Merge pull request #16460 from MicrosoftDocs/main

rjagiewich · web-flow · commit 824b9fabe7dc · 2024-10-25T15:40:56.000-07:00
publish main to live, 10/25/24, 3:30 pm
diff --git a/memdocs/intune/protect/encrypt-devices-filevault.md b/memdocs/intune/protect/encrypt-devices-filevault.md
@@ -1,18 +1,18 @@
 ---
 # required metadata
-title: Encrypt macOS devices with FileVault disk encryption with Intune 
+title: Encrypt macOS FileVault disk encryption with Intune policy
 titleSuffix: Microsoft Intune
-description: Use Microsoft Intune encryption policy to encrypt macOS devices with FileVault, and manage recovery keys for encrypted macOS devices from within the Microsoft Intune admin center.
+description: Use Microsoft Intune policy to configure FileVault on macOS devices, and use the admin center to manage their recovery keys.
 keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 06/21/2024
+ms.date: 10/25/2024
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
 ms.localizationpriority: high
-ms.assetid:  
+ms.assetid:
 
 # optional metadata
 
@@ -30,7 +30,7 @@ ms.collection:
 
 ---
 
-# Use FileVault disk encryption for  macOS with Intune
+# Use FileVault disk encryption for macOS with Intune
 
 Use Microsoft Intune to configure and manage macOS FileVault disk encryption. FileVault is a whole-disk encryption program that is included with macOS. With Intune you can deploy policies that configure FileVault, and then manage recovery keys on devices that run **macOS 10.13 or later**.
 
@@ -66,62 +66,18 @@ You can add this permission and right to your own [custom RBAC roles](../fundame
 - Help Desk Operator
 - Endpoint Security Administrator
 
-## Create device configuration policy for FileVault
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-2. Select **Devices** > **Manage devices** > **Configuration** > On the *Policies* tab, select **+ Create**.
-
-3. On the **Create a profile** page, set the following options, and then select **Create**:
-   - **Platform**: macOS
-   - **Profile type**: Templates
-   - **Template name**: Endpoint protection
-
-   :::image type="content" source="./media/encrypt-devices-filevault/select-macos-filevault-dc.png" alt-text="Select the Endpoint protection profile.":::
-
-4. On the **Basics** page, enter the following properties:
-
-   - **Name**: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name might include the profile type and platform.
-
-   - **Description**: Enter a description for the policy. This setting is optional, but recommended.
-
-5. On the **Configuration settings** page, select **FileVault** to expand the available settings:
-
-   :::image type="content" source="./media/encrypt-devices-filevault/filevault-settings.png" alt-text="FileVault settings.":::
-
-6. Configure the following settings:
-  
-   - For *Enable FileVault*, select **Yes**.
-
-   - For *Recovery key type*, select **Personal key**.
-
-   - For *Escrow location description of personal recovery key*, add a message to help guide users on [how to retrieve the recovery key](#retrieve-a-personal-recovery-key) for their device. This information can be useful for your users when you use the setting for Personal recovery key rotation, which can automatically generate a new recovery key for a device periodically.
-
-     For example: To retrieve a lost or recently rotated recovery key, sign in to the Intune Company Portal website from any device. In the portal, go to *Devices* and select the device that has FileVault enabled, and then select *Get recovery key*. The current recovery key is displayed.
-
-   Configure the remaining [FileVault settings](endpoint-protection-macos.md#filevault) to meet your business needs, and then select **Next**.
-
-7. If applicable, on the **Scope (Tags)** page, choose **Select scope tags** to open the Select tags pane to assign scope tags to the profile.
-
-   Select **Next** to continue.
-
-8. On the **Assignments** page, select groups to receive this profile. For more information on assigning profiles, see Assign user and device profiles.
-Select **Next**.
-
-9. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list when you select the policy type for the profile you created.
-
 ## Create endpoint security policy for FileVault
 
 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
 2. Select **Endpoint security** > **Disk encryption** > **Create Policy**.
 
-1. On the **Basics** page, enter the following properties, and then choose **Next**.
-- **Platform**: macOS
-- **Profile**: FileVault
+3. On the **Basics** page, enter the following properties, and then choose **Next**.
+   - **Platform**: macOS
+   - **Profile**: FileVault
 
    ![Select the FileVault profile](./media/encrypt-devices-filevault/select-macos-filevault-es.png)
-  
+
 4. On the **Configuration settings** page:
    1. Set *Enable FileVault* to **Yes**.
    2. For *Recovery key type*, only **Personal Recovery Key** is supported.
@@ -172,7 +128,7 @@ Select **Next**.
 
