Commit 4e95756

Merge pull request #16467 from MicrosoftDocs/main
Publish main to live, Monday 10:30 AM PST, 10/28
2 parents 494a50a + d051350 commit 4e95756

3 files changed

+32
-27
lines changed

memdocs/configmgr/core/servers/manage/configuring-reporting.md

Lines changed: 3 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -92,6 +92,8 @@ Before you can view or manage reports in the Configuration Manager console, you
9292
If you need to change the report server URL, first remove the existing reporting services point. Change the URL, and then reinstall the reporting services point.
9393

9494
- When you install a reporting services point, specify a [Reporting services point account](../../plan-design/hierarchy/accounts.md#reporting-services-point-account). For users from a different domain to run a report, create a two-way trust between domains. Otherwise the report fails to run.
95+
96+
- The account that runs Reporting Services service must belong to the domain local security group **Windows Authorization Access Group**. This grants the account **Allow Read** permissions on the **tokenGroupsGlobalAndUniversal** attribute for all user objects within the domain. Users in a different domain than the reporting services point account need a two-way trust between the domains to successfully run reports.
9597

9698
### <a name="bkmk_install"></a> Install the reporting services point on a site system
9799
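Review bot: The bullet added at new line 96 repeats the cross-domain requirement that the unchanged bullet at line 94 already states ("For users from a different domain to run a report, create a two-way trust between domains"), so two adjacent bullets now give the same two-way-trust instruction. Drop the last sentence of the new bullet or keep the trust requirement in one place only. The new bullet also reads "Reporting Services service" and sits directly under the reporting services point account bullet without saying whether the service account is that account or a different one; because the group membership gives **Allow Read** on **tokenGroupsGlobalAndUniversal** for all user objects in the domain, name the account that needs it. The empty added line at 95 between the list items is unnecessary.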

@@ -125,11 +127,7 @@ For more information about configuring site systems, see [Install site system ro
125127
> [!IMPORTANT]
126128
> Configuration Manager makes a connection in the context of the current user to WMI on the selected site system. It uses this connection to retrieve the instance of SQL Server for Reporting Services. The current user must have **Read** access to WMI on the site system, or the wizard can't get the Reporting Services instances.
127129
128-
- **Reporting services point account**: Select **Set**, and then select an account to use. SQL Server Reporting Services on the reporting services point uses this account to connect to the Configuration Manager site database. This connection is to retrieve the data for a report. Select **Existing account** to specify a Windows user account that you previously configured as a Configuration Manager account. Select **New account** to specify a Windows user account that's not currently configured for use. Configuration Manager automatically grants the specified user access to the site database.
129-
130-
The account that runs Reporting Services must belong to the domain local security group **Windows Authorization Access Group**. This grants the account **Allow Read** permissions on the **tokenGroupsGlobalAndUniversal** attribute for all user objects within the domain. Users in a different domain than the reporting services point account need a two-way trust between the domains to successfully run reports.
131-
132-
The specified Windows user account and password are encrypted and stored in the Reporting Services database. Reporting Services retrieves the data for reports from the site database by using this account and password.
130+
- **Reporting services point account**: Select **Set**, and then select an account to use. SQL Server Reporting Services on the reporting services point uses this account to connect to the Configuration Manager site database. This connection is to retrieve the data for a report. Select **Existing account** to specify a Windows user account that you previously configured as a Configuration Manager account. Select **New account** to specify a Windows user account that's not currently configured for use. Configuration Manager automatically grants the specified user access to the site database. The specified Windows user account and password are encrypted and stored in the Reporting Services database. Reporting Services retrieves the data for reports from the site database by using this account and password.
133131

134132
> [!IMPORTANT]
135133
> The account that you specify must have the **Log on locally** permission on the server that hosts the Reporting Services database.
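Review bot: In the merged bullet at new line 130, the statement that the account and password are "encrypted and stored in the Reporting Services database" now sits at the end of one long list item, where it used to be its own paragraph. That sentence tells an administrator where the credential lives, so keep it as a separate indented paragraph under the bullet instead of appending it to the selection steps. The Windows Authorization Access Group paragraph removed at old line 130 reappears in the prerequisites at new line 96, but the wizard step no longer mentions it; a short cross-reference from this bullet to that prerequisite would help someone who reads only the install procedure.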

memdocs/intune/apps/manage-microsoft-edge.md

Lines changed: 28 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -542,15 +542,25 @@ Organizations can define which sites users can access within the work or school
542542

543543
Organizations also define what happens when a user attempts to navigate to a restricted web site. By default, transitions are allowed. If the organization allows it, restricted web sites can be opened in the personal account context, the Microsoft Entra account’s InPrivate context, or whether the site is blocked entirely. For more information on the various scenarios that are supported, see [Restricted website transitions in Microsoft Edge mobile](https://techcommunity.microsoft.com/t5/intune-customer-success/restricted-website-transitions-in-microsoft-edge-mobile/ba-p/1381333). By allowing transitioning experiences, the organization's users stay protected, while keeping corporate resources safe.
544544

545+
To enhance the profile-switching experience by reducing the need for users to manually switch to personal profiles or InPrivate mode to open blocked URLs, we’ve introduced two new policies:
546+
- `com.microsoft.intune.mam.managedbrowser.AutoTransitionModeOnBlock`
547+
- `com.microsoft.intune.mam.managedbrowser.ProfileAutoSwitchToWork`
548+
549+
Since these policies bring different results based on their configurations and combinations, we recommend trying our policy suggestions below for a quick evaluation to see if the profile-switching experience aligns well with your organization’s needs before exploring detailed documentation. Suggested profile-switching configuration settings include the following values:
550+
- `com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock=true`
551+
- `com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked=true`
552+
- `com.microsoft.intune.mam.managedbrowser.AutoTransitionModeOnBlock=1`
553+
- `com.microsoft.intune.mam.managedbrowser.ProfileAutoSwitchToWork=2`
554+
545555
> [!NOTE]
546556
> Edge for iOS and Android can block access to sites only when they're accessed directly. It doesn't block access when users use intermediate services (such as a translation service) to access the site. URLs that start with **Edge**, such as `Edge://*`, `Edge://flags`, and `Edge://net-export`, aren't supported in app configuration policy **AllowListURLs** or **BlockListURLs** for managed apps. You can disable these URLs with **com.microsoft.intune.mam.managedbrowser.InternalPagesBlockList**. <br><br> If your devices are managed, you can also use app configuration policy [URLAllowList](/deployedge/microsoft-edge-mobile-policies#urlallowlist) or [URLBlocklist](/deployedge/microsoft-edge-mobile-policies#urlblocklist) for managed devices. For related information, see [Microsoft Edge mobile policies](/deployedge/microsoft-edge-mobile-policies).
547557
548558
Use the following key/value pairs to configure either an allowed or blocked site list for Edge for iOS and Android.
549559

550560
|Key |Value |
551561
|:--|:----|
552-
|com.microsoft.intune.mam.managedbrowser.AllowListURLs |The corresponding value for the key is a list of URLs. You enter all the URLs you want to allow as a single value, separated by a pipe `|` character. <br><br>**Examples:** <br>`URL1|URL2|URL3` <br>`http://www.contoso.com/|https://www.bing.com/|https://expenses.contoso.com` |
553-
|com.microsoft.intune.mam.managedbrowser.BlockListURLs |The corresponding value for the key is a list of URLs. You enter all the URLs you want to block as a single value, separated by a pipe `|` character. <br><br> **Examples:** <br>`URL1|URL2|URL3` <br>`http://www.contoso.com/|https://www.bing.com/|https://expenses.contoso.com` |
562+
|com.microsoft.intune.mam.managedbrowser.AllowListURLs <br><br> This policy name has been replaced by the UI of **Allowed URLs** under Edge Configuration settings|The corresponding value for the key is a list of URLs. You enter all the URLs you want to allow as a single value, separated by a pipe `|` character. <br><br>**Examples:** <br>`URL1|URL2|URL3` <br>`http://www.contoso.com/|https://www.bing.com/|https://expenses.contoso.com` |
563+
|com.microsoft.intune.mam.managedbrowser.BlockListURLs <br><br> This policy name has been replaced by the UI of **Blocked URLs** under Edge Configuration settings|The corresponding value for the key is a list of URLs. You enter all the URLs you want to block as a single value, separated by a pipe `|` character. <br><br> **Examples:** <br>`URL1|URL2|URL3` <br>`http://www.contoso.com/|https://www.bing.com/|https://expenses.contoso.com` |
554564
|com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock |**true** (default) allows Edge for iOS and Android to transition restricted sites. When personal accounts aren't disabled, users are prompted to either switch to the personal context to open the restricted site, or to add a personal account. If com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked is set to true, users have the capability of opening the restricted site in the InPrivate context. <br>**false** prevents Edge for iOS and Android from transitioning users. Users are simply shown a message stating that the site they are trying to access is blocked. |
555565
|com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked <br><br> This policy name has been replaced by the UI of **Redirect restricted sites to personal context** under Edge Configuration settings |**true** allows restricted sites to be opened in the Microsoft Entra account's InPrivate context. If the Microsoft Entra account is the only account configured in Edge for iOS and Android, the restricted site is opened automatically in the InPrivate context. If the user has a personal account configured, the user is prompted to choose between opening InPrivate or switch to the personal account. <br>**false** (default) requires the restricted site to be opened in the user's personal account. If personal accounts are disabled, then the site is blocked. <br>In order for this setting to take effect, com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock must be set to true. |
556566
|com.microsoft.intune.mam.managedbrowser.durationOfOpenInPrivateSnackBar | Enter the number of seconds that users will see the snack bar notification "Access to this site is blocked by your organization. We’ve opened it in InPrivate mode for you to access the site." By default, the snack bar notification is shown for 7 seconds.|
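Review bot: The suggested values at new lines 550 to 553 set `AutoTransitionModeOnBlock=1` and `ProfileAutoSwitchToWork=2` without saying what 1 and 2 do, and the tables that define them only appear further down the page. Per those tables, this combination switches a blocked URL to the personal account or InPrivate automatically instead of prompting the user, so state that effect in the sentence at line 549 and link each key to its section. Line 545 says "we’ve introduced two new policies", which dates quickly and moves the page into first person; name the policies directly instead. In the rows at 562 and 563, the added "This policy name has been replaced by the UI of ..." text lacks the space before the cell separator that the openInPrivateIfBlocked row at 565 has.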
@@ -564,6 +574,22 @@ The following sites except copilot.microsoft.com are always allowed regardless o
564574
- `https://*.microsoftonline.com/*`
565575
- `https://*.microsoftonline-p.com/*`
566576

577+
### Control the behavior of the Site Blocked popup
578+
When attempting to access blocked websites, users will be prompted to use either switch to InPrivate or personal account to open the blocked websites. You can choose preferences between InPrivate and personal account.
579+
580+
|Key |Value |
581+
|:--|:----|
582+
|com.microsoft.intune.mam.managedbrowser.AutoTransitionModeOnBlock |**0**: (Default) Always show the popup window for user to choose.<br>**1**: Automatically switch to personal account when personal account is signed in.If personal account is not signed in, the behavior will be changed to value 2. <br>**2**:Automatically switch to InPrivate if InPrivate switch is allowed by com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked=true. |
583+
584+
### Control the behavior of switching personal profile to work profile
585+
When Edge is under the personal profile and users are attempting to open a link from Outlook or Microsoft Teams which are under the work profile, by default, Intune will use the Edge work profile to open the link because both Edge, Outlook, and Microsoft Teams are managed by Intune. However, when the link is blocked, the user will be switched to the the personal profile. This causes a friction experience for users
586+
587+
You can configure a policy to enhance users' experience. This policy is recommended to be used together with AutoTransitionModeOnBlock as it may switch users to the personal profile according to the policy value you configured.
588+
589+
|Key |Value |
590+
|:--|:----|
591+
|com.microsoft.intune.mam.managedbrowser.ProfileAutoSwitchToWork |**1**: (Default) Switch to work profile even if the URL is blocked by Edge policy.<br> **2**: The blocked URLs will open under personal profile if personal profile is signed in. If personal profile is not signed in, the blocked URL will opened in InPrivate mode. |
592+
567593
#### URL formats for allowed and blocked site list
568594

569595
You can use various URL formats to build your allowed/blocked sites lists. These permitted patterns are detailed in the following table.
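Review bot: The two `###` sections added at new lines 577 and 584 are inserted directly above the unchanged `#### URL formats for allowed and blocked site list` heading at line 593, so that subsection now nests under "Control the behavior of switching personal profile to work profile" instead of the allowed/blocked site list content it describes. Place the new sections after the URL formats subsection or ahead of the site list section. In the ProfileAutoSwitchToWork row at line 591, value 2 says the blocked URL opens in InPrivate mode when no personal profile is signed in, but unlike value 2 of AutoTransitionModeOnBlock it does not say whether this depends on `openInPrivateIfBlocked=true`; state the dependency, or the outcome when InPrivate is not allowed. Wording to fix in the same added lines: "signed in.If", "**2**:Automatically", "the the personal profile", the missing period after "friction experience for users", and "will opened".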
@@ -600,25 +626,6 @@ You can use various URL formats to build your allowed/blocked sites lists. These
600626
- `http://www.contoso.com:*`
601627
- `http://www.contoso.com: /*`
602628

603-
### Control the behavior of the Site Blocked popup
604-
When attempting to access blocked websites, users will be prompted to use either switch to InPrivate or personal account to open the blocked websites. You can choose preferences between InPrivate and personal account.
605-
606-
|Key |Value |
607-
|:--|:----|
608-
|com.microsoft.intune.mam.managedbrowser.AutoTransitionModeOnBlock |**0**: (Default) Always show the popup window for user to choose.<br>**1**: Automatically switch to personal account when personal account is signed in.If personal account is not signed in, the behavior will be changed to value 2. <br>**2**:Automatically switch to InPrivate if InPrivate switch is allowed by com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked=true. |
609-
610-
### Control the behavior of switching personal profile to work profile
611-
When Edge is under the personal profile and users are attempting to open a link from Outlook or Microsoft Teams which are under the work profile, by default, Intune will use the Edge work profile to open the link because both Edge, Outlook, and Microsoft Teams are managed by Intune. However, when the link is blocked, the user will be switched to the the personal profile. This causes a friction experience for users
612-
613-
You can configure a policy to enhance users' experience. This policy is recommended to be used together with AutoTransitionModeOnBlock as it may switch users to the personal profile according to the policy value you configured.
614-
615-
|Key |Value |
616-
|:--|:----|
617-
|com.microsoft.intune.mam.managedbrowser.ProfileAutoSwitchToWork |**1**: (Default) Switch to work profile even if the URL is blocked by Edge policy.<br> **2**: URLs that are blocked by Edge policy will not be switched to work profile. |
618-
619-
> [!NOTE]
620-
> This policy takes effect when Edge is in personal profile and is receiving URL from a managed apps such as Outlook and Microsoft Teams by Intune. Edge also needs to have both personal profile and work profile signed in.
621-
622629
### Disable Edge internal pages
623630
You can disable Edge internal pages such as `Edge://flags` and `Edge://net-export`. More pages can be found from `Edge://about`
624631
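Review bot: The `[!NOTE]` removed at old lines 619 and 620 stated when ProfileAutoSwitchToWork takes effect (Edge in the personal profile, receiving a URL from an Intune-managed app, with both personal and work profiles signed in), and the relocated section at new lines 584 to 591 does not carry it over. The rewritten value 2 text now covers the case where the personal profile is not signed in, which suggests the precondition changed; if so, replace the note with the current conditions instead of dropping it, and if not, restore it under the moved section. The value 2 description itself changed during the move (from "will not be switched to work profile" to opening under the personal profile or InPrivate), so this is a behaviour change as well as a relocation and deserves a mention in the change description.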

memdocs/intune/protect/encrypt-devices-filevault.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@ ms.assetid:
1818

1919
#audience:
2020

21-
ms.reviewer: annovich; aanavath
21+
ms.reviewer: beflamm; aanavath
2222
ms.suite: ems
2323
search.appverid: MET150
2424
#ms.tgt_pltfrm:
