Merge branch 'main' into patch-84
Brenduns authored Jan 2, 2025
2 parents a0940bf + 0288a4b commit ad04ebb
Showing 25 changed files with 294 additions and 68 deletions.
12 changes: 10 additions & 2 deletions autopilot/device-preparation/known-issues.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ author: frankroj
ms.author: frankroj
ms.reviewer: jubaptis
manager: aaroncz
ms.date: 11/15/2024
ms.date: 12/18/2024
ms.collection:
- M365-modern-desktop
- highpri
Expand Down Expand Up @@ -40,7 +40,15 @@ This article describes known issues that can often be resolved with:
## Known issues
## Deployments fail when Managed installer policy is enabled for the tenant
## Apps and scripts tabs don't display properly when editing the Windows Autopilot device preparation profile
Date added: *December 18, 2024*
During the editing flow of the Windows Autopilot device preparation policy, there's a known issue when displaying the **Applications** and **Scripts** tabs where the tabs might display incorrect information. For example, under the **Scripts** tab, a list of applications might be shown instead of a list of scripts. The issue is impacting only the view in Microsoft Intune and not the configuration being applied to the device. The issue is being investigated.
As a workaround, select the table header **Allowed Applications** or **Allowed Scripts** to reload the table's contents.
## Win32 and WinGet applications are skipped when Managed installer policy is enabled for the tenant
Date added: *October 10, 2024*<br>
Date updated: *November 15, 2024*
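Review bot: The heading "Win32 and WinGet applications are skipped when Managed installer policy is enabled for the tenant" appears to replace "Deployments fail when Managed installer policy is enabled for the tenant", yet the section still reads "Date updated: *November 15, 2024*" while ms.date moves to 12/18/2024. If the new title reflects a change in the described behaviour, update that date too. The new heading text also changes the section anchor, so check for inbound links that target the old one.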
Expand Down
2 changes: 2 additions & 0 deletions memdocs/configmgr/compliance/TOC.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ items:
href: index.yml
- name: Understand and explore
items:
- name: Understand compliance
href: understand/fundamentals-of-compliance.md
- name: Ensure device compliance
href: understand/ensure-device-compliance.md
- name: Get started
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
---
title: Understand compliance in Configuration Manager
author: dougeby
ms.author: dougeby
manager: dougeby
audience: ITPro
ms.topic: conceptual
ms.service: configuration-manager
ms.collection:
- tier1
- essentials-compliance
description: Learn about compliance certifications, dependencies, and features in Configuration Manager supporting data protection and regulatory requirements.
ms.date: 12/3/2024
---

# Understand compliance in Configuration Manager

Configuration Manager supports compliance features to help organizations meet national, regional, and industry-specific regulations. Configuration Manager aligns with Microsoft's commitment to data protection, privacy, and compliance, by offering tools to help secure and manage data effectively.

## Shared responsibility model

Microsoft ensures that Configuration Manager complies with various industry standards and regulatory frameworks. However, customers are responsible for implementing their data protection and compliance strategies to align with their specific organizational requirements.

## Compliance dependencies

Configuration Manager leverages other Microsoft services for compliance, including:

- [Microsoft Entra ID](/entra/fundamentals/whatis): Identity and access management.
- [Microsoft Intune](/mem/intune): Enforces device compliance and conditional access policies.

## Microsoft Intune capabilities for compliance

Microsoft Intune helps enforce compliance policies and protect organizational data specifically for Intune:

- **Conditional Access**: Ensures only compliant devices and apps managed by Intune can access sensitive data. See [Conditional Access](/mem/intune/protect/conditional-access).
- **Device Compliance Enforcement**: Enforces device compliance policies to meet organizational security requirements. See [Device Compliance Policies](/mem/intune/protect/device-compliance-get-started).

For more information about Intune compliance capabilities, visit the [Microsoft Intune documentation](/mem/intune).
> [!NOTE]
> For more information about how to concurrently manage Windows 10 or later devices by using both Configuration Manager and Microsoft Intune, see [What is co-management?](/mem/configmgr/comanage/overview).
## Data encryption

Use Configuration Manager to manage BitLocker Drive Encryption (BDE) for on-premises Windows clients, which are joined to Active Directory. It provides full BitLocker lifecycle management that can replace the use of Microsoft BitLocker Administration and Monitoring. For more information, see [Plan for BitLocker management](/mem/configmgr/protect/plan-design/bitlocker-management).

## Compliance features

Configuration Manager includes several compliance features that help organizations manage device compliance. For more information, see [Ensure device compliance with Configuration Manager](/mem/configmgr/compliance/understand/ensure-device-compliance).

## Related articles

- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
- [Microsoft Trust Center](https://www.microsoft.com/trust-center)
- [Additional privacy information](/mem/configmgr/core/plan-design/security/additional-privacy)
- [Fundamentals of security](/mem/configmgr/core/understand/fundamentals-of-security)
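Review bot: In the front matter, `manager: dougeby` repeats the `author` and `ms.author` values, whereas the other articles in this commit name a different person as manager; confirm this is intended. `ms.date: 12/3/2024` is also not zero-padded like the other dates in the commit (for example 12/01/2023). As shown here, the `> [!NOTE]` block follows the "For more information about Intune compliance capabilities" paragraph and runs into `## Data encryption` without blank lines; add them so the alert and the heading render as separate blocks. The sentence "protect organizational data specifically for Intune" would read better as a plain statement of scope, such as "for devices managed by Intune".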
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,12 @@
title: Console support
titleSuffix: Configuration Manager
description: Learn about which OS versions you can install the Configuration Manager console.
ms.date: 12/01/2023
ms.date: 12/19/2024
ms.subservice: core-infra
ms.service: configuration-manager
ms.topic: reference
author: Banreet
ms.author: banreetkaur
author: Baladelli
ms.author: Baladell
manager: apoorvseth
ms.localizationpriority: medium
ms.collection: tier3
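Review bot: `ms.author: Baladell` is capitalized here, while the matching change in the supported site system servers article in this commit uses `ms.author: baladell`. Use one form in both files; the other ms.author values visible in this commit are lowercase aliases.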
Expand All @@ -20,6 +20,8 @@ ms.reviewer: mstewart,aaroncz

Configuration Manager supports the installation of the console on the following Windows OS versions:

- **Windows Server 2025**: Standard, Datacenter (_starting in version 2409_)<!-- 10200029 -->

- **Windows Server 2022**: Standard, Datacenter (_starting in version 2107_)<!-- 10200029 -->

- **Windows Server 2019**: Standard, Datacenter
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
title: Supported clients and devices
titleSuffix: Configuration Manager
description: Learn which OS versions Configuration Manager supports for clients and devices.
ms.date: 05/01/2024
ms.date: 12/19/2024
ms.subservice: core-infra
ms.service: configuration-manager
ms.topic: conceptual
Expand All @@ -18,7 +18,7 @@ ms.reviewer: mstewart,aaroncz

*Applies to: Configuration Manager (current branch)*

Configuration Manager supports installing client software on Windows and macOS computers.
Configuration Manager supports installing client software on Windows computers.

## General requirements and limitations

Expand Down Expand Up @@ -66,6 +66,8 @@ For more information, see the following articles:

### Supported server OS versions

- **Windows Server 2025**: IoT, Standard, Datacenter (_starting in Configuration Manager version 2409_)<!-- 10200029 -->

- **Windows Server 2022**: IoT, Standard, Datacenter (_starting in Configuration Manager version 2107_)<!-- 10200029 -->
- *Windows Server IoT 2022 for Storage* is not supported

Expand All @@ -90,6 +92,8 @@ The following versions specifically refer to the Server Core installation of the

Windows Server semi-annual channel versions are Server Core installations, such as Windows Server, version 1809. As a Configuration Manager client, they're supported the same as the associated Windows 11 or Windows 10 semi-annual channel version. For more information, see [Support for Windows 11](support-for-windows-11.md) or [Support for Windows 10](support-for-windows-10.md).

- **Windows Server 2025** (x64) <sup>[Note 1](#bkmk_note1)</sup> (_starting in version 2409_)<!-- 10200029 -->

- **Windows Server 2022** (x64) <sup>[Note 1](#bkmk_note1)</sup> (_starting in version 2107_)<!-- 10200029 -->

- **Windows Server 2019** (x64) <sup>[Note 1](#bkmk_note1)</sup>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,12 @@
title: Supported site system servers
titleSuffix: Configuration Manager
description: Learn which Windows versions you can use to host a Configuration Manager site or site system role.
ms.date: 12/01/2023
ms.date: 12/19/2024
ms.subservice: core-infra
ms.service: configuration-manager
ms.topic: conceptual
author: Banreet
ms.author: banreetkaur
author: Baladelli
ms.author: baladell
manager: apoorvseth
ms.localizationpriority: medium
ms.collection: tier3
Expand All @@ -20,6 +20,32 @@ ms.reviewer: mstewart,aaroncz

This article details the Windows versions that you can use to host a Configuration Manager site or site system role.

## Windows Server 2025

_Applies to Datacenter: Azure Edition, Standard and Datacenter editions_

Site servers:

- Central administration site
- Primary site
- Secondary site

Site system servers:

- Certificate registration point
- Cloud management gateway connection point
- Data warehouse service point
- Distribution point <sup>[Note 1](#bkmk_note1)</sup>
- Endpoint Protection point
- Fallback status point
- Management point
- Reporting services point
- Service connection point
- Site database server <sup>[Note 2](#bkmk_note2)</sup>
- SMS Provider
- Software update point
- State migration point

## Windows Server 2022

_Applies to Datacenter: Azure Edition, Standard and Datacenter editions_
Expand Down Expand Up @@ -145,6 +171,7 @@ This support has the following limitation:

The server core installation of the following server OS versions is supported for use as a **distribution point**:

- Windows Server 2025
- Windows Server 2022
- Windows Server 2019
- Windows Server, version 1809
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -97,7 +97,7 @@ As of December 16 , 2024, version 2409 is globally available for all customers t

### All sites run a supported version of Configuration Manager

Each site server in the hierarchy must run the same version of Configuration Manager before you can start the installation. To update to version 2409, use version 2309 or later.
Each site server in the hierarchy must run the same version of Configuration Manager before you can start the installation. To update to version 2409, use version 2303 or later.

### Review the status of your product licensing

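Review bot: The baseline in "To update to version 2409, use version 2309 or later" changes to 2303, which widens the set of sites allowed to start the update. Confirm the value against the supported update paths, and make sure every other mention of the minimum version in this checklist agrees. The context line "As of December 16 , 2024" in the hunk header has a stray space before the comma that could be fixed in the same pass.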
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
title: Upgrade on-premises infrastructure
titleSuffix: Configuration Manager
description: Learn how to upgrade infrastructure, such as SQL Server and the OS of site systems.
ms.date: 04/04/2024
ms.date: 12/19/2024
ms.subservice: core-infra
ms.service: configuration-manager
ms.topic: conceptual
Expand Down Expand Up @@ -32,6 +32,8 @@ Configuration Manager supports the in-place upgrade of the server OS that hosts

- In-place upgrade from:

- Windows Server 2022 to Windows Server 2025

- Windows Server 2019 to Windows Server 2022<!-- 10200029 -->

- Windows Server 2016 to Windows Server 2022
Expand All @@ -50,10 +52,12 @@ To upgrade a server, use the upgrade procedures provided by the OS you're upgrad

- [Upgrade and conversion options for Windows Server 2016](/windows-server/get-started/supported-upgrade-paths)

### Upgrade to Windows Server 2016, 2019, or 2022
### Upgrade to Windows Server 2016, 2019, 2022 or 2025

Use the steps in this section for any of the following upgrade scenarios:

- Upgrade either Windows Server 2019 or Windows Server 2022 to Windows Server 2025

- Upgrade either Windows Server 2016 or Windows Server 2019 to Windows Server 2022

- Upgrade either Windows Server 2012 R2 or Windows Server 2016 to Windows Server 2019
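Review bot: The new scenario "Upgrade either Windows Server 2019 or Windows Server 2022 to Windows Server 2025" includes a 2019 source, but the supported in-place upgrade list earlier in this file only gains "Windows Server 2022 to Windows Server 2025". Either add the 2019 to 2025 path to that list or narrow this bullet so the two sections agree. The heading change to "Upgrade to Windows Server 2016, 2019, 2022 or 2025" also changes its anchor, so check links that point at the old heading.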
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,9 @@ author: banreet
ms.author: banreetkaur
manager: apoorvseth
ms.localizationpriority: medium
ms.collection: tier3
ms.collection:
- essentials-security
- tier3
ms.reviewer: mstewart,aaroncz
---

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
title: Windows in-place upgrade
titleSuffix: Configuration Manager
description: Learn how to use Configuration Manager to upgrade Windows to a later version.
ms.date: 06/14/2024
ms.date: 12/19/2024
ms.service: configuration-manager
ms.subservice: osd
ms.topic: conceptual
Expand Down Expand Up @@ -44,6 +44,7 @@ Only create OS upgrade packages to upgrade to the following OS versions:
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022<!-- 10200029 -->
- - Windows Server 2025

### Original version

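Review bot: The added list item reads "- - Windows Server 2025" with a doubled list marker, so it renders as a nested or malformed bullet instead of a sibling of "- Windows Server 2022". Change it to "- Windows Server 2025".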
Expand All @@ -67,6 +68,7 @@ For more information, see [Windows client upgrade paths](/windows/deployment/upg
- An earlier version of Windows Server 2016
- An earlier version of Windows Server 2019
- An earlier version of Windows Server 2022
- An earlier version of Windows Server 2025

For more information about Windows Server supported upgrade paths, see [Windows Server 2016 supported upgrade paths](/windows-server/get-started/supported-upgrade-paths#upgrading-previous-retail-versions-of-windows-server-to-windows-server-2016) and [Windows Server Upgrade Center](/windows-server/upgrade/upgrade-overview).

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,9 @@ The Managed Home Screen is the application used for corporate-owned Android Ente

## When to configure the Microsoft Managed Home Screen app

First, ensure that your devices are supported. Intune supports the enrollment of Android Enterprise dedicated devices and fully managed devices running OS version 8.0 and above that reliably connect to Google Mobile Services. Similarly, Managed Home Screen supports Android devices running OS version 8.0 and above.
[!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)]

First, ensure that your devices are supported. Intune supports the enrollment of Android Enterprise dedicated devices and fully managed devices running OS version 8.0 and above. Similarly, Managed Home Screen supports Android devices running OS version 8.0 and above.

Typically, if settings are available to you through device configuration profiles (**Devices** > **Manage devices** > **Configuration**), configure the settings there. Doing so will save you time, minimize errors, and will give you a better Intune-support experience. However, some of the Managed Home Screen settings are currently only available via the **App configuration policies** pane in the Intune admin center. Use this document to learn how to configure the different settings either using the configuration designer or a JSON script. Additionally, use this document to learn what Managed Home Screen settings are available using device configuration profiles. You may also see [Device settings](../configuration/device-restrictions-android-for-work.md#device-experience) for a full list of settings available in **Devices** > **Manage devices** > **Configuration** that impact the Managed Home Screen.

Expand Down
4 changes: 2 additions & 2 deletions memdocs/intune/apps/company-portal-app.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
ms.date: 06/07/2024
ms.date: 12/20/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: apps
Expand Down Expand Up @@ -43,7 +43,7 @@ The Company Portal apps, Company Portal website, and Intune app on Android are w
## Customizing the user experience

By customizing the end-user experience, you will help to provide a familiar and helpful experience for your end users. To do this, sign in as an [Intune administrator](../fundamentals/users-add.md#types-of-administrators). Navigate to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Tenant Administration** > **Customization** where you can either edit the default policy or create up to 10 user group targeted policies. Note that targeting policies to device groups is not supported. These settings will apply to the Company Portal apps, Company Portal website, and Intune app on Android.
By customizing the end-user experience, you will help to provide a familiar and helpful experience for your end users. To do this, sign in as an [Intune administrator](../fundamentals/users-add.md#types-of-administrators). Navigate to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Tenant Administration** > **Customization** where you can either edit the default policy or create up to 25 user group targeted policies. Note that targeting policies to device groups is not supported. These settings will apply to the Company Portal apps, Company Portal website, and Intune app on Android.

## Branding

Expand Down
6 changes: 2 additions & 4 deletions memdocs/intune/apps/manage-without-gms.md
Original file line number Diff line number Diff line change
Expand Up @@ -37,10 +37,8 @@ Microsoft Intune uses Google Mobile Services (GMS) to communicate with the Micro
> [!NOTE]
> These GMS related limitations also apply to Device Administrator management and Android (AOSP) Management.
> [!NOTE]
> Microsoft Intune is ending support for [Android device administrator management](../enrollment/android-enroll-device-administrator.md) on devices with access to Google Mobile Services (GMS) on December 31, 2024. After that date, device enrollment, technical support, bug fixes, and security fixes will be unavailable.
> For devices running Android 15 or earlier that don't have access GMS (excluding Microsoft Teams certified Android devices), Intune will continue allowing device administrator enrollment and will maintain limited support, since Android Enterprise management is unavailable to these devices. However, device administrator use on these devices is still not recommended, since Google's device administrator deprecation means there could be future functionality impact outside Intune's ability to mitigate.
> For more information, and to learn about alternatives to device administrator, see [Ending support for Android device administrator on GMS devices](https://techcommunity.microsoft.com/t5/intune-customer-success/microsoft-intune-ending-support-for-android-device-administrator/ba-p/3915443).
[!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)]

## Install the Intune Company Portal app without access to the Google Play Store

### For users outside of People's Republic of China
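Review bot: Swapping the inline note for the `android-device-administrator-support.md` include removes from this article the December 31, 2024 end-of-support date, the guidance for devices running Android 15 or earlier without GMS, and the link to the "Ending support for Android device administrator on GMS devices" post. The include's content is not visible in this diff, so confirm it carries all three before merging. Also keep a blank line between the preceding `> [!NOTE]` block and the `[!INCLUDE ...]` line so the include is not absorbed into the note.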
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,9 @@ ms.collection:

> [!IMPORTANT]
> Starting with the December 2412 release, you can't create new Administrative Templates policies from the **Templates** > **Administrative Templates** profile type in the Intune admin center. To create ADMX template profiles, use the **[settings catalog](settings-catalog.md)**. For more information on this change, see [Windows device configuration policies migrating to unified settings platform in Intune](https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-windows-device-configuration-policies-migrating-to/ba-p/4189665).
>
> There will be no changes to the following UI experiences:
> - ‘Imported Administrative templates (Preview)’ template which is used for Custom ADMX templates.
**Administrative Templates** in Microsoft Intune include thousands of settings that control features in Microsoft Edge version 77 and later, Internet Explorer, Google Chrome, Microsoft Office programs, remote desktop, OneDrive, passwords, PINs, and more. These settings enable administrators to create group policies using the cloud.

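Review bot: The added bullet uses typographic quotes around ‘Imported Administrative templates (Preview)’, while the rest of the note marks UI labels in bold (**Templates** > **Administrative Templates**). Use bold for this label as well, and drop the curly quotes. "The following UI experiences" introduces a single item, so either state it as one sentence or list the other unaffected experiences.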
Expand Down
8 changes: 5 additions & 3 deletions memdocs/intune/fundamentals/china-endpoints.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ keywords:
author: Smritib17
ms.author: smbhardwaj
manager: dougeby
ms.date: 03/24/2023
ms.date: 12/19/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: fundamentals
Expand Down Expand Up @@ -49,10 +49,10 @@ The following tables list the ports and services that the Intune client accesses

|**Endpoint**|**IP address**|
|---------------------|-----------|
|*.manage.microsoftonline.cn | 40.73.38.143<br>139.217.97.81<br>52.130.80.24<br>40.73.41.162<br>40.73.58.153<br>139.217.95.85 |

|*.manage.microsoftonline.cn | 40.73.38.143<br>139.217.97.81<br>52.130.80.24<br>40.73.41.162<br>40.73.58.153<br>139.217.95.85 <br> 143.64.196.128/25 <br> 40.162.2.128/25 <br> 139.219.250.128/25 <br> 163.228.221.128/25 <br>|

## Intune customer designated endpoints in China

- Azure portal: https:\//portal.azure.cn/
- Microsoft 365: https:\//portal.partner.microsoftonline.cn/
- Intune Company Portal: https:\//portal.manage.microsoftonline.cn/
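Review bot: The updated `*.manage.microsoftonline.cn` row ends with a trailing `<br>` before the closing pipe and spaces the new entries differently from the existing ones, which leaves an empty line in the rendered cell. The four new entries are /25 ranges under a column headed "IP address", next to single addresses. Readers copy this table into firewall allowlists, so rename the column to cover ranges or say in the lead-in that CIDR blocks are included, and remove the trailing `<br>`. As shown, a blank line sits between the header separator and the data row; if it is in the file, it detaches the row from the table.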
Expand All @@ -69,6 +69,7 @@ If you're using Intune to deploy PowerShell scripts or Win32 apps, you'll also n
## Partner service endpoints

Intune operated by 21Vianet depends on the following partner service endpoints:

- Azure AD Sync service: https:\//syncservice.partner.microsoftonline.cn/DirectoryService.svc
- Evo STS: https:\//login.chinacloudapi.cn/
- Azure AD Graph: https:\//graph.chinacloudapi.us
Expand All @@ -80,5 +81,6 @@ Intune operated by 21Vianet depends on the following partner service endpoints:
[!INCLUDE [Intune notices](../includes/apple-device-network-information.md)]

## Next steps

[Learn more about Intune operated by 21Vianet in China](china.md)