 7. If applicable, on the **Scope (Tags)** page, choose **Select scope tags** to open the *Select tags* pane to assign scope tags to the profile. Select **Next** to continue.
 
-8. On the **Assignments** page, select the groups that will receive this profile. For more information on assigning profiles, see Assign user and device profiles. Select **Next**.
+8. On the **Assignments** page, select the groups that receive this profile. For more information on assigning profiles, see Assign user and device profiles. Select **Next**.
 
 9. On the **Review + create** page, when you're done, select **Create**. The new profile is displayed in the list when you select the policy type for the profile you created.
 
@@ -187,16 +143,61 @@ For devices that run macOS 14 and later, your settings catalog policy can also e
 - When *Await final Configuration* set to *Yes* for a device, you can then add the following Full Disk Encryption setting for FileVault in your settings catalog profile
 
 - FileVault > **Force Enable in Setup Assistant** – Set to **Enabled**.
-  
+
    The following image shows the settings catalog profile configured with the core settings to enable FileVault and use the Setup Assistant to enforce encryption. In this example, the Location setting uses the simple name of our domain, *Contoso*:
 
-    
-  
   > [!IMPORTANT]
   > The **Defer** setting must be configured to **Enabled** to successfully enable FileVault in Setup Assistant for devices running macOS 14.4. 
-  
+
   :::image type="content" source="./media/encrypt-devices-filevault/filevault-setup-assistant-configuration.png" alt-text="Screenshot of the settings needed to enable File Vault in Setup Assistant.":::
 
+## Create device configuration policy for FileVault (Deprecated)
+
+> [!NOTE]
+> The macOS template for Endpoint Protection is deprecated and no longer supports creating new profiles. Instead, use the [Endpoint security](#create-endpoint-security-policy-for-filevault) or the [settings catalog](#create-settings-catalog-policy-for-filevault) to configure and manage new FileVault profiles.
+
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+
+2. Select **Devices** > **Manage devices** > **Configuration** > On the *Policies* tab, select **+ Create**.
+
+3. On the **Create a profile** page, set the following options, and then select **Create** > **New policy**:
+   - **Platform**: macOS
+   - **Profile type**: Templates
+   - **Template name**: Endpoint protection (Deprecated)
+
+   :::image type="content" source="./media/encrypt-devices-filevault/select-macos-filevault-dc.png" alt-text="Screen shot that displays the the Endpoint protection profile.":::
+
+4. On the **Basics** page, enter the following properties:
+
+   - **Name**: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name might include the profile type and platform.
+
+   - **Description**: Enter a description for the policy. This setting is optional, but recommended.
+
+5. On the **Configuration settings** page, select **FileVault** to expand the available settings:
+
+   :::image type="content" source="./media/encrypt-devices-filevault/filevault-settings.png" alt-text="Screen shot that displays FileVault settings.":::
+
+6. Configure the following settings:
+  
+   - For *Enable FileVault*, select **Yes**.
+
+   - For *Recovery key type*, select **Personal key**.
+
+   - For *Escrow location description of personal recovery key*, add a message to help guide users on [how to retrieve the recovery key](#retrieve-a-personal-recovery-key) for their device. This information can be useful for your users when you use the setting for Personal recovery key rotation, which can automatically generate a new recovery key for a device periodically.
+
+     For example: To retrieve a lost or recently rotated recovery key, sign in to the Intune Company Portal website from any device. In the portal, go to *Devices* and select the device that has FileVault enabled, and then select *Get recovery key*. The current recovery key is displayed.
+
+   Configure the remaining [FileVault settings](endpoint-protection-macos.md#filevault) to meet your business needs, and then select **Next**.
+
+7. If applicable, on the **Scope (Tags)** page, choose **Select scope tags** to open the Select tags pane to assign scope tags to the profile.
+
+   Select **Next** to continue.
+
+8. On the **Assignments** page, select groups to receive this profile. For more information on assigning profiles, see Assign user and device profiles.
+Select **Next**.
+
+9. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list when you select the policy type for the profile you created.
+
 ## Manage FileVault
 
 To view information about devices that receive FileVault policy, see [Monitor disk encryption](../protect/encryption-monitor.md).
@@ -224,7 +225,7 @@ Intune can’t manage FileVault disk encryption on a macOS device that is encryp
 - [Upload a personal recovery key to Intune](#upload-a-personal-recovery-key) – Use this method when the user knows their personal recovery key.
 - [The user generates a new recovery key on the device](#generate-a-new-recovery-key-on-the-device) – Use this method if the personal recovery key isn’t known by the user.
 
