:
-
- ![View the list of security tasks in the Intune admin center](./media/atp-manage-vulnerabilities/temp-security-tasks.png)
+- **Require Attention**, which alerts the admin when no suitable recommendation is available.
-- The Intune admin selects the security task to view details about the task. The admin then selects **Accept**, which updates the status in Intune, and in Defender for Endpoint to be *Accepted*.
+### Workflow Example
- ![Accept or reject a security task](./media/atp-manage-vulnerabilities/temp-accept-task.png)
+Following is an example of the workflow for discovering and remediating an application vulnerability:
-- The admin then remediates the task based on the guidance provided. The guidance varies depending on the type of remediation needed. When available, remediation guidance includes links that open relevant panes for configurations in Intune.
-
- Because the media player in this example isn't a managed app, Intune can only provide text instructions. For a managed app, Intune could provide instructions to download an updated version, and provide a link to open the deployment for the app so that the updated files can be added to the deployment.
-
-- After remediation is complete, the Intune admin opens the security task and selects **Complete Task**. The remediation status is updated for Intune and in Defender for Endpoint, where security admins confirm the revised status for the vulnerability.
+- A Microsoft Defender for Endpoint scan identifies a vulnerability in the app Contoso Media Player v4, which is an unmanaged app that isn't deployed by Intune. An admin creates a security task to update the app.
+- The security task appears in the Microsoft Intune admin center with a status of **Pending**.
+- The Intune admin views the task details and selects **Accept**, which changes the status of the task to Accepted in both Intune and Defender for Endpoint.
+- The admin follows the remediation guidance provided. For managed apps, Intune might include instructions or links to update the app. For unmanaged apps, Intune can only provide text instructions.
+- After addressing the vulnerability, the Intune admin marks the task as **Complete Task*. This action updates the status in both Intune and Defender for Endpoint, where security admins confirm the remediation is successful and complete.
## Prerequisites
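Review bot: the new workflow's last step has broken bold markup, `marks the task as **Complete Task*.` opens with `**` and closes with a single `*`, so it will render as a stray asterisk; it should be `**Complete Task**.` Also in this hunk: the new H1 writes the product as "Microsoft Defender for endpoint" (lowercase "endpoint") while every other line, including the new first paragraph, uses "Microsoft Defender for Endpoint", so the title should match. The new subheading "### Workflow Example" uses title case where the sibling headings added in the same hunk ("### Types of security tasks", "### Remediation actions") use sentence case. Two screenshots are removed (`temp-security-tasks.png` and `temp-accept-task.png`); if nothing else references them, the media files under `./media/atp-manage-vulnerabilities/` should be deleted in the same change. Minor: "Microsoft Defender for Endpoint doesn’t create a security task" uses a curly apostrophe where the rest of the file uses a straight one.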
@@ -102,29 +88,23 @@ The following example demonstrates the workflow of discovering an application vu
- Microsoft Intune Plan 1
- Microsoft Defender for Endpoint ([Sign up for a free trial](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-main-abovefoldlink).)
-**Intune configurations for Defender for Endpoint**:
-
-- Configure a service-to-service connection with Microsoft Defender for Endpoint.
-- Deploy a device configuration policy with a profile type of **Microsoft Defender for Endpoint (desktop devices running Windows 10 or later)** to devices that use Microsoft Defender for Endpoint to assess risk.
+Intune configurations for Defender for Endpoint:
+- Configure a [service-to-service connection](/mem/intune/protect/advanced-threat-protection-configure#connect-microsoft-defender-for-endpoint-to-intune) with Microsoft Defender for Endpoint.
+- Deploy an Intune policy that configures settings for **Microsoft Defender for Endpoint** to devices to assess risk.
- For information about how to set up Intune to work with Defender for Endpoint, see [Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune](advanced-threat-protection-configure.md#connect-microsoft-defender-for-endpoint-to-intune).
## Work with security tasks
-Before you can work with security tasks, they must be created from within the Defender Security Center. For information on using the Microsoft Defender Security Center to create security tasks, see [Remediate vulnerabilities with threat and vulnerability management](/microsoft-365/security/defender-endpoint/tvm-remediation?view=o365-worldwide&preserve-view=true#request-remediation) in the Defender for Endpoint documentation.
+Before you manage security tasks, they must be created within the Defender Security Center. For detailed instructions, see the Defender for Endpoint documentation on [remediating vulnerabilities](/microsoft-365/security/defender-endpoint/tvm-remediation?view=o365-worldwide&preserve-view=true#request-remediation).
To manage security tasks:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Endpoint security** > **Security tasks**.
-
-3. Select a task from the list to open a resource window that displays more details for that security task.
-
- While viewing the security task resource window, you can select additional links:
-
+3. Choose a security task to view its details. In the task window, you can select additional links, including:
- MANAGED APPS - View the app that is vulnerable. When the vulnerability applies to multiple apps, Intune displays a filtered list of apps.
- - DEVICES - View a list of the *Vulnerable devices*, from which you can link through to an entry with more details for the vulnerability on that device.
+ - DEVICES - View a list of the *Vulnerable devices* from which you can link through to an entry with more details for the vulnerability on that device.
- REQUESTOR - Use the link to send mail to the admin who submitted this security task.
- NOTES - Read custom messages submitted by the requestor when opening the security task.
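Review bot: the rewritten prerequisite "Deploy an Intune policy that configures settings for **Microsoft Defender for Endpoint** to devices to assess risk" is vaguer than the line it replaces, which named the exact profile type ("Microsoft Defender for Endpoint (desktop devices running Windows 10 or later)"). An admin reading the prerequisites can no longer tell which policy type to create; either keep the profile name or link to the section of `advanced-threat-protection-configure.md` that names it. Smaller point: "Intune configurations for Defender for Endpoint:" is now directly followed by the list with no blank line, unlike the other lists in this file.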
@@ -132,16 +112,12 @@ To manage security tasks:
5. After accepting a task, reopen the security task (if it closed), and follow the REMEDIATION details to remediate the vulnerability. The instructions provided by Defender for Endpoint in the security task details vary depending on the vulnerability involved.
- When it's possible to do so, the remediation instructions include links that open the relevant configuration objects in the Microsoft Intune admin center.
-
6. After completing the remediation steps, open the security task and select **Complete Task**. This action updates the security task status in both Intune and Defender for Endpoint.
-After remediation is successful, the risk exposure score in Defender for Endpoint can drop, based on new information from the remediated devices.
-
-## Next Steps
-
-Learn more about Intune and [Microsoft Defender for Endpoint](advanced-threat-protection.md).
+Successful remediation can reduce the risk exposure score in Defender for Endpoint based on subsequent status updates from the remediated devices.
-Review Intune [Mobile Threat Defense](mobile-threat-defense.md).
+## Related content
-Review the [Threat & Vulnerability Management dashboard](/windows/security/threat-protection/windows-defender-atp/tvm-dashboard-insights) in Microsoft Defender for Endpoint.
+- Learn more about Intune and [Microsoft Defender for Endpoint](advanced-threat-protection.md).
+- Review Intune [Mobile Threat Defense](mobile-threat-defense.md).
+- Review the [Threat & Vulnerability Management dashboard](/windows/security/threat-protection/windows-defender-atp/tvm-dashboard-insights) in Microsoft Defender for Endpoint.
diff --git a/memdocs/intune/protect/better-mobile-threat-defense-connector.md b/memdocs/intune/protect/better-mobile-threat-defense-connector.md
index 19a653dbe0a..6835606eab1 100644
--- a/memdocs/intune/protect/better-mobile-threat-defense-connector.md
+++ b/memdocs/intune/protect/better-mobile-threat-defense-connector.md
@@ -63,9 +63,12 @@ The Better Mobile app is installed and run on mobile devices. This app captures
- Microsoft Intune Plan 1 subscription
- Better Mobile Threat Defense subscription
+
+
## Sample scenarios
Here are some common scenarios.
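Review bot: this hunk only inserts two consecutive blank lines before "## Sample scenarios", which is whitespace noise rather than a content change and is the kind of thing markdown lint rules flag as multiple consecutive blank lines. Suggest dropping the hunk, or reducing it to the single blank line used before other headings in this file.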
diff --git a/memdocs/intune/protect/certificates-imported-pfx-configure.md b/memdocs/intune/protect/certificates-imported-pfx-configure.md
index f1c6b12b307..12a66ea0078 100644
--- a/memdocs/intune/protect/certificates-imported-pfx-configure.md
+++ b/memdocs/intune/protect/certificates-imported-pfx-configure.md
@@ -225,7 +225,7 @@ For more information about other available commands, see the readme file at [PFX
## Create a PKCS imported certificate profile
-After importing the certificates to Intune, create a **PKCS imported certificate** profile, and assign it to Microsoft Entra groups.
+After importing the certificates to Intune, create a **PKCS imported certificate** profile, and assign it to Microsoft Entra groups.
> [!NOTE]
> After you create a PKCS imported certificate profile, the **Intended Purpose** and **Key storage provider** (KSP) values in the profile are read-only and can't be edited. If you need a different value for either of these settings, create and deploy a new profile.
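Review bot: the `-`/`+` pair for "After importing the certificates to Intune, create a **PKCS imported certificate** profile..." shows no visible difference, so this is presumably a trailing-whitespace or double-space fix. Fine to keep, but it is worth confirming in the raw diff that the change is intentional and not an accidental editor artifact.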
@@ -248,7 +248,7 @@ After importing the certificates to Intune, create a **PKCS imported certificate
7. In **Configuration settings**, enter the following properties:
- - **Intended purpose**: Specify the intended purpose of the certificates that are imported for this profile. Administrators can import certificates with different intended purposes (like S/MIME signing or S/MIME encryption). The intended purpose selected in the certificate profile matches the certificate profile with the right imported certificates. Intended purpose is a tag to group imported certificates together and doesn't guarantee that certificates imported with that tag will meet the intended purpose.
+ - **Intended purpose**: Specify the intended purpose of the certificates that are imported for this profile. Administrators can import certificates with different intended purposes (like S/MIME signing or S/MIME encryption). The intended purpose selected in the certificate profile matches the certificate profile with the right imported certificates. Intended purpose is a tag to group imported certificates together and doesn't guarantee that certificates imported with that tag will meet the intended purpose. When multiple certificates are imported for a single user, Intune selects the imported certificate that has the most recent certificate start date and time in case there is more than one certificate with the same intended purpose.
- **Key storage provider (KSP)**: For Windows, select where to store the keys on the device.
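Review bot: the sentence added to the **Intended purpose** bullet states its condition twice and reads awkwardly: "When multiple certificates are imported for a single user, Intune selects the imported certificate that has the most recent certificate start date and time in case there is more than one certificate with the same intended purpose." Suggest: "If more than one certificate with the same intended purpose is imported for a user, Intune deploys the one with the most recent start date and time." Since this selection rule is what decides which imported certificate a user actually receives, it also deserves its own line rather than being appended to the paragraph about the tag not guaranteeing purpose.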
diff --git a/memdocs/intune/protect/certificates-pfx-configure.md b/memdocs/intune/protect/certificates-pfx-configure.md
index 06c5940cecb..dcfb48092df 100644
--- a/memdocs/intune/protect/certificates-pfx-configure.md
+++ b/memdocs/intune/protect/certificates-pfx-configure.md
@@ -5,7 +5,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 10/01/2024
+ms.date: 11/19/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: protect
@@ -16,7 +16,7 @@ ms.localizationpriority: high
#ROBOTS:
#audience:
-ms.reviewer: lacranda
+ms.reviewer: sheetg
ms.suite: ems
search.appverid: MET150
#ms.tgt_pltfrm:
@@ -303,17 +303,18 @@ For guidance, see [Install and configure the Certificate Connector for Microsoft
|Setting | Platform | Details |
|------------|------------|------------|
- |**Renewal threshold (%)** |
Use a validity period of five days or up to 24 months. When the validity period is less than five days, there's a high likelihood of the certificate entering a near-expiry or expired state, which can cause the MDM agent on devices to reject the certificate before it’s installed. |
- |**Key storage provider (KSP)** |
This selection affects the Subject name format. |
- |**Subject name format** |
For the following platforms, the Subject name format is determined by the certificate type:
You can use variables or static text for the SAN of both certificate types. Use of a variable isn't required.
For more information, see [Subject name format](#subject-name-format) later in this article.|
+ |**Deployment channel**|macOS|Select how you want to deploy the profile. This setting also determines the keychain where the linked certificates are stored, so it's important to select the proper channel.
Always select the user deployment channel in profiles with user certificates. The user channel stores certificates in the user keychain. Always select the device deployment channel in profiles with device certificates. The device channel stores certificates in the system keychain.
It's not possible to edit the deployment channel after you deploy the profile. You must create a new profile to select a different channel.
+ |**Renewal threshold (%)** |All |Recommended is 20% |
+ |**Certificate validity period** |All |If you didn't change the certificate template, this option might be set to one year.
Use a validity period of five days or up to 24 months. When the validity period is less than five days, there's a high likelihood of the certificate entering a near-expiry or expired state, which can cause the MDM agent on devices to reject the certificate before it’s installed. |
+ |**Key storage provider (KSP)** |Windows 10/11 |For Windows, select where to store the keys on the device. |
+ |**Certification authority** |All |Displays the internal fully qualified domain name (FQDN) of your Enterprise CA. |
+ |**Certification authority name** |All |Lists the name of your Enterprise CA, such as "Contoso Certification Authority." |
+ |**Certificate template name** |All |Lists the name of your certificate template. |
+ |**Certificate type** |
This selection affects the Subject name format.
For macOS, if this profile is configured to use the device deployment channel, you can select **User** or **Device**. If the profile is configured to use the user deployment channel, you can select only **User**. |
+ |**Subject name format** |All |For details on how to configure the subject name format, see [Subject name format](#subject-name-format) later in this article.
For the following platforms, the Subject name format is determined by the certificate type:
You can use variables or static text for the SAN of both certificate types. Use of a variable isn't required.
For more information, see [Subject name format](#subject-name-format) later in this article.|
|**Extended key usage** |
For more information on this setting, see *AllowAllAppsAccess* the Certificate Payload section of [Configuration Profile Reference](https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf) in the Apple developer documentation. |
+ |**Allow all apps access to private key** |macOS |Set to **Enable** to give apps that are configured for the associated mac device access to the PKCS certificate's private key.
For more information on this setting, see *AllowAllAppsAccess* the Certificate Payload section of [Configuration Profile Reference](https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf) in the Apple developer documentation. |
|**Root Certificate** |
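Review bot: the new **Allow all apps access to private key** row should call out the security consequence of the setting, since **Enable** grants every app on the device access to the certificate's private key; the row currently describes the mechanics only. In the same row, "associated mac device" should be "associated Mac device". The new **Renewal threshold (%)** row's "Recommended is 20%" reads oddly against the other rows; "Recommended: 20%" or "20% is recommended" fits the table style. The new **Deployment channel** row's guidance (user channel for user certificates, device channel for device certificates, not editable after deployment) is clear and is the most useful addition in this hunk.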
CAs created with a licensed Intune Suite or Cloud PKI Standalone Add-on automatically use HSM signing and encryption keys. No Azure subscription is required for Azure HSM. |
|Software Keys (signing and encryption) |CAs created during a trial period of Intune Suite or Cloud PKI standalone Add-on use software-backed signing and encryption keys using `System.Security.Cryptography.RSA`. |
| Certificate registration authority | Providing a Cloud Certificate Registration Authority supporting Simple Certificate Enrollment Protocol (SCEP) for each Cloud PKI Issuing CA.|
-|Certificate Revocation List (CRL) distribution points | Intune hosts the CRL distribution point (CDP) for each CA.
The CRL validity period is seven days. Publishing and refresh happens every 3.5 days. The CRL is updated with every certificate revocation. |
+|Certificate Revocation List (CRL) distribution points | Intune hosts the CRL distribution point (CDP) for each CA.
The CRL validity period is seven days. Publishing and refresh happen every 3.5 days. The CRL is updated with every certificate revocation. |
|Authority Information Access (AIA) end points | Intune hosts the AIA endpoint for each Issuing CA. The AIA endpoint can be used by relying parties to retrieve parent certificates. |
| End-entity certificate issuance for users and devices | Also referred to as *leaf certificate* issuance. Support is for the SCEP (PKCS#7) protocol and certification format, and Intune-MDM enrolled devices supporting the SCEP profile. |
| Certificate life-cycle management | Issue, renew, and revoke end-entity certificates. |
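Review bot: the grammar fix "Publishing and refresh happen every 3.5 days" is correct. While the CRL row is being edited, consider clarifying the relationship between the three statements in it (seven-day validity, 3.5-day refresh, update on every revocation), because a reader may conclude that a revocation is visible to relying parties immediately, whereas the validity period governs how long an already fetched CRL remains acceptable to them.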
@@ -94,39 +94,48 @@ The following table lists the features and scenarios supported with Microsoft Cl
## Architecture
-Microsoft Cloud PKI is made up of several key components working together to simplify the complexity and management of a public key infrastructure; a Cloud PKI service for creating and hosting certification authorities, combined with a certificate registration authority to automatically service incoming certificate requests from Intune-enrolled devices. The registration authority supports the Simple Certificate Enrollment Protocol (SCEP).
+Microsoft Cloud PKI is made up of several key components working together to simplify the complexity and management of a public key infrastructure. It includes a Cloud PKI service for creating and hosting certification authorities, combined with a certificate registration authority to automatically service incoming certificate requests from Intune-enrolled devices. The registration authority supports the Simple Certificate Enrollment Protocol (SCEP).
> [!div class="mx-imgBorder"]
-> ![Drawing of the Microsoft Cloud PKI architecture.](./media/microsoft-cloud-pki/microsoft-cloud-pki-architecture.png)
+> ![Drawing of the Microsoft Cloud PKI architecture.](./media/microsoft-cloud-pki/architecture-flow.png)
+`*` See **Components** for a breakdown of services.
**Components**:
* A - Microsoft Intune
* B - Microsoft Cloud PKI services
- * B.1 - Microsoft Cloud PKI service
- * B.2 - Microsoft Cloud PKI SCEP service
- * B.3 - Microsoft Cloud PKI SCEP validation service
+ * B1 - Microsoft Cloud PKI service
+ * B2 - Microsoft Cloud PKI SCEP service
+ * B3 - Microsoft Cloud PKI SCEP validation service
- The *certificate registration authority* makes up B.2 and B.3 in the diagram.
+ The *certificate registration authority* makes up B2 and B3 in the diagram.
These components replace the need for an on-premises certificate authority, NDES, and Intune certificate connector.
**Actions**:
-Before the device checks in to the Intune service, an Intune administrator or Intune role with permissions to manage the Microsoft Cloud PKI service must:
+Before the device checks in to the Intune service, an Intune administrator or Intune role with permissions to manage the Microsoft Cloud PKI service must complete the following actions:
* Create the required Cloud PKI certification authority for the root and issuing CAs in Microsoft Intune.
-* Create and assign the required trust certificate profiles for the root and issuing CAs. This flow isn't shown in the diagram.
-* Create and assign the required platform-specific SCEP certificate profiles. This flow isn't shown in the diagram.
+* Create and assign the required trust certificate profiles for the root and issuing CAs.
+* Create and assign the required platform-specific SCEP certificate profiles.
+
+These actions require components B1, B2, and B3.
> [!NOTE]
> A Cloud PKI Issuing Certification Authority is required to issue certificates for Intune managed devices. Cloud PKI provides a SCEP service that acts as a Certificate Registration Authority. The service requests certificates from the Issuing CA on behalf of Intune-managed devices using a SCEP profile.
-1. A device checks in with the Intune service and receives the trusted certificate and SCEP profiles.
-2. Based on the SCEP profile, the device creates a certificate signing request (CSR). The private key is created on the device, and never leaves the device. The CSR and the SCEP challenge are sent to the SCEP service in the cloud (SCEP URI property in the SCEP profile). The SCEP challenge is encrypted and signed using the Intune SCEP RA keys.
-3. The SCEP validation service verifies the CSR against the SCEP challenge (*shown as B.3 in diagram*). Validation ensures the request comes from an enrolled and managed device. It also ensures the Challenge is untampered, and that it matches the expected values from the SCEP profile. If any of these checks fail, the certificate request is rejected.
-4. After the CSR is validated, the SCEP validation service, also known as the *registration authority*, requests that the issuing CA signs the CSR (*shown as B.1 in diagram*).
-5. The signed certificate is delivered to the Intune MDM-enrolled device.
+The flow continues with the following actions, shown in the diagram as A1 through A5:
+
+A1. A device checks in with the Intune service and receives the trusted certificate and SCEP profiles.
+
+A2. Based on the SCEP profile, the device creates a certificate signing request (CSR). The private key is created on the device, and never leaves the device. The CSR and the SCEP challenge are sent to the SCEP service in the cloud (SCEP URI property in the SCEP profile). The SCEP challenge is encrypted and signed using the Intune SCEP RA keys.
+
+A3. The SCEP validation service verifies the CSR against the SCEP challenge. Validation ensures the request comes from an enrolled and managed device. It also ensures the challenge is untampered, and that it matches the expected values from the SCEP profile. If any of these checks fail, the certificate request is rejected.
+
+A4. After the CSR is validated, the SCEP validation service, also known as the *registration authority*, requests that the issuing CA signs the CSR.
+
+A5. The signed certificate is delivered to the Intune MDM-enrolled device.
>[!NOTE]
> The SCEP challenge is encrypted and signed using the Intune SCEP registration authority keys.
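Review bot: the trailing [!NOTE] at the end of this hunk restates the last sentence of A2 ("The SCEP challenge is encrypted and signed using the Intune SCEP RA keys"); keep one of the two, and if the note stays, spell out "registration authority (RA)" once so A2 and the note use the same term. Also confirm the diagram now labels the steps A1 through A5: the "(shown as B.3 in diagram)" and "(shown as B.1 in diagram)" callouts were dropped from A3 and A4, and if the image still uses B.1/B.3 the new intro sentence will not match it. Note that "A1." is not a markdown list marker, so these render as plain paragraphs rather than a numbered list, which is fine as long as that is intended.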
@@ -161,7 +170,7 @@ During the trial period, you can create up to six CAs in your tenant. Cloud PKI
## CA configuration examples
-Two-tier Cloud PKI root & issuing CAs, and bring-your-own CAs can coexist in Intune. You can use the following configurations, provided as examples, to create CAs in Microsoft Cloud PKI:
+Two-tier Cloud PKI root & issuing CAs, and bring-your-own CAs can coexist in Intune. You can use the following configurations, provided as examples, to create CAs in Microsoft Cloud PKI:
* One root CA with five issuing CAs
* Three root CAs with one issuing CA each
@@ -179,4 +188,4 @@ For the latest changes and additions, see [What's new in Microsoft Intune](../fu
* Cloud PKI Root CA
* Cloud PKI Issuing CA
* BYOCA Issuing CA
-* In the admin center, when you select **View all certificates** for an issuing CA, Intune only shows the first 1000 issued certificates. We're actively working to address this limitation. As a workaround, go to **Devices** > **Monitor**. Then select **Certificates** to view all issued certificates.
+* In the admin center, when you select **View all certificates** for an issuing CA, Intune only shows the first 1,000 issued certificates. We're actively working to address this limitation. As a workaround, go to **Devices** > **Monitor**. Then select **Certificates** to view all issued certificates.
diff --git a/memdocs/intune/protect/microsoft-tunnel-conditional-access.md b/memdocs/intune/protect/microsoft-tunnel-conditional-access.md
index 1b95225dfd6..cb8227603f5 100644
--- a/memdocs/intune/protect/microsoft-tunnel-conditional-access.md
+++ b/memdocs/intune/protect/microsoft-tunnel-conditional-access.md
@@ -54,7 +54,7 @@ Before you can configure Conditional Access policies for the tunnel, you must en
If you'll use Conditional Access policy to limit user access, we recommend configuring this policy after you provision your tenant to support the Microsoft Tunnel Gateway cloud app, but before you install the Tunnel Gateway.
-1. Sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Endpoint Security** > **Conditional access** > **Create new policy**. The admin center presents the Microsoft Entra interface for creating conditional access policies.
+1. Sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Endpoint Security** > **Conditional Access** > **Create new policy**. The admin center presents the Microsoft Entra interface for creating Conditional Access policies.
2. Specify a name for this policy.
diff --git a/memdocs/intune/protect/microsoft-tunnel-configure.md b/memdocs/intune/protect/microsoft-tunnel-configure.md
index 4b1fe3e74dc..4fe5c7c6800 100644
--- a/memdocs/intune/protect/microsoft-tunnel-configure.md
+++ b/memdocs/intune/protect/microsoft-tunnel-configure.md
@@ -130,9 +130,9 @@ However, if you plan to install the Microsoft Tunnel Gateway to a rootless Podma
- Download the tool directly by using a web browser. Go to
NOTE: Management names won't automatically populate for Android Enterprise dedicated, fully managed, and corporate-owned with work profile devices that were enrolled before November 2021. However, the admin may still edit the management name.|
|UDID|The device's Unique Device identifier.|macOS, iOS|
|Intune Device ID|A GUID that uniquely identifies the device.|Windows, macOS, iOS, Android|
-|Serial number|The device's serial number from the manufacturer.|Windows, macOS, iOS, iPadOS, Android
Intune doesn't display serial number for Android personally owned work profile devices running Android 12 and newer.|
+|Serial number|The device's serial number from the manufacturer.|Windows, macOS, iOS, iPadOS, Android
NOTE: Intune might not be able to display the serial number for personally owned work profile devices running Android 12 and newer due to platform limitations.|
|Shared device|If **Yes**, the device is shared by more than one user.|Windows, iOS|
|User approved enrollment|If **Yes**, then the device has user approved enrollment that lets admins manage certain security settings on the device.|Windows, iOS|
|Operating system|The operating system used on the device.|Windows, macOS, iOS, Android|
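Review bot: the `NOTE:` prefix in the new Serial number cell is plain text, while the Wi-Fi MAC row further down in the same table uses `**NOTE**:`; pick one style for the table. The substantive change (from "doesn't display" to "might not be able to display … due to platform limitations") softens a definitive statement; if the serial number is in fact never reported for personally owned work profile devices on Android 12 and newer, the old wording is more useful to admins who key inventory or compliance decisions on it, so confirm the behaviour is actually intermittent before hedging.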
@@ -96,8 +96,8 @@ Depending on the carrier used by the devices, not all details might be collected
| PowerPrecision Battery Charge Cycles Consumed | Number of full charge cycles consumed as determined by Zebra (PowerPrecision batteries only). | Android |
| Last Battery Check-in | Date of last check-in for battery last found in the device as determined by Zebra (PowerPrecision and PowerPrecision+ batteries only). | Android |
| Battery Serial Number | Serial number of the battery pack last found in the device as determined by Zebra (PowerPrecision and PowerPrecision+ batteries only). | Android |
-|IMEI|The device's International Mobile Equipment Identity.|Windows, iOS/iPadOS, Android
NOTE: Intune doesn't display IMEI for Android personally owned work profile devices running Android 12 and newer|
-|MEID|The device's mobile equipment identifier.|Windows, iOS/iPadOS, Android
NOTE: Intune doesn't display MEID for Android personally owned work profile devices running Android 12 and newer|
+|IMEI|The device's International Mobile Equipment Identity.|Windows, iOS/iPadOS, Android
NOTE: Intune might not be able to display IMEI for personally owned work profile devices running Android 12 and newer due to platform limitations.|
+|MEID|The device's mobile equipment identifier.|Windows, iOS/iPadOS, Android
NOTE: Intune might not be able to display MEID for personally owned work profile devices running Android 12 and newer due to platform limitations.|
|Manufacturer|The manufacturer of the device.|Windows, macOS, iOS/iPadOS, Android|
|Model|The model of the device.|Windows, macOS, iOS/iPadOS, Android|
|Phone number|The phone number assigned to the device.|Windows, iOS/iPadOS, Android
NOTE: Reporting for phone number isn't supported for Android Enterprise corporate-owned work profile devices. For Android Enterprise fully managed and dedicated devices, reporting for phone number is supported; however, certain SIM cards won't write the data and therefore the phone number isn't reported in such cases.|
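Review bot: the IMEI and MEID cells now carry the same hedged sentence as the Serial number row; since all three hinge on the same Android 12 and newer platform restriction, consider a single note under the table rather than three copies, and use the same `**NOTE**:` style as the Wi-Fi MAC row. The platform column for both rows still reads "Windows, iOS/iPadOS, Android" without qualification even though the note excludes personally owned work profile devices; the ICCID row in the next hunk qualifies its platform list, so the rows should follow one pattern.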
@@ -105,7 +105,7 @@ Depending on the carrier used by the devices, not all details might be collected
|Cellular technology|The radio system used by the device.|Windows, iOS/iPadOS, Android|
|Wi-Fi MAC|The device's Media Access Control address.|Windows, macOS, iOS/iPadOS, Android
**NOTE**: As of October 2021, Intune doesn't display Wi-Fi MAC addresses for newly enrolled personally owned work profile devices and devices managed with device administrator running Android 9 and later. |
|Ethernet MAC|The primary Ethernet MAC address for the device. For macOS devices with no ethernet, the device reports the Wi-Fi MAC address.|macOS|
-|ICCID|The Integrated Circuit Card Identifier, which is a SIM card's unique identification number.|Windows, iOS/iPadOS, Android
ICCID isn't inventoried on Android Enterprise Dedicated, Fully Managed, or Corporate-Owned Work Profile devices.|
+|ICCID|The Integrated Circuit Card Identifier, which is a SIM card's unique identification number.|Windows, iOS/iPadOS, Android BYOD, Android Enterprise Dedicated, Android Fully Managed
**Note**:Reporting for ICCID isn't supported for Android Enterprise corporate-owned work profile devices. For Android Enterprise fully managed and dedicated devices, reporting for ICCID is supported; however, certain SIM cards won't write the data and therefore the ICCID isn't reported in such cases.|
|EID|The eSIM identifier, which is a unique identifier for the embedded SIM (eSIM) for cellular devices that have an eSIM.|iOS/iPadOS|
|Wi-Fi IPv4 address|The device's IPv4 address.|Windows, Android Enterprise fully managed, dedicated and corp-owned work profiles.
**NOTE**: Any change to IPv4 or subnet ID may take up to 8 hours to reflect in Intune admin center from the time that network changes on device.|
|Wi-Fi subnet ID|The device's subnet ID.|Android Enterprise fully managed, dedicated and corp-owned work profiles.
**NOTE**: Any change to IPv4 or subnet ID may take up to 8 hours to reflect in Intune admin center from the time that network changes on device.|
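Review bot: the ICCID row reverses the previous statement rather than rewording it: the old cell said ICCID isn't inventoried on Dedicated, Fully Managed, or Corporate-Owned Work Profile devices, the new cell says it is supported on fully managed and dedicated devices (subject to SIM cards not writing the data). That is a behavioural claim and needs a source (a product change or a confirmed test) in the PR description. Also fix `**Note**:Reporting` (missing space after the colon, and `Note` versus the `**NOTE**` used elsewhere in the table), and "Android BYOD" in the platform column is not the term the rest of the table uses, which is "personally owned work profile".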
@@ -125,13 +125,13 @@ Depending on the carrier used by the devices, not all details might be collected
> [!NOTE]
>
-- For Windows 10 devices that are registered with [Windows Autopilot service](/autopilot/add-devices), Enrolled date displays the time when devices were registered with Autopilot instead of the time when they were enrolled.
-- For Android Enterprise corporate-owned work profile devices, reporting for phone number is not supported. For Android Enterprise fully managed and dedicated devices, reporting for phone number is supported; however, certain SIM cards will not write the data and therefore the phone number won't get reported in those cases.
-- For multi-SIM iOS/iPadOS devices, Intune has no control over which SIM data is assigned to the Service Subscription slots on the device for the ICCID, IMEI, MEID, and Phone number values. Intune only reports the first available values received from the device in the following order:
- - CT Subscription Slot One
- - CT Subscription Slot Two
- - Top-level ICCID, IMEI, MEID, and Phone number properties (deprecated)
-
+ > - For Windows 10 devices that are registered with [Windows Autopilot service](/autopilot/add-devices), Enrolled date displays the time when devices were registered with Autopilot instead of the time when they were enrolled.
+ > - For Android Enterprise corporate-owned work profile devices, reporting for phone number is not supported. For Android Enterprise fully managed and dedicated devices, reporting for phone number is supported; however, certain SIM cards will not write the data and therefore the phone number won't get reported in those cases.
+ > - For multi-SIM iOS/iPadOS devices, Intune has no control over which SIM data is assigned to the Service Subscription slots on the device for the ICCID, IMEI, MEID, and Phone number values. Intune only reports the first available values received from the device in the following order:
+ > - CT Subscription Slot One
+ > - CT Subscription Slot Two
+ > - Top-level ICCID, IMEI, MEID, and Phone number properties (deprecated)
+
## Next steps
See what else you can do to [manage your devices](device-management.md) with Intune.
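Review bot: the nesting of the three "CT Subscription Slot" items under the multi-SIM bullet is lost in the new lines: ` > - CT Subscription Slot One` sits at the same level as its parent, so the ordered preference list renders as three unrelated bullets. Indent them inside the blockquote, for example `>   - CT Subscription Slot One`. The added lines also begin with a space before `>`, and the final `+` line carries trailing whitespace; both render, but they trip markdown linters.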
diff --git a/memdocs/intune/remote-actions/device-locate.md b/memdocs/intune/remote-actions/device-locate.md
index 4d7d081bce2..e325a91e655 100644
--- a/memdocs/intune/remote-actions/device-locate.md
+++ b/memdocs/intune/remote-actions/device-locate.md
@@ -69,6 +69,9 @@ You need to enable Windows location services in Windows Out of Box Experience (O
- Windows Holographic for Business
- Windows Phone
+> [!NOTE]
+> The locate device capability (excluding the lost device sound alert) is not supported on GCC High environments.
+
## Locate a lost or stolen device
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
diff --git a/memdocs/intune/remote-actions/device-management.md b/memdocs/intune/remote-actions/device-management.md
index 22fe7967a19..993ab0cb676 100644
--- a/memdocs/intune/remote-actions/device-management.md
+++ b/memdocs/intune/remote-actions/device-management.md
@@ -74,7 +74,7 @@ This article shows you how to see the available remote actions, and lists some o
- **By platform**: View lists of devices by the specific platform.
- **Enrollment**: Opens the enrollment page and lists the different enrollment options for each platform.
- - **Configuration**, **Compliance**, **Conditional access**: These options let you create new policies and view & update existing policies.
+ - **Configuration**, **Compliance**, **Conditional Access**: These options let you create new policies and view & update existing policies.
- **Device cleanup rules**: Automatically removes inactive devices from Intune. For more information, go to [Automatically delete devices with cleanup rules](devices-wipe.md#delete-devices-from-the-intune-admin-center).
- **Device categories**: Create [device categories](../enrollment/device-group-mapping.md) to help organize devices and build dynamic device groups.
- **Help and Support** provides a shortcut on troubleshooting tips, requesting support, or checking the status of Intune.
diff --git a/memdocs/intune/remote-actions/devices-wipe.md b/memdocs/intune/remote-actions/devices-wipe.md
index 1abf5f91df7..af131aa55e5 100644
--- a/memdocs/intune/remote-actions/devices-wipe.md
+++ b/memdocs/intune/remote-actions/devices-wipe.md
@@ -43,7 +43,7 @@ The **Wipe** device action restores a device to its factory default settings. Th
|**Wipe**| Checked | No | Wipes all MDM Policies. Keeps user accounts and data. Resets user settings back to default. Resets the operating system to its default state and settings.|
> [!NOTE]
-> The Wipe action is not available for iOS/iPadOS devices enrolled with User Enrollment. To create a User Enrollment profile: [Set up iOS/iPadOS and iPadOS User Enrollment](../enrollment/ios-user-enrollment.md)
+> The Wipe action is not available for iOS/iPadOS devices enrolled using Account Driven Apple User Enrollment. To create an Account Driven Apple User Enrollment profile, see [Set up iOS/iPadOS and iPadOS Account driven Apple User Enrollment](../enrollment/apple-account-driven-user-enrollment.md).
> [!NOTE]
> By design, Zebra has defined the Wipe action on any Android Zebra device to only remove corporate data from devices, and not perform a factory reset.
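Review bot: the new link text "Set up iOS/iPadOS and iPadOS Account driven Apple User Enrollment" still carries the redundant "iOS/iPadOS and iPadOS" from the old line, and the sentence mixes "Account Driven" with "Account driven"; use the target article's title and one casing. Consider also saying which action does apply to these devices (Retire is covered in this same file), since the note only says Wipe is unavailable.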
@@ -270,12 +270,15 @@ If you want to completely remove an Apple automated device enrollment (ADE) devi
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Choose **Devices** > **All devices** > choose the device > **Retire**.
-3. Visit [business.apple.com](http://business.apple.com) and search for the device by its serial number.
-4. Select the device, and then select **Release from Organization**.
+3. Visit [business.apple.com](http://business.apple.com), go to the **Devices** section, and search for the device by its serial number.
+4. Select the device, open the **...** menu, and then select **Release from Organization**.
-5. Check **I understand this cannot be undone**, and then select **Release**.
+5. Check **I understand this cannot be undone**, and then select **Continue**.
- ![Screenshot for Apple reassign](./media/devices-wipe/apple-reassign.png)
+ ![Screenshot for Apple reassign](./media/devices-wipe/ade-release-device.png)
+
+> [!NOTE]
+> In some cases, the iOS device must be restored with iTunes to apply this change. Please find further instructions from Apple [here](https://support.apple.com/guide/itunes/restore-to-factory-settings-itnsdb1fe305/windows).
## Device states
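Review bot: the new note uses "Please" and a bare "here" link, both of which the docs style avoids; use descriptive link text such as "Restore to factory settings" and drop "Please". Step 5 now ends with **Continue** instead of **Release**; if Apple Business Manager shows a further confirmation after Continue, the procedure is incomplete, so confirm Continue is the last click. Since apple-reassign.png is deleted and replaced by ade-release-device.png, check that no other article still references the removed image.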
diff --git a/memdocs/intune/remote-actions/media/devices-wipe/ade-release-device.png b/memdocs/intune/remote-actions/media/devices-wipe/ade-release-device.png
new file mode 100644
index 00000000000..cfe3295a072
Binary files /dev/null and b/memdocs/intune/remote-actions/media/devices-wipe/ade-release-device.png differ
diff --git a/memdocs/intune/remote-actions/media/devices-wipe/apple-reassign.png b/memdocs/intune/remote-actions/media/devices-wipe/apple-reassign.png
deleted file mode 100644
index 6f852126ca2..00000000000
Binary files a/memdocs/intune/remote-actions/media/devices-wipe/apple-reassign.png and /dev/null differ
diff --git a/memdocs/intune/remote-actions/remove-apps-config.md b/memdocs/intune/remote-actions/remove-apps-config.md
index aa3f0a01449..ce491bedcb0 100644
--- a/memdocs/intune/remote-actions/remove-apps-config.md
+++ b/memdocs/intune/remote-actions/remove-apps-config.md
@@ -102,7 +102,10 @@ This action aims to resolve the issues that customers face outside of Intune and
## Permissions for Remove apps and configurations
-**Permissions**: To use the **Remove apps and configuration** device action, you require a role based permission known as **Remote tasks: Change assignments**. Set the Permission to **yes** to enable the action. With the permission set to **Yes**, IT admins can initiate a **Change Assignments** action.
+**Permissions**: To use the **Remove apps and configuration** device action, you require the following permissions:
+
+ - **Organization: Read** permission is needed.
+ - **Remote tasks: Change assignments**. Set the Permission to **yes** to enable the action. With the permission set to **Yes**, IT admins can initiate a **Change Assignments** action.
The administrator can:
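Review bot: the two new list items are phrased inconsistently: the first ends with "permission is needed", the second states the permission name and then explains how to set it; align them (for example "**Organization: Read**" and "**Remote tasks: Change assignments**, set to **Yes**"), and use one casing for **yes**/**Yes**. The items are also indented by one space under the paragraph, which some renderers treat as a paragraph continuation rather than a list. Calling out **Organization: Read** is the right least-privilege detail to document; state explicitly that Read is sufficient and no other Organization permission is required.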
diff --git a/memdocs/intune/toc.yml b/memdocs/intune/toc.yml
index 6850eb4bfd6..9b3a7ab276a 100644
--- a/memdocs/intune/toc.yml
+++ b/memdocs/intune/toc.yml
@@ -34,7 +34,7 @@ items:
- name: What's new in the app UI
href: ./fundamentals/whats-new-app-ui.md
- name: Features in development
- href: ./fundamentals/in-development.md
+ href: ./fundamentals/in-development.md
- name: Important notices
href: ./fundamentals/whats-new.md#notices
- name: Public preview
@@ -44,7 +44,7 @@ items:
items:
- name: Walkthrough Intune admin center
href: ./fundamentals/tutorial-walkthrough-endpoint-manager.md
- displayName: trial, free
+ displayName: trial, free
- name: Try Intune tasks
items:
- name: Overview
@@ -55,51 +55,41 @@ items:
- name: Step 2 - Create a user and assign a license
href: ./fundamentals/quickstart-create-user.md
- name: Step 3 - Create a group
- href: ./fundamentals/quickstart-create-group.md
+ href: ./fundamentals/quickstart-create-group.md
- name: Step 4 - Set up automatic enrollment
href: ./enrollment/quickstart-setup-auto-enrollment.md
- name: Step 5 - Enroll your Windows device
href: ./enrollment/quickstart-enroll-windows-device.md
- name: Step 6 - Create a device compliance policy
- href: ./protect/quickstart-set-password-length-android.md
+ href: ./protect/quickstart-set-password-length-android.md
- name: Step 7 - Send notifications to noncompliant devices
- href: ./protect/quickstart-send-notification.md
+ href: ./protect/quickstart-send-notification.md
- name: Step 8 - Add and assign an app
- href: ./apps/quickstart-add-assign-app.md
+ href: ./apps/quickstart-add-assign-app.md
- name: Step 9 - Create and assign an app protection policy
- href: ./apps/quickstart-create-assign-app-policy.md
+ href: ./apps/quickstart-create-assign-app-policy.md
- name: Step 10 - Create and assign a custom role
- href: ./fundamentals/quickstart-create-custom-role.md
+ href: ./fundamentals/quickstart-create-custom-role.md
- name: Step 11 - Create a device profile
- href: ./configuration/quickstart-email-profile.md
+ href: ./configuration/quickstart-email-profile.md
- name: Try Intune scenarios
items:
- name: Protect email on managed devices
href: ./protect/tutorial-protect-email-on-enrolled-devices.md
- name: Protect email on unmanaged devices
href: ./protect/tutorial-protect-email-on-unmanaged-devices.md
- - name: Configure Slack to use Intune
+ - name: Configure Slack to use Intune
href: ./apps/tutorial-configure-slack-enterprise-grid.md
- - name: Set up just in time (JIT) registration
- href: ./enrollment/set-up-just-in-time-registration.md
+ - name: Set up just in time (JIT) registration
+ href: ./enrollment/set-up-just-in-time-registration.md
- - name: Use automated device enrollment to enroll iOS/iPadOS devices
+ - name: Use automated device enrollment to enroll iOS/iPadOS devices
href: ./enrollment/tutorial-use-device-enrollment-program-enroll-ios.md
- name: Create an ADMX template
href: ./configuration/tutorial-walkthrough-administrative-templates.md
- displayName: admx, administrative template, gpo, windows
+ displayName: admx, administrative template, gpo, windows
- - name: Microsoft Copilot + Intune
- items:
- - name: Copilot in Intune
- href: ./copilot/copilot-intune-overview.md
- - name: Troubleshoot a device using Copilot
- href: ./copilot/copilot-devices.md
- - name: FAQ
- href: ./copilot/copilot-intune-faq.md
- - name: Intune plugin in Copilot for Security
- href: ./copilot/security-copilot.md
- name: Plan
items:
- name: Planning guide
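Review bot: this hunk mixes whitespace-only re-indentation of existing entries with the removal of the whole "Microsoft Copilot + Intune" section (which is re-added further down in the file); separating the whitespace normalization from the content move would make the move reviewable. Because the `href` and `displayName` values here differ only in whitespace, confirm nothing else changed in those lines, as trailing-whitespace edits in toc.yml are easy to misread as path changes.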
@@ -115,7 +105,7 @@ items:
href: ./fundamentals/supported-devices-browsers.md
- name: Android Open Source Project Supported Devices
displayName: software updates, android open source project, supported devices
- href: ./fundamentals/android-os-project-supported-devices.md
+ href: ./fundamentals/android-os-project-supported-devices.md
- name: Software updates planning guides
items:
- name: BYOD and personal devices
@@ -146,17 +136,17 @@ items:
href: ./fundamentals/china.md
- name: Migrate to Intune
- items:
+ items:
- name: Move to Intune
displayName: help, get started, migrate, mdm, mam, android, ios, ipados, macos, windows
href: ./fundamentals/deployment-guide-intune-setup.md
- name: Migrate from Basic Mobility and Security
- items:
+ items:
- name: Move from Microsoft 365 device management
displayName: migrate, mdm, office, windows
href: ./fundamentals/migrate-to-intune.md
- name: Policy mapping
- items:
+ items:
- name: Access requirements policy mapping
displayName: migrate, mdm, office, windows
href: ./fundamentals/policy-map-access-requirements.md
@@ -189,6 +179,71 @@ items:
- name: Step 5 - Enroll devices
displayName: deployment, mdm, android, ios, ipados, macos, windows
href: ./fundamentals/deployment-guide-enroll.md
+ - name: Microsoft Copilot + Intune
+ items:
+ - name: Copilot in Intune
+ href: ./copilot/copilot-intune-overview.md
+ - name: Troubleshoot a device using Copilot
+ href: ./copilot/copilot-devices.md
+ - name: FAQ
+ href: ./copilot/copilot-intune-faq.md
+ - name: Intune plugin in Security Copilot
+ href: ./copilot/security-copilot.md
+
+ - name: Endpoint analytics
+ items:
+ - name: Overview
+ items:
+ - name: What is Endpoint analytics?
+ href: ../analytics/overview.md
+ - name: Concepts
+ items:
+ - name: Scores, baselines, and insights
+ href: ../analytics/scores.md
+ - name: How to guides
+ items:
+ - name: Enroll Intune devices
+ href: ../analytics/enroll-intune.md
+ - name: Enroll Configuration Manager devices
+ href: ../analytics/enroll-configmgr.md
+ - name: Manage settings
+ href: ../analytics/settings.md
+ - name: Reports
+ items:
+ - name: Startup performance
+ href: ../analytics/startup-performance.md
+ - name: Restart frequency
+ href: ../analytics/restart-frequency.md
+ - name: Application reliability
+ href: ../analytics/app-reliability.md
+ - name: Work from anywhere
+ href: ../analytics/work-from-anywhere.md
+ - name: Endpoint analytics in Microsoft Adoption Score
+ href: ../analytics/adoption-score.md
+ - name: Intune Advanced Analytics
+ items:
+ - name: What is Advanced Analytics?
+ href: ../analytics/advanced-endpoint-analytics.md
+ - name: Anomaly detection
+ href: ../analytics/anomaly-detection.md
+ - name: Enhanced device timeline
+ href: ../analytics/enhanced-device-timeline.md
+ - name: Device scopes
+ href: ../analytics/device-scopes.md
+ - name: Device query
+ href: ../analytics/device-query.md
+ - name: Data platform schema
+ href: ../analytics/data-platform-schema.md
+ - name: Battery health
+ href: ../analytics/battery-health.md
+ - name: Resource Performance
+ href: ../analytics/resource-performance-report.md
+ - name: Get support
+ href: ../analytics/get-support.md
+ - name: Data collection
+ href: ../analytics/data-collection.md
+ - name: Troubleshoot
+ href: ../analytics/troubleshoot.md
- name: How-to guides
items:
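Review bot: the new Endpoint analytics and Intune Advanced Analytics entries use `../analytics/...` hrefs while the rest of this toc uses `./` paths under memdocs/intune; confirm those relative paths resolve from memdocs/intune/toc.yml and that the analytics articles are not already listed in another toc, which would produce duplicate navigation entries. The re-added Copilot section renames "Intune plugin in Copilot for Security" to "Intune plugin in Security Copilot"; check that the target article's title was updated to match.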
@@ -203,18 +258,18 @@ items:
- name: Add groups
href: ./fundamentals/groups-add.md
- name: Manage Intune licenses
- items:
+ items:
- name: Determine license needs
href: ./fundamentals/licenses.md
- name: Assign licenses
href: ./fundamentals/licenses-assign.md
- name: Allow access to unlicensed admins
- href: ./fundamentals/unlicensed-admins.md
+ href: ./fundamentals/unlicensed-admins.md
- name: Set the MDM authority
href: ./fundamentals/mdm-authority-set.md
- name: Configure multiple admin approvals
href: ./fundamentals/multi-admin-approval.md
-
+
- name: Manage roles
items:
- name: Role-based access control
@@ -224,41 +279,41 @@ items:
- name: Create a custom role
href: ./fundamentals/create-custom-role.md
- name: Use scope tags to determine what admins can see
- href: ./fundamentals/scope-tags.md
+ href: ./fundamentals/scope-tags.md
- name: Distributed IT environment with many admins in the same Intune tenant
href: ./fundamentals/intune-scale-guidelines.md
- name: Built-in roles permissions reference
- href: ./fundamentals/role-based-access-control-reference.md
+ href: ./fundamentals/role-based-access-control-reference.md
- name: Manage apps
items:
- name: App management overview
- href: ./apps/app-management.md
- - name: MAM for unenrolled devices
+ href: ./apps/app-management.md
+ - name: MAM for unenrolled devices
href: ./fundamentals/deployment-guide-enrollment-mamwe.md
displayName: mobile application management, mam-we, mamwe
- name: App solutions
items:
- name: Purchase and add apps for Microsoft Intune
- items:
+ items:
- name: Overview
href: /microsoft-365/solutions/apps-guide-overview?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
displayName: purchase, buy, app, license
- name: Understand app types
items:
- - name: App types overview
+ - name: App types overview
href: /microsoft-365/solutions/apps-type-overview?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- - name: Understand store apps
+ - name: Understand store apps
href: /microsoft-365/solutions/apps-type-store?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- - name: Understand line-of-business apps
+ - name: Understand line-of-business apps
href: /microsoft-365/solutions/apps-type-lob?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- - name: Understand built-in apps
- href: /microsoft-365/solutions/apps-type-built-in?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
+ - name: Understand built-in apps
+ href: /microsoft-365/solutions/apps-type-built-in?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Understand web apps
href: /microsoft-365/solutions/apps-type-web?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Understand Microsoft apps
- href: /microsoft-365/solutions/apps-type-microsoft?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
+ href: /microsoft-365/solutions/apps-type-microsoft?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Understand app purchases
items:
- name: Purchase apps overview
@@ -286,10 +341,10 @@ items:
- name: Step 4. Add apps to Intune
href: /microsoft-365/solutions/apps-add-step-4?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Step 5. Manage apps and licenses
- href: /microsoft-365/solutions/apps-add-step-5?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
+ href: /microsoft-365/solutions/apps-add-step-5?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Configure apps using Microsoft Intune
- items:
+ items:
- name: Overview
href: /microsoft-365/solutions/apps-config-overview?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
displayName: configure, app, apps, channel
@@ -304,23 +359,23 @@ items:
- name: Step 5. Configure Microsoft Teams
href: /microsoft-365/solutions/apps-config-step-5?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Step 6. Configure other apps
- href: /microsoft-365/solutions/apps-config-step-6?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
+ href: /microsoft-365/solutions/apps-config-step-6?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Step 7. Verify app configuration
- href: /microsoft-365/solutions/apps-config-step-7?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
+ href: /microsoft-365/solutions/apps-config-step-7?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Secure and protect apps using Microsoft Intune
- items:
+ items:
- name: Overview
href: /microsoft-365/solutions/apps-protect-overview?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
displayName: secure, protect, app, apps, conditional, launch, framework, basic, enhanced, high
- name: Understand app data protection
href: /microsoft-365/solutions/apps-protect-data-protection?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Understand app protection access requirements
- href: /microsoft-365/solutions/apps-protect-access-requirements?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
+ href: /microsoft-365/solutions/apps-protect-access-requirements?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Understand app protection conditional launch
- href: /microsoft-365/solutions/apps-protect-conditional-launch?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
+ href: /microsoft-365/solutions/apps-protect-conditional-launch?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Understand app protection health checks
- href: /microsoft-365/solutions/apps-protect-health-checks?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
+ href: /microsoft-365/solutions/apps-protect-health-checks?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Use the app protection framework
items:
- name: App protection framework overview
@@ -334,12 +389,12 @@ items:
- name: Step 4. Understand app protection delivery
href: /microsoft-365/solutions/apps-protect-step-4?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Step 5. Verify and monitor app protection
- href: /microsoft-365/solutions/apps-protect-step-5?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
+ href: /microsoft-365/solutions/apps-protect-step-5?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Step 6. Use app protection actions
href: /microsoft-365/solutions/apps-protect-step-6?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Assign and deploy apps using Microsoft Intune
- items:
+ items:
- name: Overview
href: /microsoft-365/solutions/apps-assign-overview?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
displayName: assign, deploy, app, apps, monitor, troubleshoot
@@ -350,9 +405,9 @@ items:
- name: Understand app deployment
href: /microsoft-365/solutions/apps-assign-deployment?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Assign apps to your organization
- items:
- - name: Assign apps overview
- href: /microsoft-365/solutions/apps-assign-steps-overview?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
+ items:
+ - name: Assign apps overview
+ href: /microsoft-365/solutions/apps-assign-steps-overview?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Step 1. Confirm users, devices, or groups
href: /microsoft-365/solutions/apps-assign-step-1?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Step 2. Assign apps to users, devices, or groups
@@ -363,10 +418,10 @@ items:
href: /microsoft-365/solutions/apps-assign-step-4?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Secure your corporate data using Edge for Business
- items:
+ items:
- name: Overview
href: ./apps/mamedge-overview.md
- - name: Step 1. Create Microsoft Entra conditional access
+ - name: Step 1. Create Microsoft Entra Conditional Access
href: ./apps/mamedge-1-mamca.md
- name: Step 2. Create an app protection policy
href: ./apps/mamedge-2-app.md
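Review bot: the rename at `Step 1. Create Microsoft Entra Conditional Access` (capital C, capital A) matches the product name as written later in this same diff (`displayName: multi-factor; enrollment; MFA; verification; Conditional Access`); grep the rest of the file for remaining lowercase `conditional access` in `name:` and `displayName:` fields so the TOC does not end up mixing both forms.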
@@ -390,14 +445,14 @@ items:
href: ./apps/manage-without-gms.md
- name: Data protection for Windows MAM
href: ./apps/protect-mam-windows.md
- displayName: Windows MAM
+ displayName: Windows MAM
- name: MAM FAQ
href: ./apps/mam-faq.yml
- displayName: MAM
-
+ displayName: MAM
+
- name: How-to guides
items:
- - name: Add apps
+ - name: Add apps
items:
- name: Add apps overview
href: ./apps/apps-add.md
@@ -442,7 +497,7 @@ items:
- name: Enterprise App Management overview
href: ./apps/apps-enterprise-app-management.md
- name: Add an Enterprise App Catalog app (Win32)
- href: ./apps/apps-add-enterprise-app.md
+ href: ./apps/apps-add-enterprise-app.md
- name: macOS LOB apps
href: ./apps/lob-apps-macos.md
- name: macOS app management
@@ -450,10 +505,10 @@ items:
- name: Intune management agent for macOS
href: ./apps/lob-apps-macos-agent.md
- name: Add a macOS DMG app
- href: ./apps/lob-apps-macos-dmg.md
+ href: ./apps/lob-apps-macos-dmg.md
- name: Add an unmanaged macOS PKG app
href: ./apps/macos-unmanaged-pkg.md
- displayName: unmanaged, pkg
+ displayName: unmanaged, pkg
- name: Win32 app management
items:
- name: Win32 app management overview
@@ -477,11 +532,11 @@ items:
- name: Company Portal app - Download
href: ./apps/store-apps-company-portal-app.md
- name: Company Portal app - macOS
- href: ./apps/apps-company-portal-macos.md
+ href: ./apps/apps-company-portal-macos.md
- name: Microsoft Edge for Windows 10
href: ./apps/apps-windows-edge.md
- name: Microsoft Edge for macOS
- href: ./apps/apps-edge-macos.md
+ href: ./apps/apps-edge-macos.md
- name: Microsoft Defender for Endpoint for macOS
href: ./apps/apps-advanced-threat-protection-macos.md
- name: PowerShell scripts
@@ -489,7 +544,7 @@ items:
- name: macOS shell scripts
href: ./apps/macos-shell-scripts.md
- name: Get the app bundle ID
- href: ./apps/get-app-bundle-id-intune-admin-center.md
+ href: ./apps/get-app-bundle-id-intune-admin-center.md
- name: Assign apps
items:
- name: Assign apps to groups
@@ -530,7 +585,7 @@ items:
- name: Configure Microsoft Edge for iOS/Android
href: ./apps/manage-microsoft-edge.md
- name: Configure Microsoft Edge for Windows
- href: ./apps/manage-microsoft-edge-windows.md
+ href: ./apps/manage-microsoft-edge-windows.md
- name: Configure Office
href: ./apps/manage-microsoft-office.md
- name: Configure Outlook
@@ -540,7 +595,7 @@ items:
- name: Configure Google Chrome for Android
href: ./apps/apps-configure-chrome-android.md
- name: VPN and per-app VPN on Android Enterprise
- href: ./apps/app-configuration-vpn-ae.md
+ href: ./apps/app-configuration-vpn-ae.md
- name: Volume-purchased apps and books
items:
- name: Volume-purchased overview
@@ -571,7 +626,7 @@ items:
- name: iOS settings
href: ./apps/app-protection-policy-settings-ios.md
- name: Windows settings
- href: ./apps/app-protection-policy-settings-windows.md
+ href: ./apps/app-protection-policy-settings-windows.md
- name: Conditional launch
href: ./apps/app-protection-policies-access-actions.md
- name: Data transfer exceptions
@@ -593,9 +648,9 @@ items:
- name: Review app protection logs
href: ./apps/app-protection-policy-settings-log.md
- name: Policies for Office apps
- href: ./apps/app-office-policies.md
+ href: ./apps/app-office-policies.md
- name: Quiet time policies
- href: ./apps/apps-quiet-time-policies.md
+ href: ./apps/apps-quiet-time-policies.md
- name: Troubleshoot
items:
- name: Help users troubleshoot problems
@@ -615,46 +670,46 @@ items:
items:
- name: Device protection overview
href: ./protect/device-protect.md
- displayName: compliant; noncompliant; mfa
+ displayName: compliant; noncompliant; mfa
- - name: How-to guides
+ - name: How-to guides
items:
- name: Use compliance rules to protect resources
items:
- name: Compliance overview
- href: ./protect/device-compliance-get-started.md
+ href: ./protect/device-compliance-get-started.md
- name: Create a policy
href: ./protect/create-compliance-policy.md
- name: Custom compliance settings
- href: ./protect/compliance-use-custom-settings.md
- items:
+ href: ./protect/compliance-use-custom-settings.md
+ items:
- name: JSON for custom settings
- href: ./protect/compliance-custom-json.md
+ href: ./protect/compliance-custom-json.md
- name: PowerShell script for custom settings
- href: ./protect/compliance-custom-script.md
- - name: Windows Subsystem for Linux
- href: ./protect/compliance-wsl.md
+ href: ./protect/compliance-custom-script.md
+ - name: Windows Subsystem for Linux
+ href: ./protect/compliance-wsl.md
- name: Actions for noncompliance
href: ./protect/actions-for-noncompliance.md
- name: Monitor device compliance
href: ./protect/compliance-policy-monitor.md
- name: Device compliance partners
- href: ./protect/device-compliance-partners.md
+ href: ./protect/device-compliance-partners.md
- name: Endpoint security
href: ./protect/endpoint-security.md
items:
- name: Manage devices
href: ./protect/endpoint-security-manage-devices.md
- name: Security baselines
- items:
+ items:
- name: Security baselines overview
href: ./protect/security-baselines.md
- - name: Manage security baselines
- href: ./protect/security-baselines-configure.md
+ - name: Manage security baselines
+ href: ./protect/security-baselines-configure.md
- name: Monitor your baselines
href: ./protect/security-baselines-monitor.md
- name: Security tasks
- href: ./protect/atp-manage-vulnerabilities.md
+ href: ./protect/atp-manage-vulnerabilities.md
- name: Security policy
items:
- name: Manage security policies
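Review bot: the `Windows Subsystem for Linux` entry (`href: ./protect/compliance-wsl.md`) is re-indented along with the `JSON for custom settings` and `PowerShell script for custom settings` entries under `Custom compliance settings` / `items:`, with no change in content. Because only indentation moves here, verify in the rendered TOC that all three remain children of `Custom compliance settings` and that `Actions for noncompliance` is still a sibling of it rather than a child; a one-level indentation slip in this block would not fail the build but would silently change the hierarchy. The remaining +/- pairs in this hunk (`How-to guides`, `Manage security baselines`, `Security tasks`, `Device compliance partners`) are whitespace-only.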
@@ -678,7 +733,7 @@ items:
- name: Microsoft Defender for Endpoint
items:
- name: Microsoft Defender for Endpoint
- href: ./protect/advanced-threat-protection.md
+ href: ./protect/advanced-threat-protection.md
- name: Configure Defender for Endpoint
href: ./protect/advanced-threat-protection-configure.md
- name: Android web protection
@@ -736,11 +791,11 @@ items:
- name: Microsoft Tunnel for MAM
items:
- name: Microsoft Tunnel for MAM Overview
- href: ./protect/microsoft-tunnel-mam.md
+ href: ./protect/microsoft-tunnel-mam.md
- name: MAM Tunnel for Android
- href: ./protect/microsoft-tunnel-mam-android.md
+ href: ./protect/microsoft-tunnel-mam-android.md
- name: MAM Tunnel for iOS
- href: ./protect/microsoft-tunnel-mam-ios.md
+ href: ./protect/microsoft-tunnel-mam-ios.md
- name: Monitor Microsoft Tunnel
href: ./protect/microsoft-tunnel-monitor.md
- name: Upgrade Microsoft Tunnel
@@ -803,14 +858,14 @@ items:
- name: Enable MTD for enrolled devices
href: ./protect/mtd-connector-enable.md
- name: MTD apps
- items:
+ items:
- name: Set up Better Mobile
href: ./protect/better-mobile-threat-defense-connector.md
items:
- name: Better Mobile and Intune integration
href: ./protect/better-mobile-mtd-connector-integration.md
displayName: sso
- - name: Set up BlackBerry Protect Mobile
+ - name: Set up BlackBerry Protect Mobile
href: ./protect/blackberry-mobile-threat-defense-connector.md
items:
- name: BlackBerry and Intune integration
@@ -839,7 +894,7 @@ items:
href: ./protect/trellix-mobile-threat-defense-connector.md
items:
- name: Trellix Mobile Security and Intune integration
- href: ./protect/trellix-mtd-connector-integration.md
+ href: ./protect/trellix-mtd-connector-integration.md
- name: Set up Pradeo
href: ./protect/pradeo-mobile-threat-defense-connector.md
items:
@@ -864,38 +919,38 @@ items:
href: ./protect/trend-micro-mobile-threat-defense-connector.md
items:
- name: Trend Micro Mobile Security as a Service and Intune integration
- href: ./protect/trend-micro-mtd-connector-integration.md
+ href: ./protect/trend-micro-mtd-connector-integration.md
- name: Set up Zimperium
href: ./protect/zimperium-mobile-threat-defense-connector.md
items:
- name: Zimperium and Intune integration
- href: ./protect/zimperium-mtd-connector-integration.md
+ href: ./protect/zimperium-mtd-connector-integration.md
- name: Network access control
href: ./protect/network-access-control-integrate.md
- - name: Microsoft Cloud PKI
+ - name: Microsoft Cloud PKI
items:
- - name: Microsoft Cloud PKI overview
+ - name: Microsoft Cloud PKI overview
href: ./protect/microsoft-cloud-pki-overview.md
- displayName: RBAC, requirements
- - name: PKI fundamentals
- href: ./protect/microsoft-cloud-pki-fundamentals.md
- - name: Configure and deploy
- items:
- - name: Deployment overview
- href: ./protect/microsoft-cloud-pki-deployment.md
- - name: Configure root and issuing CA for Cloud PKI
- href: ./protect/microsoft-cloud-pki-configure-ca.md
+ displayName: RBAC, requirements
+ - name: PKI fundamentals
+ href: ./protect/microsoft-cloud-pki-fundamentals.md
+ - name: Configure and deploy
+ items:
+ - name: Deployment overview
+ href: ./protect/microsoft-cloud-pki-deployment.md
+ - name: Configure root and issuing CA for Cloud PKI
+ href: ./protect/microsoft-cloud-pki-configure-ca.md
displayName: root, certification, authority, ca, issuing, BYO
- - name: Configure bring your own CA for Cloud PKI
- href: ./protect/microsoft-cloud-pki-configure-byoca.md
- - name: Monitor issued certificates
- href: ./protect/microsoft-cloud-pki-monitor.md
- - name: Get audit logs
- href: ./protect/microsoft-cloud-pki-audit-logs.md
- - name: Pause, revoke, and delete CA
- href: ./protect/microsoft-cloud-pki-delete.md
- - name: Certificates
- items:
+ - name: Configure bring your own CA for Cloud PKI
+ href: ./protect/microsoft-cloud-pki-configure-byoca.md
+ - name: Monitor issued certificates
+ href: ./protect/microsoft-cloud-pki-monitor.md
+ - name: Get audit logs
+ href: ./protect/microsoft-cloud-pki-audit-logs.md
+ - name: Pause, revoke, and delete CA
+ href: ./protect/microsoft-cloud-pki-delete.md
+ - name: Certificates
+ items:
- name: Use certificates for authentication
href: ./protect/certificates-configure.md
- name: Trusted certificate profiles
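Review bot: this hunk re-indents the entire `Microsoft Cloud PKI` subtree (`Microsoft Cloud PKI overview` through `Pause, revoke, and delete CA`, plus the `Certificates` / `items:` lines) without changing any `name:` or `href:` value. Both the old and new indentation read as plausible YAML, so the risk is a silent nesting change rather than a build error: confirm that `Microsoft Cloud PKI` stays a sibling of `Network access control`, that `Configure and deploy` keeps its five child items, and that `Certificates` remains a sibling of `Microsoft Cloud PKI` with `Use certificates for authentication` as its first child.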
@@ -908,11 +963,11 @@ items:
href: ./protect/certificate-connector-prerequisites.md
- name: Install the connector
href: ./protect/certificate-connector-install.md
- - name: SCEP
+ - name: SCEP
items:
- name: SCEP infrastructure
href: ./protect/certificates-scep-configure.md
- displayName: ksp
+ displayName: ksp
- name: SCEP certificate profiles
href: ./protect/certificates-profile-scep.md
- name: Use third-party certificate authority with SCEP
@@ -931,7 +986,7 @@ items:
href: ./protect/certificates-digicert-configure.md
displayName: ca; pkcs; pki; ra; registration authority
- name: Remove SCEP or PKCS certificates
- href: ./protect/remove-certificates.md
+ href: ./protect/remove-certificates.md
- name: Derived credentials
href: ./protect/derived-credentials.md
- name: Software updates
@@ -941,16 +996,16 @@ items:
- name: Android FOTA update
href: ./protect/fota-updates-android.md
- name: Zebra LG OTA Integration
- href: ./protect/zebra-lifeguard-ota-integration.md
+ href: ./protect/zebra-lifeguard-ota-integration.md
- name: iOS/iPadOS & macOS updates
items:
- name: Managed software updates (DDM)
displayName: ddm
- href: ./protect/managed-software-updates-ios-macos.md
+ href: ./protect/managed-software-updates-ios-macos.md
- name: iOS/iPadOS update policies
href: ./protect/software-updates-ios.md
- name: macOS update policies
- href: ./protect/software-updates-macos.md
+ href: ./protect/software-updates-macos.md
- name: Windows updates
items:
- name: Use Windows Update for Business
@@ -962,7 +1017,7 @@ items:
- name: Expedite updates policy
href: ./protect/windows-10-expedite-updates.md
- name: Windows driver updates
- items:
+ items:
- name: Driver updates overview
href: ./protect/windows-driver-updates-overview.md
- name: Driver updates policy
@@ -972,7 +1027,7 @@ items:
- name: Windows Update compatibility reports
href: ./protect/windows-update-compatibility-reports.md
- name: Windows Update reports
- href: ./protect/windows-update-reports.md
+ href: ./protect/windows-update-reports.md
- name: Troubleshoot
items:
- name: Troubleshoot policies and profiles
@@ -1001,7 +1056,7 @@ items:
items:
- name: Troubleshoot Exchange connectors
href: /troubleshoot/mem/intune/troubleshoot-exchange-connector
- - name: Common errors
+ - name: Common errors
href: /troubleshoot/mem/intune/troubleshoot-exchange-connector-common-errors
- name: Troubleshoot BitLocker policies
href: /troubleshoot/mem/intune/troubleshoot-bitlocker-policies
@@ -1014,8 +1069,8 @@ items:
- name: Compliance policy settings
items:
- name: Compliance settings - Android device administrator
- href: ./protect/compliance-policy-create-android.md
- - name: Compliance settings - Android (AOSP)
+ href: ./protect/compliance-policy-create-android.md
+ - name: Compliance settings - Android (AOSP)
href: ./protect/compliance-policy-create-android-aosp.md
- name: Compliance settings - Android Enterprise
href: ./protect/compliance-policy-create-android-for-work.md
@@ -1048,21 +1103,21 @@ items:
displayName: AWA; Add Work Account
- name: Firewall policy settings
href: ./protect/endpoint-security-firewall-profile-settings.md
- - name: Tenant attach Firewall settings
+ - name: Tenant attach Firewall settings
href: ./protect/endpoint-security-firewall-profile-settings-tenant-attach.md
- name: Endpoint detection and response profile settings
- href: ./protect/endpoint-security-edr-profile-settings.md
+ href: ./protect/endpoint-security-edr-profile-settings.md
- name: Attack surface reduction profile settings
href: ./protect/endpoint-security-asr-profile-settings.md
- name: Account protection profile settings
href: ./protect/endpoint-security-account-protection-profile-settings.md
- name: Security baseline settings
- items:
+ items:
- name: Windows 10 MDM baseline settings
href: ./protect/security-baseline-settings-mdm-all.md
- - name: Microsoft Defender for Endpoint baseline settings
+ - name: Microsoft Defender for Endpoint baseline settings
href: ./protect/security-baseline-settings-defender.md
- - name: Microsoft 365 Apps for Enterprise baseline settings (Office)
+ - name: Microsoft 365 Apps for Enterprise baseline settings (Office)
href: ./protect/security-baseline-v2-office-settings.md
- name: Microsoft Edge baseline settings (version 112 and higher)
href: ./protect/security-baseline-v2-edge-settings.md
@@ -1079,8 +1134,8 @@ items:
- name: Software update errors
href: ./protect/software-update-agent-error-codes.md
- name: Deprecated certificate connectors
- href: ./protect/certificate-connectors.md
- - name: Scenario implementation guides
+ href: ./protect/certificate-connectors.md
+ - name: Scenario implementation guides
items:
- name: Protect Exchange Online
href: ./protect/exchange-online-protect.md
@@ -1114,6 +1169,9 @@ items:
- name: Universal Print policy
displayName: printers, gpo, admx, windows
href: ./configuration/settings-catalog-printer-provisioning.md
+ - name: Properties catalog
+ displayName: windows
+ href: ./configuration/properties-catalog.md
- name: Custom settings & scripts
items:
- name: Create custom profiles
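Review bot: the new `Properties catalog` node points at `./configuration/properties-catalog.md`; confirm that file is part of this PR or already on the branch, since a TOC entry with a missing target breaks the build. Its `displayName` is the single keyword `windows`, whereas the neighbouring `Universal Print policy` entry lists several search terms (`printers, gpo, admx, windows`); consider adding the terms a reader would search for beyond the platform name so the entry is distinguishable in search from the other Windows configuration pages.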
@@ -1259,7 +1317,7 @@ items:
displayName: trusted sites, ipv4, ipv6, range
- name: Windows health monitoring
href: ./configuration/windows-health-monitoring.md
- displayName: endpoint analytics, microsoft productivity score
+ displayName: endpoint analytics, microsoft productivity score
- name: Education Take a Test app
displayName: windows
href: ./configuration/education-settings-configure.md
@@ -1271,10 +1329,16 @@ items:
- name: eSIM bulk activation with activation codes (import CSV)
href: ./configuration/esim-device-configuration.md
- - name: Configuration profile settings lists
+ - name: Settings catalog lists
+ items:
+ - name: Apple
+ displayName: ios, ipados, macos
+ href: ./configuration/apple-settings-catalog-configurations.md
+
+ - name: Device Configuration template settings lists
items:
- name: Android device administrator
- items:
+ items:
- name: Custom (OMA-URI)
items:
- name: Custom settings
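Review bot: the renamed node `Device Configuration template settings lists` uses a capital C in "Configuration", while the new sibling added just above it (`Settings catalog lists`) and the other section nodes in this file (`Assign and deploy policies`, `Custom settings & scripts`) use sentence case; change it to `Device configuration template settings lists`. Also confirm `./configuration/apple-settings-catalog-configurations.md` exists on the branch, and note that the old node name `Configuration profile settings lists` may be referenced in other docs or in the site navigation tests, so search for it before merging.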
@@ -1295,11 +1359,11 @@ items:
- name: Wi-Fi
displayName: wifi, wireless, android, device administrator, da
href: ./configuration/wi-fi-settings-android.md
- - name: Android (AOSP)
- items:
+ - name: Android (AOSP)
+ items:
- name: Device restrictions
displayName: android, aosp
- href: ./configuration/device-restrictions-android-aosp.md
+ href: ./configuration/device-restrictions-android-aosp.md
- name: Wi-Fi
displayName: wifi, wireless, android, aosp
href: ./configuration/wi-fi-settings-android-aosp.md
@@ -1435,7 +1499,7 @@ items:
href: ./configuration/kiosk-settings-holographic.md
- name: Shared multi-user device
displayName: windows holographic, hololens
- href: ./configuration/shared-user-device-settings-windows-holographic.md
+ href: ./configuration/shared-user-device-settings-windows-holographic.md
- name: Windows 8.1
items:
- name: Device restrictions
@@ -1446,7 +1510,7 @@ items:
href: ./configuration/vpn-settings-windows-8-1.md
- name: Assign and deploy policies
- items:
+ items:
- name: Assign policies to users & groups
displayName: deploy, push, android, ios, ipados, macos, windows
href: ./configuration/device-profile-assign.md
@@ -1490,119 +1554,119 @@ items:
displayName: android, ios, ipados, macos, windows
href: /troubleshoot/mem/intune/troubleshoot-policies-in-microsoft-intune
- - name: Enroll devices in Microsoft Intune
+ - name: Enroll devices in Microsoft Intune
items:
- - name: Device enrollment overview
- href: ./fundamentals/deployment-guide-enrollment.md
+ - name: Device enrollment overview
+ href: ./fundamentals/deployment-guide-enrollment.md
displayName: COD; BYOD; DEM; ADE; USB-SA; USB-Direct; co-management; GPO
- - name: Configure enrollment features
+ - name: Configure enrollment features
items:
- - name: Get Apple MDM push certificate
+ - name: Get Apple MDM push certificate
href: ./enrollment/apple-mdm-push-certificate-get.md
- displayName: digital; certificates; notifications; token; PEM; automated device enrollment; user enrollment; device enrollment
- - name: Configure Chrome Enterprise connector
- href: ./enrollment/chrome-enterprise-connector-configure.md
- displayName: chrome os; connector; device management; google admin
+ displayName: digital; certificates; notifications; token; PEM; automated device enrollment; user enrollment; device enrollment
+ - name: Configure Chrome Enterprise connector
+ href: ./enrollment/chrome-enterprise-connector-configure.md
+ displayName: chrome os; connector; device management; google admin
- name: Add corporate identifiers
href: ./enrollment/corporate-identifiers-add.md
- displayName: COD; corporate owned; IMEI; device ownership; serial
- - name: Add device enrollment manager
- href: ./enrollment/device-enrollment-manager-enroll.md
+ displayName: COD; corporate owned; IMEI; device ownership; serial
+ - name: Add device enrollment manager
+ href: ./enrollment/device-enrollment-manager-enroll.md
displayName: DEM; bulk enrollment; company portal; Azure AD; join; limitations
- - name: Add device categories
+ - name: Add device categories
href: ./enrollment/device-group-mapping.md
- displayName: group; category; categorize; security group;
- - name: Require multifactor authentication
- href: ./enrollment/multi-factor-authentication.md
- displayName: multi-factor; enrollment; MFA; verification; conditional access
- - name: Create terms and conditions policy
+ displayName: group; category; categorize; security group;
+ - name: Require multifactor authentication
+ href: ./enrollment/multi-factor-authentication.md
+ displayName: multi-factor; enrollment; MFA; verification; Conditional Access
+ - name: Create terms and conditions policy
href: ./enrollment/terms-and-conditions-create.md
- displayName: intune; enrollment; terms and conditions; policy
- - name: Set up enrollment notifications
+ displayName: intune; enrollment; terms and conditions; policy
+ - name: Set up enrollment notifications
href: ./enrollment/enrollment-notifications.md
- - name: Set up enrollment time grouping
+ - name: Set up enrollment time grouping
href: ./enrollment/enrollment-time-grouping.md
- displayName: enrollment time grouping; security groups; Entra
+ displayName: enrollment time grouping; security groups; Entra
- name: Configure device enrollment restrictions
- items:
- - name: Overview
- href: ./enrollment/enrollment-restrictions-set.md
- - name: Intune device limits vs. Microsoft Entra device limits
- href: ./enrollment/device-limit-intune-azure.md
- - name: Create device platform restrictions
- href: ./enrollment/create-device-platform-restrictions.md
- - name: Create device limit restrictions
- href: ./enrollment/create-device-limit-restrictions.md
-
+ items:
+ - name: Overview
+ href: ./enrollment/enrollment-restrictions-set.md
+ - name: Intune device limits vs. Microsoft Entra device limits
+ href: ./enrollment/device-limit-intune-azure.md
+ - name: Create device platform restrictions
+ href: ./enrollment/create-device-platform-restrictions.md
+ - name: Create device limit restrictions
+ href: ./enrollment/create-device-limit-restrictions.md
+
- name: Set up Windows enrollment
- items:
- - name: Get started with Windows enrollment
+ items:
+ - name: Get started with Windows enrollment
href: ./fundamentals/deployment-guide-enrollment-windows.md
- - name: Enrollment solutions
- items:
- - name: Set up automatic enrollment
+ - name: Enrollment solutions
+ items:
+ - name: Set up automatic enrollment
href: ./enrollment/windows-enroll.md
- - name: Set up bulk enrollment and workplace join
- href: ./enrollment/windows-bulk-enroll.md
- - name: Enrollment configurations
+ - name: Set up bulk enrollment and workplace join
+ href: ./enrollment/windows-bulk-enroll.md
+ - name: Enrollment configurations
items:
- - name: Create and validate CNAME records
+ - name: Create and validate CNAME records
href: ./enrollment/windows-enrollment-create-cname.md
- - name: Set up Intune Connector for Active Directory
- href: ./enrollment/autopilot-hybrid-connector-proxy.md
+ - name: Set up Intune Connector for Active Directory
+ href: /autopilot/windows-autopilot-hybrid
- name: Set up Enrollment Status Page
href: ./enrollment/windows-enrollment-status.md
- name: Set up Windows Enrollment Attestation
- href: ./enrollment/windows-enrollment-attestation.md
-
+ href: ./enrollment/windows-enrollment-attestation.md
+
- name: Set up Android enrollment
items:
- - name: Get started with Android enrollment
+ - name: Get started with Android enrollment
href: ./fundamentals/deployment-guide-enrollment-android.md
displayName: COBO
- - name: Android Enterprise enrollment solutions
+ - name: Android Enterprise enrollment solutions
items:
- - name: Prerequisite - Connect Intune to Android Enterprise
+ - name: Prerequisite - Connect Intune to Android Enterprise
href: ./enrollment/connect-intune-android-enterprise.md
- - name: Device staging overview
+ - name: Device staging overview
href: ./enrollment/device-staging-overview.md
- displayName: COBO; staged enrollment
+ displayName: COBO; staged enrollment
- name: Set up work profile management
- items:
- - name: Overview
+ items:
+ - name: Overview
href: ./enrollment/android-enterprise-overview.md
- - name: Work profile for personal devices
+ - name: Work profile for personal devices
href: ./enrollment/android-work-profile-enroll.md
- - name: Work profile for corporate-owned devices
- href: ./enrollment/android-corporate-owned-work-profile-enroll.md
+ - name: Work profile for corporate-owned devices
+ href: ./enrollment/android-corporate-owned-work-profile-enroll.md
- name: Set up enrollment for dedicated devices
href: ./enrollment/android-kiosk-enroll.md
- - name: Set up enrollment for fully managed devices
+ - name: Set up enrollment for fully managed devices
href: ./enrollment/android-fully-managed-enroll.md
- - name: Enroll corporate-owned devices
- href: ./enrollment/android-dedicated-devices-fully-managed-enroll.md
- - name: AOSP enrollment solutions
- items:
+ - name: Enroll corporate-owned devices
+ href: ./enrollment/android-dedicated-devices-fully-managed-enroll.md
+ - name: AOSP enrollment solutions
+ items:
- name: Enroll corporate-owned, userless devices
- href: ./enrollment/android-aosp-corporate-owned-userless-enroll.md
+ href: ./enrollment/android-aosp-corporate-owned-userless-enroll.md
- name: Enroll corporate-owned, user-associated devices
- href: ./enrollment/android-aosp-corporate-owned-user-associated-enroll.md
- - name: Android device administrator solutions
- items:
- - name: Set up enrollment for Android device administrator
+ href: ./enrollment/android-aosp-corporate-owned-user-associated-enroll.md
+ - name: Android device administrator solutions
+ items:
+ - name: Set up enrollment for Android device administrator
href: ./enrollment/android-enroll-device-administrator.md
- - name: Move to Android Enterprise work profile management
- href: ./enrollment/android-move-device-admin-work-profile.md
- - name: Move to mobile application management without enrollment
- href: ./enrollment/move-to-android-mobile-application-management.md
- - name: Samsung Knox enrollment solutions
- items:
- - name: Use Samsung Knox Mobile Enrollment
- href: ./enrollment/android-samsung-knox-mobile-enroll.md
+ - name: Move to Android Enterprise work profile management
+ href: ./enrollment/android-move-device-admin-work-profile.md
+ - name: Move to mobile application management without enrollment
+ href: ./enrollment/move-to-android-mobile-application-management.md
+ - name: Samsung Knox enrollment solutions
+ items:
+ - name: Use Samsung Knox Mobile Enrollment
+ href: ./enrollment/android-samsung-knox-mobile-enroll.md
- name: Set up iOS/iPadOS enrollment
items:
- - name: Get started with iOS/iPadOS enrollment
+ - name: Get started with iOS/iPadOS enrollment
href: ./fundamentals/deployment-guide-enrollment-ios-ipados.md
- name: Enrollment solutions
items:
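Review bot: `Set up Intune Connector for Active Directory` now links to `/autopilot/windows-autopilot-hybrid` instead of `./enrollment/autopilot-hybrid-connector-proxy.md`. If the local page is being removed, add a redirect for it so existing inbound links and search results do not 404; if it is staying, it becomes an orphan with no TOC entry, so decide which. The node title still promises a connector-setup page while the new target URL names the Autopilot hybrid-join article; either point at the connector section of that article or rename the node so readers land where the title says. The `conditional access` to `Conditional Access` change in the MFA entry's `displayName` is consistent with the earlier rename in this diff. Everything else in this hunk is indentation-only (`Enroll corporate-owned devices`, `AOSP enrollment solutions`, `Android device administrator solutions`, `Samsung Knox enrollment solutions`, the `Enrollment configurations` blocks); because nesting is indentation-driven, verify in the rendered TOC that those four Android groups remain siblings of `Android Enterprise enrollment solutions` rather than becoming its children, and that `Set up Windows Enrollment Attestation` stays under `Enrollment configurations`.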
@@ -1610,65 +1674,74 @@ items:
href: ./enrollment/apple-configurator-enroll-ios.md
- name: Set up Apple Automated Device Enrollment
items:
- - name: Set up Automated Device Enrollment
+ - name: Set up Automated Device Enrollment
href: ./enrollment/device-enrollment-program-enroll-ios.md
- - name: Choose enrollment authentication method
+ - name: Choose enrollment authentication method
href: ./enrollment/automated-device-enrollment-authentication.md
- - name: Set up enrollment for shared device mode
+ - name: Set up enrollment for shared device mode
href: ./enrollment/automated-device-enrollment-shared-device-mode.md
- displayName: devices, frontline worker, automated device enrollment
+ displayName: devices, frontline worker, automated device enrollment
- name: Walkthrough - Set up enrollment with Apple School Manager
- href: ./enrollment/apple-school-manager-set-up-ios.md
+ items:
+ - name: Prerequisites
+ href: ./enrollment/apple-school-manager-set-up-ios.md
+ - name: Step 1 - Get an Apple token and assign devices
+ href: ./enrollment/apple-school-manager-step-1.md
+ - name: Step 2 - Create an Apple enrollment profile
+ href: ./enrollment/apple-school-manager-step-2.md
+ - name: Step 3 - Sync managed devices
+ href: ./enrollment/apple-school-manager-step-3.md
+
- name: Set up Apple device enrollment
- items:
- - name: Overview
- href: ./enrollment/ios-device-enrollment.md
- - name: Set up web based device enrollment
- href: ./enrollment/web-based-device-enrollment-ios.md
+ items:
+ - name: Overview
+ href: ./enrollment/ios-device-enrollment.md
+ - name: Set up web based device enrollment
+ href: ./enrollment/web-based-device-enrollment-ios.md
- name: Set up Apple user enrollment
items:
- - name: Overview
- href: ./enrollment/ios-user-enrollment-supported-actions.md
- - name: Set up account driven user enrollment
- href: ./enrollment/apple-account-driven-user-enrollment.md
- - name: Set up user enrollment with Company Portal
- href: ./enrollment/apple-user-enrollment-with-company-portal.md
- - name: Set up Shared iPad
+ - name: Overview
+ href: ./enrollment/ios-user-enrollment-supported-actions.md
+ - name: Set up account driven user enrollment
+ href: ./enrollment/apple-account-driven-user-enrollment.md
+ - name: Set up user enrollment with Company Portal
+ href: ./enrollment/apple-user-enrollment-with-company-portal.md
+ - name: Set up Shared iPad
items:
- name: Overview of shared device solutions
href: ./enrollment/device-enrollment-shared-ios.md
- name: Set up Shared iPad
- href: ./enrollment/device-enrollment-shared-ipad.md
- - name: Enrollment configurations
- items:
- - name: Back up and restore for Automated Device Enrollment
- href: ./enrollment/backup-restore-ios.md
-
-
- - name: Set up Linux enrollment
+ href: ./enrollment/device-enrollment-shared-ipad.md
+ - name: Enrollment configurations
+ items:
+ - name: Back up and restore for Automated Device Enrollment
+ href: ./enrollment/backup-restore-ios.md
+
+
+ - name: Set up Linux enrollment
items:
- - name: Get started with Linux enrollment
+ - name: Get started with Linux enrollment
href: ./fundamentals/deployment-guide-enrollment-linux.md
- - name: Intune user help documentation
- href: ./user-help/enroll-device-linux.md
+ - name: Intune user help documentation
+ href: ./user-help/enroll-device-linux.md
- name: Set up macOS enrollment
items:
- - name: Get started with Mac enrollment
+ - name: Get started with Mac enrollment
href: ./fundamentals/deployment-guide-enrollment-macos.md
- - name: Enrollment solutions
- items:
+ - name: Enrollment solutions
+ items:
- name: Set up automated device enrollment for macOS
href: ./enrollment/device-enrollment-program-enroll-macos.md
- - name: Set up Direct Enrollment for macOS
- href: ./enrollment/device-enrollment-direct-enroll-macos.md
- - name: Enrollment configurations
- items:
- - name: Configure enrollment settings
- href: ./enrollment/macos-enroll.md
+ - name: Set up Direct Enrollment for macOS
+ href: ./enrollment/device-enrollment-direct-enroll-macos.md
+ - name: Enrollment configurations
+ items:
+ - name: Configure enrollment settings
+ href: ./enrollment/macos-enroll.md
- name: Troubleshoot enrollment
items:
- name: Get incomplete user enrollment report
- href: ./enrollment/enrollment-report-company-portal-abandon.md
+ href: ./enrollment/enrollment-report-company-portal-abandon.md
- name: Troubleshoot device enrollment
href: /troubleshoot/mem/intune/troubleshoot-device-enrollment-in-intune
- name: Troubleshoot iOS/iPadOS device enrollment
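Review bot: `Walkthrough - Set up enrollment with Apple School Manager` becomes a parent node with no `href`, so selecting it only expands the children; the page it used to open (`./enrollment/apple-school-manager-set-up-ios.md`) is now the `Prerequisites` child. Other parents in this file keep an `href` alongside `items:` (`Endpoint security` with `./protect/endpoint-security.md`, `Set up Better Mobile` with its connector page), so if the walkthrough landing page should open on click, keep the href on the parent and leave `Prerequisites` as the first child. Confirm the three new `apple-school-manager-step-1.md`, `-step-2.md` and `-step-3.md` files are in this PR. The rest of the hunk (`Set up Apple device enrollment`, `Set up Apple user enrollment`, `Set up Shared iPad`, `Set up Linux enrollment`, macOS `Enrollment solutions`) changes indentation only; check the rendered nesting as for the other re-indented blocks.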
@@ -1678,7 +1751,7 @@ items:
- name: Troubleshoot Windows auto-enrollment
href: /troubleshoot/mem/intune/troubleshoot-windows-auto-enrollment
- name: Troubleshoot Android device enrollment
- href: /troubleshoot/mem/intune/troubleshoot-android-enrollment
+ href: /troubleshoot/mem/intune/troubleshoot-android-enrollment
- name: Use Intune Suite add-ons
href: ./fundamentals/intune-add-ons.md
@@ -1749,9 +1822,9 @@ items:
- name: Collect diagnostics
href: ./remote-actions/collect-diagnostics.md
- name: Remove apps and configuration
- href: ./remote-actions/remove-apps-config.md
+ href: ./remote-actions/remove-apps-config.md
- name: Pause config refresh
- href: ./remote-actions/pause-config-refresh.md
+ href: ./remote-actions/pause-config-refresh.md
- name: Bulk device actions
href: ./remote-actions/bulk-device-actions.md
- name: Troubleshooting
@@ -1768,22 +1841,20 @@ items:
- name: Export reports using Graph
href: ./fundamentals/reports-export-graph-apis.md
- name: Intune reports and properties using Graph
- href: ./fundamentals/reports-export-graph-available-reports.md
+ href: ./fundamentals/reports-export-graph-available-reports.md
- name: Use the Intune Data Warehouse
- href: ./developer/reports-nav-create-intune-reports.md
- - name: Monitor
+ href: ./developer/reports-nav-create-intune-reports.md
+ - name: Monitor
items:
- name: Audit logs for Intune activities
href: ./fundamentals/monitor-audit-logs.md
- name: Review logs with Azure Monitor
href: ./fundamentals/review-logs-using-azure-monitor.md
- name: Device configuration profile status
- href: ./configuration/device-profile-monitor.md
- - name: Endpoint analytics
- href: ../analytics/
+ href: ./configuration/device-profile-monitor.md
- name: Industry guides
- items:
+ items:
- name: Education
items:
- name: What is Intune for Education
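Review bot: The `- name: Endpoint analytics` / `href: ../analytics/` entry is dropped from the Monitor section with nothing added in its place in this hunk; confirm the removal is intentional (for example, the entry now lives under another TOC node) rather than a casualty of the reindent, since this section otherwise loses its only link to analytics. Leading whitespace is also not visible in this rendering, so the reindented `- name: Monitor` and `items:` lines cannot be checked for nesting here; please verify the built TOC shows Monitor and Industry guides at the intended level, because in toc.yml indentation alone determines hierarchy.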
@@ -1812,9 +1883,9 @@ items:
- name: Configure policies
href: ./industry/education/tutorial-school-deployment/configure-device-settings.md
- name: Configure applications
- href: ./industry/education/tutorial-school-deployment/configure-device-apps.md
+ href: ./industry/education/tutorial-school-deployment/configure-device-apps.md
- name: 4. Deploy devices
- items:
+ items:
- name: Overview
href: ./industry/education/tutorial-school-deployment/enroll-overview.md
- name: Windows
@@ -1834,11 +1905,11 @@ items:
- name: Bulk enrollment with Apple Configurator
href: ./industry/education/tutorial-school-deployment/enroll-ios-apple-configurator.md
- name: 5. Manage devices
- items:
+ items:
- name: Overview
href: ./industry/education/tutorial-school-deployment/manage-overview.md
- name: Management functionalities for Surface devices
- href: ./industry/education/tutorial-school-deployment/manage-surface-devices.md
+ href: ./industry/education/tutorial-school-deployment/manage-surface-devices.md
- name: Reset and wipe devices
href: ./industry/education/tutorial-school-deployment/reset-wipe.md
- name: Avoid policy conflicts
@@ -1846,7 +1917,7 @@ items:
- name: 6. Troubleshoot and get help
href: ./industry/education/tutorial-school-deployment/troubleshoot-overview.md
- name: 7. Common Education configuration
- items:
+ items:
- name: Overview
href: ./industry/education/tutorial-school-deployment/common-config-overview.md
- name: Intune policies for Windows in Education
@@ -1891,9 +1962,9 @@ items:
- name: Windows platform guide
href: ./fundamentals/deployment-guide-platform-windows.md
- name: Android, Android Enterprise platform guide
- href: ./fundamentals/deployment-guide-platform-android.md
+ href: ./fundamentals/deployment-guide-platform-android.md
- name: iOS/iPadOS platform guide
- href: ./fundamentals/deployment-guide-platform-ios-ipados.md
+ href: ./fundamentals/deployment-guide-platform-ios-ipados.md
- name: macOS platform guide
href: ./fundamentals/deployment-guide-platform-macos.md
- name: Linux platform guide
@@ -1906,7 +1977,7 @@ items:
href: ./fundamentals/surface-management-portal.md
- name: Scenario-based guidance
- items:
+ items:
- name: Manage operating system versions
href: ./fundamentals/manage-os-versions.md
- name: Frontline worker (FLW) device management
@@ -1924,13 +1995,13 @@ items:
displayName: kiosk, multi-app, single-app
href: ../solutions/frontline-worker/frontline-worker-overview-windows.md
- name: Guided scenarios
- items:
+ items:
- name: Guided scenarios overview
- href: ./fundamentals/guided-scenarios-overview.md
- - name: Deploy Microsoft Edge for Mobile
- href: ./fundamentals/guided-scenarios-edge.md
+ href: ./fundamentals/guided-scenarios-overview.md
+ - name: Deploy Microsoft Edge for Mobile
+ href: ./fundamentals/guided-scenarios-edge.md
- name: Cloud-managed Modern Desktop
- href: ./fundamentals/guided-scenarios-cloud-managed-pc.md
+ href: ./fundamentals/guided-scenarios-cloud-managed-pc.md
- name: Secure Microsoft Office mobile apps
href: ./fundamentals/guided-scenarios-office-mobile.md
- name: Windows 10/11 in cloud configuration
@@ -1974,24 +2045,24 @@ items:
- name: App solutions
items:
- name: Purchase and add apps for Microsoft Intune
- items:
+ items:
- name: Overview
href: /microsoft-365/solutions/apps-guide-overview?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
displayName: purchase, buy, app, license
- name: Understand app types
items:
- - name: App types overview
+ - name: App types overview
href: /microsoft-365/solutions/apps-type-overview?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- - name: Understand store apps
+ - name: Understand store apps
href: /microsoft-365/solutions/apps-type-store?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- - name: Understand line-of-business apps
+ - name: Understand line-of-business apps
href: /microsoft-365/solutions/apps-type-lob?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- - name: Understand built-in apps
- href: /microsoft-365/solutions/apps-type-built-in?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
+ - name: Understand built-in apps
+ href: /microsoft-365/solutions/apps-type-built-in?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Understand web apps
href: /microsoft-365/solutions/apps-type-web?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Understand Microsoft apps
- href: /microsoft-365/solutions/apps-type-microsoft?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
+ href: /microsoft-365/solutions/apps-type-microsoft?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Understand app purchases
items:
- name: Purchase apps overview
@@ -2019,10 +2090,10 @@ items:
- name: Step 4. Add apps to Intune
href: /microsoft-365/solutions/apps-add-step-4?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Step 5. Manage apps and licenses
- href: /microsoft-365/solutions/apps-add-step-5?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
+ href: /microsoft-365/solutions/apps-add-step-5?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Configure apps using Microsoft Intune
- items:
+ items:
- name: Overview
href: /microsoft-365/solutions/apps-config-overview?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
displayName: configure, app, apps, channel
@@ -2037,23 +2108,23 @@ items:
- name: Step 5. Configure Microsoft Teams
href: /microsoft-365/solutions/apps-config-step-5?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Step 6. Configure other apps
- href: /microsoft-365/solutions/apps-config-step-6?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
+ href: /microsoft-365/solutions/apps-config-step-6?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Step 7. Verify app configuration
- href: /microsoft-365/solutions/apps-config-step-7?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
+ href: /microsoft-365/solutions/apps-config-step-7?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Secure and protect apps using Microsoft Intune
- items:
+ items:
- name: Overview
href: /microsoft-365/solutions/apps-protect-overview?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
displayName: secure, protect, app, apps, conditional, launch, framework, basic, enhanced, high
- name: Understand app data protection
href: /microsoft-365/solutions/apps-protect-data-protection?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Understand app protection access requirements
- href: /microsoft-365/solutions/apps-protect-access-requirements?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
+ href: /microsoft-365/solutions/apps-protect-access-requirements?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Understand app protection conditional launch
- href: /microsoft-365/solutions/apps-protect-conditional-launch?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
+ href: /microsoft-365/solutions/apps-protect-conditional-launch?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Understand app protection health checks
- href: /microsoft-365/solutions/apps-protect-health-checks?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
+ href: /microsoft-365/solutions/apps-protect-health-checks?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Use the app protection framework
items:
- name: App protection framework overview
@@ -2067,12 +2138,12 @@ items:
- name: Step 4. Understand app protection delivery
href: /microsoft-365/solutions/apps-protect-step-4?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Step 5. Verify and monitor app protection
- href: /microsoft-365/solutions/apps-protect-step-5?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
+ href: /microsoft-365/solutions/apps-protect-step-5?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Step 6. Use app protection actions
href: /microsoft-365/solutions/apps-protect-step-6?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Assign and deploy apps using Microsoft Intune
- items:
+ items:
- name: Overview
href: /microsoft-365/solutions/apps-assign-overview?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
displayName: assign, deploy, app, apps, monitor, troubleshoot
@@ -2083,9 +2154,9 @@ items:
- name: Understand app deployment
href: /microsoft-365/solutions/apps-assign-deployment?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Assign apps to your organization
- items:
- - name: Assign apps overview
- href: /microsoft-365/solutions/apps-assign-steps-overview?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
+ items:
+ - name: Assign apps overview
+ href: /microsoft-365/solutions/apps-assign-steps-overview?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Step 1. Confirm users, devices, or groups
href: /microsoft-365/solutions/apps-assign-step-1?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Step 2. Assign apps to users, devices, or groups
@@ -2094,12 +2165,12 @@ items:
href: /microsoft-365/solutions/apps-assign-step-3?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
- name: Step 4. Troubleshoot app deployment issues
href: /microsoft-365/solutions/apps-assign-step-4?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json
-
+
- name: Secure your corporate data using Edge for Business
- items:
+ items:
- name: Overview
href: ./apps/mamedge-overview.md
- - name: Step 1. Create Microsoft Entra conditional access
+ - name: Step 1. Create Microsoft Entra Conditional Access
href: ./apps/mamedge-1-mamca.md
- name: Step 2. Create an app protection policy
href: ./apps/mamedge-2-app.md
@@ -2121,7 +2192,7 @@ items:
- name: Intune API reference
href: /graph/api/resources/intune-graph-overview
- name: Graph APIs used to configure devices
- href: ./developer/graph-apis-used-by-intune-device-configuration-windows.md
+ href: ./developer/graph-apis-used-by-intune-device-configuration-windows.md
- name: Use PowerShell cmdlets to automate actions
href: https://github.com/Microsoft/Intune-PowerShell-SDK/
- name: Protect apps with Intune App SDK
@@ -2132,7 +2203,7 @@ items:
- name: Prepare LOB apps for app protection
href: ./developer/apps-prepare-mobile-application-management.md
- name: LOB app versioning
- href: ./developer/apps-lob-app-versioning.md
+ href: ./developer/apps-lob-app-versioning.md
- name: App Wrapping Tool for iOS
href: ./developer/app-wrapper-prepare-ios.md
- name: Intune App SDK for iOS
@@ -2176,9 +2247,9 @@ items:
href: ./developer/app-sdk-android-appendix.md
- name: Intune App SDK Xamarin Bindings
href: ./developer/app-sdk-xamarin.md
- - name: Microsoft Tunnel for MAM SDK
+ - name: Microsoft Tunnel for MAM SDK
items:
- - name: Microsoft Tunnel for MAM iOS SDK
+ - name: Microsoft Tunnel for MAM iOS SDK
href: ./developer/tunnel-mam-ios-sdk.md
- name: Microsoft Tunnel for MAM iOS Xamarin Bindings SDK
href: ./developer/mam-tunnel-ios-xamarin-bindings.md
@@ -2199,14 +2270,14 @@ items:
- name: Data Warehouse API endpoint
href: ./developer/reports-api-url.md
- name: Data Warehouse application-only authentication
- href: ./developer/data-warehouse-app-only-auth.md
+ href: ./developer/data-warehouse-app-only-auth.md
- name: Data Warehouse data model
href: ./developer/reports-ref-data-model.md
items:
- name: Data Warehouse collections
- href: ./developer/intune-data-warehouse-collections.md
+ href: ./developer/intune-data-warehouse-collections.md
- name: Data Warehouse collections (beta)
- items:
+ items:
- name: User lifetime representation in the Intune Data Warehouse
href: ./developer/reports-ref-user-timeline.md
- name: Reference for application entities
@@ -2228,9 +2299,12 @@ items:
- name: Move your Intune Data Warehouse account data
href: ./developer/data-warehouse-account-move.md
- - name: Privacy and personal data
- href: ./protect/privacy-personal-data.md
+ - name: Privacy, compliance, and personal data
items:
+ - name: Privacy and personal data
+ href: ./protect/privacy-personal-data.md
+ - name: Compliance in Intune
+ href: ./fundamentals/compliance-in-intune.md
- name: Optional diagnostic data in client apps
href: ./protect/client-apps-optional-data.md
- name: Data collection
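Review bot: The parent node loses its `href: ./protect/privacy-personal-data.md` and becomes a container-only entry named `Privacy, compliance, and personal data`, with the old page demoted to a child and a new child `Compliance in Intune` added. Two things to confirm: that `./fundamentals/compliance-in-intune.md` exists in this PR (no hunk shown here adds it, and a missing target fails the TOC build), and that the parent is meant to change from a clickable page to a non-clickable container, since that is a behavior change for readers navigating the left nav.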
@@ -2250,7 +2324,7 @@ items:
href: ./protect/data-intune-sends-to-google.md
- name: Data Intune sends to Zebra
href: ./protect/data-intune-sends-to-zebra.md
- - name: Enable Windows diagnostic data
+ - name: Enable Windows diagnostic data
href: ./protect/data-enable-windows-data.md
- name: Information shared from Jamf Pro to Intune
href: ./protect/data-jamf-sends-to-intune.md
@@ -2278,11 +2352,11 @@ items:
- name: Remote Help on macOS
href: ./fundamentals/remote-help-macos.md
- name: Remote Help Web App
- href: ./fundamentals/remote-help-webapp.md
+ href: ./fundamentals/remote-help-webapp.md
- name: Remote Help on Android
- href: ./fundamentals/remote-help-android.md
+ href: ./fundamentals/remote-help-android.md
- name: Troubleshooting Remote Help on Android
- href: ./fundamentals/remote-help-android-troubleshoot.md
+ href: ./fundamentals/remote-help-android-troubleshoot.md
- name: Remediations
items:
- name: Use Remediations
diff --git a/memdocs/intune/user-help/check-compliance-microsoft-intune-app-android.md b/memdocs/intune/user-help/check-compliance-microsoft-intune-app-android.md
index b19f384f57f..043031deb9e 100644
--- a/memdocs/intune/user-help/check-compliance-microsoft-intune-app-android.md
+++ b/memdocs/intune/user-help/check-compliance-microsoft-intune-app-android.md
@@ -7,7 +7,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 08/01/2023
+ms.date: 01/27/2025
ms.topic: end-user-help
ms.service: microsoft-intune
ms.subservice: end-user
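Review bot: This hunk only bumps `ms.date` from 08/01/2023 to 01/27/2025, and the next file (check-compliance-on-your-device-android.md) gets the same date-only change; if no content in these articles changed, the new date misrepresents when they were last revised. Either include the content edit that justifies the bump or leave `ms.date` as it was.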
diff --git a/memdocs/intune/user-help/check-compliance-on-your-device-android.md b/memdocs/intune/user-help/check-compliance-on-your-device-android.md
index 9573fed2198..30933108a6c 100644
--- a/memdocs/intune/user-help/check-compliance-on-your-device-android.md
+++ b/memdocs/intune/user-help/check-compliance-on-your-device-android.md
@@ -7,7 +7,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 07/01/2024
+ms.date: 01/27/2025
ms.topic: end-user-help
ms.service: microsoft-intune
ms.subservice: end-user
diff --git a/memdocs/intune/user-help/check-status-linux.md b/memdocs/intune/user-help/check-status-linux.md
index 3119602cb36..7a99e30eb57 100644
--- a/memdocs/intune/user-help/check-status-linux.md
+++ b/memdocs/intune/user-help/check-status-linux.md
@@ -20,7 +20,7 @@ searchScope:
ROBOTS:
#audience:
-ms.reviewer: ilwu
+ms.reviewer: arnab
ms.suite: ems
#ms.tgt_pltfrm:
ms.custom: intune-enduser
@@ -44,11 +44,11 @@ The Intune app routinely checks in with your device to verify that it complies w
There are three statuses in the Intune app:
- * **Compliant** – Your device meets your organization’s requirements. It should have access to work or school resources.
+ * **Compliant** – Your device meets your organization's requirements. It should have access to work or school resources.
* **Checking status** – Intune is checking the device settings.
- * **Not compliant** – Your device doesn't meet your organization’s requirements. It may be restricted from accessing work or school resources. Additional action is needed from you to update your settings.
+ * **Not compliant** – Your device doesn't meet your organization's requirements. It may be restricted from accessing work or school resources. Additional action is needed from you to update your settings.
## View compliance issues
@@ -65,21 +65,21 @@ The app shows you the following information:
* The action required, such as *Upgrade your operating system*.
- * The reason for noncompliance, such as *This device’s operating system is not supported*.
+ * The reason for noncompliance, such as *This device's operating system is not supported*.
* The **How to resolve this** link that, when available, points to a help article on learn.microsoft.com.
### Operating system and version
-When OS and version requirements are enforced, devices running Linux flavors or versions that aren't supported are marked as noncompliant. To resolve this issue, upgrade to or install a version that’s supported by your organization.
+When OS and version requirements are enforced, devices running Linux flavors or versions that aren't supported are marked as noncompliant. To resolve this issue, upgrade to or install a version that's supported by your organization.
-Contact your support person for more information about your organization’s OS requirements.
+Contact your support person for more information about your organization's OS requirements.
### Password complexity
-When password complexity requirements are enforced, devices with weak passwords are marked as noncompliant. To resolve this issue, update your device password so that it meets your organization’s requirements for length and quality.
+When password complexity requirements are enforced, devices with weak passwords are marked as noncompliant. To resolve this issue, update your device password so that it meets your organization's requirements for length and quality.
### Device encryption
-When encryption requirements are enforced, devices that aren’t encrypted are marked as noncompliant. To resolve this issue, encrypt the local data on your device in accordance with your organization’s encryption policies.
+When encryption requirements are enforced, devices that aren't encrypted are marked as noncompliant. To resolve this issue, encrypt the local data on your device in accordance with your organization's encryption policies.
Not all filesystem partitions need to be encrypted:
diff --git a/memdocs/intune/user-help/enroll-android-device-disa-purebred.md b/memdocs/intune/user-help/enroll-android-device-disa-purebred.md
index c6ea0db4792..e79822ebefc 100644
--- a/memdocs/intune/user-help/enroll-android-device-disa-purebred.md
+++ b/memdocs/intune/user-help/enroll-android-device-disa-purebred.md
@@ -34,14 +34,14 @@ ms.collection:
Enroll your device with the Microsoft Intune app to gain secure, mobile access to your work email, files, and apps. After your device is enrolled, it becomes *managed*, which means your organization can assign policies and apps to the device through a mobile device management (MDM) provider, such as Microsoft Intune.
-During enrollment, you'll also install a derived credential on your device. Your organization might require you to use the derived credential as an authentication method when accessing resources, or for signing and encrypting emails.
+During enrollment, you also install a derived credential on your device. Your organization might require you to use the derived credential as an authentication method when accessing resources, or for signing and encrypting emails.
You likely need to set up a derived credential if you use a smart card to:
* Sign in to school or work apps, Wi-Fi, and virtual private networks (VPN)
* Sign and encrypt school or work emails using S/MIME certificates
-In this article, you will:
+In this article, you learn how to:
* Enroll a mobile Android device with the Intune app
* Set up your smart card by installing a derived credential from your organization's derived credential provider, [DISA Purebred](https://public.cyber.mil/pki-pke/purebred/)
@@ -67,43 +67,34 @@ To complete enrollment, you must have:
* The Microsoft Intune app installed on your device
* The Purebred app installed on your device (App should automatically install shortly after device setup. If it doesn't, contact your IT support person.)
-You'll also need to contact a Purebred agent or representative during setup.
+You must also contact a Purebred agent or representative during setup.
## Enroll device
1. Turn on your new or factory-reset device.
-2. On the **Welcome** screen, select your language. If you've been instructed to enroll with a QR code or NFC, follow the step below that matches the method.
+2. On the **Welcome** screen, select your language. If you were instructed to enroll with a QR code or NFC, complete the step that matches the method:
* NFC: Tap your NFC-supported device against a programmer device to connect to your organization's network. Follow the onscreen prompts. When you reach the screen for Chrome's Terms of Service, continue to step 5.
* QR code: Complete the steps in [QR code enrollment](#qr-code-enrollment).
- If you've been instructed to use another method, continue to step 3.
+ If you were instructed to use another method, continue to step 3.
3. Connect to Wi-Fi and tap **NEXT**. Follow the step that matches your enrollment method.
* Token: When you get to the Google sign-in screen, complete the steps in [Token enrollment](#token-enrollment).
- * Google Zero Touch: After you connect to Wi-Fi, your device will be recognized by your organization. Continue to step 4 and follow the onscreen prompts until setup is complete.
-
- ![Example image of Google terms screen that you see if you're using Google Zero Touch, highlighting Accept & Continue button.](./media/enroll-android-device-disa-purebred/google-zero-touch-intune-app-01.png)
+ * Google Zero Touch: After you connect to Wi-Fi, your organization can recognize your device. Continue to step 4 and follow the onscreen prompts until setup is complete.
4. Review Google's terms. Then tap **ACCEPT & CONTINUE**.
- ![Example image of Google terms screen, highlighting Accept & Continue button.](./media/enroll-android-device-disa-purebred/fully-managed-intune-app-04.png)
-
-5. Review Chrome's Terms of Service. Then tap **ACCEPT & CONTINUE**.
-
- ![Example image of Chrome Terms of Service screen, highlighting Accept & Continue button.](./media/enroll-android-device-disa-purebred/fully-managed-intune-app-06.png)
+5. Review Chrome's Terms of Service. Then tap **ACCEPT & CONTINUE**.
6. On the sign-in screen, tap **Sign-in options** and then **Sign in from another device**.
7. Write down the onscreen code.
-8. Switch to your smart card-enabled device and go to the web address that's shown on your screen.
+8. Switch to your smart card-enabled device and go to the web address that appears on your screen.
-9. Enter the code you previously wrote down.
-
- > [!div class="mx-imgBorder"]
- > ![Screenshot of the Company Portal website "Enter code" prompt.](./media/enroll-android-device-disa-purebred/enter-code-intercede.png)
+9. Enter the code you previously wrote down.
10. Insert your smart card to sign in.
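Review bot: In the Google Zero Touch bullet, rewriting "your device will be recognized by your organization" as "your organization can recognize your device" turns a statement of what happens into a mere possibility; "your organization recognizes your device" keeps the meaning while still avoiding the future tense. Separately, this hunk removes four image references (google-zero-touch-intune-app-01.png, fully-managed-intune-app-04.png, fully-managed-intune-app-06.png, enter-code-intercede.png) but nothing in the diff deletes the files under ./media/enroll-android-device-disa-purebred/; remove the orphaned media or confirm they are still referenced elsewhere.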
@@ -111,112 +102,96 @@ You'll also need to contact a Purebred agent or representative during setup.
12. Depending on your organization's requirements, you might be prompted to update settings, such as screen lock or encryption. If you see these prompts, tap **SET** and follow the onscreen instructions.
- ![Example image of Set up your work phone screen, highlighting Set button.](./media/enroll-android-device-disa-purebred/fully-managed-intune-app-10.png)
-
13. To install work apps on your device, tap **INSTALL**. After installation is complete, tap **NEXT**.
-
- ![Example image of Set up your work phone screen, highlighting Install button.](./media/enroll-android-device-disa-purebred/fully-managed-intune-app-11.png)
-
14. Tap **START** to open the Microsoft Intune app.
- ![Example image of Set up your work phone screen, highlighting Start button.](./media/enroll-android-device-disa-purebred/fully-managed-intune-app-17.png)
-
15. Return to the Intune app on your mobile device and follow the onscreen instructions until enrollment is done.
- ![Example image of Set up access, register your device screen, highlighting Done button.](./media/enroll-android-device-disa-purebred/fully-managed-intune-app-19.png)
-
16. Continue to the [set up your smart card](enroll-android-device-disa-purebred.md#set-up-smart-card) section in this article to finish setting up your device.
### QR code enrollment
-In this section, you'll scan your company-provided QR code. When you're done, we'll redirect you back to the device enrollment steps.
+In this section, you scan your company-provided QR code. When you're done, we'll redirect you back to the device enrollment steps.
1. On the **Welcome** screen, tap the screen five times to start QR code setup.
-
- ![Example image of device setup Welcome screen, highlighting instructions to tap screen.](./media/enroll-android-device-disa-purebred/qr-code-intune-app-01.png)
-
2. Follow any onscreen instructions to connect to Wi-Fi.
-3. If your device doesn't have a QR code scanner, the setup screens will show the progress as a scanner is installed. Wait for installation to complete.
-4. When prompted, scan the enrollment profile QR code that your organization gave you.
-5. Return to [Enroll device](#enroll-device), step 4 to continue setup.
+3. If your device doesn't have a QR code scanner, the setup screens show the installation progress as a scanner installs. Wait for installation to complete.
+4. Scan the enrollment profile QR code that your organization gave you.
+5. Return to [Enroll device](#enroll-device) > step 4 to continue setup.
### Token enrollment
-In this section, you'll enter your company-provided token. When you're done, we'll redirect you back to the device enrollment steps.
-
-1. On the Google sign-in screen, in the **Email or phone** box, type **afw#setup**. Tap **Next**.
+In this section, you enter your company-provided token. When you're done, we'll redirect you back to the device enrollment steps.
- ![Example image of Google sign-in screen, showing that "afw#setup" is typed into field.](./media/enroll-android-device-disa-purebred/token-intune-app-01.png)
+1. On the Google sign-in screen, in the **Email or phone** box, type **afw#setup**. Tap **Next**.
-2. Choose **Install** for the **Android Device Policy** app. Continue through the installation. Depending on your device, you might need to review and accept additional terms.
+2. Choose **Install** for the **Android Device Policy** app. Continue through the installation. Depending on your device, you might need to review and accept other terms.
3. On the **Enroll this device** screen, select **Next**.
4. Select **Enter code**.
-5. On the **Scan or enter code** screen, type in the code that your organization gave you. Then click **Next**.
-
- ![Example image of Scan or enter code screen, highlighting Next button.](./media/enroll-android-device-disa-purebred/token-intune-app-04.png)
+5. On the **Scan or enter code** screen, type in the code that your organization gave you. Then click **Next**.
-6. Return to [Enroll device](#enroll-device), step 4 to continue setup.
+6. Return to [Enroll device](#enroll-device) > step 4 to continue setup.
## Set up smart card
> [!NOTE]
-> The Purebred app is required to complete these steps and will automatically install on your device after enrollment. If you still don't have the app after waiting a short while, contact your IT support person.
+> The Purebred app is required to complete these steps and automatically installs on your device after enrollment. If you still don't have the app after waiting a short while, contact your IT support person.
-1. After enrollment is complete, the Intune app will notify you to set up your smart card. Tap the notification. If you don't get a notification, check your email.
+1. After enrollment is complete, the Intune app prompts you to set up your smart card via a notification. Tap the notification. If you don't get a notification, check your email.
> [!div class="mx-imgBorder"]
> ![Screenshot of the Intune app push notification on device home screen.](./media/enroll-android-device-disa-purebred/action-required-in-app-android.png)
2. On the **Set up smart card** screen:
- 1. Tap the link to your organization's setup instructions and review them. If your organization doesn't provide additional instructions, you'll be sent to this article.
+ 1. Tap the link to your organization's setup instructions and review them. If your organization doesn't provide other instructions, you're sent to this article.
2. Tap **BEGIN**.
> [!div class="mx-imgBorder"]
> ![Screenshot of the Intune app, Set up smart card screen.](./media/enroll-android-device-disa-purebred/smart-card-open-disa-purebred-android.png)
-3. On the **Get certificates** screen, tap **LAUNCH PUREBRED** to open the Purebred app. (The app should have been installed automatically on your device. If you don't have it, contact your support person.)
+3. On the **Get certificates** screen, tap **LAUNCH PUREBRED** to open the Purebred app. (The app should be on your device already, because it installs automatically. If you don't have it, contact your support person.)
> [!div class="mx-imgBorder"]
> ![Screenshot of the Intune app prompt to open DISA Purebred app.](./media/enroll-android-device-disa-purebred/open-app-prompt-disa-purbred-android.png)
-4. The Purebred app might need additional permissions from you in order to run properly. Tap **Allow** or **Allow all the time** when prompted. For more information about why these permissions are required, speak with your support person or Purebred agent.
+4. The Purebred app might need other permissions from you in order to run properly. Tap **Allow** or **Allow all the time** when prompted. For more information about why these permissions are required, speak with your support person or Purebred agent.
5. Once you're in the Purebred app, work with your organization's Purebred agent to download and install the certificates you need to access work or school resources.
> [!IMPORTANT]
> During this process, tap **OK** or **Install** when prompted. Don't change the names of any certificate authorities (CAs) or certificates that you're prompted to install.
-6. After installation is complete, you'll receive a notification that your certificates are ready. Tap the notification to return to the Intune app.
+6. After installation is complete, you receive a notification that your certificates are ready. Tap the notification to return to the Intune app.
> [!div class="mx-imgBorder"]
- > ![Screenshot of the "Allow access to certificates" screen](./media/enroll-android-device-disa-purebred/certificates-ready-prompt-disa-purbred-android.png)
+ > ![Screenshot of the Allow access to certificates screen](./media/enroll-android-device-disa-purebred/certificates-ready-prompt-disa-purbred-android.png)
-7. From the **Allow access to certificates** screen, you'll give the Intune app permission to access the derived credential you got from DISA Purebred. This step ensures that your organization can verify your identity whenever you access protected work or school resources.
+7. From the **Allow access to certificates** screen, give the Intune app permission to access the derived credential you got from DISA Purebred. This step ensures that your organization can verify your identity whenever you access protected work or school resources.
1. Tap **NEXT**.
> [!div class="mx-imgBorder"]
- > ![Screenshot of the "Certificates are ready" prompt](./media/enroll-android-device-disa-purebred/certificates-access-disa-purbred-android.png)
+ > ![Screenshot of the Certificates are ready prompt](./media/enroll-android-device-disa-purebred/certificates-access-disa-purbred-android.png)
2. When you're prompted to **Choose certificate**, don't change the selection. The correct certificate is already selected, so just tap **Select** or **OK**.
> [!div class="mx-imgBorder"]
- > ![Screenshot of the "Choose certificate" prompt](./media/enroll-android-device-disa-purebred/choose-certificates-prompt-disa-purbred-android.png)
+ > ![Screenshot of the Choose certificate prompt](./media/enroll-android-device-disa-purebred/choose-certificates-prompt-disa-purbred-android.png)
3. Your derived credential is made up of multiple certificates, so you might see the **Choose certificate** prompt multiple times. Repeat the previous step until no more prompts appear.
-8. Once all of the certificates are processed, wait for the Intune app to finish setting up your device. You'll know setup is complete when you see the **You're all set!** screen.
+8. Once all of the certificates are processed, wait for the Intune app to finish setting up your device. You know setup is complete when you see the **You're all set!** screen.
> [!div class="mx-imgBorder"]
- > ![Screenshot of the "You're all set" screen](./media/enroll-android-device-disa-purebred/all-set-android.png)
+ > ![Screenshot of the You're all set screen](./media/enroll-android-device-disa-purebred/all-set-android.png)
## Next steps
-After enrollment is complete, you'll have access to work resources, such as email, Wi-Fi, and any apps that your organization makes available. For more information about how to get, search for, install, and uninstall apps in the Intune app see:
+After enrollment is complete, you have access to work resources, such as email, Wi-Fi, and any apps that your organization makes available. For more information about how to get, search for, install, and uninstall apps in the Intune app see:
* [Use managed apps on your device](use-managed-apps-on-your-device-android.md)
* [Manage apps from the Company Portal website](manage-apps-cpweb.md)
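Review bot: The screenshot captions in steps 6 and 7 appear swapped relative to their file names and steps: the image under step 6 (`certificates-ready-prompt-disa-purbred-android.png`, the "certificates are ready" notification step) is captioned "Screenshot of the Allow access to certificates screen", while the image under step 7 (`certificates-access-disa-purbred-android.png`, the **Allow access to certificates** step) is captioned "Screenshot of the Certificates are ready prompt". Since this change already touches both alt lines to drop the quotation marks, swap the captions so each matches its step and file name.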
diff --git a/memdocs/intune/user-help/enroll-android-device-entrust-datacard.md b/memdocs/intune/user-help/enroll-android-device-entrust-datacard.md
index 69d12312246..6a4b23a8fa6 100644
--- a/memdocs/intune/user-help/enroll-android-device-entrust-datacard.md
+++ b/memdocs/intune/user-help/enroll-android-device-entrust-datacard.md
@@ -34,7 +34,7 @@ ms.collection:
Enroll your device with the Microsoft Intune app to gain secure, mobile access to your work or school mail, files, and apps. After your device is enrolled, it becomes *managed*, meaning your organization can assign policies and apps to the device through a mobile device management (MDM) provider, such as Microsoft Intune.
-During enrollment, you'll also install a derived credential on your device. Your organization might require you to use the derived credential as an authentication method when accessing resources, or for signing and encrypting emails.
+During enrollment, you also install a derived credential on your device. Your organization might require you to use the derived credential as an authentication method when accessing resources, or for signing and encrypting emails.
You likely need to set up a derived credential if you use a smart card to:
@@ -48,7 +48,7 @@ In this article, you will:
## What are derived credentials?
-A derived credential is a certificate that's derived from your smart card credentials and installed on your device. It grants you remote access to work resources, while preventing unauthorized users from accessing sensitive information.
+A derived credential is a certificate derived from your smart card credentials and installed on your device. It grants you remote access to work resources, while preventing unauthorized users from accessing sensitive information.
Derived credentials are used to:
@@ -69,107 +69,83 @@ Derived credentials are an implementation of the National Institute of Standards
## Enroll device
1. Turn on your new or factory-reset device.
-2. On the **Welcome** screen, select your language. If you've been instructed to enroll with a QR code or NFC, follow the step below that matches the method.
+2. On the **Welcome** screen, select your language. If your organizations instructed you to enroll with a QR code or near-field communication (NFC), follow the step that matches the method.
* NFC: Tap your NFC-supported device against a programmer device to connect to your organization's network. Follow the onscreen prompts. When you reach the screen for Chrome's Terms of Service, continue to step 5.
* QR code: Complete the steps in [QR code enrollment](#qr-code-enrollment).
- If you've been instructed to use another method, continue to step 3.
+ If your organization instructed you to use another method, continue to step 3.
3. Connect to Wi-Fi and tap **NEXT**. Follow the step that matches your enrollment method.
* Token: When you get to the Google sign-in screen, complete the steps in [Token enrollment](#token-enrollment).
- * Google Zero Touch: After you connect to Wi-Fi, your device will be recognized by your organization. Continue to step 4 and follow the onscreen prompts until setup is complete.
-
- ![Example image of Google terms screen that you see if you're using Google Zero Touch, highlighting Accept & Continue button.](./media/enroll-android-device-disa-purebred/google-zero-touch-intune-app-01.png)
-
+ * Google Zero Touch: After you connect to Wi-Fi, your organization can recognize your device. Continue to step 4 and follow the onscreen prompts until setup is complete.
+
4. Review Google's terms. Then tap **ACCEPT & CONTINUE**.
- ![Example image of Google terms screen, highlighting Accept & Continue button.](./media/enroll-android-device-disa-purebred/fully-managed-intune-app-04.png)
-
5. Review Chrome's Terms of Service. Then tap **ACCEPT & CONTINUE**.
- ![Example image of Chrome Terms of Service screen, highlighting Accept & Continue button.](./media/enroll-android-device-disa-purebred/fully-managed-intune-app-06.png)
-
6. On the sign-in screen, tap **Sign-in options** and then **Sign in from another device**.
7. Write down the onscreen code.
-8. Switch to your smart card-enabled device and go to the web address that's shown on your screen.
-
-9. Enter the code you previously wrote down.
+8. Switch to your smart card-enabled device and go to the web address shown on your screen.
- > [!div class="mx-imgBorder"]
- > ![Screenshot of the Company Portal website "Enter code" prompt.](./media/enroll-android-device-disa-purebred/enter-code-intercede.png)
+9. Enter the code you previously wrote down.
10. Insert your smart card to sign in.
11. On the sign-in screen, select your work or school account. Then switch back to your mobile device.
-12. Depending on your organization's requirements, you might be prompted to update settings, such as screen lock or encryption. If you see these prompts, tap **SET** and follow the onscreen instructions.
-
- ![Example image of Set up your work phone screen, highlighting Set button.](./media/enroll-android-device-disa-purebred/fully-managed-intune-app-10.png)
-
-13. To install work apps on your device, tap **INSTALL**. After installation is complete, tap **NEXT**.
+12. Depending on your organization's requirements, you might be prompted to update settings, such as screen lock or encryption. If you see these prompts, tap **SET** and follow the onscreen instructions.
- ![Example image of Set up your work phone screen, highlighting Install button.](./media/enroll-android-device-disa-purebred/fully-managed-intune-app-11.png)
+13. To install work apps on your device, tap **INSTALL**. After installation is complete, tap **NEXT**.
14. Tap **START** to open the Microsoft Intune app.
- ![Example image of Set up your work phone screen, highlighting Start button.](./media/enroll-android-device-disa-purebred/fully-managed-intune-app-17.png)
-
-15. Return to the Intune app on your mobile device and follow the onscreen instructions until enrollment is done.
-
- ![Example image of Set up access, register your device screen, highlighting Done button.](./media/enroll-android-device-disa-purebred/fully-managed-intune-app-19.png)
+15. Return to the Intune app on your mobile device and follow the onscreen instructions until enrollment is done.
16. Continue to the [set up your smart card](enroll-android-device-entrust-datacard.md#set-up-smart-card) section in this article to finish setting up your device.
### QR code enrollment
-In this section, you'll scan your company-provided QR code. When you're done, we'll redirect you back to the device enrollment steps.
+In this section, you scan your company-provided QR code. When you're done, we'll redirect you back to the device enrollment steps.
1. On the **Welcome** screen, tap the screen five times to start QR code setup.
-
- ![Example image of device setup Welcome screen, highlighting instructions to tap screen.](./media/enroll-android-device-disa-purebred/qr-code-intune-app-01.png)
-
2. Follow any onscreen instructions to connect to Wi-Fi.
-3. If your device doesn't have a QR code scanner, the setup screens will show the progress as a scanner is installed. Wait for installation to complete.
+3. If your device doesn't have a QR code scanner, a scanner automatically installs. Wait for installation to complete.
4. When prompted, scan the enrollment profile QR code that your organization gave you.
-5. Return to [Enroll device](#enroll-device), step 4 to continue setup.
+5. Return to [Step 4: Enroll device](#enroll-device) to continue setup.
### Token enrollment
-In this section, you'll enter your company-provided token. When you're done, we'll redirect you back to the device enrollment steps.
-
-1. On the Google sign-in screen, in the **Email or phone** box, type **afw#setup**. Then tap **Next**.
-
- ![Example image of Google sign-in screen, showing that "afw#setup" is typed into field.](./media/enroll-android-device-disa-purebred/token-intune-app-01.png)
+In this section, you enter your company-provided token. When you're done, we'll redirect you back to the device enrollment steps.
-2. Choose **Install** for the **Android Device Policy** app. Continue through the installation. Depending on your device, you might need to review and accept additional terms.
+1. On the Google sign-in screen, in the **Email or phone** box, type **afw#setup**. Then tap **Next**.
-3. On the **Enroll this device** screen, select **Next**.
+2. Choose **Install** for the **Android Device Policy** app. Continue through the installation. Depending on your device, you might need to review and accept other terms.
-4. Select **Enter code**.
+3. On the **Enroll this device** screen, tap **Next**.
-5. On the **Scan or enter code** screen, type in the code that your organization gave you. Then click **Next**.
+4. Tap **Enter code**.
- ![Example image of Scan or enter code screen, highlighting Next button.](./media/enroll-android-device-disa-purebred/token-intune-app-04.png)
+5. On the **Scan or enter code** screen, enter the code that your organization gave you. Then tap **Next**.
-6. Return to [Enroll device](#enroll-device), step 4 to continue setup.
+6. Return to [Step 4: Enroll device](#enroll-device) to continue setup.
## Set up smart card
-1. After enrollment is complete, the Intune app will notify you to set up your smart card. Tap the notification. If you don't get a notification, check your email.
+1. After enrollment is complete, the Intune app prompts you to set up your smart card via notification. Tap the notification. If you don't get a notification, check your email.
> [!div class="mx-imgBorder"]
- > ![Example screenshot of the Company Portal push notification on device home screen.](./media/enroll-android-device-disa-purebred/action-required-in-app-android.png)
+ > ![Screenshot of the Intune app push notification on device home screen.](./media/enroll-android-device-disa-purebred/action-required-in-app-android.png)
2. On the **Set up smart card** screen:
- 1. Tap the link to your organization's setup instructions. If your organization doesn't provide additional instructions, you'll be sent to this article.
+ 1. Tap the link to your organization's instructions. If your organization doesn't provide more instruction, you are sent to this article.
2. Tap **BEGIN**.
> [!div class="mx-imgBorder"]
- > ![Example screenshot of the Company Portal Set up mobile smart card access screen.](./media/enroll-android-device-entrust-datacard/smart-card-open-entrust-android.png)
+ > ![Screenshot of the Intune app Set up mobile smart card access screen.](./media/enroll-android-device-entrust-datacard/smart-card-open-entrust-android.png)
3. Switch to your smart card-enabled device and open IdentityGuard.
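Review bot: Typo in the rewritten step 2: "If your organizations instructed you" should read "If your organization instructed you", matching the singular used in the "If your organization instructed you to use another method" line a few lines later. Two smaller points in the same hunk: the new link text "Step 4: Enroll device" in the QR code and token sections targets the `#enroll-device` section heading rather than step 4, so readers land at the top of the procedure; the removed form "Return to [Enroll device](#enroll-device), step 4" (or an explicit anchor on step 4) is clearer. And "we'll redirect you back" in both section intros, plus "you are sent to this article" in the smart card section, are inconsistent with the future-tense-to-present cleanup applied throughout this change ("we redirect you", "you're sent").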
@@ -179,46 +155,46 @@ In this section, you'll enter your company-provided token. When you're done, we'
6. Enter your smart card PIN.
-7. You'll be asked to choose from a list of actions. Select the one that lets you enroll for a derived mobile smart credential. The link or button might say **I'd like to enroll for a derived mobile smart card credential.**
+7. Choose from the list of actions. Select the one that lets you enroll for a derived mobile smart credential. The link or button might say **I'd like to enroll for a derived mobile smart card credential.**
-8. Select that you've successfully downloaded and installed the smart credential-enabled application. Then continue to the next screen.
+8. Select the option that says you successfully downloaded and installed the smart credential-enabled application. Then continue to the next screen.
9. Enter information about your derived smart card credential:
1. For the identity name, enter any name, such as *Entrust Derived Cred*.
2. In the dropdown menu, select **Entrust IdentityGuard Mobile Smart Credential**.
- 3. Continue to the next screen. You'll see a QR code with a numerical password under it.
+ 3. Continue to the next screen. The screen shows a QR code with a numerical password under it.
10. Return to your Android device. On the Intune app > **Get QR code** screen, tap **NEXT**.
> [!div class="mx-imgBorder"]
- > ![Example screenshot of the Company Portal Get QR code screen.](./media/enroll-android-device-entrust-datacard/get-qr-code-entrust-android.png)
+ > ![Screenshot of the Intune app Get QR code screen.](./media/enroll-android-device-entrust-datacard/get-qr-code-entrust-android.png)
11. If you're prompted to allow the Intune app to use your camera, tap **Allow**.
-12. Scan the image of the QR code that's on your smart card-enabled device.
+12. Scan the image of the QR code shown on your smart card-enabled device.
13. On the **Password required** screen, enter the password that appears under the QR code.
> [!div class="mx-imgBorder"]
- > ![Example screenshot of the Company Portal "Password required" screen.](./media/enroll-android-device-entrust-datacard/password-required-entrust-android.png)
+ > ![Screenshot of the Intune app Password required screen.](./media/enroll-android-device-entrust-datacard/password-required-entrust-android.png)
-14. The Intune app will start downloading and installing the certificates needed to access work or school resources. Depending on your internet connection, this process might take some time. Don't close the app during this time.
+14. The Intune app starts downloading and installing the certificates needed to access work or school resources. Depending on your internet connection, this process could take some time. Don't close the app during this time.
> [!div class="mx-imgBorder"]
- > ![Example screenshot of the Company Portal "Downloading and installing certificates" screen](./media/enroll-android-device-entrust-datacard/install-certificates-entrust-android.png)
+ > ![Screenshot of the Intune app Downloading and installing certificates screen.](./media/enroll-android-device-entrust-datacard/install-certificates-entrust-android.png)
-15. Once all of the certificates are processed, wait for the Intune app to finish setting up your device. You'll know setup is complete when you see the **You're all set!** screen.
+15. Once all of the certificates are processed, wait for the Intune app to finish setting up your device. Setup is complete when you see the **You're all set!** screen.
> [!div class="mx-imgBorder"]
- > ![Example screenshot of the "You're all set" screen](./media/enroll-android-device-disa-purebred/all-set-android.png)
+ > ![Screenshot of the Intune app You're all set screen.](./media/enroll-android-device-disa-purebred/all-set-android.png)
## Next steps
-After enrollment is complete, you'll have access to work resources, such as email, Wi-Fi, and any apps that your organization makes available. For more information about how to get, search for, install, and uninstall apps in the Intune app see:
+After enrollment is complete, you have access to work resources, such as email, Wi-Fi, and any apps that your organization makes available. For more information about how to get, search for, install, and uninstall apps in the Intune app see:
* [Use managed apps on your device](use-managed-apps-on-your-device-android.md)
* [Manage apps from the Company Portal website](manage-apps-cpweb.md)
-Still need help? Contact your company support. For contact information, check the [Company Portal website](https://go.microsoft.com/fwlink/?linkid=2010980).
\ No newline at end of file
+Still need help? Contact your company support. For contact information, check the [ website](https://go.microsoft.com/fwlink/?linkid=2010980).
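Review bot: The last added line drops the link text: `check the [ website](https://go.microsoft.com/fwlink/?linkid=2010980)` renders as " website" with a stray leading space. Restore `[Company Portal website](https://go.microsoft.com/fwlink/?linkid=2010980)` as it appears in the removed line; the rest of the edit (adding the missing trailing newline flagged by `\ No newline at end of file`) is fine.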
diff --git a/memdocs/intune/user-help/enroll-device-android-company-portal.md b/memdocs/intune/user-help/enroll-device-android-company-portal.md
index 031f4f6ad7f..929d93a2c50 100644
--- a/memdocs/intune/user-help/enroll-device-android-company-portal.md
+++ b/memdocs/intune/user-help/enroll-device-android-company-portal.md
@@ -7,7 +7,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 10/21/2024
+ms.date: 11/13/2024
ms.topic: end-user-help
ms.service: microsoft-intune
ms.subservice: end-user
@@ -29,9 +29,7 @@ ms.collection:
---
# Enroll your device with Company Portal
-Enroll your personal or corporate-owned Android device with Intune Company Portal to get secure access to company email, apps, and data.
-
-
+Enroll your personal or corporate-owned Android device with Intune Company Portal to get secure access to company email, apps, and data.
## Prerequisites
The Intune Company Portal app supports devices running Android 8.0 and later, including devices secured by Samsung Knox Standard 2.4 and later. To learn how to update your Android device to meet requirements, see [Check & update your Android version](https://support.google.com/android/answer/7680439).
@@ -39,7 +37,7 @@ The Intune Company Portal app supports devices running Android 8.0 and later, in
> [!VIDEO https://www.youtube.com/embed/k0Q_sGLSx6o]
> [!NOTE]
-> Samsung Knox is a type of security that certain Samsung devices use for additional protection outside of what native Android provides. To check if you have a Samsung Knox device, go to **Settings** > **About device**. If you don't see **Knox version** listed there, you have a native Android device.
+> Samsung Knox is a type of security that certain Samsung devices use for additional protection outside of what native Android provides. To check if you have a Samsung Knox device, go to **Settings** > **About device**. If you don't see the **Knox version** listed there, you have a native Android device.
## Install Company Portal app
Install the Intune Company Portal app [from Google Play](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal). See [Install Company Portal app in People's Republic of China](install-company-portal-android-china.md) for a list of stores that offer the app in People's Republic of China.
@@ -48,34 +46,33 @@ Install the Intune Company Portal app [from Google Play](https://play.google.com
2. Search for and install **Intune Company Portal**.
- ![android-search-company-portal](./media/enroll-device-android-company-portal/android-search-company-portal-2101.png)
-
3. When prompted about app permissions, tap **ACCEPT**.
## Enroll device
During enrollment, you might be asked to choose a category that best describes how you use your device. Company Portal uses your answer to check for work and school apps relevant to you.
-1. Open the Company Portal app and sign in with your work or school account. If prompted to, review notification permissions for Company Portal. You can adjust notification permissions anytime in the Settings app.
+1. Open the Company Portal app and sign in with your work or school account. Review notification permissions for Company Portal as they pop up. You can adjust notification permissions anytime in the Settings app.
2. If you're prompted to accept your organization's terms and conditions, tap **ACCEPT ALL**.
- ![Example image of the Company Portal, Terms screen, highlighting "Accept all" button.](./media/enroll-device-android-company-portal/accept-terms-1911.png)
+ ![Screenshot of the Company Portal, Terms screen, highlighting "Accept all" button.](./media/enroll-device-android-company-portal/accept-terms-1911.png)
3. Review what your organization can and can't see. Then tap **CONTINUE**.
- ![Example image of Company Portal, We care about your privacy screen, highlighting the Continue button.](./media/enroll-device-android-company-portal/android-privacy-screen-1911.png)
+ ![Screenshot of Company Portal, We care about your privacy screen, highlighting the Continue button.](./media/enroll-device-android-company-portal/android-privacy-screen-1911.png)
+
4. Review what to expect in the upcoming steps. Then tap **NEXT**.
- ![Example image of Company Portal, What's next screen, highlighting the Next button.](./media/enroll-device-android-company-portal/android-whats-next-1911.png)
+ ![Screenshot of Company Portal, What's next screen, highlighting the Next button.](./media/enroll-device-android-company-portal/android-whats-next-1911.png)
-5. Depending on your version of Android, you might be prompted to allow access to certain parts of your device. These prompts are required by Google and not controlled by Microsoft.
+5. Depending on your version of Android, you might be prompted to allow access to certain parts of your device. These prompts are a Google requirement and not controlled by Microsoft.
Tap **Allow** for the following permissions:
- * **Allow Company Portal to make and manage phone calls**: This permission enables your device to share its international mobile station equipment identity (IMEI) number with Intune, your organization's device management provider. It's safe to allow this permission. Microsoft will never make or manage phone calls.
- * **Allow Company Portal to access your contacts**: This permission lets the Company Portal app create, use, and manage your work account. It's safe to allow this permission. Microsoft will never access your contacts.
+ * **Allow Company Portal to make and manage phone calls**: This permission enables your device to share its international mobile station equipment identity (IMEI) number with Intune, your organization's device management provider. It's safe to allow this permission. Microsoft never makes or manages phone calls.
+ * **Allow Company Portal to access your contacts**: This permission lets the Company Portal app create, use, and manage your work account. It's safe to allow this permission. Microsoft never accesses your contacts.
If you deny permission, you'll be prompted again the next time you sign in to Company Portal. To turn off these messages, select **Never ask again**. To manage app permissions, go to the Settings app > **Apps** > **Company Portal** > **Permissions** > **Phone**.
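Review bot: Step 1's rewrite "Review notification permissions for Company Portal as they pop up" loses the conditional and reads informally; the removed wording "If prompted, review notification permissions for Company Portal" is more precise and matches the "If you're prompted" phrasing in step 2. Separately, the unchanged follow-up line still says "you'll be prompted again" while this hunk rewrites the neighbouring "will never" sentences to present tense, and it directs users only to **Permissions** > **Phone** even though two permissions (Phone and Contacts) are requested in the bullets above; consider naming both.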
@@ -83,31 +80,29 @@ During enrollment, you might be asked to choose a category that best describes h
Company Portal needs device administrator permissions to securely manage your device. Activating the app lets your organization identify possible security issues, such as repeated failed attempts to unlock your device, and respond appropriately.
- ![Example image of the Activate device administrator screen, highlighting the activate button.](./media/enroll-device-android-company-portal/activate-device-administrator-1911.png)
+ ![Screenshot of the Activate device administrator screen, highlighting the activate button.](./media/enroll-device-android-company-portal/activate-device-administrator-1911.png)
> [!NOTE]
> Microsoft does not control the messaging on this screen. We understand that its phrasing can seem somewhat drastic. Company Portal can't specify which restrictions and access are relevant to your organization. If you have questions about how your organization uses the app, contact your IT support person. Go to the [Company Portal website](https://go.microsoft.com/fwlink/?linkid=2010980) to find your organization's contact information.
-7. Your device begins enrolling. If you're using a Samsung Knox device, you'll be prompted to review and acknowledge the ELM Agent privacy policy first.
-
- ![Example image of the Samsung Knox privacy policy screen that appears during enrollment.](./media/enroll-device-android-company-portal/and-enroll-7-knox-privacy-policy.png)
+7. Your device begins enrolling. Review and acknowledge the ELM Agent privacy policy if Company Portal prompts for it.
8. On the **Company Access Setup** screen, check that your device is enrolled. Then tap **CONTINUE**.
- ![Example image of Company Portal, Company Access Setup screen, showing Get your device managed is complete.](./media/enroll-device-android-company-portal/update-settings-1911.png)
+ ![Screenshot of Company Portal, Company Access Setup screen, showing Get your device managed is complete.](./media/enroll-device-android-company-portal/update-settings-1911.png)
9. Your organization might require you to update your device settings. Tap **RESOLVE** to adjust a setting. When you're done updating settings, tap **CONTINUE**.
- ![Example image of Company Portal, Update device settings, highlighting Resolve and Continue buttons.](./media/enroll-device-android-company-portal/resolve-settings-1911.png)
+ ![Screenshot of Company Portal, Update device settings, highlighting Resolve and Continue buttons.](./media/enroll-device-android-company-portal/resolve-settings-1911.png)
10. When setup is complete, tap **DONE**.
- ![Example image of Company Portal, Company Access Setup screen, showing completed setup and highlighting Done button.](./media/enroll-device-android-company-portal/android-enrollment-done-1911.png)
+ ![Screenshot of Company Portal, Company Access Setup screen, showing completed setup and highlighting Done button.](./media/enroll-device-android-company-portal/android-enrollment-done-1911.png)
## Next steps
-Before you try to install a school or work app, modify device settings to allow app installations from unknown sources. If you don't make this change on your device, apps installations will be blocked. Open the **Settings** app on your device. Then go to **Security and privacy** > **Install unknown apps**.
+Before you try to install a school or work app, modify device settings to allow app installations from unknown sources. If you don't make this change on your device, Company Portal blocks app installations. Open the **Settings** app on your device. Then go to **Security and privacy** > **Install unknown apps**.
If you get an error while you try to enroll your device in Intune, you can [email your company support](send-logs-to-your-it-admin-by-email-android.md).
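Review bot: The Next steps rewrite misattributes the block: "If you don't make this change on your device, Company Portal blocks app installations" is inaccurate, because it is the Android **Install unknown apps** setting the sentence itself points to (in the Settings app under **Security and privacy**), not Company Portal, that refuses the install; the removed passive "app installations will be blocked" was correct. Suggest "Android blocks the installation", and since Install unknown apps is granted per app on the Android 8.0 and later versions this page supports, say explicitly to allow it for Company Portal only rather than for every app, so the device is not left accepting sideloaded packages from any source. Also, step 7's rewrite drops the Samsung Knox qualifier: the ELM Agent privacy policy prompt is specific to Knox devices, as the removed line (and the Knox note in Prerequisites) state; keep "If you're using a Samsung Knox device" so users on other devices don't wait for a prompt that never appears.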
diff --git a/memdocs/intune/user-help/enroll-device-android-microsoft-intune-app.md b/memdocs/intune/user-help/enroll-device-android-microsoft-intune-app.md
index 4450ed089c9..96816b190d8 100644
--- a/memdocs/intune/user-help/enroll-device-android-microsoft-intune-app.md
+++ b/memdocs/intune/user-help/enroll-device-android-microsoft-intune-app.md
@@ -62,9 +62,7 @@ Complete these steps to set up and enroll your device.
1. Review the terms from Google. Then tap **ACCEPT & CONTINUE**.
-1. Review Chrome's Terms of Service. Then tap **ACCEPT & CONTINUE**.
-
- ![Example image of Chrome Terms of Service screen, highlighting Accept & Continue button.](./media/enroll-android-device-disa-purebred/fully-managed-intune-app-06.png)
+1. Review Chrome's Terms of Service. Then tap **ACCEPT & CONTINUE**.
1. On the sign in screens, sign in with your work or school account.
@@ -81,8 +79,6 @@ Complete these steps to set up and enroll your device.
1. When you see the message that your device is ready, tap **DONE**.
- ![Example image of Set up your work phone screen, highlighting Done button.](./media/enroll-device-android-microsoft-intune-app/fully-managed-intune-app-18.png)
-
If you have trouble accessing your organization's resources, you might need to update other settings on your device. Sign in to the Microsoft Intune app to check for required updates.
diff --git a/memdocs/intune/user-help/enroll-device-android-work-profile.md b/memdocs/intune/user-help/enroll-device-android-work-profile.md
index e4e10cd77bb..85f8c6e5b3c 100644
--- a/memdocs/intune/user-help/enroll-device-android-work-profile.md
+++ b/memdocs/intune/user-help/enroll-device-android-work-profile.md
@@ -7,7 +7,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 07/01/2024
+ms.date: 11/13/2024
ms.topic: end-user-help
ms.service: microsoft-intune
ms.subservice: end-user
@@ -46,7 +46,7 @@ This article describes how to enroll your device using the Intune Company Portal
[Install the Intune Company Portal app from Google Play](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal). The Company Portal app is used to enroll and manage your device, install work apps, and get IT support.
## Enroll device
-Make sure you're signed in to the primary user account on your device. Work profile enrollment is not supported on secondary user accounts.
+Make sure you're signed in to the primary user account on your device. Work profile enrollment isn't supported on secondary user accounts.
1. Open the Intune Company Portal app and sign in with your work or school account.
@@ -56,7 +56,7 @@ Make sure you're signed in to the primary user account on your device. Work prof
3. On the privacy information screen, review the list of items that your organization can and can't see on your device. Then tap **CONTINUE**.
- ![Screenshot of Company Portal, We care about your privacy screen, highlighting the Continue button.](./media/enroll-device-android-company-portal/android-privacy-screen-1911.png)
+ ![Screenshot of Company Portal's We care about your privacy screen, highlighting the Continue button.](./media/enroll-device-android-company-portal/android-privacy-screen-1911.png)
4. Review the Google terms for creating a work profile. Accept the terms to continue. The appearance of this screen varies based on OS version.
@@ -73,7 +73,7 @@ Make sure you're signed in to the primary user account on your device. Work prof
> [!div class="mx-imgBorder"]
> ![Screenshot of Company Portal highlighting the Next button.](./media/enroll-device-android-work-profile/work-profile-setup-next-2307.png)
-7. On the **Company Access Setup** screen, confirm that the profile has been created. Then tap **CONTINUE** to proceed to the next enrollment task.
+7. On the **Company Access Setup** screen, confirm that you created the profile. Then tap **CONTINUE** to proceed to the next enrollment task.
> [!div class="mx-imgBorder"]
> ![Screenshot of Company Access Setup showing work profile is created.](./media/enroll-device-android-work-profile/work-profile-complete-1911.png)
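Review bot: Step 7's active-voice rewrite changes the agent: "confirm that you created the profile" implies the user creates the work profile, whereas in this flow Company Portal creates it after the user accepts Google's terms, and the unchanged screenshot alt text still says "work profile is created". "confirm that the work profile was created" keeps the rewrite's tone without the wrong subject.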
@@ -84,22 +84,22 @@ Make sure you're signed in to the primary user account on your device. Work prof
> [!div class="mx-imgBorder"]
> ![Screenshot of Company Access Setup showing work profile is active.](./media/enroll-device-android-work-profile/work-profile-active-1911.png)
-10. In the Company Portal app, review the list of settings your organization requires. Update the settings on your device if necessary. Tap **RESOLVE** to open the setting on your device. After you're done updating settings, tap **CONFIRM DEVICE SETTINGS**.
+10. In the Company Portal app, review the list of settings your organization requires. Update the settings on your device if necessary. Tap **RESOLVE** to open the setting on your device. After you're done updating settings, tap **CONFIRM DEVICE SETTINGS**.
> [!div class="mx-imgBorder"]
- > ![Screenshot of Company Portal, Update device settings screen highlighting the RESOLVE button and CONFIRM DEVICE SETTINGS button.](./media/enroll-device-android-work-profile/confirm-device-settings-work-profile-2307.png)
+ > ![Screenshot of Company Portal's Update device settings screen highlighting the RESOLVE button and CONFIRM DEVICE SETTINGS button.](./media/enroll-device-android-work-profile/confirm-device-settings-work-profile-2307.png)
-11. When setup and enrollment are complete, you are sent back to the setup list, where you should see a green checkmark next to each enrollment task. Tap **DONE**.
+11. When setup and enrollment are complete, you're sent back to the setup list, where you should see a green checkmark next to each enrollment task. Tap **DONE**.
- ![Example image of Company Portal, Company Access Setup screen, showing completed setup and highlighting Done button.](./media/enroll-device-android-work-profile/work-profile-done-1911.png)
+ ![Screenshot of Company Portal's Company Access Setup screen, showing completed setup and highlighting Done button.](./media/enroll-device-android-work-profile/work-profile-done-1911.png)
12. Optionally, when prompted to view suggested work apps in Google Play Store, tap **OPEN**. If you're not ready to install apps, you can do it later by going to the Play Store app in your work profile.
- ![Example image of Company Portal prompt to open badged version of Google Play.](./media/enroll-device-android-work-profile/get-apps-banner-android-2005.png)
+ ![Screenshot of Company Portal prompt to open badged version of Google Play.](./media/enroll-device-android-work-profile/get-apps-banner-android-2005.png)
You can also access available apps from the Company Portal menu > **Get Apps**.
- ![Example image of Company Portal menu, highlighting Get Apps link.](./media/enroll-device-android-work-profile/updated-drawer-android-2005.png)
+ ![Screenshot of the Company Portal menu, highlighting the Get Apps link.](./media/enroll-device-android-work-profile/updated-drawer-android-2005.png)
## Android Enterprise availability
diff --git a/memdocs/intune/user-help/enroll-device-linux.md b/memdocs/intune/user-help/enroll-device-linux.md
index 1f2146f788e..4c32be27764 100644
--- a/memdocs/intune/user-help/enroll-device-linux.md
+++ b/memdocs/intune/user-help/enroll-device-linux.md
@@ -7,7 +7,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 05/15/2024
+ms.date: 11/04/2024
ms.topic: end-user-help
ms.service: microsoft-intune
ms.subservice: end-user
@@ -20,7 +20,7 @@ searchScope:
ROBOTS:
#audience:
-ms.reviewer: ilwu
+ms.reviewer: arnab
ms.suite: ems
#ms.tgt_pltfrm:
ms.custom: intune-enduser
@@ -34,11 +34,12 @@ ms.collection:
Enroll a Linux device in Microsoft Intune to get secure access to work or school resources in Microsoft Edge. This article describes how to enroll and register a work or school-provided device on your organization's network.
## System requirements
-Enrollment is supported on the following versions of Linux:
-* Ubuntu Desktop 22.04 or 20.04 LTS (physical or Hyper-V machine with x86/64 CPUs)
+Enrollment is supported on the following versions of Linux:
+
+* Ubuntu Desktop 24.04, 22.04 or 20.04 LTS (physical or Hyper-V machine with x86/64 CPUs)
* RedHat Enterprise Linux 8
-* RedHat Enterprise Linux 9
+* RedHat Enterprise Linux 9
Devices must be configured with a GNOME graphical desktop environment, which is automatically included with Ubuntu Desktop 22.04 and 20.04 LTS.
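Review bot: The supported-version list now adds Ubuntu Desktop 24.04, but the trailing context line "Devices must be configured with a GNOME graphical desktop environment, which is automatically included with Ubuntu Desktop 22.04 and 20.04 LTS." is left unchanged, so the section contradicts itself about 24.04. Suggest updating that sentence to include 24.04 LTS as well (the 24.04 Desktop image also ships GNOME). The `RedHat Enterprise Linux 9` line is removed and re-added with no visible difference, which looks like a trailing-whitespace edit; harmless, but worth confirming it's intentional.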
diff --git a/memdocs/intune/user-help/microsoft-intune-app-linux.md b/memdocs/intune/user-help/microsoft-intune-app-linux.md
index 7ab06b3410e..3949bae04ee 100644
--- a/memdocs/intune/user-help/microsoft-intune-app-linux.md
+++ b/memdocs/intune/user-help/microsoft-intune-app-linux.md
@@ -7,7 +7,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 08/27/2024
+ms.date: 11/04/2024
ms.topic: end-user-help
ms.service: microsoft-intune
ms.subservice: end-user
@@ -20,7 +20,7 @@ searchScope:
ROBOTS:
#audience:
-ms.reviewer: ilwu
+ms.reviewer: arnab
ms.suite: ems
#ms.tgt_pltfrm:
ms.custom: intune-enduser
@@ -35,11 +35,12 @@ This article describes how to install, update, and remove the Microsoft Intune a
The Microsoft Intune app package is available at [https://packages.microsoft.com/](https://packages.microsoft.com/). For more information about how to use, install, and configure Linux software packages for Microsoft products, see [Linux Software Repository for Microsoft Products](/windows-server/administration/linux-package-repository-for-microsoft-software).
## Requirements
+
The Microsoft Intune app is supported with the following operating systems:
- - Ubuntu Desktop 22.04 or 20.04 LTS (physical or Hyper-V machine with x86/64 CPUs)
+ - Ubuntu Desktop 24.04, 22.04 or 20.04 LTS (physical or Hyper-V machine with x86/64 CPUs)
- RedHat Enterprise Linux 8
- - RedHat Enterprise Linux 9
+ - RedHat Enterprise Linux 9
## Install Microsoft Intune app for Ubuntu Desktop
Run the following commands in a command line to manually install the Microsoft Intune app and its dependencies on your device.
@@ -52,32 +53,26 @@ Run the following commands in a command line to manually install the Microsoft I
2. Install the Microsoft package signing key.
- For Ubuntu 20.04:
+ ```bash
+ curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
+ sudo install -o root -g root -m 644 microsoft.gpg /usr/share/keyrings/
+ rm microsoft.gpg
+ ```
- ```bash
- curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
- sudo install -o root -g root -m 644 microsoft.gpg /usr/share/keyrings/
- sudo sh -c 'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/ubuntu/20.04/prod focal main" > /etc/apt/sources.list.d/microsoft-ubuntu-focal-prod.list'
- sudo rm microsoft.gpg
- ```
-
- For Ubuntu 22.04:
+3. Add and update Microsoft Linux Repository to the system repository list.
- ```bash
- curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
- sudo install -o root -g root -m 644 microsoft.gpg /usr/share/keyrings/
- sudo sh -c 'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/ubuntu/22.04/prod jammy main" > /etc/apt/sources.list.d/microsoft-ubuntu-jammy-prod.list'
- sudo rm microsoft.gpg
- ```
+ ```bash
+ sudo sh -c 'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/ubuntu/$(lsb_release -rs)/prod $(lsb_release -cs) main" >> /etc/apt/sources.list.d/microsoft-ubuntu-$(lsb_release -cs)-prod.list'
+ sudo apt update
+ ```
-3. Install the Intune app.
+4. Install the Intune app.
```bash
- sudo apt update
sudo apt install intune-portal
```
-4. Reboot your device.
+5. Reboot your device.
### Update app for Ubuntu Desktop
The Microsoft Intune app automatically updates when updates become available in Software Updater. Run the following commands to update the app manually.
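Review bot: In the new step 3 the repository line is appended with `>>` where the previous per-version commands used `>`, so re-running the instructions (for example after a failed `apt install`) leaves duplicate `deb` entries in `microsoft-ubuntu-$(lsb_release -cs)-prod.list`, and apt then warns about the duplicate on every `apt update`. Suggest restoring `>` (the file is dedicated to this repo) or guarding the write with a test that the file doesn't already exist. In step 2, `curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg` has no `-f`/`--fail`, so an HTTP error body would be piped into `gpg --dearmor` and an empty or bogus `microsoft.gpg` installed into `/usr/share/keyrings/` as the `signed-by` trust root; `curl -fsSL` makes the pipeline fail loudly instead. The consolidation itself is a good simplification: `$(lsb_release -rs)` and `$(lsb_release -cs)` expand inside the root `sh -c` and remove the hard-coded focal/jammy lists, but it now relies on `lsb_release` being present, which is worth a one-line note since it isn't installed on every Ubuntu image. Dropping `sudo` from `rm microsoft.gpg` is correct, since the file was written by the unprivileged user.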
diff --git a/memdocs/intune/user-help/move-to-new-device-management-setup.md b/memdocs/intune/user-help/move-to-new-device-management-setup.md
index 715fb4849c9..c86bf6992d1 100644
--- a/memdocs/intune/user-help/move-to-new-device-management-setup.md
+++ b/memdocs/intune/user-help/move-to-new-device-management-setup.md
@@ -8,7 +8,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 07/01/2024
+ms.date: 01/27/2025
ms.topic: end-user-help
ms.service: microsoft-intune
ms.subservice: end-user
diff --git a/memdocs/intune/user-help/set-up-migrate-iphone-for-work.md b/memdocs/intune/user-help/set-up-migrate-iphone-for-work.md
index 8a77d9abc1d..6c6501b708d 100644
--- a/memdocs/intune/user-help/set-up-migrate-iphone-for-work.md
+++ b/memdocs/intune/user-help/set-up-migrate-iphone-for-work.md
@@ -89,7 +89,7 @@ Set up your new iPhone. Complete these steps on your new iPhone unless otherwise
4. Initiate the device enrollment workflow:
1. On your new device, open a productivity app, such as Microsoft Teams, and sign in with your work account.
2. Complete the MFA requirements or passwordless authentication using Authenticator on your old phone.
- 3. You'll get blocked by conditional access and prompted to enroll your new device.
+ 3. You'll get blocked by Conditional Access and prompted to enroll your new device.
## Step 3: Device enrollment
When you open a productivity app, such as Microsoft Teams, and sign in with your work account, you'll be prompted to install the Company Portal app for iOS and enroll your device. Complete these steps to finish setting up your device for work.
diff --git a/memdocs/intune/user-help/set-up-mobile-threat-defense.md b/memdocs/intune/user-help/set-up-mobile-threat-defense.md
index ef82f76b8f4..ceb07e7f0b7 100644
--- a/memdocs/intune/user-help/set-up-mobile-threat-defense.md
+++ b/memdocs/intune/user-help/set-up-mobile-threat-defense.md
@@ -7,7 +7,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 06/27/2024
+ms.date: 01/27/2025
ms.topic: end-user-help
ms.service: microsoft-intune
ms.subservice: end-user
diff --git a/memdocs/intune/user-help/sign-in-to-the-company-portal.md b/memdocs/intune/user-help/sign-in-to-the-company-portal.md
index 47c1548cbfd..112787f6d40 100644
--- a/memdocs/intune/user-help/sign-in-to-the-company-portal.md
+++ b/memdocs/intune/user-help/sign-in-to-the-company-portal.md
@@ -7,7 +7,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 06/27/2024
+ms.date: 01/27/2025
ms.topic: end-user-help
ms.service: microsoft-intune
ms.subservice: end-user
diff --git a/memdocs/intune/user-help/use-managed-apps-on-your-device-android.md b/memdocs/intune/user-help/use-managed-apps-on-your-device-android.md
index 77a1fe37dcb..b62a120aef0 100644
--- a/memdocs/intune/user-help/use-managed-apps-on-your-device-android.md
+++ b/memdocs/intune/user-help/use-managed-apps-on-your-device-android.md
@@ -7,7 +7,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 06/27/2024
+ms.date: 01/27/2025
ms.topic: end-user-help
ms.service: microsoft-intune
ms.subservice: end-user
diff --git a/memdocs/intune/user-help/use-managed-devices-to-get-work-done.md b/memdocs/intune/user-help/use-managed-devices-to-get-work-done.md
index 3225616f27e..79a1abcfa72 100644
--- a/memdocs/intune/user-help/use-managed-devices-to-get-work-done.md
+++ b/memdocs/intune/user-help/use-managed-devices-to-get-work-done.md
@@ -6,7 +6,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 04/08/2024
+ms.date: 01/27/2025
ms.topic: end-user-help
ms.localizationpriority: high
ms.service: microsoft-intune
diff --git a/memdocs/intune/user-help/what-info-can-your-company-see-when-you-enroll-your-device-in-intune.md b/memdocs/intune/user-help/what-info-can-your-company-see-when-you-enroll-your-device-in-intune.md
index b33a93509dc..6c83ff20fc5 100644
--- a/memdocs/intune/user-help/what-info-can-your-company-see-when-you-enroll-your-device-in-intune.md
+++ b/memdocs/intune/user-help/what-info-can-your-company-see-when-you-enroll-your-device-in-intune.md
@@ -7,7 +7,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 04/24/2024
+ms.date: 01/27/2025
ms.topic: end-user-help
ms.service: microsoft-intune
ms.subservice: end-user
diff --git a/memdocs/intune/user-help/why-enroll-android-device.md b/memdocs/intune/user-help/why-enroll-android-device.md
index 5e8e11817f6..9ef0500b347 100644
--- a/memdocs/intune/user-help/why-enroll-android-device.md
+++ b/memdocs/intune/user-help/why-enroll-android-device.md
@@ -7,7 +7,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 05/15/2024
+ms.date: 01/27/2025
ms.topic: end-user-help
ms.service: microsoft-intune
ms.subservice: end-user
diff --git a/memdocs/solutions/cloud-native-endpoints/azure-ad-joined-hybrid-azure-ad-joined.md b/memdocs/solutions/cloud-native-endpoints/azure-ad-joined-hybrid-azure-ad-joined.md
index 326ec4a3ef9..44d5421d3b1 100644
--- a/memdocs/solutions/cloud-native-endpoints/azure-ad-joined-hybrid-azure-ad-joined.md
+++ b/memdocs/solutions/cloud-native-endpoints/azure-ad-joined-hybrid-azure-ad-joined.md
@@ -75,7 +75,7 @@ To join Windows endpoints to Microsoft Entra, you have some options:
### Organization IT benefits
-- Using conditional access, you can allow or restrict access to organization resources that meet, or don't meet your requirements.
+- Using Conditional Access, you can allow or restrict access to organization resources that meet, or don't meet your requirements.
- Settings and work data roam through enterprise compliant clouds. No personal Microsoft accounts, like Hotmail are used, and can be blocked.
- Using Windows Hello for Business, you can reduce the risk of credential theft.
@@ -171,13 +171,13 @@ Microsoft Intune, which is a 100% cloud solution, can manage Windows client devi
The [High level planning guide to move to cloud-native endpoints: Intune features you should know](cloud-native-endpoints-planning-guide.md#intune-features-you-should-know) lists some of these features. [What is Intune](../../intune/fundamentals/what-is-intune.md) is also a good resource.
-On Hybrid Microsoft Entra Join endpoints, you can use on-premises group policies objects (GPO) or Intune to control policy settings. It's possible to also use a combination of GPO and Intune, but this combination adds administrative overhead and complexity. If you enable [co-management](../../configmgr/comanage/overview.md) (Intune (cloud) + Configuration Manager (on-premises)), then you can use some Microsoft Entra features, such as conditional access.
+On Hybrid Microsoft Entra Join endpoints, you can use on-premises group policies objects (GPO) or Intune to control policy settings. It's possible to also use a combination of GPO and Intune, but this combination adds administrative overhead and complexity. If you enable [co-management](../../configmgr/comanage/overview.md) (Intune (cloud) + Configuration Manager (on-premises)), then you can use some Microsoft Entra features, such as Conditional Access.
For some guidance, go to [Deployment guide: Setup or move to Microsoft Intune](../../intune/fundamentals/deployment-guide-intune-setup.md).
-#### What device join states are required for device compliance and/or conditional access?
+#### What device join states are required for device compliance and/or Conditional Access?
-Both Hybrid Microsoft Entra Join and Microsoft Entra Join endpoints support [compliance policies](../../intune/protect/device-compliance-get-started.md) and [conditional access](../../intune/protect/conditional-access.md) when managed by Intune or co-managed by Intune and Configuration Manager.
+Both Hybrid Microsoft Entra Join and Microsoft Entra Join endpoints support [compliance policies](../../intune/protect/device-compliance-get-started.md) and [Conditional Access](../../intune/protect/conditional-access.md) when managed by Intune or co-managed by Intune and Configuration Manager.
#### Are there limitations for Hybrid Microsoft Entra Join?
diff --git a/memdocs/solutions/cloud-native-endpoints/cloud-native-endpoints-planning-guide.md b/memdocs/solutions/cloud-native-endpoints/cloud-native-endpoints-planning-guide.md
index 07a27c70f00..da54d069531 100644
--- a/memdocs/solutions/cloud-native-endpoints/cloud-native-endpoints-planning-guide.md
+++ b/memdocs/solutions/cloud-native-endpoints/cloud-native-endpoints-planning-guide.md
@@ -6,10 +6,9 @@ titleSuffix: Microsoft Intune
description: To support hybrid and remote workers, convert or migrate your workloads to support cloud-native endpoints. This planning guide focuses on deploying apps and updates with Intune, moving from Group Policy Objects, and using Windows Autopilot.
keywords:
author: MandiOhlinger
-
ms.author: mandia
manager: dougeby
-ms.date: 01/09/2024
+ms.date: 01/08/2025
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice:
@@ -143,7 +142,7 @@ Your exact workloads, details, and how to update the workloads for cloud-native
- Traditional policy enforcement using group policy isn't possible with cloud-native endpoints. Instead, you can use Intune to create policies to configure many settings, including built-in features like the [Settings Catalog](../../intune/configuration/settings-catalog.md) and [administrative templates](../../intune/configuration/administrative-templates-windows.md).
- [Group Policy analytics in Intune](../../intune/configuration/group-policy-analytics.md) can analyze your on-premises GPOs, see if those same settings are supported in the cloud, and create a policy using those settings.
+ You can reference and analyze existing GPOs using [Group Policy analytics in Intune](../../intune/configuration/group-policy-analytics.md), which allows you to see if settings within your GPOs are supported in the cloud. Group Policy analytics also allows you to create Intune policies from GPOs, if that's the right step for your organization. In general, we recommend that customers implement policies that conform to their requirements, instead of directly migrating existing GPOs to Intune. When you create policies based off your requirements, then you rationalize, optimize, and streamline your Intune policies.
- If you have existing policies that issue certificates, manage BitLocker, and provide endpoint protection, then you need to create new policies in Intune or Configuration Manager (with a [CMG](../../configmgr/core/clients/manage/cmg/overview.md) and [co-management](../../configmgr/comanage/how-to-prepare-win10.md)).
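Review bot: In the added paragraph, "based off your requirements" should read "based on your requirements", and "When you create policies based off your requirements, then you rationalize, optimize, and streamline your Intune policies." reads better without "then". The new line also begins with a space rather than the `- ` marker used by the surrounding list items, so check that the rendered page still shows it at the intended list level and not as a stray paragraph between two bullets.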
diff --git a/memdocs/solutions/end-to-end-guides/macos-endpoints-get-started.md b/memdocs/solutions/end-to-end-guides/macos-endpoints-get-started.md
index 3c64045cf8c..061232f7df4 100644
--- a/memdocs/solutions/end-to-end-guides/macos-endpoints-get-started.md
+++ b/memdocs/solutions/end-to-end-guides/macos-endpoints-get-started.md
@@ -565,7 +565,7 @@ In [Phase 1 - Set up your environment](#phase-1---set-up-your-environment), you
If you're deploying the VPP version of OneDrive, then enter `com.microsoft.OneDrive-Mac.FinderSync`.
- During Microsoft OneDrive configuration, end users are prompted to allow sync icons by enabling the Finder Sync extension. There's a sample script that can configure the finder extension for the user. For more information on the script, go to the [GitHub - Microsoft Intune Shell samples](https://github.com/microsoft/shell-intune-samples/blob/master/macOS/Config/EnableOneDriveFinderSync/EnableOneDriveFinderSync.sh).
+ During Microsoft OneDrive configuration, end users are prompted to allow sync icons by enabling the Finder Sync extension. There's a sample script that can configure the finder extension for the user. For more information on the script, go to the [GitHub - Microsoft Intune Shell samples](https://github.com/microsoft/shell-intune-samples/blob/master/macOS/Config/Enable%20OneDrive%20Finder%20Sync/EnableOneDriveFinderSync.sh).
### Device Configuration
diff --git a/windows-365/TOC.yml b/windows-365/TOC.yml
index f047f545a2a..3ceeb9b8788 100644
--- a/windows-365/TOC.yml
+++ b/windows-365/TOC.yml
@@ -15,6 +15,8 @@ items:
href: public-preview.md
- name: Windows 365 privacy and data
href: enterprise/privacy-personal-data.md
+- name: Compliance overview
+ href: compliance-overview.md
- name: Cloud PC feature support with RDP
href: /azure/virtual-desktop/compare-remote-desktop-clients?pivots=windows-365
- name: What if my subscription expires?
diff --git a/windows-365/breadcrumb/toc.yml b/windows-365/breadcrumb/toc.yml
index 857cd0644db..bc41a493e04 100644
--- a/windows-365/breadcrumb/toc.yml
+++ b/windows-365/breadcrumb/toc.yml
@@ -25,4 +25,6 @@ items:
- name: Windows 365
tocHref: /azure/virtual-desktop/
topicHref: /windows-365/enterprise/index
-
\ No newline at end of file
+ - name: Windows 365 Link
+ tocHref: /windows-365/link/
+ topicHref: /windows-365/link/index
\ No newline at end of file
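Review bot: The file still ends without a trailing newline (the `\ No newline at end of file` marker appears on the new side as well). Since this hunk already touches the last lines of `breadcrumb/toc.yml`, add the final newline so future diffs against this file don't carry the marker.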
diff --git a/windows-365/business-continuity-disaster-recovery.md b/windows-365/business-continuity-disaster-recovery.md
index 029605ee5dd..f9f5b181fe1 100644
--- a/windows-365/business-continuity-disaster-recovery.md
+++ b/windows-365/business-continuity-disaster-recovery.md
@@ -10,7 +10,7 @@ manager: dougeby
ms.date: 08/28/2024
ms.topic: overview
ms.service: windows-365
-ms.subservice:
+ms.subservice: windows-365-business
ms.localizationpriority: high
ms.assetid:
diff --git a/windows-365/business/TOC.yml b/windows-365/business/TOC.yml
index 93968802c2d..14d1d44b87e 100644
--- a/windows-365/business/TOC.yml
+++ b/windows-365/business/TOC.yml
@@ -39,13 +39,7 @@ items:
href: restore-overview.md
- name: Identity and access management
items:
- - name: Set conditional access policies
+ - name: Set Conditional Access policies
href: set-conditional-access-policies.md
- name: Configure single sign-on
href: configure-single-sign-on.md
-- name: Troubleshoot
- items:
- - name: Troubleshooting
- href: troubleshoot-windows-365-business.md
- - name: Known issues
- href: known-issues.md
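Review bot: Removing the whole Troubleshoot node (Troubleshooting, `troubleshoot-windows-365-business.md`, and Known issues, `known-issues.md`) from the Business TOC orphans both pages unless they're deleted or relinked elsewhere in this PR, and no such change is visible in this diff. The hunk header `@@ -39,13 +39,7 @@` confirms a net six-line removal with no replacement entry. If these pages moved to a shared Windows 365 TOC, the PR description should say so; otherwise they'll still be published but unreachable from navigation, and any remaining in-text links under `business/` to `known-issues.md` should be checked.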
diff --git a/windows-365/business/add-user-assign-licenses.md b/windows-365/business/add-user-assign-licenses.md
index 4cb6db510cc..8a29118d96f 100644
--- a/windows-365/business/add-user-assign-licenses.md
+++ b/windows-365/business/add-user-assign-licenses.md
@@ -10,7 +10,7 @@ manager: dougeby
ms.date: 06/16/2023
ms.topic: how-to
ms.service: windows-365
-ms.subservice:
+ms.subservice: windows-365-business
ms.localizationpriority: high
ms.assetid:
diff --git a/windows-365/business/apps-install-admin.md b/windows-365/business/apps-install-admin.md
index 4a09e5dfe92..d0f04fe9b9f 100644
--- a/windows-365/business/apps-install-admin.md
+++ b/windows-365/business/apps-install-admin.md
@@ -10,7 +10,7 @@ ms.date: 09/26/2024
audience: Admin
ms.topic: how-to
ms.service: windows-365
-ms.subservice:
+ms.subservice: windows-365-business
ms.localizationpriority: high
ms.assetid:
diff --git a/windows-365/business/apps-install.md b/windows-365/business/apps-install.md
index 817f2bef314..1c721bdd394 100644
--- a/windows-365/business/apps-install.md
+++ b/windows-365/business/apps-install.md
@@ -10,7 +10,7 @@ ms.date: 05/20/2024
audience: Admin
ms.topic: how-to
ms.service: windows-365
-ms.subservice:
+ms.subservice: windows-365-business
ms.localizationpriority: high
ms.assetid:
diff --git a/windows-365/business/assign-unassign-license.md b/windows-365/business/assign-unassign-license.md
index 94c918765f5..d5d9513ed90 100644
--- a/windows-365/business/assign-unassign-license.md
+++ b/windows-365/business/assign-unassign-license.md
@@ -10,7 +10,7 @@ manager: dougeby
ms.date: 09/24/2024
ms.topic: how-to
ms.service: windows-365
-ms.subservice:
+ms.subservice: windows-365-business
ms.localizationpriority: high
ms.assetid:
diff --git a/windows-365/business/change-organization-default-settings.md b/windows-365/business/change-organization-default-settings.md
index 1a7d17ce3d6..090838177f6 100644
--- a/windows-365/business/change-organization-default-settings.md
+++ b/windows-365/business/change-organization-default-settings.md
@@ -10,7 +10,7 @@ manager: dougeby
ms.date: 02/21/2024
ms.topic: how-to
ms.service: windows-365
-ms.subservice:
+ms.subservice: windows-365-business
ms.localizationpriority: high
ms.assetid:
diff --git a/windows-365/business/cloud-pc-location.md b/windows-365/business/cloud-pc-location.md
index ba5273854b5..8a7a0588862 100644
--- a/windows-365/business/cloud-pc-location.md
+++ b/windows-365/business/cloud-pc-location.md
@@ -10,7 +10,7 @@ ms.date: 08/28/2024
audience: Admin
ms.topic: article
ms.service: windows-365
-ms.subservice:
+ms.subservice: windows-365-business
ms.localizationpriority: high
ms.assetid:
diff --git a/windows-365/business/configure-single-sign-on.md b/windows-365/business/configure-single-sign-on.md
index a1b97cdb29c..cedec00d7f1 100644
--- a/windows-365/business/configure-single-sign-on.md
+++ b/windows-365/business/configure-single-sign-on.md
@@ -10,7 +10,7 @@ manager: dougeby
ms.date: 03/27/2024
ms.topic: how-to
ms.service: windows-365
-ms.subservice:
+ms.subservice: windows-365-business
ms.localizationpriority: high
ms.assetid:
@@ -39,7 +39,7 @@ To enable SSO using Microsoft Entra ID authentication, there are four tasks you
1. Configure the target device groups.
-1. Review your conditional access policies.
+1. Review your Conditional Access policies.
1. Configure your organizational settings to enable SSO.
@@ -53,7 +53,7 @@ When SSO is enabled, users sign in to Windows using a Microsoft Entra ID authent
- Users benefit from a single sign-on experience and can reconnect without authentication prompt when allowed.
- Users can sign back into their session using passwordless authentication like FIDO keys.
-- Conditional access policies, including multifactor authentication and sign-in frequency, are re-evaluated when the user reconnects to their session.
+- Conditional Access policies, including multifactor authentication and sign-in frequency, are re-evaluated when the user reconnects to their session.
## Prerequisites
@@ -186,9 +186,9 @@ To configure the service principal, use the [Microsoft Graph PowerShell SDK](/po
Remove-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $WCLspId -TargetDeviceGroupId "