Merge pull request #16396 from MicrosoftDocs/main

dougeby · web-flow · commit f4f557c50eae · 2024-10-17T14:21:15.000-07:00
Release Intune 2410
diff --git a/memdocs/intune/apps/app-configuration-policies-use-android.md b/memdocs/intune/apps/app-configuration-policies-use-android.md
@@ -8,7 +8,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 08/08/2024
+ms.date: 10/09/2024
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: apps
@@ -76,6 +76,7 @@ Android Enterprise has several enrollment methods. The enrollment type depends o
     > * Camera
     > * Record audio
     > * Allow body sensor data
+    > * Background location
 
 11. If the managed app supports configuration settings, the **Configuration settings format** dropdown box is visible. Select one of the following methods to add configuration information:
     - **Use configuration designer**
diff --git a/memdocs/intune/apps/apps-supported-intune-apps.md b/memdocs/intune/apps/apps-supported-intune-apps.md
@@ -90,7 +90,7 @@ The below apps support the Core Intune App Protection Policy settings and are al
 |Microsoft PowerPoint|[Android](https://play.google.com/store/apps/details?id=com.microsoft.office.powerpoint)|✔|No settings|✔|N/A|✖|✖|✔|✖|
 |Microsoft PowerPoint|[iOS](https://apps.apple.com/us/app/microsoft-powerpoint/id586449534)|✔|No settings|✔|N/A|✖|✖|✔|✖|
 |Microsoft Remote Desktop|[Android](https://play.google.com/store/apps/details?id=com.microsoft.rdc.androidx)|✔|✔|✖|N/A|N/A|N/A|N/A|✖|
-|Microsoft Remote Desktop|[iOS](https://apps.apple.com/us/app/remote-desktop-mobile/id714464092)|✔|✔|✖|N/A|N/A|N/A|N/A|✖|
+|Microsoft Windows App|[iOS](https://apps.apple.com/us/app/remote-desktop-mobile/id714464092)|✔|✔ see [Configure device redirection](/azure/virtual-desktop/client-device-redirection-intune).|✖|N/A|N/A|N/A|N/A|✖|
 |Microsoft SharePoint|[Android](https://play.google.com/store/apps/details?id=com.microsoft.sharepoint)|✔|No settings|✖|N/A|✖|✖|N/A|✖|
 |Microsoft SharePoint|[iOS](https://apps.apple.com/us/app/microsoft-sharepoint/id1091505266)|✔|No settings|✖|N/A|✖|✖|N/A|✖|
 |Microsoft Teams|[Android](https://play.google.com/store/apps/details?id=com.microsoft.teams)|✔|No settings|✔|N/A|✔|✔|✔|✔ Supported for v1416/1.0.0.2023226005 (2023226050) or later|
diff --git a/memdocs/intune/configuration/device-restrictions-ios.md b/memdocs/intune/configuration/device-restrictions-ios.md
@@ -801,6 +801,9 @@ You can also:
   - When set to **Yes**, be sure the device has a Wi-Fi profile. If you don't assign a Wi-Fi profile, then this setting can prevent devices from connecting to the internet. For example, if this device restrictions profile is assigned before a Wi-Fi profile, then the device might be blocked from connecting to the internet.
 
   - If the device can't connect, then unenroll the device, and re-enroll with a Wi-Fi profile. Then, set this setting to **Yes** in a device restrictions profile, and assign the profile to the device.
+ 
+  > [!NOTE]
+  > **Require devices to use Wi-Fi networks set up via configuration profiles** does not support Wi-Fi profiles deployed using [custom profiles](custom-settings-ios.md).
 
     This feature applies to:  
     - iOS/iPadOS 14.5 and newer
diff --git a/memdocs/intune/fundamentals/supported-devices-browsers.md b/memdocs/intune/fundamentals/supported-devices-browsers.md
@@ -7,7 +7,7 @@ keywords:
 author: Smritib17
 ms.author: smbhardwaj
 manager: dougeby
-ms.date: 09/09/2024
+ms.date: 10/10/2024
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: fundamentals
diff --git a/memdocs/intune/fundamentals/whats-new.md b/memdocs/intune/fundamentals/whats-new.md
@@ -105,7 +105,7 @@ For more information, see:
 
 - [What's new for the certificate connector](../protect/certificate-connector-overview.md#september-19-2024)
 