-Both methods require that the device has active policy from Intune that manages FileVault encryption. To deliver this policy, you can use an [endpoint security disk encryption profile](#create-endpoint-security-policy-for-filevault), or a [device configuration endpoint protection profile](#create-device-configuration-policy-for-filevault) to encrypt devices with FileVault.
+Both methods require that the device has active policy from Intune that manages FileVault encryption. To deliver this policy, use an [endpoint security disk encryption profile](#create-endpoint-security-policy-for-filevault).
 
 #### Upload a personal recovery key
 
@@ -238,7 +239,7 @@ Upon upload, Intune rotates the key to create a new personal recovery key. Intun
 
   Before Intune can assume management of encryption of a user-encrypted device, that device must receive an Intune FileVault policy for disk encryption.  
 
-  Use either an [endpoint security disk encryption profile](#create-endpoint-security-policy-for-filevault), or a [device configuration endpoint protection profile](#create-device-configuration-policy-for-filevault) to encrypt devices with FileVault.
+  Use an [endpoint security disk encryption profile](#create-endpoint-security-policy-for-filevault), to encrypt devices with FileVault.
 
 - **The user who encrypted the device must have access to their personal recovery key for the device and be directed to upload it to Intune.**
 
@@ -271,7 +272,7 @@ To enable Intune to manage FileVault on a previously encrypted device, the user
 
   Before Intune can assume management of encryption of a user-encrypted device, that device must receive an Intune FileVault policy for disk encryption.  
 
-  Use either an [endpoint security disk encryption profile](#create-endpoint-security-policy-for-filevault), or a [device configuration endpoint protection profile](#create-device-configuration-policy-for-filevault)  to encrypt devices with FileVault.
+  Use an [endpoint security disk encryption profile](#create-endpoint-security-policy-for-filevault) to encrypt devices with FileVault.
 
 - **The device user must have access to the Terminal app on the encrypted device.**
 
diff --git a/memdocs/intune/protect/endpoint-protection-macos.md b/memdocs/intune/protect/endpoint-protection-macos.md
@@ -7,7 +7,7 @@ keywords:
 author: lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 08/15/2022
+ms.date: 10/25/2024
 ms.topic: reference
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -32,7 +32,9 @@ ms.collection:
 # macOS endpoint protection settings in Intune
 
 > [!IMPORTANT]
-> The macOS endpoint protection template has been deprecated. Existing policies remain unchanged, but you can no longer create new policies using this template. We recommend using the settings catalog to create new configuration policies for FileVault, Firewall, and System Policy Control (Gatekeeper) payloads. For more information, see [macOS settings catalog](../configuration/settings-catalog.md).  
+> The macOS endpoint protection template has been deprecated. Existing policies remain unchanged, but you can no longer create new policies using this template. > Instead, use one of the following options:
+> - Use Endpoint security policies like [disk encryption](../protect/endpoint-security-disk-encryption-policy.md) for Filevault, or [Firewall](../protect/endpoint-security-firewall-policy.md) policy.
+> - Use the Settings catalog to create new configuration policies for FileVault, Firewall, and System Policy Control (Gatekeeper) payloads. For more information, see [macOS settings catalog](../configuration/settings-catalog.md).
 
 This article shows you the endpoint protection settings that you can configure for devices that run macOS. You configure these settings by using a macOS device configuration profile for [endpoint protection](endpoint-protection-configure.md) in Intune.
 
diff --git a/memdocs/intune/protect/media/encrypt-devices-filevault/select-macos-filevault-dc.png b/memdocs/intune/protect/media/encrypt-devices-filevault/select-macos-filevault-dc.png
diff --git a/windows-365/enterprise/report-cloud-pc-recommendations.md b/windows-365/enterprise/report-cloud-pc-recommendations.md
@@ -42,11 +42,9 @@ An evolving model analyzes this data to determine whether Cloud PCs are:
 - Under-used.
 - Sized appropriately.
 
-The Cloud PC recommendations report is in [public preview](..\public-preview.md).
-
 ## Use the Cloud PC recommendations report
 
-To get to the **Cloud PC recommendations** report, sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Reports** > **Cloud PC Overview** > **Cloud PC recommendations (preview)**.
+To get to the **Cloud PC recommendations** report, sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Reports** > **Cloud PC Overview** > **Cloud PC recommendations**.
 
 ![Screenshot of Cloud PC recommendation report.](media/report-cloud-pc-recommendations/report-cloud-pc-recommendations.png)
 
