Merge branch 'main' into frankroj-patch-2

frankroj · web-flow · commit 74b08b6be978 · 2025-05-21T14:12:03.000-04:00
diff --git a/autopilot/requirements.md b/autopilot/requirements.md
@@ -8,7 +8,7 @@ author: frankroj
 ms.author: frankroj
 ms.reviewer: madakeva
 manager: aaroncz
-ms.date: 03/27/2025
+ms.date: 05/15/2025
 ms.collection:
   - M365-modern-desktop
   - highpri
@@ -68,6 +68,7 @@ The following editions of Windows 11 are supported:
 - Windows 11 Enterprise.
 - Windows 11 Education.
 - [Windows 11 Enterprise LTSC](/windows/whats-new/ltsc/overview).
+- Windows 11 IoT Enterprise only when used in Microsoft Teams Rooms devices.
 
 #### Windows 10
 
@@ -81,6 +82,7 @@ The following editions of Windows 10 are supported:
 - Windows 10 Enterprise.
 - Windows 10 Education.
 - [Windows 10 Enterprise LTSC](/windows/whats-new/ltsc/overview).
+- Windows 10 IoT Enterprise only when used in Microsoft Teams Rooms devices.
 
 #### HoloLens
 
diff --git a/intune/intune-service/apps/apps-supported-intune-apps.md b/intune/intune-service/apps/apps-supported-intune-apps.md
@@ -91,8 +91,8 @@ The below apps support the Core Intune App Protection Policy settings and are al
 |Microsoft Planner|[iOS](https://apps.apple.com/us/app/microsoft-planner/id1219301037)|✔|No settings|✖|N/A|✖|✖|N/A|✖|
 |Microsoft PowerPoint|[Android](https://play.google.com/store/apps/details?id=com.microsoft.office.powerpoint)|✔|No settings|✔|N/A|✖|✖|✔|✖|
 |Microsoft PowerPoint|[iOS](https://apps.apple.com/us/app/microsoft-powerpoint/id586449534)|✔|No settings|✔|N/A|✖|✖|✔|✖|
-|Microsoft Remote Desktop|[Android](https://play.google.com/store/apps/details?id=com.microsoft.rdc.androidx)|✔|✔|✖|N/A|N/A|N/A|N/A|✖|
-|Microsoft Windows App|[iOS](https://apps.apple.com/us/app/remote-desktop-mobile/id714464092)|✔|✔ see [Configure device redirection](/azure/virtual-desktop/client-device-redirection-intune).|✖|N/A|N/A|N/A|N/A|✖|
+|Microsoft Windows App|[Android](https://play.google.com/store/apps/details?id=com.microsoft.rdc.androidx)|✔|✔ see [Manage device redirection](/windows-app/manage-device-redirection-intune).|✖|N/A|N/A|N/A|N/A|✖|
+|Microsoft Windows App|[iOS](https://apps.apple.com/us/app/remote-desktop-mobile/id714464092)|✔|✔ see [Manage device redirection](/windows-app/manage-device-redirection-intune).|✖|N/A|N/A|N/A|N/A|✖| 
 |Microsoft SharePoint|[Android](https://play.google.com/store/apps/details?id=com.microsoft.sharepoint)|✔|No settings|✖|N/A|✖|✖|N/A|✖|
 |Microsoft SharePoint|[iOS](https://apps.apple.com/us/app/microsoft-sharepoint/id1091505266)|✔|No settings|✖|N/A|✖|✖|N/A|✖|
 |Microsoft Teams|[Android](https://play.google.com/store/apps/details?id=com.microsoft.teams)|✔|No settings|✔|N/A|✔|✔|✔|✔ Supported for v1416/1.0.0.2023226005 (2023226050) or later|
diff --git a/intune/intune-service/apps/apps-win32-prepare.md b/intune/intune-service/apps/apps-win32-prepare.md
@@ -28,6 +28,9 @@ ms.collection:
 
 Before you can add a Win32 app to Microsoft Intune, you must prepare the app by using the [Microsoft Win32 Content Prep Tool](https://go.microsoft.com/fwlink/?linkid=2065730).
 