-- [Apply PFX changes to certificate](../protect/certificates-pfx-configure.md#update-certificate-connector-for-kb5014754-requirements)
+- [Apply PFX changes to certificate](../protect/certificates-pfx-configure.md)  
 
 ## Week of September 23, 2024 (Service release 2409)
 
diff --git a/memdocs/intune/includes/android-supported-os.md b/memdocs/intune/includes/android-supported-os.md
@@ -4,11 +4,11 @@ ms.author: erikje
 ms.service: microsoft-intune
 ms.subservice: fundamentals
 ms.topic: include
-ms.date: 02/01/2022
+ms.date: 10/10/2024
 ms.localizationpriority: high
 ---
 
 > [!NOTE]
-> Intune requires Android 8.x or higher for device enrollment scenarios and app configuration delivered through Managed devices app configuration policies. This requirement does not apply to [Microsoft Teams Android devices](https://www.microsoft.com/microsoft-teams/across-devices/devices?rtc=2) as these devices will continue to be supported.
+> This requirement does not apply to [Microsoft Teams Android devices](https://www.microsoft.com/microsoft-teams/across-devices/devices?rtc=2) as these devices will continue to be supported.
 >
 > For Intune app protection policies and app configuration delivered through Managed apps app configuration policies, Intune requires Android 9.0 or higher.
diff --git a/memdocs/intune/includes/mdm-supported-devices.md b/memdocs/intune/includes/mdm-supported-devices.md
@@ -4,7 +4,7 @@ ms.author: erikje
 ms.service: microsoft-intune
 ms.subservice: fundamentals
 ms.topic: include
-ms.date: 09/06/2024
+ms.date: 10/10/2024
 ms.localizationpriority: high
 ---
 
@@ -30,8 +30,9 @@ ms.localizationpriority: high
 
 ### Android
 
-- Android 8.0 and later (including Samsung KNOX Standard 3.0 and higher: [requirements](https://www.samsungknox.com/en/knox-platform/supported-devices/2.4+))
-- Android enterprise: [requirements](https://support.google.com/work/android/topic/9428066)
+- For user-based management methods: Android 10.0 and later
+- For userless management methods: Android 8.0 and later (including Samsung KNOX Standard 3.0 and higher: [requirements](https://www.samsungknox.com/en/knox-platform/supported-devices/2.4+))
+- Android enterprise
 - Android open source project device: [See here for the list of supported devices](../fundamentals/android-os-project-supported-devices.md)
 [!INCLUDE [android-supported-os](android-supported-os.md)]
 
diff --git a/memdocs/intune/protect/certificate-authority-add-scep-overview.md b/memdocs/intune/protect/certificate-authority-add-scep-overview.md
@@ -5,7 +5,7 @@ keywords:
 author: lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 07/24/2024
+ms.date: 10/15/2024
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -27,9 +27,7 @@ ms.collection:
 - sub-certificates
 ---
 
-# Add partner certification authority in Intune using SCEP
-
-[!INCLUDE [azure_portal](../includes/strong-mapping-cert.md)]
+# Add partner certification authority in Intune using SCEP  
 
 Use third-party certification authorities (CA) with Intune. Third-party CAs can provision mobile devices with new or renewed certificates by using the Simple Certificate Enrollment Protocol (SCEP), and can support Windows, iOS/iPadOS, Android, and macOS devices.
 
diff --git a/memdocs/intune/protect/certificates-pfx-configure.md b/memdocs/intune/protect/certificates-pfx-configure.md
@@ -32,6 +32,13 @@ ms.collection:
 ---
 # Configure and use PKCS certificates with Intune
 
+**Applies to**L
+- Android
+- iOS/iPadOS
+- macOS
+- Windows 10/11  
+
+
 Microsoft Intune supports the use of private and public key pair (PKCS) certificates. This article reviews the requirements for PKCS certificates with Intune, including the export of a PKCS certificate then adding it to an Intune device configuration profile.
 
