Merge branch 'main' into patch-5
dougeby authored Nov 12, 2024
2 parents 75a0994 + c5ccb66 commit a2f8ef0
Showing 449 changed files with 2,898 additions and 2,392 deletions.
17 changes: 0 additions & 17 deletions .openpublishing.build.ps1

This file was deleted.

55 changes: 55 additions & 0 deletions .openpublishing.redirection.json
@@ -1,5 +1,60 @@
{
"redirections": [
{
"source_path": "memdocs/intune/enrollment/chrome-enterprise-device-details.md",
"redirect_url": "/mem/intune/remote-actions/chrome-enterprise-device-details",
"redirect_document_id": true
},
{
"source_path": "memdocs/intune/enrollment/chrome-enterprise-remote-actions.md",
"redirect_url": "/mem/intune/remote-actions/chrome-enterprise-remote-actions",
"redirect_document_id": true
},
{
"source_path": "memdocs/intune/user-help/sso-dialog-faqs.yml",
"redirect_url": "https://support.microsoft.com/topic/a6505ceb-1a20-4b15-889c-250175481506",
"redirect_document_id": false
},
{
"source_path": "memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-zips-android.md",
"redirect_url": "/mem/intune/user-help/set-up-mobile-threat-defense",
"redirect_document_id": false
},
{
"source_path": "memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-checkpoint-android.md",
"redirect_url": "/mem/intune/user-help/set-up-mobile-threat-defense",
"redirect_document_id": false
},
{
"source_path": "memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-skycure-android.md",
"redirect_url": "/mem/intune/user-help/set-up-mobile-threat-defense",
"redirect_document_id": false
},
{
"source_path": "memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-lookout-for-work-android.md",
"redirect_url": "/mem/intune/user-help/set-up-mobile-threat-defense",
"redirect_document_id": false
},
{
"source_path": "memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-zips-ios.md",
"redirect_url": "/mem/intune/user-help/set-up-mobile-threat-defense",
"redirect_document_id": false
},
{
"source_path": "memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-checkpoint-ios.md",
"redirect_url": "/mem/intune/user-help/set-up-mobile-threat-defense",
"redirect_document_id": false
},
{
"source_path": "memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-skycure-ios.md",
"redirect_url": "/mem/intune/user-help/set-up-mobile-threat-defense",
"redirect_document_id": false
},
{
"source_path": "memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-lookout-for-work-ios.md",
"redirect_url": "/mem/intune/user-help/set-up-mobile-threat-defense",
"redirect_document_id": false
},
{
"source_path": "memdocs/intune/remote-actions/organizational-messages-reporting.md",
"redirect_url": "/microsoft-365/admin/misc/organizational-messages-microsoft-365",
Expand Down
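Review bot: The eight `you-need-to-resolve-a-threat-found-by-*` entries (ZIPS, Checkpoint, Skycure and Lookout for Work, for Android and iOS) all redirect to `/mem/intune/user-help/set-up-mobile-threat-defense`, which by its name is a setup page rather than a remediation page. Confirm that the target still tells a user who arrives from a threat alert how to resolve it, or redirect to a page that does. The `sso-dialog-faqs.yml` entry is also the only one in this hunk that leaves the docs site for an absolute `https://support.microsoft.com/topic/...` URL, so verify that the target resolves before merging.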
13 changes: 12 additions & 1 deletion autopilot/device-preparation/known-issues.md
Expand Up @@ -8,7 +8,7 @@ author: frankroj
ms.author: frankroj
ms.reviewer: jubaptis
manager: aaroncz
ms.date: 09/27/2024
ms.date: 10/18/2024
ms.collection:
- M365-modern-desktop
- highpri
Expand Down Expand Up @@ -40,6 +40,17 @@ This article describes known issues that can often be resolved with:
## Known issues
## Deployments fail when Managed installer policy is enabled for the tenant
Date added: *October 10, 2024*<br>
Date updated: *October 18, 2024*
When the [Managed installer policy](/mem/intune/protect/endpoint-security-app-control-policy#managed-installer) is **Active** for a tenant and Win32 apps are selected in the Windows Autopilot device preparation policy, Windows Autopilot device preparation deployments fails. The issue is being investigated.
As a workaround, remove Win32 applications from the list of selected apps in all device preparation policies.
For more information, see [Known issue: Windows Autopilot device preparation with Win32 apps and managed installer policy](https://techcommunity.microsoft.com/t5/intune-customer-success/known-issue-windows-autopilot-device-preparation-with-win32-apps/ba-p/4273286).
## Security group membership update failures might lead to non-compliant devices
Date added: *September 27, 2024*
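Review bot: In the added paragraph, "Windows Autopilot device preparation deployments fails" has a subject-verb mismatch and should read "deployments fail". The workaround asks admins to remove Win32 applications from all device preparation policies, so it would also help to say explicitly that the Managed installer policy can stay **Active** while the workaround is in place.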
12 changes: 9 additions & 3 deletions autopilot/device-preparation/whats-new.md
Expand Up @@ -8,7 +8,7 @@ author: frankroj
ms.author: frankroj
manager: aaroncz
ms.reviewer: jubaptis
ms.date: 09/18/2024
ms.date: 10/15/2024
ms.collection:
- M365-modern-desktop
- tier2
Expand All @@ -31,11 +31,17 @@ appliesto:
>
> For more information on using RSS for notifications, see [How to use the docs](/mem/use-docs#notifications) in the Intune documentation.
## Windows Autopilot Device Preparation Support in Azure China 21Vianet
## Diagnostics logs automatically available in Windows Autopilot device preparation deployment status report
Date added: *October 9, 2024*
Admins can now download diagnostics logs for failed Autopilot device preparation deployments directly from the **Windows Autopilot device preparation deployment status** report. Logs are available for download in the **Device deployment details** when you select a failed deployment under the **Device** tab. Logs are automatically collected when an error occurs during deployment.
## Windows Autopilot Device Preparation Support in Intune operated by 21Vianet in China
Date added: *September 18, 2024*
As part of the 2409 Intune release, we're announcing support for Windows Autopilot Device Preparation policy in the [Azure China 21Vianet](/mem/intune/fundamentals/china) cloud. Customers with tenants located in China can now provision devices and manage through Microsoft Intune. For an overview, see [Overview of Windows Autopilot device preparation](overview.md). For a tutorial on how to set up Windows Autopilot device preparation, see [Windows Autopilot device preparation scenarios](tutorial/scenarios.md).
As part of the 2409 Intune release, we're announcing support for Windows Autopilot Device Preparation policy in [Intune operated by 21Vianet in China](/mem/intune/fundamentals/china) cloud. Customers with tenants located in China can now provision devices and manage through Microsoft Intune. For an overview, see [Overview of Windows Autopilot device preparation](overview.md). For a tutorial on how to set up Windows Autopilot device preparation, see [Windows Autopilot device preparation scenarios](tutorial/scenarios.md).
<!-- MAXADO-9313795 / INADO-28687730 -->
Expand Down
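Review bot: The rewritten sentence under the 21Vianet heading now reads "policy in [Intune operated by 21Vianet in China](/mem/intune/fundamentals/china) cloud"; the trailing "cloud" is left over from the old "Azure China 21Vianet" wording and should be dropped or the phrase reworded. For the new diagnostics logs entry, consider stating which admin role or permission is needed to download logs from the report, since the text only says "Admins".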
12 changes: 10 additions & 2 deletions autopilot/dfci-management.md
Expand Up @@ -8,7 +8,7 @@ author: frankroj
ms.author: frankroj
ms.reviewer: jubaptis
manager: aaroncz
ms.date: 09/13/2024
ms.date: 10/09/2024
ms.collection:
- M365-modern-desktop
- tier2
Expand Down Expand Up @@ -56,7 +56,7 @@ See the following figure:
- A currently supported version of Windows and a supported UEFI is required.
- The device manufacturer must have DFCI added to their UEFI firmware in the manufacturing process, or as a firmware update that can be installed. Work with the device vendors to determine the [manufacturers that support DFCI](#oems-that-support-dfci), or the firmware version needed to use DFCI.
- The device must be managed with Microsoft Intune. For more information, see [Enroll Windows devices in Intune using Windows Autopilot](/mem/intune/enrollment/enrollment-autopilot).
- The device must be registered for Windows Autopilot by a [Microsoft Cloud Solution Provider (CSP) partner](https://partner.microsoft.com/membership/cloud-solution-provider), or registered directly by the OEM. For Surface devices, Microsoft registration support is available at [Microsoft Devices Autopilot Support](https://prod.support.services.microsoft.com/supportrequestform/0d8bf192-cab7-6d39-143d-5a17840b9f5f).
- The device must be registered for Windows Autopilot by a [Microsoft Cloud Solution Provider (CSP) partner](https://partner.microsoft.com/membership/cloud-solution-provider), or registered directly by the OEM. For Surface devices, Microsoft registration support is available at [Microsoft Devices Autopilot Support](https://support.microsoft.com/supportrequestform/0d8bf192-cab7-6d39-143d-5a17840b9f5f).

> [!IMPORTANT]
>
Expand Down Expand Up @@ -93,6 +93,14 @@ For more information, see [Intune devices and apps API overview](/graph/intune-c

Other OEMs are pending.

## Known issues

### DFCI enrollment fails for Professional editions of Windows 11, version 24H2

Date added: *October 9, 2024*

DFCI can't currently be used on devices with Professional editions of Windows 11, version 24H2. The issue is being investigated. As a workaround, ensure the device is upgraded to the Enterprise edition of Windows 11, version 24H2 during or after OOBE onboarding. After upgrading to the Enterprise edition of Windows 11, version 24H2, sync the device. Once the device is synced, reboot it to get it enrolled in DFCI.

## Related content

- [Microsoft DFCI Scenarios](https://microsoft.github.io/mu/dyn/mu_feature_dfci/DfciPkg/Docs/Scenarios/DfciScenarios/).
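Review bot: The workaround in the new "Known issues" paragraph is a three-step sequence (upgrade to the Enterprise edition, sync, reboot) written as running prose, and "sync the device" does not say which sync is meant or where it is started. A numbered list with the sync action named would be easier to follow. It would also help to state plainly that DFCI settings are not applied to these devices until the workaround completes.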
8 changes: 7 additions & 1 deletion autopilot/known-issues.md
Expand Up @@ -8,7 +8,7 @@ author: frankroj
ms.author: frankroj
ms.reviewer: jubaptis
manager: aaroncz
ms.date: 08/29/2024
ms.date: 10/09/2024
ms.collection:
- M365-modern-desktop
- highpri
Expand Down Expand Up @@ -41,6 +41,12 @@ This article describes known issues that can often be resolved with configuratio
## Known issues
### DFCI enrollment fails for Professional editions of Windows 11, version 24H2
Date added: *October 9, 2024*
DFCI can't currently be used on devices with Professional editions of Windows 11, version 24H2. The issue is being investigated. As a workaround, ensure the device is upgraded to the Enterprise edition of Windows 11, version 24H2 during or after OOBE onboarding. After upgrading to the Enterprise edition of Windows 11, version 24H2, sync the device. Once the device is synced, reboot it to get it enrolled in DFCI.
### Autopilot deployment report doesn't support sorting
Date added: *August 29, 2024*
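Review bot: The added paragraph is a verbatim copy of the one added to autopilot/dfci-management.md in the same commit, so the two will have to be updated in step when the investigation concludes. Consider keeping the full text in one article and linking to it from the other.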
6 changes: 4 additions & 2 deletions autopilot/tutorial/reset/autopilot-reset-overview.md
Expand Up @@ -7,7 +7,7 @@ author: frankroj
ms.author: frankroj
ms.reviewer: jubaptis
manager: aaroncz
ms.date: 06/19/2024
ms.date: 10/08/2024
ms.topic: tutorial
ms.collection:
- tier1
Expand All @@ -30,7 +30,8 @@ Windows Autopilot Reset takes the device back to a business-ready state, allowin

The Windows Autopilot Reset process removes or resets the following information from the existing device:

- The device's primary user is removed. The next user who signs in after the Windows Autopilot Reset will be set as the primary user.
- The device's primary user is removed when a remote Windows Autopilot Reset is used. The next user who signs in after the Windows Autopilot Reset will be set as the primary user. Shared devices will remain shared after the remote Autopilot Reset.
- The device's owner in Microsoft Entra is removed when a remote Windows Autopilot Reset is used. The next user who signs in after the Windows Autopilot Reset will be set as the owner.
- Removes personal files, apps, and settings.
- Reapplies a device's original settings.
- Sets the region, language, and keyboard to the original values.
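Review bot: The reworded first bullet sits in the list of information the reset "removes or resets", but its last sentence, "Shared devices will remain shared after the remote Autopilot Reset", describes something that is kept. Move that sentence to the list of retained information or into a note. The two bullets about the primary user and owner also alternate between "remote Windows Autopilot Reset" and "remote Autopilot Reset"; pick one form.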
Expand All @@ -46,6 +47,7 @@ The Windows Autopilot Reset process automatically keeps the following informatio
- A provisioning package present on a USB drive when the reset process is started.
- Microsoft Entra device membership and Intune enrollment information.
- System Center Endpoint Protection (SCEP) certificates.
- The device's primary user and owner in Microsoft Entra aren't updated when a local Windows Autopilot Reset is used.

## Windows Autopilot Reset requirements
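Review bot: The added bullet about local reset is phrased as a negative ("aren't updated") inside the list of information the reset keeps, which makes it easy to miss that the previous user stays assigned as primary user and Microsoft Entra owner. State that directly and, as the note added to autopilot/windows-autopilot-reset.md does, mention that admins can update both manually after the reset.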

12 changes: 10 additions & 2 deletions autopilot/windows-autopilot-reset.md
Expand Up @@ -8,7 +8,7 @@ author: frankroj
ms.author: frankroj
ms.reviewer: jubaptis
manager: aaroncz
ms.date: 08/22/2024
ms.date: 10/09/2024
ms.collection:
- M365-modern-desktop
- highpri
Expand Down Expand Up @@ -38,7 +38,7 @@ The Windows Autopilot Reset process automatically keeps information from the exi
- Microsoft Entra device membership and mobile device management (MDM) enrollment information.
- Simple Certificate Enrollment Protocol (SCEP) certificates.

Windows Autopilot Reset blocks the user from accessing the desktop until this information is restored, including reapplying any provisioning packages. For devices enrolled in an MDM service, Windows Autopilot Reset also blocks until an MDM sync is completed. When Autopilot reset is used on a device, the device's primary user is removed. The next user who signs in after the reset will be set as the primary user.
Windows Autopilot Reset blocks the user from accessing the desktop until this information is restored, including reapplying any provisioning packages. For devices enrolled in an MDM service, Windows Autopilot Reset also blocks until an MDM sync is completed.

> [!NOTE]
>
Expand Down Expand Up @@ -119,6 +119,10 @@ On the device where the local Windows Autopilot reset is being performed:

Once the local Autopilot Reset is triggered, the reset process starts. Once provisioning is complete, the device is again ready for use.

> [!NOTE]
>
> When local Autopilot Reset is used on a device, the device's primary user and the Microsoft Entra device owner aren't updated. Admins can update them manually after the Autopilot Reset completes.
## Reset devices with remote Windows Autopilot Reset

An MDM service such a Microsoft Intune can be used to start the remote Windows Autopilot reset process. Resetting in this way avoids the need for IT staff to visit each machine to start the process.
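Review bot: The new note for local reset says "Admins can update them manually after the Autopilot Reset completes" but gives no link or location for doing so; add a link to the procedure for changing the primary user and the Microsoft Entra device owner. Since this hunk touches the surrounding text, the context line "An MDM service such a Microsoft Intune" could also be corrected to "such as".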
Expand All @@ -135,6 +139,10 @@ To trigger a remote Windows Autopilot Reset via Intune, follow these steps:

Once the reset is complete, the device is again ready for use.

> [!NOTE]
>
> When remote Autopilot Reset is used on a device, the device's primary user and the Microsoft Entra device owner is removed. The next user who signs in after the reset will be set as the primary user and Microsoft Entra device owner. Shared devices will remain shared after the Autopilot Reset.
## Troubleshooting

Windows Autopilot Reset requires that the [Windows Recovery Environment (WinRE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is correctly configured and enabled on the device. Before the Windows Autopilot Reset is started, it checks if WinRE is configured and enabled. If WinRE isn't configured and enabled, then the Windows Autopilot reset fails immediately on the device and an error such as `Error code: ERROR_NOT_SUPPORTED (0x80070032)` is reported in the logs.
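Review bot: In the new note for remote reset, "the device's primary user and the Microsoft Entra device owner is removed" has a compound subject and needs "are removed".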
Expand Up @@ -29,7 +29,7 @@ The Microsoft Store for Business and Education supports two types of app:

- **Offline**: This type lets you cache apps and licenses to deploy directly within your on-premises network. Devices don't need to connect to the store or have a connection to the internet.

For more information, see the [Microsoft Store for Business and Education overview](/microsoft-store/microsoft-store-for-business-overview).
For more information, see the [Microsoft Store for Business and Education overview](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business).

### Summary of capabilities
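Review bot: The link text still says "Microsoft Store for Business and Education overview", but the new target `/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business` is a Configuration Manager article path, not a store overview. Either retarget to an overview page or change the link text to match where the reader lands.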

Expand Down Expand Up @@ -64,21 +64,21 @@ Before deploying Microsoft Store for Business and Education apps to devices that

- When the local Administrator account signs in on the device, it can't access Microsoft Store for Business and Education apps.

- Devices need a live internet connection to the Microsoft Store for Business and Education. For more information including proxy configuration, see [Prerequisites](/microsoft-store/prerequisites-microsoft-store-for-business).
- Devices need a live internet connection to the Microsoft Store for Business and Education. For more information including proxy configuration, see [Prerequisites](/mem/intune/apps/store-apps-microsoft).

## Set up synchronization

When you synchronize the list of Microsoft Store for Business and Education apps that your organization acquired, you see these apps in the Configuration Manager console.

Connect your Configuration Manager site to Microsoft Entra ID and the Microsoft Store for Business and Education. For more information and details of this process, see [Configure Azure services](../../core/servers/deploy/configure/azure-services-wizard.md). Create a connection to the **Microsoft Store for Business** service.

Make sure the service connection point and targeted devices can access the cloud service. For more information, see [Prerequisites for Microsoft Store for Business and Education - Proxy configuration](/microsoft-store/prerequisites-microsoft-store-for-business#proxy-configuration).
Make sure the service connection point and targeted devices can access the cloud service. For more information, see [Prerequisites for Microsoft Store for Business and Education - Proxy configuration](/mem/intune/apps/store-apps-microsoft).

### Supplemental information and configuration

On the **App** page of the Azure Services Wizard, first configure the **Azure environment** and **Web app**. Then read the **More Information** section at the bottom of the page. This information includes the following other actions in the Microsoft Store for Business and Education portal:

- Configure Configuration Manager as the store management tool. For more information, see [Configure management provider](/microsoft-store/configure-mdm-provider-microsoft-store-for-business).
- Configure Configuration Manager as the store management tool. For more information, see [Configure management provider](/windows/client-management/azure-active-directory-integration-with-mdm).

- Enable support for offline licensed apps. For more information, see [Distribute offline apps](/microsoft-store/distribute-offline-apps).
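Review bot: Both "Prerequisites" links now point to `/mem/intune/apps/store-apps-microsoft`, and the second one drops the `#proxy-configuration` anchor while its text still promises "Proxy configuration". Confirm the new page actually carries the proxy and endpoint requirements, otherwise admins lose the guidance they need to allow the service through. The "Distribute offline apps" link in the trailing context still uses the old `/microsoft-store/` path that the other links in this hunk were moved away from.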

2 changes: 2 additions & 0 deletions memdocs/configmgr/comanage/autopilot-enrollment.md
Expand Up @@ -131,6 +131,8 @@ Use these recommendations for a more successful deployment:

## Limitations

- [Windows Autopilot device preparation](/autopilot/device-preparation/overview) policy doesn't support Autopilot into co-management. As a result, attempting to install co-management during the device preparation flow might result in failed deployments.

- For Windows 11 devices in Microsoft Entra hybrid joined scenario, the management authority will be set to Microsoft Intune during the Windows Autopilot process. Installing Configuration Manager client as Win32 app does not change management authority to Configuration Manager and Microsoft Intune will continue to manage all the co-management workloads.

To change the management authority to Configuration Manager, set the following registry key value:<br>
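Review bot: The new limitation says "attempting to install co-management during the device preparation flow", which is vague about what is being installed; the next bullet refers to "Installing Configuration Manager client as Win32 app". If that is what is meant, name the component so readers know which app to leave out of device preparation policies.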
2 changes: 1 addition & 1 deletion memdocs/configmgr/comanage/company-portal.md
Expand Up @@ -83,7 +83,7 @@ For more information on client settings, see the following articles:

- To require the app on co-managed devices, the deployment process depends upon the state of the [Client apps](workloads.md#client-apps) co-management workload:

- If the client apps workload is with Configuration Manager, [create and deploy an application with Configuration Manager](../apps/get-started/create-and-deploy-an-application.md). Download the offline Company Portal app from the [Microsoft Store for Business](https://www.microsoft.com/business-store).
- If the client apps workload is with Configuration Manager, [create and deploy an application with Configuration Manager](../apps/get-started/create-and-deploy-an-application.md).

- If the client apps workload is with Intune, you can deploy it via Configuration Manager or [add the Company Portal app by using Microsoft Intune](../../intune/apps/store-apps-company-portal-app.md).
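Review bot: With "Download the offline Company Portal app from the Microsoft Store for Business" removed, the first bullet tells admins to create and deploy an application with Configuration Manager but no longer says where the Company Portal package comes from. Add the supported download source so readers are not left to find an installer on their own.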

2 changes: 1 addition & 1 deletion memdocs/configmgr/comanage/tutorial-co-manage-clients.md
Expand Up @@ -2,7 +2,7 @@
title: Tutorial&#58; Enable co-management for existing clients
titleSuffix: Configuration Manager
description: Configure co-management with Microsoft Intune when you already manage Windows devices with Configuration Manager.
ms.date: 03/21/2022
ms.date: 10/18/2024
ms.subservice: co-management
ms.service: configuration-manager
ms.topic: tutorial
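Review bot: `ms.date` moves from 03/21/2022 to 10/18/2024, but the file summary shows this as the only change ("1 addition & 1 deletion"). If the tutorial content was not reviewed, the new date overstates its freshness; either note what was verified or leave the date as it was.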