+> [!TIP]
+> As a companion to this article, see our [‎Intune‎ app protection for ‎Windows‎ 10/11 setup guide](https://go.microsoft.com/fwlink/?linkid=2309605) to review best practices and learn to enforce policies, deploy apps, and protect corporate data across a variety of devices. For a customized experience based on your environment, you can access the [‎Intune‎ app protection for ‎Windows‎ 10/11 guide](https://go.microsoft.com/fwlink/?linkid=2309606) in the Microsoft 365 admin center.  
+
 ## Prerequisites
 
 To use Win32 app management, be sure you meet the following criteria:
diff --git a/intune/intune-service/apps/mamedge-2-app.md b/intune/intune-service/apps/mamedge-2-app.md
@@ -63,7 +63,7 @@ Use the following steps to apply the data protection framework.
 
 1. Navigate to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
-2. Select **Apps** > **Protection** > **Create policy** > **Windows**.
+2. Select **Apps** > **Protection** > **Create** > **Windows**.
 
 3. On the **Create policy** step, set the following details:
 
@@ -141,7 +141,7 @@ Next, you create a **Level 3** app protection policy for Microsoft Edge from Mic
 
 To create the app protection policy, follow these steps:
 
-1. Navigate to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Apps** > **Protection** > **Create policy**.
+1. Navigate to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Apps** > **Protection** > **Create**.
 
 2. Select **Create policy** > **Android** or **iOS/iPadOS**. Next, enter the following information:
 
diff --git a/intune/intune-service/apps/quickstart-create-assign-app-policy.md b/intune/intune-service/apps/quickstart-create-assign-app-policy.md
@@ -51,7 +51,7 @@ Sign in to the [Intune](https://aka.ms/intuneportal) as an [Intune administrator
 
 Use the following steps to create an app protection policy:
 
-1. In [Intune](https://aka.ms/intuneportal), select **Apps** > **Protection** > **Create Policy** > **Windows 10**.
+1. In [Intune](https://aka.ms/intuneportal), select **Apps** > **Protection** > **Create** > **Windows 10**.
 2. Enter the following details:
 
     - **Name**: *Windows 10 content protection*
diff --git a/intune/intune-service/apps/windows-information-protection-policy-create.md b/intune/intune-service/apps/windows-information-protection-policy-create.md
@@ -81,7 +81,7 @@ After you set up Intune in your organization, you can create a WIP-specific poli
 
 
 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Select **Apps** > **Protection** > **Create policy**.
+2. Select **Apps** > **Protection** > **Create**.
 3. Add the following values:
     - **Name:** Type a name (required) for your new policy.
     - **Description:** (Optional) Type a description.
diff --git a/intune/intune-service/configuration/device-restrictions-android-aosp.md b/intune/intune-service/configuration/device-restrictions-android-aosp.md
@@ -7,7 +7,7 @@ keywords:
 author: MandiOhlinger
 ms.author: mandia
 manager: dougeby
-ms.date: 04/15/2025
+ms.date: 05/14/2025
 ms.topic: reference
 ms.service: microsoft-intune
 ms.subservice: configuration
@@ -31,16 +31,14 @@ ms.collection:
 
 # Android (AOSP) device settings to allow or restrict features using Templates in Intune
 
-This article describes the different settings you can control on Android (AOSP) devices using Templates. You can use these restrictions to configure password requirements and access to device features.
+This article lists and describes the different settings you can configure on Android (AOSP) devices using templates in Microsoft Intune. Settings can be configured using **Templates** or the **[settings catalog](settings-catalog.md)**. This article focuses on the templates.
 
-Settings can be configured either through **Templates** or **Settings catalog**. For more information on **Settings catalog**, go to [Settings catalog](settings-catalog.md).
-
-The settings outlined below can be found as **Templates** under **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **Android Enterprise** > **Templates**. 
+You can use these restrictions to configure password requirements and access to device features.
 