 Microsoft Intune includes built-in settings to use PKCS certificates for access and authentication to your organizations resources. Certificates authenticate and secure access to your corporate resources like a VPN or a WiFi network. You deploy these settings to devices using device configuration profiles in Intune.
@@ -66,6 +73,60 @@ To use PKCS certificates with Intune, you need the following infrastructure:
   - [Prerequisites](certificate-connector-prerequisites.md)  
   - [Installation and configuration](certificate-connector-install.md)  
 
+## Update certificate connector: Strong mapping requirements for KB5014754    
+
+The Key Distribution Center (KDC) requires a strong mapping format in PKCS certificates deployed by Microsoft Intune and used for certificate-based authentication. The mapping must have a security identifier (SID) extension that maps to the user or device SID. If a certificate doesn't meet the new strong mapping criteria set by the full enforcement mode date, authentication will be denied. For more information about the requirements, see [KB5014754: Certificate-based authentication changes on Windows domain controllers ](https://support.microsoft.com/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16).  
+
+In the Microsoft Intune Certificate Connector, version 6.2406.0.1001, we released an update that adds the object identifier attribute containing the user or device SID to the certificate, effectively satisfying the strong mapping requirements. This update applies to users and devices synced from an on-premises Active Directory to Microsoft Entra ID, and is available across all platforms, with some differences:  
+
+ * Strong mapping changes apply to *user certificates* for all OS platforms.  
+
+ * Strong mapping changes apply to *device certificates* for Microsoft Entra hybrid-joined Windows devices.  
+
+ To ensure that certficate-based authentication continues working, you must take the following actions:  
+
+- Update the Microsoft Intune Certificate Connector to version 6.2406.0.1001. For information about the latest version and how to update the certificate connector, see [Certificate connector for Microsoft Intune](certificate-connector-overview.md).  
+
+- Make changes to registry key information on the Windows server that hosts the certificate connector.  
+
+Complete the following procedure to modify the registry keys and apply the strong mapping changes to certificates. These changes apply to new PKCS certificates and PKCS certificates that are being renewed.     
+
+>[!TIP]
+> This procedure requires you to modify the registry in Windows. For more information, see the following resources on Microsoft Support:
+> - [How to back up and restore the registry in Windows - Microsoft Support](https://support.microsoft.com/topic/how-to-back-up-and-restore-the-registry-in-windows-855140ad-e318-2a13-2829-d428a2ab0692)
+> - [How to add, modify, or delete registry subkeys and values by using a .reg file - Microsoft Support](https://support.microsoft.com/topic/how-to-add-modify-or-delete-registry-subkeys-and-values-by-using-a-reg-file-9c7f37cf-a5e9-e1cd-c4fa-2a26218a1a23)  
+
+1. In the Windows registry, change the value for `[HKLM\Software\Microsoft\MicrosoftIntune\PFXCertificateConnector](DWORD)EnableSidSecurityExtension` to **1**.   
+
+1. Restart the certificate connector service.  
+   1. Go to **Start** > **Run**.  
+   2. Open **services.msc**.  
+   3. Restart these services:  
+      - **PFX Create Legacy Connector for Microsoft Intune**
+       
+      - **PFX Create Certificate Connector for Microsoft Intune**  
+
+1. Changes begin applying to all new certificates, and to certificates being renewed. To verify that authentication works, we recommend testing all places where certificate-based authentication could be used, including:   
+   - Apps  
+   - Intune-integrated certification authorities  
+   - NAC solutions  
+   - Networking infrastructure  
+
+   To roll back changes:
+   
+     1. Restore the original registry settings.  
+        
+     1. Restart these services:  
+   
+        - **PFX Create Legacy Connector for Microsoft Intune**  
+          
+        - **PFX Create Certificate Connector for Microsoft Intune**  
+     
+     1. Create a new PKCS certificate profile for affected devices, to reissue certificates without the SID attribute.  
+
+        > [!TIP]
+        > If you use a Digicert CA, you must create a certificate template for users with an SID and another template for users without an SID. For more information, see the [DigiCert PKI Platform 8.24.1 release notes](https://knowledge.digicert.com/general-information/release-notes-pki).  
+
 ## Export the root certificate from the Enterprise CA
 
 To authenticate a device with VPN, WiFi, or other resources, a device needs a root or intermediate CA certificate. The following steps explain how to get the required certificate from your Enterprise CA.
@@ -357,59 +418,6 @@ Platforms:
   > - Device properties used in the *subject* or *SAN* of a device certificate, like **IMEI**, **SerialNumber**, and **FullyQualifiedDomainName**, are properties that could be spoofed by a person with access to the device.
   > - A device must support all variables specified in a certificate profile for that profile to install on that device.  For example, if **{{IMEI}}** is used in the subject name of a SCEP profile and is assigned to a device that doesn't have an IMEI number, the profile fails to install.  
 