 > [!NOTE]
 >
->- If you can't find a setting in **Templates**, select **Settings catalog**. The settings catalog is a list of the settings you can configure for Android (AOSP) devices. It includes additional settings that you can configure that are not available under **Templates**.
->- If you can't find a setting in **Settings catalog**, check **Templates**.
+>- If you can't find a setting in templates, then look for the setting in the settings catalog. It can include more settings that aren't available in templates. If you can't find a setting in the settings catalog, then look at the template settings.
+>- Device configuration profiles aren't supported on Microsoft Teams devices running AOSP.
 
 This feature applies to:
 
@@ -49,21 +47,9 @@ This feature applies to:
 
 ## Before you begin
 
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Select **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy**.
-3. Enter the following properties:
-
-    - **Platform**: Select **Android (AOSP)**.
-    - **Profile type**: Select **Templates**.
-
-4. Select **Create**.
-5. In **Basics**, enter the following properties:
-
-    - **Name**: Name your profiles so you can easily identify them later.
-    - **Description**: This setting is optional but recommended.
-
-6. Select **Next**.
-
+- Create an [AOSP device restrictions profile](device-restrictions-configure.md).
+  - For platform, select **Android (AOSP)**.
+  - For profile type, select **Templates**
 
 ## Device password  
 
diff --git a/intune/intune-service/configuration/wi-fi-settings-windows.md b/intune/intune-service/configuration/wi-fi-settings-windows.md
@@ -7,7 +7,7 @@ keywords:
 author: MandiOhlinger
 ms.author: mandia
 manager: dougeby
-ms.date: 06/25/2024
+ms.date: 05/15/2025
 ms.topic: reference
 ms.service: microsoft-intune
 ms.subservice: configuration
@@ -147,7 +147,7 @@ Enterprise profiles use Extensible Authentication Protocol (EAP) to authenticate
   - **EAP-TLS**: Also enter:
 
     - **Certificate server names**: Enter one or more common names used in the certificates issued by your trusted certificate authority (CA). If you enter this information, you can bypass the dynamic trust dialog shown on user devices when they connect to this Wi-Fi network.
-    - **Root certificates for server validation**: Select one or more existing trusted root certificate profiles. When the client connects to the network, these certificates are used to establish a chain of trust with the server. If your authentication server uses a public certificate, then you don't need to include a root certificate.
+    - **Root certificates for server validation**: Select one or more existing trusted root certificate profiles. When the client connects to the network, these certificates are used to establish a chain of trust with the server. If your authentication server uses a public certificate that's already installed on your device, then you don't need to include a root certificate.
     - **Authentication method**: Select the authentication method used by your device clients. Your options:
 
       - **SCEP certificate**: Select the SCEP client certificate profile that is also deployed to the device. This certificate is the identity presented by the device to the server to authenticate the connection.
@@ -157,7 +157,7 @@ Enterprise profiles use Extensible Authentication Protocol (EAP) to authenticate
   - **EAP-TTLS**: Also enter:
 
     - **Certificate server names**: Enter one or more common names used in the certificates issued by your trusted certificate authority (CA). If you enter this information, you can bypass the dynamic trust dialog shown on user devices when they connect to this Wi-Fi network.
-    - **Root certificates for server validation**: Select one or more existing trusted root certificate profiles. When the client connects to the network, these certificates are used to establish a chain of trust with the server. If your authentication server uses a public certificate, then you don't need to include a root certificate.
+    - **Root certificates for server validation**: Select one or more existing trusted root certificate profiles. When the client connects to the network, these certificates are used to establish a chain of trust with the server. If your authentication server uses a public certificate that's already installed on your device, then you don't need to include a root certificate.
     - **Authentication method**: Select the authentication method used by your device clients. Your options:
 
       - **Username and Password**: Prompt the user for a user name and password to authenticate the connection. Also enter:
@@ -181,7 +181,7 @@ Enterprise profiles use Extensible Authentication Protocol (EAP) to authenticate
 
     - **Certificate server names**: Enter one or more common names used in the certificates issued by your trusted certificate authority (CA). If you enter this information, you can bypass the dynamic trust dialog shown on user devices when they connect to this Wi-Fi network.  
 
-    - **Root certificates for server validation**: Select one or more existing trusted root certificate profiles. When the client connects to the network, these certificates are used to establish a chain of trust with the server. If your authentication server uses a public certificate, then you don't need to include a root certificate.  
+    - **Root certificates for server validation**: Select one or more existing trusted root certificate profiles. When the client connects to the network, these certificates are used to establish a chain of trust with the server. If your authentication server uses a public certificate that's already installed on your device, then you don't need to include a root certificate.  
 
     - **Perform server validation**: When set to **Yes**, in PEAP negotiation phase 1, devices validate the certificate, and verify the server. Select **No** to block or prevent this validation. When set to **Not configured**, Intune doesn't change or update this setting.
 
diff --git a/intune/intune-service/enrollment/android-aosp-corporate-owned-user-associated-enroll.md b/intune/intune-service/enrollment/android-aosp-corporate-owned-user-associated-enroll.md
@@ -79,7 +79,7 @@ Create an enrollment profile to enable enrollment on devices.
         If you select **WEP Pre-shared key** or **WPA Pre-shared key**, also enter:  
 
         - **Pre-shared key**: The pre-shared key that's used to authenticate with the network.  
-    - **For Microsoft Teams devices (preview)**: Select **Enabled** if this profile is applicable for Microsoft Teams Android devices. This setting should only be used for [Microsoft Teams Android devices](/microsoftteams/devices/teams-ip-phones). 
+    - **For Microsoft Teams devices**: Select **Enabled** if this profile is applicable for Microsoft Teams Android devices. This setting should only be used for [Microsoft Teams Android devices](/microsoftteams/devices/teams-ip-phones). You can enable this setting in one enrollment profile per tenant.  
 
 7. Select **Next** and optionally, select scope tags. 
 8. Select **Next**. Review the details of your profile and then select **Create** to save the profile.  
diff --git a/intune/intune-service/fundamentals/intune-endpoints.md b/intune/intune-service/fundamentals/intune-endpoints.md
@@ -8,7 +8,7 @@ keywords:
 author: Smritib17
 ms.author: smbhardwaj
 manager: dougeby
-ms.date: 04/01/2025
+ms.date: 05/21/2025
 ms.topic: reference
 ms.service: microsoft-intune
 ms.subservice: fundamentals
@@ -103,7 +103,7 @@ ID |Desc |Category |ER |Addresses |Ports
 97 | Consumer Outlook.com, OneDrive, Device authentication and Microsoft account | Default<BR>Required | False | `account.live.com`<BR>`login.live.com`<BR> |**TCP:** 443  |
 190 | Endpoint discovery | Default<BR>Required | False | `go.microsoft.com` | **TCP:** 80, 443|
 189 | Dependency - Feature Deployment| Default<BR>Required | False |`config.edge.skype.com`<BR>`ecs.office.com`<BR> | **TCP:** 443|
-192 | Organizational messages| Default<BR>Required | False | `fd.api.orgmsg.microsoft.com`<BR>`ris.prod.api.personalization.ideas.microsoft.com`<BR>`contentauthassetscdn-prod.azureedge.net`<BR>`contentauthassetscdn-prodeur.azureedge.net`<BR>`contentauthrafcontentcdn-prod.azureedge.net`<BR>`contentauthrafcontentcdn-prodeur.azureedge.net`<BR> | **TCP:** 443|
+192 | Organizational messages| Default<BR>Required | False | `fd.api.orgmsg.microsoft.com`<BR>`ris.prod.api.personalization.ideas.microsoft.com`<BR>` | **TCP:** 443|
 