-## Update certificate connector for KB5014754 requirements     
-
-The Windows Kerberos Key Distribution Center (KDC) requires a strong mapping format for certificates issued by Active Directory Certificate Services. This requirement is applicable to PKCS certificates deployed by Microsoft Intune and used for certificate-based authentication. The mapping must have a security identifier (SID) extension that maps to the user or device SID. If a certificate doesn't meet the new strong mapping criteria set by the full enforcement mode date, authentication will be denied. For more information about the requirements, see [KB5014754: Certificate-based authentication changes on Windows domain controllers ](https://support.microsoft.com/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16).
-
-In the Microsoft Intune Certificate Connector, version 6.2406.0.1001, we released an update that adds the object identifier attribute containing the user or device SID to the certificate, effectively satisfying the strong mapping requirements. This update applies to users and devices synced from an on-premises Active Directory to Microsoft Entra ID, and is available across all platforms, with some differences:  
-
- * Strong mapping changes apply to *user certificates* for all OS platforms.  
-
- * Strong mapping changes apply to *device certificates* for Microsoft Entra hybrid-joined Windows devices.  
-
- To ensure that certficate-based authentication continues working, you must take the following actions:  
-
-- Update the Microsoft Intune Certificate Connector to version 6.2406.0.1001. For information about the latest version and how to update the certificate connector, see [Certificate connector for Microsoft Intune](certificate-connector-overview.md).  
-- Make changes to registry key information on the Windows server that hosts the certificate connector.  
-
-Complete the following procedure to modify the registry keys and apply the strong mapping changes to certificates. These changes apply to new PKCS certificates and PKCS certificates that are being renewed.     
-
->[!TIP]
-> This procedure requires you to modify the registry in Windows. For more information, see the following resources on Microsoft Support:
-> - [How to back up and restore the registry in Windows - Microsoft Support](https://support.microsoft.com/topic/how-to-back-up-and-restore-the-registry-in-windows-855140ad-e318-2a13-2829-d428a2ab0692)
-> - [How to add, modify, or delete registry subkeys and values by using a .reg file - Microsoft Support](https://support.microsoft.com/topic/how-to-add-modify-or-delete-registry-subkeys-and-values-by-using-a-reg-file-9c7f37cf-a5e9-e1cd-c4fa-2a26218a1a23)  
-
-1. In the Windows registry, change the value for `[HKLM\Software\Microsoft\MicrosoftIntune\PFXCertificateConnector](DWORD)EnableSidSecurityExtension` to **1**.   
-
-1. Restart the certificate connector service.  
-   1. Go to **Start** > **Run**.  
-   2. Open **services.msc**.  
-   3. Restart these services:  
-      - **PFX Create Legacy Connector for Microsoft Intune**
-       
-      - **PFX Create Certificate Connector for Microsoft Intune**  
-
-1. Changes begin applying to all new certificates, and to certificates being renewed. To verify that authentication works, we recommend testing all places where certificate-based authentication could be used, including:   
-   - Apps  
-   - Intune-integrated certification authorities  
-   - NAC solutions  
-   - Networking infrastructure  
-
-   To roll back changes:
-   
-     1. Restore the original registry settings.  
-        
-     1. Restart these services:  
-   
-        - **PFX Create Legacy Connector for Microsoft Intune**  
-          
-        - **PFX Create Certificate Connector for Microsoft Intune**  
-     
-     1. Create a new PKCS certificate profile for affected devices, to reissue certificates without the SID attribute.  
-
-        > [!TIP]
-        > If you use a Digicert CA, you must create a certificate template for users with an SID and another template for users without an SID. For more information, see the [DigiCert PKI Platform 8.24.1 release notes](https://knowledge.digicert.com/general-information/release-notes-pki).  
-
 ## Next steps
 
 - [Use SCEP for certificates](certificates-scep-configure.md)
diff --git a/memdocs/intune/protect/certificates-profile-scep.md b/memdocs/intune/protect/certificates-profile-scep.md
diff --git a/memdocs/intune/protect/media/certificates-profile-scep/scep-configuration-settings.png b/memdocs/intune/protect/media/certificates-profile-scep/scep-configuration-settings.png
diff --git a/memdocs/intune/protect/media/certificates-profile-scep/scep-san-add.png b/memdocs/intune/protect/media/certificates-profile-scep/scep-san-add.png
diff --git a/memdocs/intune/remote-actions/collect-diagnostics.md b/memdocs/intune/remote-actions/collect-diagnostics.md