 ### Windows Autopilot dependencies
 
@@ -270,10 +270,6 @@ You'll also need FQDNs that are covered as part of Microsoft 365 Requirements. F
 |lgmsapeweu.blob.core.windows.net | Collect Diagnostics |
 |fd.api.orgmsg.microsoft.com | Organizational messages |
 |ris.prod.api.personalization.ideas.microsoft.com | Organizational messages |
-|contentauthassetscdn-prod.azureedge.net | Organizational messages |
-|contentauthassetscdn-prodeur.azureedge.net | Organizational messages |
-|contentauthrafcontentcdn-prod.azureedge.net | Organizational messages |
-|contentauthrafcontentcdn-prodeur.azureedge.net | Organizational messages |
 |config.edge.skype.com | Feature Deployment |
 |go.microsoft.com | Endpoint discovery |
 
diff --git a/intune/intune-service/protect/microsoft-tunnel-mam-android.md b/intune/intune-service/protect/microsoft-tunnel-mam-android.md
@@ -198,7 +198,7 @@ Create an app protection policy to automatically start the Microsoft Tunnel VPN
 > [!NOTE]  
 > When the app is started, the Tunnel VPN connection will attempt to start, once started, the device will have access to the on-premises network routes available via the Microsoft Tunnel Gateway. If you wish to limit the tunnel network access to specific apps, then configure the "Per-App VPN (Android only) settings.
 
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Apps** > **Protection** > **Create policy** > **Android**.
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Apps** > **Protection** > **Create** > **Android**.
 
 2. On the *Basics* tab, enter a *Name* for this policy, and a *Description (optional)*, and then select **Next**.
 
diff --git a/intune/intune-service/protect/tutorial-protect-email-on-unmanaged-devices.md b/intune/intune-service/protect/tutorial-protect-email-on-unmanaged-devices.md
@@ -63,7 +63,7 @@ In this tutorial, we set up an Intune [app protection policy](../apps/app-protec
 
 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
-2. Select **Apps** > **Protection** > **Create policy**, and then select **iOS/iPadOS**.
+2. Select **Apps** > **Protection** > **Create**, and then select **iOS/iPadOS**.
 
 3. On the **Basics** page, configure the following settings:
 
diff --git a/intune/intune-service/protect/windows-driver-updates-overview.md b/intune/intune-service/protect/windows-driver-updates-overview.md
@@ -193,7 +193,7 @@ For more information about planning deployments, see [Create a deployment plan](
 
 ### Can I apply driver updates policy during Windows Autopilot?
 
-- No. Driver Updates aren't supported during autopilot at this time.
+- No. Driver Updates aren't supported during Windows Autopilot at this time.
 
 > [!NOTE]
 > Windows applies critical updates during Windows Autopilot. These updates may include critical driver updates that have not yet been approved by an admin.
diff --git a/intune/intune-service/remote-actions/find-primary-user.md b/intune/intune-service/remote-actions/find-primary-user.md
@@ -73,7 +73,7 @@ The Company Portal app expects that the user account that signed in to the Compa
 
 "This device is already assigned to someone in your organization. Contact company support about becoming the primary device user. You can continue to use Company Portal but functionality is limited."
 
-If an Intune device has no primary user assigned, then the Company Portal app detects it as a shared device. Shared devices are visually identifiable with a "shared" label appearing on the device tile. In this mode, the Company Portal can still be used to request and install available apps. However, self-service actions (reset/rename/retire) aren't available.
+If an Intune device has no primary user assigned, then the Company Portal app detects it as a shared device. Shared devices are visually identifiable with a "shared" label appearing on the device tile. In this mode, the Company Portal can still be used to request and install available apps. However, uninstalling apps and self-service actions (reset/rename/retire) aren't available.
 
 To appear in the Company Portal on shared devices, available apps must be assigned to a device group. They are installed in the system context or user context, depending on how the app was configured by the IT administrator. For more information about app context, see [Installing apps on Windows 10 devices](../apps/apps-windows-10-app-deploy.md). Company Portal version 10.3.4651.0 or later is required to use this feature.
 
