diff --git a/.openpublishing.redirection.intune.json b/.openpublishing.redirection.intune.json
index e1a36be71be..547af92431f 100644
--- a/.openpublishing.redirection.intune.json
+++ b/.openpublishing.redirection.intune.json
@@ -1,5 +1,35 @@
{
"redirections": [
+ {
+ "source_path_from_root": "/intune/fundamentals/manage-devices.md",
+ "redirect_url": "/intune/fundamentals/core-concepts#devices",
+ "redirect_document_id": false
+ },
+ {
+ "source_path_from_root": "/intune/fundamentals/manage-apps.md",
+ "redirect_url": "/intune/fundamentals/core-concepts#apps",
+ "redirect_document_id": false
+ },
+ {
+ "source_path_from_root": "/intune/fundamentals/tenant-administration/identities.md",
+ "redirect_url": "/intune/fundamentals/core-concepts#identity",
+ "redirect_document_id": false
+ },
+ {
+ "source_path_from_root": "/intune/fundamentals/licensing/index.md",
+ "redirect_url": "/intune/fundamentals/licensing",
+ "redirect_document_id": false
+ },
+ {
+ "source_path_from_root": "/intune/fundamentals/licensing/assign-licenses.md",
+ "redirect_url": "/intune/fundamentals/assign-licenses",
+ "redirect_document_id": false
+ },
+ {
+ "source_path_from_root": "/intune/fundamentals/add-ons.md",
+ "redirect_url": "/intune/fundamentals/advanced-capabilities",
+ "redirect_document_id": false
+ },
{
"source_path_from_root": "/intune/fundamentals/tenant-administration/classic-groups.md",
"redirect_url": "/intune/fundamentals/tenant-administration/add-groups",
@@ -7,7 +37,22 @@
},
{
"source_path_from_root": "/intune/fundamentals/device-lifecycle.md",
- "redirect_url": "/intune/fundamentals/what-is-device-management",
+ "redirect_url": "/intune/fundamentals/core-concepts",
+ "redirect_document_id": false
+ },
+ {
+ "source_path_from_root": "/intune/fundamentals/endpoint-management.md",
+ "redirect_url": "/intune/fundamentals/architecture",
+ "redirect_document_id": false
+ },
+ {
+ "source_path_from_root": "/intune/fundamentals/what-is-device-management.md",
+ "redirect_url": "/intune/fundamentals/what-is-intune",
+ "redirect_document_id": false
+ },
+ {
+ "source_path_from_root": "/intune/fundamentals/service-description.md",
+ "redirect_url": "/intune/fundamentals/advanced-capabilities",
"redirect_document_id": false
},
{
@@ -367,7 +412,7 @@
},
{
"source_path_from_root": "/intune/endpoint-manager-overview.md",
- "redirect_url": "/intune/fundamentals/endpoint-management",
+ "redirect_url": "/intune/fundamentals/architecture",
"redirect_document_id": false
},
{
@@ -444,6 +489,16 @@
"source_path_from_root": "/intune/governance/compliance-and-regulatory-alignment.md",
"redirect_url": "/intune/privacy/",
"redirect_document_id": false
+ },
+ {
+ "source_path_from_root": "/intune/fundamentals/licensing/unlicensed-admins.md",
+ "redirect_url": "/intune/fundamentals/licensing#unlicensed-admin-access",
+ "redirect_document_id": false
+ },
+ {
+ "source_path_from_root": "/intune/device-security/conditional-access-integration/create-app-based-policy.md",
+ "redirect_url": "/intune/device-security/conditional-access-integration/app-based-policies",
+ "redirect_document_id": false
}
]
}
diff --git a/.openpublishing.redirection.legacy.json b/.openpublishing.redirection.legacy.json
index 4642d3ef2b8..f7becba7d15 100644
--- a/.openpublishing.redirection.legacy.json
+++ b/.openpublishing.redirection.legacy.json
@@ -5727,17 +5727,17 @@
},
{
"source_path_from_root": "/intune/intune/fundamentals/intune-add-ons.md",
- "redirect_url": "/intune/fundamentals/add-ons",
+ "redirect_url": "/intune/fundamentals/advanced-capabilities",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune/fundamentals/premium-add-ons.md",
- "redirect_url": "/intune/fundamentals/add-ons",
+ "redirect_url": "/intune/fundamentals/advanced-capabilities",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune-service/fundamentals/intune-add-ons.md",
- "redirect_url": "/intune/fundamentals/add-ons",
+ "redirect_url": "/intune/fundamentals/advanced-capabilities",
"redirect_document_id": false
},
{
@@ -5922,12 +5922,12 @@
},
{
"source_path_from_root": "/intune/intune/fundamentals/device-lifecycle.md",
- "redirect_url": "/intune/fundamentals/what-is-device-management",
+ "redirect_url": "/intune/fundamentals/manage-devices",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune-service/fundamentals/device-lifecycle.md",
- "redirect_url": "/intune/fundamentals/what-is-device-management",
+ "redirect_url": "/intune/fundamentals/manage-devices",
"redirect_document_id": false
},
{
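Review bot: The new `redirect_url` for `/intune/intune/fundamentals/device-lifecycle.md` and its `intune-service` twin, `/intune/fundamentals/manage-devices`, is itself a retired source path in this same commit — `.openpublishing.redirection.intune.json` now sends `/intune/fundamentals/manage-devices.md` on to `/intune/fundamentals/core-concepts#devices` — so unless the publishing pipeline flattens chains, these two entries resolve through two hops instead of landing directly. The intune file also points its own `device-lifecycle.md` entry at `/intune/fundamentals/core-concepts`, so the two redirection files now disagree on where the same retired article should end up. Pointing both legacy entries at the final destination, `"redirect_url": "/intune/fundamentals/core-concepts"` (or the `#devices` anchor if that section is the intended landing spot), removes the extra hop and keeps the two files consistent.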
@@ -6162,47 +6162,47 @@
},
{
"source_path_from_root": "/intune/intune-service/fundamentals/licenses-assign.md",
- "redirect_url": "/intune/fundamentals/licensing/assign-licenses",
+ "redirect_url": "/intune/fundamentals/assign-licenses",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune/fundamentals/licenses-assign.md",
- "redirect_url": "/intune/fundamentals/licensing/assign-licenses",
+ "redirect_url": "/intune/fundamentals/assign-licenses",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune/fundamentals/licenses.md",
- "redirect_url": "/intune/fundamentals/licensing/index",
+ "redirect_url": "/intune/fundamentals/licensing",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune/fundamentals/unlicensed-admins.md",
- "redirect_url": "/intune/fundamentals/licensing/unlicensed-admins",
+ "redirect_url": "/intune/fundamentals/licensing#unlicensed-admin-access",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune-service/fundamentals/unlicensed-admins.md",
- "redirect_url": "/intune/fundamentals/licensing/unlicensed-admins",
+ "redirect_url": "/intune/fundamentals/licensing#unlicensed-admin-access",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune/fundamentals/manage-apps.md",
- "redirect_url": "/intune/fundamentals/manage-apps",
+ "redirect_url": "/intune/fundamentals/core-concepts#apps",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune-service/fundamentals/manage-apps.md",
- "redirect_url": "/intune/fundamentals/manage-apps",
+ "redirect_url": "/intune/fundamentals/core-concepts#apps",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune-service/fundamentals/manage-devices.md",
- "redirect_url": "/intune/fundamentals/manage-devices",
+ "redirect_url": "/intune/fundamentals/core-concepts#devices",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune/fundamentals/manage-devices.md",
- "redirect_url": "/intune/fundamentals/manage-devices",
+ "redirect_url": "/intune/fundamentals/core-concepts#devices",
"redirect_document_id": false
},
{
@@ -6517,12 +6517,12 @@
},
{
"source_path_from_root": "/intune/intune/fundamentals/microsoft-intune-service-description.md",
- "redirect_url": "/intune/fundamentals/service-description",
+ "redirect_url": "/intune/fundamentals/advanced-capabilities",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune-service/fundamentals/microsoft-intune-service-description.md",
- "redirect_url": "/intune/fundamentals/service-description",
+ "redirect_url": "/intune/fundamentals/advanced-capabilities",
"redirect_document_id": false
},
{
@@ -6602,12 +6602,12 @@
},
{
"source_path_from_root": "/intune/intune/fundamentals/manage-identities.md",
- "redirect_url": "/intune/fundamentals/tenant-administration/identities",
+ "redirect_url": "/intune/fundamentals/core-concepts#identity",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune-service/fundamentals/manage-identities.md",
- "redirect_url": "/intune/fundamentals/tenant-administration/identities",
+ "redirect_url": "/intune/fundamentals/core-concepts#identity",
"redirect_document_id": false
},
{
@@ -6682,12 +6682,12 @@
},
{
"source_path_from_root": "/intune/intune-service/fundamentals/what-is-device-management.md",
- "redirect_url": "/intune/fundamentals/what-is-device-management",
+ "redirect_url": "/intune/fundamentals/what-is-intune",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune/fundamentals/what-is-device-management.md",
- "redirect_url": "/intune/fundamentals/what-is-device-management",
+ "redirect_url": "/intune/fundamentals/what-is-intune",
"redirect_document_id": false
},
{
diff --git a/autopilot/add-devices.md b/autopilot/add-devices.md
index 9c729bf674b..c6ac44363ff 100644
--- a/autopilot/add-devices.md
+++ b/autopilot/add-devices.md
@@ -35,7 +35,7 @@ This article provides step-by-step guidance for manual registration. For more in
## Requirements
-- [Intune subscription](/intune/fundamentals/licensing/index).
+- [Intune subscription](/intune/fundamentals/licensing).
- [Windows automatic enrollment enabled](/intune/intune-service/enrollment/windows-enroll#enable-windows-automatic-enrollment).
- [Microsoft Entra ID P1 or P2 subscription](/azure/active-directory/active-directory-get-started-premium).
diff --git a/autopilot/device-preparation/requirements.md b/autopilot/device-preparation/requirements.md
index 7cec01fd228..edff036040e 100644
--- a/autopilot/device-preparation/requirements.md
+++ b/autopilot/device-preparation/requirements.md
@@ -196,7 +196,7 @@ To provide needed Microsoft Entra ID and MDM functionality, including automatic
> [!NOTE]
>
-> When a Microsoft 365 subscription is used, licenses still need to be assigned to users so they can enroll device in Intune. For more information, see [assign licenses to users so they can enroll devices in Intune](/intune/fundamentals/licensing/assign-licenses).
+> When a Microsoft 365 subscription is used, licenses still need to be assigned to users so they can enroll device in Intune. For more information, see [assign licenses to users so they can enroll devices in Intune](/intune/fundamentals/assign-licenses).
Additionally, the following are also recommended, but not required:
diff --git a/autopilot/requirements.md b/autopilot/requirements.md
index 0fa621ff769..4922c5b955f 100644
--- a/autopilot/requirements.md
+++ b/autopilot/requirements.md
@@ -110,7 +110,6 @@ Windows Autopilot relies on several different type of services to function prope
After a network connection is in place, each Windows device will contact the Windows Autopilot Deployment Service. The following URLs are used:
- `https://ztd.dds.microsoft.com`
-- `https://cs.dds.microsoft.com`
- `https://login.live.com`
##### Windows Activation
@@ -230,7 +229,7 @@ To provide needed Microsoft Entra ID and MDM functionality, including automatic
> [!NOTE]
>
-> When a Microsoft 365 subscription is used, licenses still need to be assigned to users so they can enroll device in Intune. For more information, see [assign licenses to users so they can enroll devices in Intune](/intune/fundamentals/licensing/assign-licenses).
+> When a Microsoft 365 subscription is used, licenses still need to be assigned to users so they can enroll device in Intune. For more information, see [assign licenses to users so they can enroll devices in Intune](/intune/fundamentals/assign-licenses).
Additionally, the following are also recommended (but not required):
diff --git a/intune/advanced-analytics/anomalies.md b/intune/advanced-analytics/anomalies.md
index 8e3693e48bd..c5b4e7c3b08 100644
--- a/intune/advanced-analytics/anomalies.md
+++ b/intune/advanced-analytics/anomalies.md
@@ -7,8 +7,6 @@ ms.topic: concept-article
# Anomalies report
-[!INCLUDE [intune-add-on-note](includes/intune-add-on-note.md)]
-
The anomalies report in Advanced Analytics helps IT admins proactively identify device health issues before they affect users. It monitors for application hangs, crashes, and Stop Error Restarts, providing visibility into problems before they reach support channels.
The feature correlates deployment objects and configuration changes to speed troubleshooting and suggest root causes. Device correlation groups reveal patterns among affected devices and flag others that are at risk.
diff --git a/intune/advanced-analytics/battery-health.md b/intune/advanced-analytics/battery-health.md
index 46c604e4851..9bdcd72f77a 100644
--- a/intune/advanced-analytics/battery-health.md
+++ b/intune/advanced-analytics/battery-health.md
@@ -7,8 +7,6 @@ ms.topic: concept-article
# Battery health report
-[!INCLUDE [intune-add-on-note](includes/intune-add-on-note.md)]
-
The battery health report provides visibility into the health of batteries in your organization's devices and its influence on user experience.
The score helps you identify emerging hardware issues that might be impacting user productivity so you can proactively make improvements before users generate support tickets.
diff --git a/intune/advanced-analytics/device-query-multiple-devices.md b/intune/advanced-analytics/device-query-multiple-devices.md
index 93623a1694f..1bdb7dee508 100644
--- a/intune/advanced-analytics/device-query-multiple-devices.md
+++ b/intune/advanced-analytics/device-query-multiple-devices.md
@@ -7,8 +7,6 @@ ms.topic: how-to
# Device query for multiple devices
-[!INCLUDE [intune-add-on-note](includes/intune-add-on-note.md)]
-
Use Device query for multiple devices in Microsoft Intune to run Kusto Query Language (KQL) queries across device inventory data and identify trends across your managed fleet. This article explains prerequisites, how to create and run queries in the Intune admin center, how to work with results, and which operators, functions, and properties are supported.
## Before you begin
diff --git a/intune/advanced-analytics/device-query.md b/intune/advanced-analytics/device-query.md
index 67db010a72e..ab7ece56c55 100644
--- a/intune/advanced-analytics/device-query.md
+++ b/intune/advanced-analytics/device-query.md
@@ -7,8 +7,6 @@ ms.topic: how-to
# Device query
-[!INCLUDE [intune-add-on-note](includes/intune-add-on-note.md)]
-
Device query allows you to quickly gain on-demand information about the state of your Windows devices. When you enter a query on a selected device, Device query runs a query in real time. The data returned can then be used to respond to security threats, troubleshoot the device, or make business decisions.
## Before you begin
diff --git a/intune/advanced-analytics/device-scopes.md b/intune/advanced-analytics/device-scopes.md
index 084e5224823..be87f942d4d 100644
--- a/intune/advanced-analytics/device-scopes.md
+++ b/intune/advanced-analytics/device-scopes.md
@@ -7,8 +7,6 @@ ms.topic: concept-article
# Device scopes
-[!INCLUDE [intune-add-on-note](includes/intune-add-on-note.md)]
-
Device scopes use scope tags to filter endpoint analytics reports to a subset of devices, allowing you to see scores, insights, and recommendations for a specific subset of devices.
Device scopes are supported on the following endpoint analytics reports:
diff --git a/intune/advanced-analytics/device-timeline.md b/intune/advanced-analytics/device-timeline.md
index e2d219f571f..09f23f80b63 100644
--- a/intune/advanced-analytics/device-timeline.md
+++ b/intune/advanced-analytics/device-timeline.md
@@ -7,8 +7,6 @@ ms.topic: concept-article
# Device timeline report
-[!INCLUDE [intune-add-on-note](includes/intune-add-on-note.md)]
-
The device timeline allows you to see a history of events that have occurred on a specific device.
## Before you begin
diff --git a/intune/advanced-analytics/includes/intune-add-on-note.md b/intune/advanced-analytics/includes/intune-add-on-note.md
deleted file mode 100644
index df9e22c451c..00000000000
--- a/intune/advanced-analytics/includes/intune-add-on-note.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-author: MandiOhlinger
-ms.topic: include
-ms.date: 02/22/2023
-ms.author: mandia
----
-> [!NOTE]
-> This capability is available as an Intune add-on. For more information, see [Use Intune Suite add-on capabilities](../../fundamentals/add-ons.md).
diff --git a/intune/advanced-analytics/index.md b/intune/advanced-analytics/index.md
index 173bdac34ea..ae9dc3d1322 100644
--- a/intune/advanced-analytics/index.md
+++ b/intune/advanced-analytics/index.md
@@ -14,71 +14,60 @@ Microsoft Intune Advanced Analytics delivers deep, actionable insights into the
Advanced Analytics enhances endpoint analytics with the following reports and capabilities:
:::row:::
-:::column:::
-#### :::image type="icon" source="../media/icons/24/report.svg"::: Resource performance report
+:::column:::
+
+> [!div class="nextstepaction"]
+> [Resource performance report](resource-performance.md)
> Identifies CPU and RAM performance issues by device, model, and manufacturer to guide purchasing decisions.
->
-> > [!div class="nextstepaction"]
-> > [Learn more](resource-performance.md)
:::column-end:::
:::column:::
-#### :::image type="icon" source="../media/icons/24/report.svg"::: Battery health report
+> [!div class="nextstepaction"]
+> [Battery health report](battery-health.md)
> Monitors battery health for Windows devices to ensure long battery life and a better user experience.
->
-> > [!div class="nextstepaction"]
-> > [Learn more](battery-health.md)
+
:::column-end:::
:::row-end:::
:::row:::
:::column:::
-#### :::image type="icon" source="../media/icons/24/report.svg"::: Anomalies report
+> [!div class="nextstepaction"]
+> [Anomalies report](anomalies.md)
> Tracks device health for regressions in user experience and productivity after configuration changes.
->
-> > [!div class="nextstepaction"]
-> > [Learn more](anomalies.md)
:::column-end:::
:::column:::
-#### :::image type="icon" source="../media/icons/24/report.svg"::: Device timeline report
+> [!div class="nextstepaction"]
+> [Device timeline report](device-timeline.md)
> Shows detailed events with low latency to help troubleshoot device issues quickly.
->
-> > [!div class="nextstepaction"]
-> > [Learn more](device-timeline.md)
:::column-end:::
:::row-end:::
:::row:::
-:::column:::
-#### :::image type="icon" source="../media/icons/24/query.svg"::: Device query
+:::column:::
+> [!div class="nextstepaction"]
+> [Device query](device-query.md)
> Provides near real-time data about the state and configuration of Windows devices.
->
-> > [!div class="nextstepaction"]
-> > [Learn more](device-query.md)
+
:::column-end:::
:::column:::
-#### :::image type="icon" source="../media/icons/24/query.svg"::: Device query for multiple devices
+> [!div class="nextstepaction"]
+> [Device query for multiple devices](device-query-multiple-devices.md)
> Allows you to run queries directly in Intune to retrieve inventory data across multiple devices and platforms.
->
-> > [!div class="nextstepaction"]
-> > [Learn more](device-query-multiple-devices.md)
:::column-end:::
:::row-end:::
:::row:::
:::column:::
-#### :::image type="icon" source="../media/icons/24/devices.svg"::: Device scopes
+> [!div class="nextstepaction"]
+> [Device scopes](device-scopes.md)
> Allows you to use scope tags to filter reports for a subset of devices. See scores, insights, and recommendations specific to those devices.
->
-> > [!div class="nextstepaction"]
-> > [Learn more](device-scopes.md)
:::column-end:::
:::column:::
@@ -128,17 +117,14 @@ This section details **additional prerequisites** specific to Advanced Analytics
:::row:::
:::column span="1":::
-[!INCLUDE [platform](../includes/requirements/licensing.md)]
-
+[!INCLUDE [licensing](../includes/requirements/licensing.md)]
:::column-end:::
:::column span="3":::
-
-> Advanced Analytics features are included in [Microsoft Intune Suite](../fundamentals/add-ons.md). The capabilities are also available as an individual add-on to Microsoft subscriptions that include Intune.
->
-> **Mixed licensing scenarios**: A mixed licensing scenario occurs when some users in your tenant have access to Advanced Analytics through an add-on subscription or trial, while others only have access to the *base* endpoint analytics product. In these cases, the subscription with the highest level of functionality determines the overall endpoint analytics experience for your tenant. For example, if any users have Advanced Analytics, all enrolled devices will benefit from the advanced features.
+> [!INCLUDE [additional-licensing](../includes/licensing/additional-licensing.md)]
:::column-end:::
:::row-end:::
+
## Get started with Advanced Analytics
Before deploying Advanced Analytics, complete these foundational tasks:
diff --git a/intune/advanced-analytics/resource-performance.md b/intune/advanced-analytics/resource-performance.md
index 6a7a7da1e43..878d53f4a28 100644
--- a/intune/advanced-analytics/resource-performance.md
+++ b/intune/advanced-analytics/resource-performance.md
@@ -7,8 +7,6 @@ ms.topic: concept-article
# Resource performance report
-[!INCLUDE [intune-add-on-note](includes/intune-add-on-note.md)]
-
The resource performance report gives you a clear view of processor and memory performance on Windows devices and how these factors affect user experience. By tracking the performance score, you can spot emerging hardware issues that may reduce productivity and take proactive steps before support tickets occur.
The report also provides actionable insights—showing how much your score could improve by upgrading CPU or RAM and helping you identify devices for replacement before warranties expire.
diff --git a/intune/advanced-analytics/toc.yml b/intune/advanced-analytics/toc.yml
index eec8eca8b3e..0e69711136a 100644
--- a/intune/advanced-analytics/toc.yml
+++ b/intune/advanced-analytics/toc.yml
@@ -1,33 +1,33 @@
items:
-- name: Advanced Analytics overview
+- name: Overview
href: index.md
displayName: Advanced Analytics
-- name: Advanced Analytics reports and capabilities
+- name: Reports
items:
- - name: Resource performance report
+ - name: Resource performance
href: resource-performance.md
- displayName: Advanced Analytics
- - name: Battery health report
+ displayName: Advanced Analytics, CPU, memory, slow devices, performance issues
+ - name: Battery health
href: battery-health.md
- displayName: Advanced Analytics
- - name: Anomalies report
+ displayName: Advanced Analytics, battery, power, charge
+ - name: Anomalies
href: anomalies.md
- displayName: Advanced Analytics
- - name: Device timeline report
+ displayName: Advanced Analytics, anomaly detection, outliers, unusual
+ - name: Device timeline
href: device-timeline.md
- displayName: Advanced Analytics
- - name: Device query
- href: device-query.md
- displayName: Advanced Analytics
- - name: Device query for multiple devices
- href: device-query-multiple-devices.md
- displayName: Advanced Analytics
- - name: Device scopes
- href: device-scopes.md
- displayName: Advanced Analytics
+ displayName: Advanced Analytics, history, events, audit, timeline
+- name: Device query
+ href: device-query.md
+ displayName: Advanced Analytics, KQL, Kusto, real-time
+- name: Multi-device query
+ href: device-query-multiple-devices.md
+ displayName: Advanced Analytics, KQL, fleet, bulk
+- name: Device scopes
+ href: device-scopes.md
+ displayName: Advanced Analytics, scope, RBAC, filter
- name: Data platform schema
href: ref-data-platform-schema.md
- displayName: Advanced Analytics schema
+ displayName: Advanced Analytics, schema, reference, tables, fields
- name: Frequently asked questions
href: faq.yml
- displayName: Advanced Analytics FAQs
\ No newline at end of file
+ displayName: Advanced Analytics, FAQs
diff --git a/intune/app-management/deployment/add-enterprise-catalog-app.md b/intune/app-management/deployment/add-enterprise-catalog-app.md
index 9fe85b59090..abe08104b06 100644
--- a/intune/app-management/deployment/add-enterprise-catalog-app.md
+++ b/intune/app-management/deployment/add-enterprise-catalog-app.md
@@ -16,7 +16,7 @@ ms.collection:
The Enterprise App Catalog is a collection of prepackaged [Win32 apps](./win32.md) that are designed and prepared by Microsoft to support Intune. The catalog contains both Microsoft apps and non-Microsoft apps. An Enterprise App Catalog app is a Windows app that you can add via the Enterprise App Catalog in Intune. This app type uses the Win32 platform and has support for customizable capabilities, including PowerShell script installers for enhanced deployment flexibility (introduced in 2025).
> [!IMPORTANT]
-> The Enterprise App Catalog is a feature of Enterprise App Management (EAM) which is an Intune add-on as part of the Intune suite that's available for trial and purchase. For more information, see [Use Intune Suite add-on capabilities](../../fundamentals/add-ons.md).
+> The Enterprise App Catalog is a feature of Enterprise App Management (EAM), which is part of Microsoft Intune Suite and available for trial and purchase. For more information, see [Microsoft Intune advanced capabilities](../../fundamentals/advanced-capabilities.md).
When you add an app to Intune, you want to use default installation, requirements, and detection settings. For apps within the Enterprise App Catalog, these default settings are configured and confirmed by Microsoft. You must be careful if you modify the application properties as unexpected or harmful commands could be passed via the **Install command** and **Uninstall command** fields. In addition, changing the install commands might cause installation to fail.
diff --git a/intune/app-management/deployment/assign-groups.md b/intune/app-management/deployment/assign-groups.md
index ec000317c72..5c1b08377ff 100644
--- a/intune/app-management/deployment/assign-groups.md
+++ b/intune/app-management/deployment/assign-groups.md
@@ -51,7 +51,7 @@ The following table lists the various options when *assigning* apps to users and
6. Select **Add Group** to open the **Add group** pane that relates to the app.
7. For the specific app, select an **assignment type**:
- **Available for enrolled devices**: Assign the app to groups of users who can install the app from the Company Portal app or website.
- - **Available with or without enrollment**: Assign this setting to groups of users whose devices aren't enrolled with Intune. Users must be assigned an Intune license, see [Intune Licenses](../../fundamentals/licensing/index.md).
+ - **Available with or without enrollment**: Assign this setting to groups of users whose devices aren't enrolled with Intune. Users must be assigned an Intune license, see [Intune Licenses](../../fundamentals/licensing.md).
- **Required**: The app is installed on devices in the selected groups. Some platforms might have more prompts for the end user to acknowledge before app installation begins.
- **Uninstall**: The app is uninstalled from devices in the selected groups if Intune previously installed the application. This applies only to apps installed via an "Available for enrolled devices" or "Required" assignment using the same deployment.
diff --git a/intune/app-management/deployment/enterprise-app-management.md b/intune/app-management/deployment/enterprise-app-management.md
index 0ec2a3efc80..e50f8ee3571 100644
--- a/intune/app-management/deployment/enterprise-app-management.md
+++ b/intune/app-management/deployment/enterprise-app-management.md
@@ -14,11 +14,6 @@ ms.collection:
Microsoft Intune Enterprise App Management enables you to easily discover and deploy applications and keep them up to date from the Enterprise App Catalog. The Enterprise App Catalog is a collection of prepared Microsoft and non-Microsoft applications. These apps are Win32 apps that are [prepared as Win32 apps](./create-win32-package.md) and hosted by Microsoft.
-> [!IMPORTANT]
-> Enterprise App Management is an Intune add-on as part of the Intune suite that's available for trial and purchase. For more information, see [Use Intune Suite add-on capabilities](../../fundamentals/add-ons.md).
-
-[!INCLUDE [windows-10-support](../../includes/windows-10-support.md)]
-
## Benefits of Enterprise App Management
The Enterprise App Management provides the following benefits:
@@ -59,6 +54,32 @@ The Enterprise App Catalog includes apps that self update. Intune ensures the ap
> [!IMPORTANT]
> Self-updating apps might require that your tenant has network rules configured to allow an update from the app vendor.
+## Prerequisites
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [licensing](../../includes/requirements/licensing.md)]
+
+:::column-end:::
+:::column span="3":::
+
+>[!INCLUDE [additional-licensing](../../includes/licensing/additional-licensing.md)]
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [platform](../../includes/requirements/platform.md)]
+
+:::column-end:::
+:::column span="3":::
+
+>The Enterprise App Catalog is available for Windows apps.
+>
+>[!INCLUDE [windows-10-support](../../includes/windows-10-support.md)]
+:::column-end:::
+:::row-end:::
+
## Frequently asked questions (FAQ)
### How can I request to add an application to the Enterprise App Catalog?
diff --git a/intune/app-management/protection/mam-faq.yml b/intune/app-management/protection/mam-faq.yml
index 0170f3c7d71..183cf4293bc 100644
--- a/intune/app-management/protection/mam-faq.yml
+++ b/intune/app-management/protection/mam-faq.yml
@@ -47,7 +47,7 @@ sections:
answer: |
- The end user must have a Microsoft Entra account. For more information on how to create Intune users in Microsoft Entra ID, see [Add users and give administrative permission to Intune](../../fundamentals/tenant-administration/add-users.md).
- - The end user must have a license for Microsoft Intune assigned to their Microsoft Entra account. For more information on how to assign Intune licenses to end users, see [Manage Intune licenses](../../fundamentals/licensing/assign-licenses.md).
+ - The end user must have a license for Microsoft Intune assigned to their Microsoft Entra account. For more information on how to assign Intune licenses to end users, see [Manage Intune licenses](../../fundamentals/assign-licenses.md).
- The end user must belong to a security group targeted by an app protection policy. The same app protection policy must target the specific app being used. App protection policies can be created and deployed in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). Security groups can currently be created in the [Microsoft 365 admin center](https://admin.microsoft.com).
diff --git a/intune/app-management/protection/mam-without-enrollment.md b/intune/app-management/protection/mam-without-enrollment.md
index 7d646a1bb01..1b5b690f1d0 100644
--- a/intune/app-management/protection/mam-without-enrollment.md
+++ b/intune/app-management/protection/mam-without-enrollment.md
@@ -26,8 +26,6 @@ This article provides recommendations on when to use MAM. It also includes an ov
- [Microsoft Intune app management](../overview.md)
- [Data protection for Windows MAM](./enable-mam-windows.md)
-> [!TIP]
-> [!INCLUDE [tips-guidance-plan-deploy-guides](../../device-enrollment/includes/tips-guidance-plan-deploy-guides.md)]
## Before you begin
diff --git a/intune/app-management/protection/overview.md b/intune/app-management/protection/overview.md
index cd462efabbe..4cf21db4072 100644
--- a/intune/app-management/protection/overview.md
+++ b/intune/app-management/protection/overview.md
@@ -153,7 +153,7 @@ The following list provides the user requirements to use app protection policies
- The user must have a Microsoft Entra account. See [Add users and give administrative permission to Intune](../../fundamentals/tenant-administration/add-users.md) to learn how to create Intune users in Microsoft Entra ID.
-- The user must have a license for Microsoft Intune assigned to their Microsoft Entra account. See [Manage Intune licenses](../../fundamentals/licensing/assign-licenses.md) to learn how to assign Intune licenses to users.
+- The user must have a license for Microsoft Intune assigned to their Microsoft Entra account. See [Manage Intune licenses](../../fundamentals/assign-licenses.md) to learn how to assign Intune licenses to users.
- The user must belong to a security group that is targeted by an app protection policy. The same app protection policy must target the specific app being used. App protection policies can be created and deployed in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). Security groups can currently be created in the [Microsoft 365 admin center](https://admin.microsoft.com).
diff --git a/intune/app-management/protection/policy-delivery-timing.md b/intune/app-management/protection/policy-delivery-timing.md
index feef77477ae..6da8da428d9 100644
--- a/intune/app-management/protection/policy-delivery-timing.md
+++ b/intune/app-management/protection/policy-delivery-timing.md
@@ -37,5 +37,5 @@ When user registration fails due to network connectivity issues an accelerated r
## Next steps
-[Assign licenses to users so they can enroll devices in Intune](../../fundamentals/licensing/assign-licenses.md)
+[Assign licenses to users so they can enroll devices in Intune](../../fundamentals/assign-licenses.md)
diff --git a/intune/app-management/protection/ref-settings-windows.md b/intune/app-management/protection/ref-settings-windows.md
index 90c375387d7..d937346c329 100644
--- a/intune/app-management/protection/ref-settings-windows.md
+++ b/intune/app-management/protection/ref-settings-windows.md
@@ -42,7 +42,7 @@ The **Data protection** settings affect the org data and context. As the admin,
## Health Checks
-Set the health check conditions for your app protection policy. Select a **Setting** and enter the **Value** that users must meet to access your org data. Then select the **Action** you want to take if users don't meet your conditionals. In some cases, multiple actions can be configured for a single setting. For more information, see [Health Check Actions]().
+Set the health check conditions for your app protection policy. Select a **Setting** and enter the **Value** that users must meet to access your org data. Then select the **Action** you want to take if users don't meet your conditionals. In some cases, multiple actions can be configured for a single setting.
### App conditions
diff --git a/intune/app-management/protection/validate-policy-setup.md b/intune/app-management/protection/validate-policy-setup.md
index d7ce3c89ef2..b1451dd6e63 100644
--- a/intune/app-management/protection/validate-policy-setup.md
+++ b/intune/app-management/protection/validate-policy-setup.md
@@ -32,16 +32,16 @@ If testing shows that your app protection policy behavior isn't functioning as e
## What to do
Here are the actions to take based on the user status:
-- If the user isn't licensed for app protection, assign an [Intune license](../../fundamentals/licensing/index.md) to the user.
-- If the user isn't licensed for Microsoft 365, get a [license](../../fundamentals/licensing/index.md) for the user.
+- If the user isn't licensed for app protection, assign an [Intune license](../../fundamentals/licensing.md) to the user.
+- If the user isn't licensed for Microsoft 365, get a [license](../../fundamentals/licensing.md) for the user.
- If a user's app is listed as **Not checked in**, check if you've correctly configured an [app protection policy](./validate-policy-setup.md) for that app.
- Ensure that these conditions apply across all users to which you want [app protection policies](./monitor-policies.md) to apply.
## See also
- [What is Intune app protection policy?](./create-policy.md)
-- [Licenses that include Intune](../../fundamentals/licensing/index.md)
-- [Assign licenses to users so they can enroll devices in Intune](../../fundamentals/licensing/assign-licenses.md)
+- [Licenses that include Intune](../../fundamentals/licensing.md)
+- [Assign licenses to users so they can enroll devices in Intune](../../fundamentals/assign-licenses.md)
- [How to validate your app protection policy setup](./validate-policy-setup.md)
- [How to monitor app protection policies](./monitor-policies.md)
diff --git a/intune/cloud-pki/index.md b/intune/cloud-pki/index.md
index 26c7f894e44..4610d539e1e 100644
--- a/intune/cloud-pki/index.md
+++ b/intune/cloud-pki/index.md
@@ -1,19 +1,12 @@
---
title: Microsoft Cloud PKI for Microsoft Intune
-description: An overview of the Microsoft Cloud PKI service, available with Microsoft Intune Suite or as an Intune add-on.
+description: An overview of the Microsoft Cloud PKI service, available with Microsoft Intune Suite or as a standalone capability.
ms.date: 12/06/2024
ms.topic: how-to
---
# Overview of Microsoft Cloud PKI for Microsoft Intune
-**Applies to**:
-
-* Windows
-* Android
-* iOS
-* macOS
-
Use Microsoft Cloud PKI to issue certificates for Intune-managed devices. Microsoft Cloud PKI is a cloud-based service that simplifies and automates certificate lifecycle management for Intune-managed devices. It provides a dedicated public key infrastructure (PKI) for your organization, without requiring any on-premises servers, connectors, or hardware. It handles the certificate issuance, renewal, and revocation for all Intune supported platforms.
This article provides an overview of Microsoft Cloud PKI for Intune, how it works, and its architecture.
@@ -22,6 +15,56 @@ This article provides an overview of Microsoft Cloud PKI for Intune, how it work
PKI is a system that uses digital certificates to authenticate and encrypt data between devices and services. PKI certificates are essential for securing various scenarios, such as VPN, Wi-Fi, email, web, and device identity. However, managing PKI certificates can be challenging, costly, and complex, especially for organizations that have a large number of devices and users. You can use Microsoft Cloud PKI to enhance the security and productivity of your devices and users, and to accelerate your digital transformation to a fully managed cloud PKI service. Additionally, you can utilize the Cloud PKI service in to reduce workloads for Active Directory Certificate Services (ADCS) or private on-premises certification authorities.
+## Prerequisites
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [licensing](../includes/requirements/licensing.md)]
+
+:::column-end:::
+:::column span="3":::
+
+>[!INCLUDE [additional-licensing](../includes/licensing/additional-licensing.md)]
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [platform](../includes/requirements/platform.md)]
+
+:::column-end:::
+:::column span="3":::
+
+>You can use the Microsoft Cloud PKI service with these platforms:
+>
+>- Android
+>- iOS/iPadOS
+>- macOS
+>- Windows
+>
+>Devices must be enrolled in Intune, and the platform must support the Intune device configuration SCEP certificate profile.
+
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [rbac](../includes/requirements/rbac.md)]
+
+:::column-end:::
+:::column span="3":::
+
+>The following permissions are available to assign to custom Intune roles. These permissions enable users to view and manage CAs in the admin center.
+>
+>- Read CAs: Any user assigned this permission can read the properties of a CA.
+>- Create certificate authorities: Any user assigned this permission can create a root or issuing CA.
+>- Revoke issued leaf certificates: Any user assigned this permission has the ability to manually revoke a certificate issued by an issuing CA. This permission also requires the *read CA* permission.
+>
+>You can assign scope tags to the root and issuing CAs. For more information about how to create custom roles and scope tags, see [Role-based access control with Microsoft Intune](../fundamentals/role-based-access-control/scope-tags.md).
+
+:::column-end:::
+:::row-end:::
+
## Manage Cloud PKI in Microsoft Intune admin center
Microsoft Cloud PKI objects are created and managed in the Microsoft Intune admin center. From there, you can:
@@ -33,17 +76,6 @@ Microsoft Cloud PKI objects are created and managed in the Microsoft Intune admi
After you create a Cloud PKI issuing CA, you can start to issue certificates in minutes.
-## Supported device platforms
-
-You can use the Microsoft Cloud PKI service with these platforms:
-
-* Android
-* iOS/iPadOS
-* macOS
-* Windows
-
-Devices must be enrolled in Intune, and the platform must support the Intune device configuration SCEP certificate profile.
-
## Overview of features
The following table lists the features and scenarios supported with Microsoft Cloud PKI and Microsoft Intune.
@@ -54,8 +86,8 @@ The following table lists the features and scenarios supported with Microsoft Cl
| Bring your own CA (BYOCA) | Anchor an Intune Issuing CA to a private CA through Active Directory Certificate Services or a non-Microsoft certificate service. If you have an existing PKI infrastructure, you can maintain the same root CA and create an issuing CA that chains to your external root. This option includes support for external private CA N+ tier hierarchies. |
| Signing and Encryption algorithms| Intune supports RSA, key sizes 2048, 3072, and 4096. |
| Hash algorithms | Intune supports SHA-256, SHA-384, and SHA-512. |
-|HSM keys (signing and encryption)|Keys are provisioned using [Azure Managed Hardware Security Module (Azure Managed HSM)](/azure/key-vault/managed-hsm/overview).
CAs created with a licensed Intune Suite or Cloud PKI Standalone Add-on automatically use HSM signing and encryption keys. No Azure subscription is required for Azure HSM. |
-|Software Keys (signing and encryption) |CAs created during a trial period of Intune Suite or Cloud PKI standalone Add-on use software-backed signing and encryption keys using `System.Security.Cryptography.RSA`. |
+|HSM keys (signing and encryption)|Keys are provisioned using [Azure Managed Hardware Security Module (Azure Managed HSM)](/azure/key-vault/managed-hsm/overview).
Cloud PKI CAs use HSM signing and encryption keys. No Azure subscription is required for Azure HSM. |
+|Software Keys (signing and encryption) |CAs created during a trial period of Intune Suite or standalone Cloud PKI use software-backed signing and encryption keys using `System.Security.Cryptography.RSA`. |
| Certificate registration authority | Providing a Cloud Certificate Registration Authority supporting Simple Certificate Enrollment Protocol (SCEP) for each Cloud PKI Issuing CA.|
|Certificate Revocation List (CRL) distribution points | Intune hosts the CRL distribution point (CDP) for each CA.
The CRL validity period is seven days. Publishing and refresh happen every 3.5 days. The CRL is updated with every certificate revocation. |
|Authority Information Access (AIA) end points | Intune hosts the AIA endpoint for each Issuing CA. The AIA endpoint can be used by relying parties to retrieve parent certificates. |
@@ -114,31 +146,12 @@ A5. The signed certificate is delivered to the Intune MDM-enrolled device.
>[!NOTE]
> The SCEP challenge is encrypted and signed using the Intune SCEP registration authority keys.
-## Licensing requirements
-
-Microsoft Cloud PKI requires one of the following licenses:
-
-* Microsoft Intune Suite license
-* Microsoft Cloud PKI standalone Intune add-ons license
-
-For more information about licensing options, see [Microsoft Intune licensing](../fundamentals/licensing/index.md).
-
-## Role based access control
-
-The following permissions are available to assign to custom Intune roles. These permissions enable users to view and manage CAs in the admin center.
-
-* Read CAs: Any user assigned this permission can read the properties of a CA.
-* Create certificate authorities: Any user assigned this permission can create a root or issuing CA.
-* Revoke issued leaf certificates: Any user assigned this permission has the ability to manually revoke a certificate issued by an issuing CA. This permission also requires the *read CA* permission.
-
-You can assign scope tags to the root and issuing CAs. For more information about how to create custom roles and scope tags, see [Role-based access control with Microsoft Intune](../fundamentals/role-based-access-control/scope-tags.md).
-
## Try Microsoft Cloud PKI
You can try out the Microsoft Cloud PKI feature in the Intune admin center during a trial period. Available trials include:
-* [Microsoft Intune Suite trial](https://www.microsoft.com/security/business/microsoft-intune-pricing)
-* [Standalone add-on trial](../fundamentals/add-ons.md#try-or-buy-intune-add-ons)
+- [Microsoft Intune Suite trial](https://www.microsoft.com/security/business/microsoft-intune-pricing)
+- [Standalone Cloud PKI trial](../fundamentals/advanced-capabilities.md)
During the trial period, you can create up to six CAs in your tenant. Cloud PKI CAs created during the trial use software-backed keys, and use `System.Security.Cryptography.RSA` to generate and sign the keys. You can continue to use the CAs after purchasing a Cloud PKI license. However, the keys remain software-backed, and can't be converted to HSM backed keys. The Microsoft Intune service managed CA keys. No Azure subscription is required for Azure HSM capabilities.
@@ -157,7 +170,7 @@ For the latest changes and additions, see [What's new in Microsoft Intune](../wh
* You can create up to six CAs in an Intune tenant.
* Licensed Cloud PKI - A total of 6 CAs can be created using Azure mHSM keys.
- * Trial Cloud PKI - A total of 6 CAs can be created during a trial of Intune Suite or Cloud PKI standalone add-on.
+ * Trial Cloud PKI - A total of 6 CAs can be created during a trial of Intune Suite or standalone Cloud PKI.
* The following CA types count toward the CA capacity:
* Cloud PKI Root CA
* Cloud PKI Issuing CA
diff --git a/intune/configmgr/comanage/how-to-monitor.md b/intune/configmgr/comanage/how-to-monitor.md
index 9d9183f0963..2a590d8921c 100644
--- a/intune/configmgr/comanage/how-to-monitor.md
+++ b/intune/configmgr/comanage/how-to-monitor.md
@@ -87,7 +87,7 @@ There are hundreds of possible errors. The following table lists the most common
| Error | Description |
|---------|---------|
| 2147549183 (0x8000FFFF) | MDM enrollment hasn't been configured yet on Microsoft Entra ID, or the enrollment URL isn't expected.
[Enable automatic enrollment](../../device-enrollment/windows/enable-automatic-mdm.md) |
-| 2149056536 (0x80180018) MENROLL_E_USERLICENSE | License of user is in bad state blocking enrollment
[Assign licenses to users](/mem/fundamentals/licensing/assign-licenses) |
+| 2149056536 (0x80180018) MENROLL_E_USERLICENSE | License of user is in bad state blocking enrollment
[Assign licenses to users](../../fundamentals/assign-licenses.md) |
| 2149056555 (0x8018002B) MENROLL_E_MDM_NOT_CONFIGURED | When trying to automatically enroll to Intune, but the Microsoft Entra configuration isn't fully applied. This issue should be transient, as the device retries after a short time. |
| 2149056554 (0x8018002A) | The user canceled the operation
If MDM enrollment requires multi-factor authentication, and the user hasn't signed in with a supported second factor, Windows displays a toast notification to the user to enroll. If the user doesn't respond to toast notification, this error occurs. This issue should be transient, as Configuration Manager will retry and prompt the user. Users should use multi-factor authentication when they sign in to Windows. Also educate them to expect this behavior, and if prompted, take action. |
| 2149056532 (0x80180014) MENROLL_E_DEVICENOTSUPPORTED | Mobile device management isn't supported. Check device restrictions. |
diff --git a/intune/configmgr/mdm/index.yml b/intune/configmgr/mdm/index.yml
index 280f521ba34..572938e1574 100644
--- a/intune/configmgr/mdm/index.yml
+++ b/intune/configmgr/mdm/index.yml
@@ -45,8 +45,8 @@ landingContent:
links:
- text: What is Intune?
url: /intune/fundamentals/what-is-intune
- - text: Device management overview
- url: /intune/fundamentals/what-is-device-management
+ - text: Manage and secure devices
+ url: /intune/fundamentals/manage-devices
- linkListType: tutorial
links:
- text: Walkthrough the Microsoft Intune admin center
diff --git a/intune/configmgr/mdm/plan-design/plan-on-premises-mdm.md b/intune/configmgr/mdm/plan-design/plan-on-premises-mdm.md
index af76f0b65b1..228e7a8523a 100644
--- a/intune/configmgr/mdm/plan-design/plan-on-premises-mdm.md
+++ b/intune/configmgr/mdm/plan-design/plan-on-premises-mdm.md
@@ -19,7 +19,7 @@ There are several key areas to review when you're planning to implement on-premi
- Device enrollment
> [!IMPORTANT]
-> While the site or any mobile device doesn't connect to Microsoft Intune, your organization still requires Intune licenses to use this feature. For more information, see [Microsoft Intune licensing](/mem/fundamentals/licensing/index).
+> While the site or any mobile device doesn't connect to Microsoft Intune, your organization still requires Intune licenses to use this feature. For more information, see [Microsoft Intune licensing](/mem/fundamentals/licensing).
Consider the following requirements before preparing the Configuration Manager infrastructure to handle on-premises MDM.
diff --git a/intune/configmgr/sum/deploy-use/third-party-software-update-catalogs.md b/intune/configmgr/sum/deploy-use/third-party-software-update-catalogs.md
index 3ce273a1adb..90c2c8c236a 100644
--- a/intune/configmgr/sum/deploy-use/third-party-software-update-catalogs.md
+++ b/intune/configmgr/sum/deploy-use/third-party-software-update-catalogs.md
@@ -20,7 +20,7 @@ To make it easier to find custom catalogs, we're providing a list of links as a
|Custom catalog provider| URL|
|--|--|
|Adobe | Multiple catalogs are available from Adobe. https://www.adobe.com/devnet-docs/acrobatetk/tools/DesktopDeployment/sccm.html |
-|Centero Software Manager| https://centero.fi/centero-software-manager/product-editions/#csm-for-mecm |
+|Centero Software Manager| https://docs.software-manager.com/docs/csm-for-sccm |
|Dell| *Partner catalog* available in the **Third-Party Software Update Catalogs** node https://www.dell.com/support/article/sln311138/ https://downloads.dell.com/Catalog/DellSDPCatalogPC.cab https://downloads.dell.com/Catalog/DellSDPCatalog.cab |
|Fujitsu| https://support.ts.fujitsu.com/GFSMS/globalflash/FJSVUMCatalogForSCCM.cab |
|HP| *Partner catalog* available in the **Third-Party Software Update Catalogs** node https://hpia.hpcloud.hp.com/downloads/sccmcatalog/HpCatalogForSms.latest.cab `http://ftp.hp.com/pub/softlib/software/sms_catalog/HpCatalogForSms.latest.cab` |
diff --git a/intune/copilot/agents/change-review-agent.md b/intune/copilot/agents/change-review-agent.md
index 1bb804bfc03..f4006e07982 100644
--- a/intune/copilot/agents/change-review-agent.md
+++ b/intune/copilot/agents/change-review-agent.md
@@ -43,7 +43,7 @@ The agent analyzes these signals to assess the potential risk associated with ea
> To use Security Copilot agents in Microsoft Intune, your organization must meet specific licensing requirements.
>
> Required licenses:
-> - [Microsoft Intune Plan 1 subscription](../../fundamentals/licensing/index.md)
+> - [Microsoft Intune Plan 1 subscription](../../fundamentals/licensing.md)
> - [Microsoft Entra ID P2](/entra/fundamentals/licensing)
> - [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/tvm-prerequisites)
> - [Microsoft Security Copilot](/copilot/security/get-started-security-copilot) with sufficient security compute units (SCUs)
diff --git a/intune/copilot/agents/device-offboarding-agent.md b/intune/copilot/agents/device-offboarding-agent.md
index a50a8c4e53f..76798896456 100644
--- a/intune/copilot/agents/device-offboarding-agent.md
+++ b/intune/copilot/agents/device-offboarding-agent.md
@@ -37,7 +37,7 @@ The *Device Offboarding Agent* identifies stale or misaligned devices across Int
>
>Required licenses:
>
-> - [Microsoft Intune Plan 1 subscription](../../fundamentals/licensing/index.md)
+> - [Microsoft Intune Plan 1 subscription](../../fundamentals/licensing.md)
> - [Microsoft Security Copilot](/copilot/security/get-started-security-copilot) with sufficient security compute units (SCUs)
:::column-end:::
:::row-end:::
diff --git a/intune/copilot/agents/policy-configuration-agent.md b/intune/copilot/agents/policy-configuration-agent.md
index 5daba6f0917..4443b1e7c24 100644
--- a/intune/copilot/agents/policy-configuration-agent.md
+++ b/intune/copilot/agents/policy-configuration-agent.md
@@ -56,7 +56,7 @@ To learn how to use the agent, see [Use the Policy Configuration Agent](manage-p
:::column span="3":::
> To use Security Copilot agents in Microsoft Intune, the following licenses are required:
>
-> - [Microsoft Intune Plan 1 subscription](../../fundamentals/licensing/index.md)
+> - [Microsoft Intune Plan 1 subscription](../../fundamentals/licensing.md)
> - [Microsoft Security Copilot](/copilot/security/get-started-security-copilot) with sufficient security compute units (SCUs)
:::column-end:::
:::row-end:::
diff --git a/intune/copilot/agents/vulnerability-remediation-agent.md b/intune/copilot/agents/vulnerability-remediation-agent.md
index 6ee11f2bae0..28fed8e8560 100644
--- a/intune/copilot/agents/vulnerability-remediation-agent.md
+++ b/intune/copilot/agents/vulnerability-remediation-agent.md
@@ -68,7 +68,7 @@ For information about other Security Copilot Agents in Intune and common feature
:::column span="3":::
> To use Security Copilot agents in Microsoft Intune, the following licenses are required:
>
-> - [Microsoft Intune Plan 1 subscription](../../fundamentals/licensing/index.md)
+> - [Microsoft Intune Plan 1 subscription](../../fundamentals/licensing.md)
> - [Microsoft Security Copilot](/copilot/security/get-started-security-copilot) with sufficient security compute units (SCUs)
> - [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management) - This capability is provided by Microsoft Defender for Endpoint P2 or Defender Vulnerability Management Standalone.
diff --git a/intune/copilot/index.md b/intune/copilot/index.md
index 3e73efcbcf1..719d103d6ff 100644
--- a/intune/copilot/index.md
+++ b/intune/copilot/index.md
@@ -216,7 +216,7 @@ For more information about using Copilot with your devices, go to [Use Copilot i
You can use Copilot to help you create Kusto Query Language (KQL) queries to run when using device query in Intune.
> [!NOTE]
-> To use Device query in your tenant, you must have a license that includes Microsoft Intune Advanced Analytics. For more information, see [Intune add-ons](../fundamentals/add-ons.md#microsoft-intune-advanced-analytics).
+> To use Device query in your tenant, you must have a license that includes Advanced Analytics. For more information, see [Microsoft Intune advanced capabilities](../fundamentals/advanced-capabilities.md).
You can use this feature for an individual device or for many devices.
diff --git a/intune/developer/app-sdk/android-phase-1.md b/intune/developer/app-sdk/android-phase-1.md
index eed1563fefa..1ba64a0ed8a 100644
--- a/intune/developer/app-sdk/android-phase-1.md
+++ b/intune/developer/app-sdk/android-phase-1.md
@@ -257,7 +257,7 @@ After you've completed all the [Exit Criteria] above, continue to [Stage 2: The
[Set up Intune]:../../fundamentals/deploy-setup-step-1.md
[Create users]:../../fundamentals/tenant-administration/add-users.md
[Create groups]:../../fundamentals/tenant-administration/add-groups.md
-[Assign licenses]:../../fundamentals/licensing/assign-licenses.md
+[Assign licenses]:../../fundamentals/assign-licenses.md
[Create and assign app protection policies]:../../app-management/protection/create-policy.md
[app configuration policy]:../../app-management/configuration/overview.md
[Quickstart: Register an app in the Microsoft identity platform - Microsoft identity platform]:/azure/active-directory/active-directory-app-registration
diff --git a/intune/developer/app-sdk/ios-phase-1.md b/intune/developer/app-sdk/ios-phase-1.md
index feccd8dfa96..e2ca8e74c33 100644
--- a/intune/developer/app-sdk/ios-phase-1.md
+++ b/intune/developer/app-sdk/ios-phase-1.md
@@ -180,7 +180,7 @@ After you've completed all the [Exit Criteria] above, continue to [Stage 2: MSAL
[Set up Intune]:../../fundamentals/deploy-setup-step-1.md
[Create users]:../../fundamentals/tenant-administration/add-users.md
[Create groups]:../../fundamentals/tenant-administration/add-groups.md
-[Assign licenses]:../../fundamentals/licensing/assign-licenses.md
+[Assign licenses]:../../fundamentals/assign-licenses.md
[Create and assign app protection policies]:../../app-management/protection/create-policy.md
[app configuration policy]:../../app-management/configuration/overview.md
[Quickstart: Register an app in the Microsoft identity platform - Microsoft identity platform]:/azure/active-directory/develop/quickstart-register-app
diff --git a/intune/developer/app-sdk/quickstart-integration.md b/intune/developer/app-sdk/quickstart-integration.md
index b4483ae94c6..6804b68155b 100644
--- a/intune/developer/app-sdk/quickstart-integration.md
+++ b/intune/developer/app-sdk/quickstart-integration.md
@@ -158,7 +158,7 @@ After you finish the necessary steps to integrate your iOS or Android app with t
* If you're developing a line-of-business app that won't be shipped to the store, you're expected to have access to Microsoft Intune through your organization. You can also sign up for a one-month free trial in [Microsoft Intune](https://admin.microsoft.com/Signup/Signup.aspx?OfferId=40BE278A-DFD1-470a-9EF7-9F2596EA7FF9&dl=INTUNE_A&ali=1#0).
- * If you're testing your app on a mobile device using an end user account, ensure that you have given that account an Intune license by in the Microsoft 365 admin center website after logging in with an admin account, see [Assign Microsoft Intune license](../../fundamentals/licensing/assign-licenses.md).
+ * If you're testing your app on a mobile device using an end user account, ensure that you have given that account an Intune license by in the Microsoft 365 admin center website after logging in with an admin account, see [Assign Microsoft Intune license](../../fundamentals/assign-licenses.md).
* **Intune app protection policies**: To test your app against all the Intune app protection policies, you should know what the expected behavior is for each policy setting. See the descriptions for [iOS app protection policies](../../app-management/protection/ref-settings-ios.md) and [Android app protection policies](../../app-management/protection/ref-settings-android.md). If your app has integrated the Intune SDK, but isn't listed in the list of targetable apps, you can specify the app's bundle ID (iOS) or package name (Android) in the text box when selecting **Custom Apps**.
diff --git a/intune/developer/app-sdk/tunnel-mam-ios.md b/intune/developer/app-sdk/tunnel-mam-ios.md
index 5ab8fff3a62..5f24963c468 100644
--- a/intune/developer/app-sdk/tunnel-mam-ios.md
+++ b/intune/developer/app-sdk/tunnel-mam-ios.md
@@ -12,8 +12,6 @@ ms.collection:
# Microsoft Tunnel for MAM iOS SDK Developer Guide
-[!INCLUDE [intune-add-on-note](../../includes/intune-plan2-suite-note.md)]
-
The Microsoft Tunnel for MAM iOS SDK developer guide is a resource for developers. It helps developers integrate and configure the SDK into an iOS/iPadOS app. For an overview of the Microsoft Tunnel for MAM, see [Microsoft Tunnel for MAM for iOS/iPadOS - Intune admin guide](../../device-security/microsoft-tunnel/mam-ios.md).
This guide covers different parts of the integration process in your Xcode app project, including installing the frameworks, configuring the `info.plist` file, build settings, key sharing, and implementing the SDK's delegate methods.
diff --git a/intune/developer/data-warehouse/ref-data-model.md b/intune/developer/data-warehouse/ref-data-model.md
index 22ba74f4208..2465acf98b0 100644
--- a/intune/developer/data-warehouse/ref-data-model.md
+++ b/intune/developer/data-warehouse/ref-data-model.md
@@ -50,5 +50,5 @@ The warehouse is downstream from your Intune data. Intune takes a daily snapshot
## Next steps
- To learn more about how the data warehouse tracks a user's lifetime in Intune, see [User lifetime representation in the Intune Data Warehouse](ref-user-timeline.md).
-- To learn more about working with data warehouses in the [Create First Data WareHouse](https://www.codeproject.com/Articles/652108/Create-First-Data-WareHouse).
+- To learn more about working with data warehouses, see [Microsoft Fabric Data Warehouse introduction](/fabric/data-warehouse/tutorial-introduction).
- To learn more about working with Power BI and a data warehouse in [Create a new Power BI report by importing a dataset](https://powerbi.microsoft.com/documentation/powerbi-service-create-a-new-report/).
diff --git a/intune/developer/includes/reports-credential-reqs.md b/intune/developer/includes/reports-credential-reqs.md
index c5d93244356..c7d045b0e85 100644
--- a/intune/developer/includes/reports-credential-reqs.md
+++ b/intune/developer/includes/reports-credential-reqs.md
@@ -15,4 +15,4 @@ Requirements for accessing the Intune Data Warehouse (including the API) are:
- User-less authentication using [application-only authentication](../../developer/data-warehouse/configure-app-only-auth.md)
> [!IMPORTANT]
-> To be assigned an Intune role and access the Intune Data Warehouse, the user must have an Intune license. For more information, see [Role-based access control (RBAC) with Microsoft Intune](../../fundamentals/role-based-access-control/overview.md) and [Microsoft Intune licensing](../../fundamentals/licensing/index.md).
+> To be assigned an Intune role and access the Intune Data Warehouse, the user must have an Intune license. For more information, see [Role-based access control (RBAC) with Microsoft Intune](../../fundamentals/role-based-access-control/overview.md) and [Microsoft Intune licensing](../../fundamentals/licensing.md).
diff --git a/intune/device-configuration/assign-device-profile.md b/intune/device-configuration/assign-device-profile.md
index 3cf90d17386..15fcd2d9806 100644
--- a/intune/device-configuration/assign-device-profile.md
+++ b/intune/device-configuration/assign-device-profile.md
@@ -1,7 +1,7 @@
---
title: Assign device profiles in Microsoft Intune
description: Use the Microsoft Intune admin center to assign device configuration profiles and policies to users and devices. Learn how to exclude groups from a profile assignment in Microsoft Intune.
-ms.date: 02/10/2026
+ms.date: 05/19/2026
ms.update-cycle: 180-days
ms.topic: how-to
ms.reviewer: gokarthi
@@ -173,7 +173,10 @@ When you assign your policies and policies, apply the following general principl
- Excluded groups can be groups with users or groups with devices.
-- Dynamic Microsoft Entra device groups can be added to Included groups. But, there can be latency when populating the dynamic group membership. In latency-sensitive scenarios, use [assignment filters](../fundamentals/filters/overview.md) to target specific devices, and assign your policies to user groups.
+- Dynamic Microsoft Entra device groups can be added to Included groups. But, dynamic group membership requires processing time before devices appear in the group. In time-sensitive scenarios, use [assignment filters](../fundamentals/filters/overview.md) to target specific devices directly at check-in, and assign your policies to user groups or the *All devices* virtual group.
+
+ > [!TIP]
+ > If your dynamic device group rule targets properties like OS type, manufacturer, model, ownership, or device category, consider using an [assignment filter](../fundamentals/filters/overview.md) instead. Filters evaluate device properties directly at check-in without depending on group membership processing. For guidance, go to [Performance recommendations for grouping, targeting, and filtering](../fundamentals/filters/performance-recommendations.md).
For example, you want policies assigned to devices as soon as they enroll. In this latency-sensitive situation, create an [assignment filter](../fundamentals/filters/overview.md) to target the devices you want, and assign the policy with this assignment filter to user groups. Don't assign to device groups.
diff --git a/intune/device-configuration/endpoint-security/deploy-edr.md b/intune/device-configuration/endpoint-security/deploy-edr.md
index d3e77514d39..a1226ed891e 100644
--- a/intune/device-configuration/endpoint-security/deploy-edr.md
+++ b/intune/device-configuration/endpoint-security/deploy-edr.md
@@ -67,8 +67,8 @@ You need licenses for Microsoft Defender:
- Microsoft Defender XDR (standalone)
For detailed licensing information, see:
-- [Microsoft Intune licensing](../../fundamentals/licensing/index.md)
-- [Microsoft Defender for Endpoint licensing](/defender-endpoint/minimum-requirements#licensing-requirements)
+- [Microsoft Intune licensing](../../fundamentals/licensing.md)
+- [Microsoft Defender for Endpoint licensing](/microsoft-365/security/defender-endpoint/minimum-requirements#licensing-requirements)
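Review bot: The Defender for Endpoint link is changed from `/defender-endpoint/minimum-requirements#licensing-requirements` to `/microsoft-365/security/defender-endpoint/minimum-requirements#licensing-requirements`, which appears to be the older path for that content set and, if it still resolves, likely does so only through a redirect. The rest of this commit replaces redirect-dependent licensing links with their current targets, so this edit seems to go in the opposite direction; please confirm which path is canonical before merging and keep the current one.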
### Role-based access control
diff --git a/intune/device-configuration/endpoint-security/ref-endpoint-protection-settings-windows.md b/intune/device-configuration/endpoint-security/ref-endpoint-protection-settings-windows.md
index 1b5cf1078de..d4e7ea6848f 100644
--- a/intune/device-configuration/endpoint-security/ref-endpoint-protection-settings-windows.md
+++ b/intune/device-configuration/endpoint-security/ref-endpoint-protection-settings-windows.md
@@ -1165,7 +1165,7 @@ Block end-user access to the various areas of the Microsoft Defender Security Ce
- **Tamper Protection**
**Default**: Not configured
- Turn Tamper Protection on or off on devices. To use Tamper Protection, you must [integrate Microsoft Defender for Endpoint with Intune](../../device-security/microsoft-defender/overview.md), and have [Enterprise Mobility + Security E5 Licenses](../../fundamentals/licensing/index.md).
+ Turn Tamper Protection on or off on devices. To use Tamper Protection, you must [integrate Microsoft Defender for Endpoint with Intune](../../device-security/microsoft-defender/overview.md), and have [Enterprise Mobility + Security E5 Licenses](../../fundamentals/licensing.md).
- **Not configured** - No change is made to device settings.
- **Enabled** - Tamper Protection is turned on and restrictions are enforced on devices.
- **Disabled** - Tamper Protection is turned off and restrictions aren't enforced.
diff --git a/intune/device-configuration/settings-catalog/configure-platform-sso-macos.md b/intune/device-configuration/settings-catalog/configure-platform-sso-macos.md
index 474c076194d..a35190d0eeb 100644
--- a/intune/device-configuration/settings-catalog/configure-platform-sso-macos.md
+++ b/intune/device-configuration/settings-catalog/configure-platform-sso-macos.md
@@ -34,7 +34,7 @@ Some benefits of Platform SSO include:
- It helps minimize the number of times users need to enter their Microsoft Entra ID credentials.
- It helps reduce the number of passwords users need to remember.
- You get the benefits of Microsoft Entra join, which allows any organization user to sign into the device.
-- It's included with all [Microsoft Intune licensing plans](../../fundamentals/licensing/index.md).
+- It's included with all [Microsoft Intune licensing plans](../../fundamentals/licensing.md).
## How Platform SSO works
diff --git a/intune/device-configuration/settings-catalog/configure-universal-print.md b/intune/device-configuration/settings-catalog/configure-universal-print.md
index 8579f3cb918..b6cd8952366 100644
--- a/intune/device-configuration/settings-catalog/configure-universal-print.md
+++ b/intune/device-configuration/settings-catalog/configure-universal-print.md
@@ -34,7 +34,7 @@ This article shows you how to create a Universal Print policy in Microsoft Intun
:::column span="3":::
> To use this feature, you need the following subscriptions:
> - **Universal Print**: For more specific information, go to [License Universal Print](/universal-print/fundamentals/universal-print-license).
-> - **Microsoft Intune**: For more specific information, go to [Microsoft Intune licensing](../../fundamentals/licensing/index.md).
+> - **Microsoft Intune**: For more specific information, go to [Microsoft Intune licensing](../../fundamentals/licensing.md).
:::column-end:::
:::row-end:::
diff --git a/intune/device-configuration/settings-catalog/tutorial-group-policy-migration.md b/intune/device-configuration/settings-catalog/tutorial-group-policy-migration.md
index 79e08831654..8283121c19b 100644
--- a/intune/device-configuration/settings-catalog/tutorial-group-policy-migration.md
+++ b/intune/device-configuration/settings-catalog/tutorial-group-policy-migration.md
@@ -1,7 +1,7 @@
---
title: Walkthrough-Create a settings catalog policy
description: This tutorial or walkthrough steps through creating and comparing an on-premises Administrative Templates (ADMX) Group Policy and Microsoft Intune cloud-based settings catalog policy. It shows similar settings in on-premises and the Intune settings catalog to create and manage policies for Office, Windows, and Microsoft Edge on Windows 10/11 client devices.
-ms.date: 08/21/2025
+ms.date: 05/19/2026
ms.topic: tutorial
ms.reviewer: mayurjadhav
ms.collection:
@@ -174,6 +174,8 @@ In these next steps, you create security groups, and add users to these groups.
- [Understand and manage dynamic group processing in Microsoft Entra ID](/entra/identity/users/manage-dynamic-group)
- [Manage rules for dynamic membership groups in Microsoft Entra ID](/entra/identity/users/groups-dynamic-membership)
+- For Intune-only device targeting based on properties like OS type or manufacturer, consider using [assignment filters](../../fundamentals/filters/overview.md) instead of dynamic device groups. Filters evaluate at check-in without depending on group membership processing, and can simplify your targeting architecture. Dynamic groups remain necessary for cross-workload scenarios (Conditional Access, licensing) and user-based grouping. For more information, go to [Performance recommendations for grouping, targeting, and filtering in large Microsoft Intune environments](../../fundamentals/filters/performance-recommendations.md).
+
- Your Microsoft Entra ID license can include other services that are commonly used when managing apps and devices, including [multifactor authentication (MFA)](/entra/identity/authentication/concept-mfa-howitworks) and [Conditional Access](/entra/identity/conditional-access/overview).
- Many administrators ask when to use user groups and when to use device groups. For some guidance, go to [User groups vs. device groups](../../device-configuration/assign-device-profile.md#user-groups-vs-device-groups).
diff --git a/intune/device-configuration/settings-catalog/update-office.md b/intune/device-configuration/settings-catalog/update-office.md
index 3fd90058459..4169d66448b 100644
--- a/intune/device-configuration/settings-catalog/update-office.md
+++ b/intune/device-configuration/settings-catalog/update-office.md
@@ -28,7 +28,7 @@ This feature applies to:
[!INCLUDE [licensing](../../includes/requirements/licensing.md)]
:::column-end:::
:::column span="3":::
-> Requires Microsoft Intune and a Microsoft 365 subscription. For more information on Intune licensing, see [Microsoft Intune licensing](../../fundamentals/licensing/index.md).
+> Requires Microsoft Intune and a Microsoft 365 subscription. For more information on Intune licensing, see [Microsoft Intune licensing](../../fundamentals/licensing.md).
:::column-end:::
:::row-end:::
diff --git a/intune/device-configuration/settings-insight.md b/intune/device-configuration/settings-insight.md
index a1f39fd7fc4..666de042443 100644
--- a/intune/device-configuration/settings-insight.md
+++ b/intune/device-configuration/settings-insight.md
@@ -36,7 +36,7 @@ Settings insight is informational. You remain responsible for evaluating each se
## Prerequisites
-- **Licensing/Subscriptions**: You must have a Microsoft Intune Plan 1 license to use Settings insight. For more information, see [Licenses available for Microsoft Intune](../fundamentals/licensing/index.md).
+- **Licensing/Subscriptions**: You must have a Microsoft Intune Plan 1 license to use Settings insight. For more information, see [Licenses available for Microsoft Intune](../fundamentals/licensing.md).
- **Permissions**: Endpoint Security Administrators can create a profile using Baselines.
To learn more about this Intune built-in role, see [Role-based access control (RBAC) with Intune](../fundamentals/role-based-access-control/overview.md) and [Built-in role permissions for Intune](../fundamentals/role-based-access-control/ref-built-in-roles.md).
diff --git a/intune/device-configuration/troubleshoot-device-profiles.md b/intune/device-configuration/troubleshoot-device-profiles.md
index 38f87f70d4a..b292720cba1 100644
--- a/intune/device-configuration/troubleshoot-device-profiles.md
+++ b/intune/device-configuration/troubleshoot-device-profiles.md
@@ -1,7 +1,7 @@
---
title: Questions with policies and profiles in Microsoft Intune
description: Common questions, answers, and scenarios with device policies and profiles in Microsoft Intune. Learn more about profile changes not applying to users or devices, how long it takes for new policies to deploy, which settings apply when there are conflicts, what happens when you delete or remove a profile, and more.
-ms.date: 03/26/2026
+ms.date: 05/19/2026
ms.update-cycle: 180-days
ms.topic: troubleshooting
ms.reviewer:
@@ -160,13 +160,17 @@ To learn more about the version and edition requirements for the different setti
## When devices enroll, there's a delay in applying apps and policies assigned to dynamic device groups
-During enrollment, you can use Microsoft Entra dynamic device groups. For example, you can create a dynamic device group based on a device's name or enrollment profile.
+During enrollment, you can use Microsoft Entra dynamic device groups to target apps and policies. For example, you can create a dynamic device group based on a device's name or enrollment profile.
-The enrollment profile is applied to the device record during initial device setup. Microsoft Entra dynamic grouping isn't instant. The device might not be in the dynamic group for some time, possibly minutes to hours depending on other changes being made in your tenant.
+Dynamic group membership requires additional processing after a device enrolls. Until the device is added to the group, apps and policies assigned to that group aren't delivered. The policies might not apply until the next scheduled check-in.
-If the device isn't added to the group, then your apps and policies aren't assigned to the device during the initial Intune check-in. The policies might not apply until the next scheduled check-in.
+If fast delivery of apps and policies is important to your enrollment scenario, consider these alternatives:
-If fast delivery of apps and policies is important to your setup/enrollment scenario, then assign your apps and policies to user groups, not dynamic device groups. User groups are pre-populated with members before device setup and don't have this delay.
+- **User groups** — Assign apps and policies to user groups instead of dynamic device groups. User groups are pre-populated with members before device setup and don't depend on post-enrollment group membership processing.
+
+- **Assignment filters** — Use [assignment filters](../fundamentals/filters/overview.md) to target devices based on properties like OS type, manufacturer, or enrollment profile. Filters evaluate directly at device check-in without depending on group membership processing. Apply filters to broad groups like *All devices* for fast, predictable policy delivery during enrollment.
+
+- **Enrollment time grouping** — If you need to keep using device groups for enrollment targeting, [enrollment time grouping](../device-enrollment/setup-time-grouping.md) adds devices to a security group during enrollment rather than after, so apps and policies assigned to that group are delivered on the first check-in.
For more information on dynamic groups, go to:
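Review bot: The rewritten second paragraph drops the only expectation-setting detail the removed text carried, that the wait can be "minutes to hours depending on other changes being made in your tenant", so a reader who lands on this troubleshooting section no longer learns how long "additional processing" may take. Consider keeping an approximate range, e.g. `Dynamic group membership requires additional processing after a device enrolls, which can take minutes to hours depending on other changes in your tenant.` The *Assignment filters* bullet tells readers to apply filters to *All devices*; because that virtual group has no membership boundary, the filter rule becomes the only thing scoping the policy, so a caveat such as `Review the filter rule carefully before assigning at this scope, because an overly broad include rule reaches every enrolled device.` would help readers avoid over-scoping. The enrollment time grouping bullet links a relative path I can't verify from this diff (`../device-enrollment/setup-time-grouping.md`), so please confirm it resolves.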
diff --git a/intune/device-enrollment/android/guide.md b/intune/device-enrollment/android/guide.md
index e956dc4f5e5..7a457e6b765 100644
--- a/intune/device-enrollment/android/guide.md
+++ b/intune/device-enrollment/android/guide.md
@@ -27,9 +27,6 @@ There's also a visual guide of the different enrollment options for each platfor
[](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.pdf) [Download PDF version](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.pdf) | [Download Visio version](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.vsdx)
-> [!TIP]
-> [!INCLUDE [tips-guidance-plan-deploy-guides](../includes/tips-guidance-plan-deploy-guides.md)]
-
## Before you begin
For a list of all the Intune-specific prerequisites and configurations needed to prepare your tenant for enrollment, go to [Enrollment guide: Microsoft Intune enrollment](../guide.md).
diff --git a/intune/device-enrollment/android/setup-aosp-corporate-user-associated.md b/intune/device-enrollment/android/setup-aosp-corporate-user-associated.md
index e1e40ffd1e2..5877abd12dd 100644
--- a/intune/device-enrollment/android/setup-aosp-corporate-user-associated.md
+++ b/intune/device-enrollment/android/setup-aosp-corporate-user-associated.md
@@ -44,7 +44,7 @@ This article describes how to set up Android (AOSP) device management and enroll
:::column-end:::
:::column span="3":::
-> Assign valid licenses to all specialized device users. For more information, see [Microsoft Intune licensing](../../fundamentals/licensing/index.md) and [Managing specialty devices with Microsoft Intune](../../device-management/specialty-devices.md).
+> Assign valid licenses to all specialized device users. For more information, see [Microsoft Intune licensing](../../fundamentals/licensing.md) and [Managing specialty devices with Microsoft Intune](../../device-management/specialty-devices.md).
:::column-end:::
:::row-end:::
diff --git a/intune/device-enrollment/android/setup-aosp-corporate-userless.md b/intune/device-enrollment/android/setup-aosp-corporate-userless.md
index ffa10eeb177..217acee4df6 100644
--- a/intune/device-enrollment/android/setup-aosp-corporate-userless.md
+++ b/intune/device-enrollment/android/setup-aosp-corporate-userless.md
@@ -50,7 +50,7 @@ Devices are configured in [Microsoft Entra shared device mode](/azure/active-dir
:::column-end:::
:::column span="3":::
-> Assign valid licenses to all specialized device users. For more information, see [Microsoft Intune licensing](../../fundamentals/licensing/index.md) and [Managing specialty devices with Microsoft Intune](../../device-management/specialty-devices.md).
+> Assign valid licenses to all specialized device users. For more information, see [Microsoft Intune licensing](../../fundamentals/licensing.md) and [Managing specialty devices with Microsoft Intune](../../device-management/specialty-devices.md).
:::column-end:::
:::row-end:::
diff --git a/intune/device-enrollment/android/setup-fully-managed.md b/intune/device-enrollment/android/setup-fully-managed.md
index e993827ad64..376fe747653 100644
--- a/intune/device-enrollment/android/setup-fully-managed.md
+++ b/intune/device-enrollment/android/setup-fully-managed.md
@@ -1,7 +1,7 @@
---
title: Set up enrollment for Android Enterprise fully managed devices
description: Set up enrollment in Intune for devices using the Android Enterprise fully managed device management solution.
-ms.date: 05/08/2025
+ms.date: 05/19/2026
ms.topic: how-to
ms.reviewer: grwilso
ms.collection:
@@ -151,6 +151,9 @@ To review, make changes, or delete the profile:
## Step 3: Create dynamic Microsoft Entra group
Optionally, create a dynamic Microsoft Entra group to automatically group devices based on a certain attribute or variable. In this case, we want to use the `enrollmentProfileName` property to group devices that are enrolling with the same profile.
+> [!NOTE]
+> Dynamic groups based on `enrollmentProfileName` are useful when you need group membership for cross-workload scenarios (like Conditional Access or group-based licensing). If your goal is only to target Intune policies and apps to devices with specific properties, consider using [assignment filters](../../fundamentals/filters/overview.md) instead. Filters evaluate at check-in without depending on group membership processing.
+
Add these configurations to your group:
* **Group type**: Security
diff --git a/intune/device-enrollment/apple/enable-supervised-mode.md b/intune/device-enrollment/apple/enable-supervised-mode.md
index 511213d5c65..f748c4613fb 100644
--- a/intune/device-enrollment/apple/enable-supervised-mode.md
+++ b/intune/device-enrollment/apple/enable-supervised-mode.md
@@ -30,4 +30,4 @@ Users are notified that their devices are supervised in the **Settings** app. In
## Next steps
-For other device management options, see [What is Microsoft Intune device management?](../../fundamentals/what-is-device-management.md)
+For other device management options, see [What is Microsoft Intune?](../../fundamentals/what-is-intune.md)
diff --git a/intune/device-enrollment/apple/guide-ios-ipados.md b/intune/device-enrollment/apple/guide-ios-ipados.md
index ff0eba09654..f101e14fe45 100644
--- a/intune/device-enrollment/apple/guide-ios-ipados.md
+++ b/intune/device-enrollment/apple/guide-ios-ipados.md
@@ -32,8 +32,7 @@ There's also a visual guide of the different enrollment options for each platfor
> [!TIP]
>
-> - [!INCLUDE [tips-guidance-plan-deploy-guides](../includes/tips-guidance-plan-deploy-guides.md)]
-> - For a customized experience based on your environment, you can access the [Manage and secure iOS and iPadOS devices guide](https://go.microsoft.com/fwlink/?linkid=2313884) in the [Microsoft 365 admin center](https://admin.microsoft.com).
+> For a customized experience based on your environment, you can access the [Manage and secure iOS and iPadOS devices guide](https://go.microsoft.com/fwlink/?linkid=2313884) in the [Microsoft 365 admin center](https://admin.microsoft.com).
## Before you begin
diff --git a/intune/device-enrollment/apple/guide-macos.md b/intune/device-enrollment/apple/guide-macos.md
index 5b2ab906529..21e4bf74fab 100644
--- a/intune/device-enrollment/apple/guide-macos.md
+++ b/intune/device-enrollment/apple/guide-macos.md
@@ -3,7 +3,7 @@ title: macOS device enrollment guide for Microsoft Intune
description: Enroll macOS devices using device enrollment, automated device enrollment (DEP), and Apple Configurator enrollment options in Microsoft Intune. Decide which enrollment method to use, and get an overview of the administrator and end user tasks to enroll devices.
author: MandiOhlinger
ms.author: mandia
-ms.date: 06/09/2025
+ms.date: 05/19/2026
ms.topic: article
ms.reviewer: auherrin, dregan, annovich
ms.collection:
@@ -30,9 +30,6 @@ There's also a visual guide of the different enrollment options for each platfor
[](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.pdf) [Download PDF version](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.pdf) | [Download Visio version](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.vsdx)
-> [!TIP]
-> [!INCLUDE [tips-guidance-plan-deploy-guides](../includes/tips-guidance-plan-deploy-guides.md)]
-
## Before you begin
For all Intune-specific prerequisites and configurations needed to prepare your tenant for enrollment, go to [Enrollment guide: Microsoft Intune enrollment](../guide.md).
@@ -79,6 +76,9 @@ Your users must do the following steps. For more specific information on the end
The Company Portal app detects the installation of the management profile and automatically registers the device, unless it is manually closed by the user. The user must reopen the app to complete device registration. If you're using dynamic groups, which rely on device registration, it's important for users to return to the app and register. Plan to communicate these steps to end users. If you're using Conditional Access (CA) policies, no action is required because any CA-protected app users try to sign into will prompt them to return to Company Portal to complete device registration.
+> [!TIP]
+> If you're using dynamic device groups only for Intune policy and app targeting (not Conditional Access or licensing), consider using [assignment filters](../../fundamentals/filters/overview.md) instead. Filters evaluate at check-in without depending on device registration or group membership processing, which can simplify enrollment workflows.
+
[!INCLUDE [users-dont-like-enroll](../includes/users-dont-like-enroll.md)]
## Automated Device Enrollment (ADE) (supervised)
diff --git a/intune/device-enrollment/apple/manage-devices-tokens-apple.md b/intune/device-enrollment/apple/manage-devices-tokens-apple.md
index 6d132404701..c6588357580 100644
--- a/intune/device-enrollment/apple/manage-devices-tokens-apple.md
+++ b/intune/device-enrollment/apple/manage-devices-tokens-apple.md
@@ -112,7 +112,7 @@ If you exceed 200,000 devices per token, you might experience sync problems. Spl
## Distribute devices
-Users on devices enrolled with user affinity must have an Intune license assigned. Devices enrolled without user affinity need an Intune device license, unless an Intune-licensed user is associated with the device. For more information, see [Microsoft Intune licensing](../../fundamentals/licensing/index.md) and the [Intune planning guide](../../intune-service/fundamentals/intune-planning-guide.md).
+Users on devices enrolled with user affinity must have an Intune license assigned. Devices enrolled without user affinity need an Intune device license, unless an Intune-licensed user is associated with the device. For more information, see [Microsoft Intune licensing](../../fundamentals/licensing.md) and the [Intune planning guide](../../intune-service/fundamentals/intune-planning-guide.md).
A device that is already activated needs to be wiped before it can enroll with automated device enrollment. After you wipe it but before activating it again, you can apply the enrollment policy. For more information, see [Set up an existing iPhone, iPad, or iPod touch](https://support.apple.com/en-us/HT207516) (opens Apple support site).
diff --git a/intune/device-enrollment/apple/overview-automated-enrollment-apple.md b/intune/device-enrollment/apple/overview-automated-enrollment-apple.md
index 57eb5bfc15d..1eeeab2ed4f 100644
--- a/intune/device-enrollment/apple/overview-automated-enrollment-apple.md
+++ b/intune/device-enrollment/apple/overview-automated-enrollment-apple.md
@@ -44,7 +44,7 @@ For macOS information, see [Overview of Apple Automated Device Enrollment for ma
| Userless devices (kiosk, shared-use) | ✅ Supported on all Apple mobile platforms. |
| Microsoft Entra shared device mode | ✅ Supported on iOS/iPadOS for frontline worker scenarios. |
| Apple Shared iPad | ✅ Supported on iPadOS. |
-| BYOD or personal devices | ❌ Not supported. Use [MAM](../../intune-service/fundamentals/deployment-guide-enrollment-mamwe.md) or [user and device enrollment](setup-user-company-portal.md) instead. |
+| BYOD or personal devices | ❌ Not supported. Use [MAM](../../app-management/protection/mam-without-enrollment.md) or [user and device enrollment](setup-user-company-portal.md) instead. |
| Device enrollment manager (DEM) accounts | ❌ Not supported. |
| Devices managed by another MDM provider | ❌ Users must unenroll from their current MDM provider before enrolling in Intune. For help migrating devices, see [Apple making device migration to Microsoft Intune easy with upcoming OS 26 release](https://techcommunity.microsoft.com/blog/IntuneCustomerSuccess/apple-making-device-migration-to-microsoft-intune-easy-with-upcoming-os-26-relea/4439895) on the Microsoft Community Hub. |
@@ -85,7 +85,7 @@ You can set up automated device enrollment for devices in [shared device mode](/
Before setting up ADE in Intune, make sure you have the following in place across all platforms:
-* [Microsoft Intune Suite licensing](../../fundamentals/licensing/index.md).
+* [Microsoft Intune Suite licensing](../../fundamentals/licensing.md).
- Microsoft Intune Plan 2 is required for tvOS and visionOS device management.
- Microsoft Intune Plan 1 is the minimum requirement for iOS/iPadOS device management.
* Access to [Apple Business](https://business.apple.com/) or [Apple School Manager](https://school.apple.com/).
diff --git a/intune/device-enrollment/apple/setup-direct-macos.md b/intune/device-enrollment/apple/setup-direct-macos.md
index 2f903abf846..031972ee023 100644
--- a/intune/device-enrollment/apple/setup-direct-macos.md
+++ b/intune/device-enrollment/apple/setup-direct-macos.md
@@ -129,5 +129,5 @@ Start managing enrolled devices in the Microsoft Intune admin center.
- [Tutorial - Walkthrough the Microsoft Intune admin center](../../fundamentals/tutorial-admin-center-walkthrough.md)
- [Remote Device Actions In Microsoft Intune](../../device-management/actions/index.md)
-- [Use Intune Suite add-on capabilities](../../fundamentals/add-ons.md)
+- [Microsoft Intune advanced capabilities](../../fundamentals/advanced-capabilities.md)
diff --git a/intune/device-enrollment/guide.md b/intune/device-enrollment/guide.md
index bd24318147e..a22fcf4f431 100644
--- a/intune/device-enrollment/guide.md
+++ b/intune/device-enrollment/guide.md
@@ -35,9 +35,6 @@ Enrollment is enabled for all platforms by default, but you can restrict specifi
This article describes the supported device scenarios and enrollment prerequisites, has information about using other MDM providers, and includes links to platform-specific enrollment guidance.
-> [!TIP]
-> [!INCLUDE [tips-guidance-plan-deploy-guides](includes/tips-guidance-plan-deploy-guides.md)]
-
## Supported device scenarios
Microsoft Intune enables mobile device management for:
@@ -67,7 +64,7 @@ Microsoft Intune automatically marks devices that meet certain criteria as corpo
- Intune is set up, and ready to enroll users and devices. Be sure:
- The [MDM Authority](../fundamentals/setup-mdm-authority.md) is set to Intune, even when using [co-management](../configmgr/comanage/overview.md) with Intune + Configuration Manager.
- - [Intune licenses are assigned](../fundamentals/licensing/assign-licenses.md).
+ - [Intune licenses are assigned](../fundamentals/assign-licenses.md).
For more information, go to the [Intune setup deployment guide](../fundamentals/setup-migration.md).
diff --git a/intune/device-enrollment/includes/tips-guidance-plan-deploy-guides.md b/intune/device-enrollment/includes/tips-guidance-plan-deploy-guides.md
deleted file mode 100644
index c605dce80bf..00000000000
--- a/intune/device-enrollment/includes/tips-guidance-plan-deploy-guides.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-author: MandiOhlinger
-ms.topic: include
-ms.date: 10/26/2020
-ms.author: mandia
----
-
-
-
-This guide is a living thing. So, be sure to add or update existing tips and guidance you've found helpful.
diff --git a/intune/device-enrollment/windows/enable-automatic-mdm.md b/intune/device-enrollment/windows/enable-automatic-mdm.md
index e9700716730..2ca5c3e9151 100644
--- a/intune/device-enrollment/windows/enable-automatic-mdm.md
+++ b/intune/device-enrollment/windows/enable-automatic-mdm.md
@@ -109,7 +109,7 @@ The Microsoft Intune user help docs provide conceptual information, tutorials, a
Users on personal devices running Windows can automatically enroll by adding their work or school account on their device, or by using the Intune Company Portal app. Devices running earlier versions of Windows must enroll using the Intune Company Portal app. For more information, see [Enroll Windows devices](../../user-help/enrollment/enroll-windows.md).
-Intune also supports unlicensed admin access, which lets administrators sign in to the Intune admin center without an Intune license. Tenants created after July 2021 have this enabled by default. For more information, see [Unlicensed admins](../../fundamentals/licensing/unlicensed-admins.md).
+Intune also supports unlicensed admin access, which lets administrators sign in to the Intune admin center without an Intune license. Tenants created after July 2021 have this enabled by default. For more information, see [Unlicensed admins](../../fundamentals/licensing.md#unlicensed-admin-access).
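Review bot: The new link targets the anchor `#unlicensed-admin-access` on `licensing.md`, but nothing in the portion of the diff I can see shows that heading exists in the consolidated licensing page. A missing anchor doesn't fail the docs build; it silently lands the reader at the top of the page, so please confirm the heading slug matches, and if the old `licensing/unlicensed-admins.md` article is being removed, that a redirection entry for it is part of this change.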
## Best practices and troubleshooting
diff --git a/intune/device-enrollment/windows/guide.md b/intune/device-enrollment/windows/guide.md
index 0a19c666e4a..73cc5c43fb3 100644
--- a/intune/device-enrollment/windows/guide.md
+++ b/intune/device-enrollment/windows/guide.md
@@ -27,9 +27,6 @@ There's also a visual guide of the different enrollment options for each platfor
[](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.pdf) [Download PDF version](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.pdf) | [Download Visio version](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.vsdx)
-> [!TIP]
-> [!INCLUDE [tips-guidance-plan-deploy-guides](../includes/tips-guidance-plan-deploy-guides.md)]
-
## Before you begin
- For all Intune-specific prerequisites and configurations needed to prepare your tenant for enrollment, go to [Enrollment guide: Microsoft Intune enrollment](../guide.md).
diff --git a/intune/device-management/create-device-categories.md b/intune/device-management/create-device-categories.md
index bec078b8e7b..623fc8951fd 100644
--- a/intune/device-management/create-device-categories.md
+++ b/intune/device-management/create-device-categories.md
@@ -1,11 +1,11 @@
---
title: Categorize devices into groups in Intune
description: Categorize Intune-managed devices into groups for easier management in the admin center.
-ms.date: 09/16/2025
+ms.date: 05/19/2026
ms.topic: how-to
author: paolomatarazzo
ms.author: paoloma
-ms.reviewer: scotduff
+ms.reviewer: mattcall
ms.collection:
- M365-identity-device-management
---
@@ -54,6 +54,9 @@ To enable automatic grouping, you must create a dynamic group using attribute-ba
For example, to create a rule that automatically groups devices belonging in the HR category, use the following rule syntax: `device.deviceCategory -eq "HR"`
+> [!TIP]
+> If you only use device category groups for Intune policy and app targeting, you can use [assignment filters](../fundamentals/filters/overview.md) with the `deviceCategory` property instead of creating dynamic groups. Filters evaluate at check-in without depending on group membership processing. Dynamic groups remain necessary if the category groups are also used for Conditional Access, licensing, or other cross-workload scenarios.
+
## View categories of all devices
To view the device category assigned to each device, go to **Devices** > **All devices**.
The category is listed in the **Device category** column. To add the column to your table, select **Columns**, and then choose **Category** > **Apply**.
diff --git a/intune/device-management/specialty-devices.md b/intune/device-management/specialty-devices.md
index e99650e8826..82694fef830 100644
--- a/intune/device-management/specialty-devices.md
+++ b/intune/device-management/specialty-devices.md
@@ -3,7 +3,7 @@ title: Manage Specialty devices with Microsoft Intune
description: This article provides information about specialty devices and how can you manage them with Microsoft Intune
author: lenewsad
ms.author: lanewsad
-ms.date: 08/01/2024
+ms.date: 05/12/2026
ms.topic: article
ms.reviewer: priyar
ms.subservice: suite
@@ -11,30 +11,46 @@ ms.collection:
- M365-identity-device-management
---
-# Managing specialty devices with Microsoft Intune
+# Specialty device management
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
+Specialty device management provides a range of management, configuration, and protection capabilities for specialized devices, such as AR/VR headsets, large smart-screen devices, and select conference room meeting devices.
-Specialty device management with Microsoft Intune provides a range of management, configuration, and protection capabilities for specialized devices, such as AR/VR headsets, large smart-screen devices, and select conference room meeting devices. To use these advanced endpoint management capabilities and remain compliant with the licensing terms of Microsoft agreements, organizations will need a new license or promotional offer in addition to their plan that includes Microsoft Intune, starting from March 1, 2023.
+## Prerequisites
-Either a Microsoft Intune Suite, Intune Plan 2 or an alternative Microsoft plan or promotion that covers device licenses is required for users of these devices. The new Intune plans are based on a per user per month subscription model and are required to cover all the users of these specialty devices.
+:::row:::
+:::column span="1":::
+[!INCLUDE [licensing](../includes/requirements/licensing.md)]
-For specialty devices such as headsets and AR/VR devices, for example **RealWear** and **HTC** devices, organizations need to purchase either the Microsoft Intune Suite or Intune Plan 2 for the users of these devices when they're considered generally available.
+:::column-end:::
+:::column span="3":::
-For **Microsoft Teams Rooms** devices including Microsoft Surface Hub, organizations need to have sufficient [Microsoft Teams Rooms Pro licenses](/microsoftteams/rooms/rooms-licensing), conference area phone [Teams Shared Device license](/microsoftteams/set-up-common-area-phones) or a Teams license plan that includes Microsoft Intune Plan 1, to cover the users of these devices.
+>[!INCLUDE [additional-licensing-plan2](../includes/licensing/additional-licensing-plan2.md)]
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [cloud](../includes/requirements/cloud.md)]
-For **Microsoft HoloLens**, subscribers of Microsoft Intune (Plan 1) aren't required to proactively add the Intune Plan 2 license. Microsoft is exploring ways to use their Microsoft 365 subscription that includes Intune to ensure licensing compliance. In the interim, there won't be any disruption to their ability to manage and protect HoloLens devices.
+:::column-end:::
+:::column span="3":::
+> Specialty device management is supported in the following cloud environments:
+> - Public cloud
+> - Sovereign cloud environments:
+> - U.S. Government Community Cloud (GCC) High
+> - U.S. Department of Defense (DoD)
+:::column-end:::
+:::row-end:::
-For specialty devices that run in Microsoft Entra shared device Mode (SDM), organizations need to have the same volume of Intune Suite or Intune Plan 2 licenses as their core Intune license (Intune Plan 1 for either Microsoft E or F plans) for those users. For example, if 10 frontline workers are sharing one device and they're all covered by Intune Plan 1 core licenses, the organization should also have 10 Intune Plan 2 licenses.
+### Licensing considerations
-## Government cloud support
+For specialty devices such as headsets and AR/VR devices, for example **Apple Vision Pro**, **RealWear**, and **HTC** devices, organizations must assign a required license to the users of these devices.
-Specialty device management is supported with the following sovereign cloud environments:
+For **Microsoft Teams Rooms** devices including Microsoft Surface Hub, organizations need to have sufficient [Microsoft Teams Rooms Pro licenses](/microsoftteams/rooms/rooms-licensing), conference area phone [Teams Shared Device license](/microsoftteams/set-up-common-area-phones) or a Teams license plan that includes Microsoft Intune Plan 1, to cover the users of these devices.
-- U.S. Government Community Cloud (GCC) High
-- U.S. Department of Defense (DoD)
+For **Microsoft HoloLens**, subscribers of Microsoft Intune (Plan 1) aren't required to add more licenses to manage HoloLens devices.
-For more information, see [Microsoft Intune for US Government GCC service description](../fundamentals/government-service.md).
+For specialty devices that run in Microsoft Entra shared device Mode (SDM), organizations need to have the same volume of required licenses as their core Intune license (Intune Plan 1 for either Microsoft E or F plans) for those users. For example, if 10 frontline workers are sharing one device and they're all covered by Intune Plan 1 core licenses, the organization should also have 10 of the required specialty device licenses to cover those users.
## Next Steps
diff --git a/intune/device-management/tools/setup-servicenow.md b/intune/device-management/tools/setup-servicenow.md
index 00080b362c6..84af7860abc 100644
--- a/intune/device-management/tools/setup-servicenow.md
+++ b/intune/device-management/tools/setup-servicenow.md
@@ -12,7 +12,7 @@ ms.collection:
---
# ServiceNow Integration with Microsoft Intune
-Remote Help, an add-on to Microsoft Intune, provides a secure cloud based remote assistance solution for Windows commercial users. The integration between Intune and ServiceNow makes it possible for helpdesk agents to use Intune to troubleshoot endpoint related issues.
+Remote Help provides a secure cloud based remote assistance solution for Windows commercial users. The integration between Intune and ServiceNow makes it possible for helpdesk agents to use Intune to troubleshoot endpoint related issues.
Support organizations need all the tools at their disposal to resolve workers' technology issues quickly and efficiently. With ServiceNow integration, helpdesk agents licensed to use Remote Help and who use ServiceNow can view incidents to see the details of the tech issue that an employee is facing. This integration allows helpdesk agents to view ServiceNow incidents directly from the Troubleshooting pane in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
@@ -28,7 +28,7 @@ The Intune ServiceNow Connector Integration focuses on creating a basic ticketin
To get started, review the following steps:
-- ServiceNow integration is now Generally Available. An active Intune Suite or Remote Help trial or add-on license is required. Go to [Remote Help trial or add-on license.](../../fundamentals/add-ons.md)
+- ServiceNow integration is now Generally Available. An active Remote Help license or trial is required. For more information, see [Microsoft Intune advanced capabilities](../../fundamentals/advanced-capabilities.md).
- You must have the Microsoft Entra Intune Admin role to make updates to the connector. To view the incidents, you must have the Microsoft Entra Intune Admin role or have an Intune Role with the Organization | Read permission. Admins that aren't assigned the Microsoft Entra role, need one of these two permissions to either modify the connector or view incidents respectively; **Update Connector** and **View Incidents**. These permissions are part of the ServiceNow permission category. For information on roles, see [Role-based administration control with Intune](../../fundamentals/role-based-access-control/overview.md)
diff --git a/intune/device-management/tools/setup-teamviewer.md b/intune/device-management/tools/setup-teamviewer.md
index da346579090..057fc55a3c8 100644
--- a/intune/device-management/tools/setup-teamviewer.md
+++ b/intune/device-management/tools/setup-teamviewer.md
@@ -47,7 +47,7 @@ Before you configure the TeamViewer connector in Intune, make sure these require
[!INCLUDE [licensing](../../includes/requirements/licensing.md)]
:::column-end:::
:::column span="3":::
-> - The administrator configuring the TeamViewer connector must have a Microsoft Intune license. You can give administrators access to Intune without them requiring an Intune license. For more information, see [Unlicensed admins](../../fundamentals/licensing/unlicensed-admins.md).
+> - The administrator configuring the TeamViewer connector must have a Microsoft Intune license. You can give administrators access to Intune without them requiring an Intune license. For more information, see [Unlicensed admins](../../fundamentals/licensing.md#unlicensed-admin-access).
> - A TeamViewer account and license is required. Visit the [TeamViewer integration docs](https://www.teamviewer.com/en/integrations/microsoft-intune/) (opens the TeamViewer website) or contact the TeamViewer sales team for more information about account setup and required licenses.
:::column-end:::
:::row-end:::
diff --git a/intune/device-management/tools/teamviewer-legacy.md b/intune/device-management/tools/teamviewer-legacy.md
index a18dc1ea96d..acd5857c97a 100644
--- a/intune/device-management/tools/teamviewer-legacy.md
+++ b/intune/device-management/tools/teamviewer-legacy.md
@@ -31,7 +31,7 @@ This feature applies to:
## Prerequisites
-- The administrator configuring the TeamViewer connector must have an Intune license. You can give administrators access to Microsoft Intune without them requiring an Intune license. For more information, see [Unlicensed admins](../../fundamentals/licensing/unlicensed-admins.md).
+- The administrator configuring the TeamViewer connector must have an Intune license. You can give administrators access to Microsoft Intune without them requiring an Intune license. For more information, see [Unlicensed admins](../../fundamentals/licensing.md#unlicensed-admin-access).
- Users must be assigned the Remote assistance connectors/Read and Remote assistance connectors/Update permissions in the Intune admin center to onboard TeamViewer. For more information, see [Role-based access control (RBAC) with Microsoft Intune](../../fundamentals/role-based-access-control/overview.md).
diff --git a/intune/device-security/compliance/configure-noncompliance-actions.md b/intune/device-security/compliance/configure-noncompliance-actions.md
index 744f0069904..07c68e9ded2 100644
--- a/intune/device-security/compliance/configure-noncompliance-actions.md
+++ b/intune/device-security/compliance/configure-noncompliance-actions.md
@@ -13,28 +13,28 @@ ms.collection:
# Configure actions for noncompliant devices in Intune
-As part of a [compliance policy](./overview.md) that protects your organizations resources from devices that don't meet your security requirements, compliance policies also include **Actions for noncompliance**. Actions for noncompliance are one or more time-ordered actions that are taken by a policy to help protect devices and your organization. As an example, an action for noncompliance can remotely lock a device to ensure it's protected, or send a notification to devices or users to help them understand and resolve the noncompliant status.
+Compliance policies can include *actions for noncompliance*, which are steps the policy takes on a schedule when it detects a device isn't meeting your security requirements. For example, a policy can remotely lock a noncompliant device to help protect it, or send a notification to users so they can understand and resolve the issue.
[!INCLUDE [android_device_administrator_support](../../includes/android-device-administrator-support.md)]
## Overview
-By default, each compliance policy includes the action for noncompliance of **Mark device noncompliant** with a schedule of zero days (**0**). The result of this default is when Intune detects a device isn't compliant, Intune immediately marks the device as noncompliant. After a device is marked as noncompliant, Microsoft Entra [Conditional Access](/azure/active-directory/active-directory-conditional-access-azure-portal) can block the device.
+Each compliance policy includes **Mark device noncompliant** as a built-in default action, scheduled to trigger immediately at zero days. When Intune detects that a device isn't compliant, it marks the device noncompliant right away. Microsoft Entra [Conditional Access](/entra/identity/conditional-access/overview) can then block the device from accessing your organization's resources.
-By configuring **Actions for noncompliance** you gain flexibility to decide what to do about noncompliant devices, and when to do it. For example, you might choose to not block the device immediately, and give the user a grace period to become compliant.
+Adding more actions gives you control over what happens to noncompliant devices, and when. For example, you can give users a grace period to become compliant before blocking their access.
-For each action you set, you can configure a schedule that determines when that action takes effect. The schedule is a number of days after the device is marked as noncompliant. You can also configure multiple instances of an action. When you set multiple instances of an action in a policy, the action runs again at that later scheduled time if the device remains noncompliant.
+For each action you set, you can configure a schedule that determines when that action takes effect. The schedule is based on days after the device is marked noncompliant. You can also add the same action multiple times. If the device remains noncompliant, the action repeats at each scheduled time.
Not all actions are available for all platforms.
- > [!NOTE]
- > The Microsoft Intune admin center displays the _schedule (days after noncompliance)_ in days. However it is possible to specify a more granular interval (hours), using decimal fractions such as 0.25 (6 hours), 0.5 (12 hours), 1.5 (36 hours), and so on. While other values are possible, they can only be configured using [Microsoft Graph](/graph/overview) and not via the admin center. Attempting to use other values in the admin center, such as 0.33 (8 hours) will result in an error when attempting to save the policy.
+> [!NOTE]
+> The **Schedule (days after noncompliance)** field in the admin center accepts whole numbers and decimal values in 0.25 increments. For example, `0.25` equals 6 hours and `0.5` equals 12 hours. To use other decimal values, such as `0.33` (8 hours), configure the schedule using [Microsoft Graph](/graph/overview) instead.
## Available actions for noncompliance
-Following are the available actions for noncompliance:
+The following actions are available for noncompliance:
-- **Mark device non-compliant**: By default, this action is set for each compliance policy and has a schedule of zero (**0**) days, marking devices as noncompliant immediately.
+- **Mark device non-compliant**: This built-in default action is included in every compliance policy, set to zero (**0**) days, so devices are marked noncompliant immediately.
When you change the default schedule, you provide a grace period in which a user can remediate issues or become compliant without being marked as noncompliant.
@@ -42,19 +42,19 @@ Following are the available actions for noncompliance:
- **Send email to end user**: This action sends an email notification to the user. When you enable this action, your options are:
- - Select a *Notification message template* that this action sends. You [Create a notification message template](#create-a-notification-message-template) before you can assign one to this action. When you create the custom notification, you customize the message locale, subject, message body, and can include the company logo, company name, and other contact information.
+ - Select a *Notification message template* that this action sends. You [create a notification message template](#create-a-notification-message-template) before you can assign one to this action. When you create the custom notification, you customize the message locale, subject, message body, and can include the company logo, company name, and other contact information.
- Choose to send the message to more recipients by selecting one or more of your Microsoft Entra groups.
- Intune uses the email address defined in the end user's profile and not their user principal name (UPN). If there's no defined email address defined in the user's profile, then Intune doesn't send a notification email. When the email is sent, Intune includes details about the noncompliant device in the email notification.
+ Intune uses the email address in the end user's profile, not their user principal name (UPN). If no email address is on file, Intune doesn't send the notification. When the email is sent, Intune includes details about the noncompliant device in the email notification.
This action is supported on all platforms supported by Intune.
> [!NOTE]
> Notification emails are sent from microsoft-noreply@microsoft.com.
>
- > Ensure you do not have any mailbox policies that would prevent delivery of emails from these addresses, otherwise end users may not receive the email notification. Compliance notification emails are expected to be sent within 6 hours after a device is marked as non-compliant.
+ > Ensure you don't have any mailbox policies that prevent delivery of emails from these addresses. Otherwise, end users might not receive the email notification. Compliance notification emails are expected to be sent within 6 hours after a device is marked as noncompliant.
-- **Remotely lock the noncompliant device**: Use this action to issue a remote lock of a device. The user is then prompted for a PIN or password to unlock the device. More on the [Remote Lock](../../device-management/actions/remote-lock.md) feature.
+- **Remotely lock the noncompliant device**: Use this action to remotely lock a device. The user is then prompted for a PIN or password to unlock the device. For more information, see [Remote Lock](../../device-management/actions/remote-lock.md).
The following platforms support this action:
- Android device administrator
@@ -64,11 +64,10 @@ Following are the available actions for noncompliance:
- Dedicated
- Corporate-Owned Work Profile
- Personally Owned Work Profile
- - Android Enterprise dedicated devices
- iOS/iPadOS
- macOS
-- **Add device to retire list**: When this action is performed on a device, the device is added to a list of retired, noncompliant devices in the Intune admin center. You can go to **Devices** > **Compliance** and select the **Retire noncompliant devices** tab to view the list. However, the device isn't retired until an administrator explicitly initiates the retirement process. When an admin retires the device from that list, retirement removes all company data off the device and removes that device from Intune management.
+- **Add device to retire list**: When this action is performed on a device, the device is added to a list of retired, noncompliant devices in the Intune admin center. You can go to **Devices** > **Compliance** and select the **Retire noncompliant devices** tab to view the list. However, the device isn't retired until an administrator explicitly initiates the retirement process. When an admin retires the device from that list, retirement removes all company data from the device and removes that device from Intune management.
The following platforms support this action:
- Android device administrator
@@ -83,15 +82,15 @@ Following are the available actions for noncompliance:
- Windows
> [!NOTE]
- > Only devices to which the **Add device to retire list** action has been triggered appear in the **Retire selected devices** tab. To see a list of all devices that are not compliant, see the **Noncompliant devices** report mentioned in [Monitor device compliance policy](./monitor-policy.md#other-compliance-reports).
+ > Only devices to which the **Add device to retire list** action is triggered appear in the **Retire selected devices** tab. To see a list of all devices that aren't compliant, see the **Noncompliant devices** report mentioned in [Monitor device compliance policy](./monitor-policy.md#other-compliance-reports).
- To retire one or more devices from the list, select devices to retire and then select **Retire selected devices**. When you choose an action that retires devices, you're then presented with a dialog box to confirm the action. It's only after confirming the intent to retire the devices that they're cleared of company data and removed from Intune management.
+ To retire one or more devices from the list, select devices to retire and then select **Retire selected devices**. When you choose an action that retires devices, a confirmation dialog appears. It's only after confirming the intent to retire the devices that they're cleared of company data and removed from Intune management.
Other options include *Retire all devices*, *Clear all devices retire state*, and *Clear selected devices retire state*. Clearing the retire state for a device removes the device from the list of devices that can be retired until the action to *Add device to retire list* is applied to that device again.
Learn more about [retiring devices](../../device-management/actions/retire.md).
-- **Send push notification to end user**: Configure this action to send a push notification about noncompliance to a device through the Company Portal app or Intune App on the device.
+- **Send push notification to end user**: Set up this action to send a push notification about noncompliance to a device through the Company Portal app or Intune App on the device.
The following platforms support this action:
- Android device administrator
@@ -102,26 +101,24 @@ Following are the available actions for noncompliance:
- Personally Owned Work Profile
- iOS/iPadOS
- The push notification is sent the first time a device checks in with Intune and is found to be noncompliant to the compliance policy. When a user selects the notification, the Company Portal app or Intune app opens and displays information about why they're noncompliant. The user can then take action to resolve the issue. The message details about noncompliance are generated by Intune and can't be customized.
+ The push notification is sent the first time a device checks in with Intune and is found to be noncompliant with the policy. When a user selects the notification, the Company Portal app or Intune app opens and displays information about why they're noncompliant. The user can then take action to resolve the issue. The message details about noncompliance are generated by Intune and can't be customized.
> [!IMPORTANT]
- > Intune, the Company Portal app, and the Microsoft Intune app, can't guarantee delivery of a push notification. Notifications might show up after several hours of delay, if at all. This includes when users have turned off push notifications.
+ > Intune, the Company Portal app, and the Microsoft Intune app can't guarantee delivery of a push notification. Notifications might show up after several hours of delay, if at all. This limitation includes when users turn off push notifications.
>
- > Do not rely on this notification method for urgent messages.
+ > Don't rely on this notification method for urgent messages.
Each instance of the action sends a notification a single time. To send the same notification again from a policy, configure more instances of the action in that policy, each with a different schedule.
- For example, you might schedule the first action for zero days and then add a second instance of the action set to three days. This delay before the second notification gives the user a few days to resolve the issue, and avoid the second notification.
-
- To avoid spamming users with too many duplicate messages, review and streamline which compliance policies include a push notification for noncompliance, and review the schedules to avoid repeat notifications for the same too often.
+ For example, you might schedule the first action for zero days and then add a second instance of the action set to three days. This delay before the second notification gives the user a few days to resolve the issue and avoid the second notification.
- Consider:
- - For a single policy that includes multiple instances of a push notification set for the same day, only a single notification is sent for that day.
+ To avoid sending users too many duplicate notifications, keep the following points in mind:
- - When multiple compliance policies include the same compliance conditions, and include the push notification action with the same schedule, Intune sends multiple notifications to the same device on the same day.
+ - A single policy with multiple push notifications scheduled for the same day sends only one notification that day.
+ - Multiple policies with the same compliance conditions and the same schedule each send a separate notification, resulting in multiple notifications to the same device on the same day.
> [!NOTE]
-> The following actions for noncompliance are not supported for devices that are managed by a [device compliance management partner](./third-party-partners.md):
+> The following actions for noncompliance aren't supported for devices that are managed by a [device compliance management partner](./third-party-partners.md):
> - Send email to end user
> - Remotely lock the noncompliant device
> - Add device to retire list
@@ -129,11 +126,11 @@ Following are the available actions for noncompliance:
## Before you begin
-You can [add actions for noncompliance](#add-actions-for-noncompliance) when you configure device compliance policy, or later by editing the policy. You can add extra actions to each policy to meet your needs. Keep in mind that each compliance policy automatically includes the default action for noncompliance that marks devices as noncompliant, with a schedule set to zero days.
+You can [add actions for noncompliance](#add-actions-for-noncompliance) when you configure a device compliance policy, or later by editing the policy. Add extra actions to each policy to meet your needs. Keep in mind that each compliance policy automatically includes the default action for noncompliance that marks devices as noncompliant, with a schedule set to zero days.
-To use device compliance policies to block devices from corporate resources, Microsoft Entra Conditional Access must be set up. See [Conditional Access in Microsoft Entra ID](/azure/active-directory/active-directory-conditional-access-azure-portal) or [common ways to use Conditional Access with Intune](../conditional-access-integration/scenarios.md) for guidance.
+To use device compliance policies to block devices from corporate resources, set up Microsoft Entra Conditional Access. For guidance, see [Conditional Access in Microsoft Entra ID](/entra/identity/conditional-access/overview).
-To create a device compliance policy, see the following platform-specific guidance:
+For platform-specific guidance on creating a device compliance policy, see the following articles:
- [Android](./ref-android-administrator-settings.md)
- [Android (AOSP)](./ref-android-aosp-settings.md)
@@ -144,9 +141,9 @@ To create a device compliance policy, see the following platform-specific guidan
## Create a notification message template
-To send email to your users, create a notification message template and associate that to your compliance policy as an action for noncompliance. Then, when a device is noncompliant, the details you enter in the template is shown in the email sent to your users.
+To send email to your users, create a notification message template and associate that template to your compliance policy as an action for noncompliance. When a device is noncompliant, the details you enter in the template show in the email sent to your users.
-A *notification message template* can include multiple messages that are each for a different locale. When you specify multiple messages and locales, noncompliant end users receive the appropriate localized message based on their O365 preferred language.
+A *notification message template* can include multiple messages that are each for a different locale. When you specify multiple messages and locales, noncompliant end users receive the appropriate localized message based on their Microsoft 365 preferred language.
Add variables to the message to create a personalized email with dynamic content. The following table describes the variables you can use in the subject line and body of the message.
@@ -161,9 +158,9 @@ Add variables to the message to create a personalized email with dynamic content
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Endpoint security** > **Device compliance** > **Notifications** > **Create notification**.
-1. On the **Basics** page, give the template a friendly name to help you identify it. Then select **Next**.
+1. On **Basics**, enter a friendly name for the template to help you identify it. Then select **Next**.
-1. On the **Header and footer settings** page, add your company details and logo.
+1. On **Header and footer settings**, add your company details and logo.
> [!div class="mx-imgBorder"]
> 
@@ -176,7 +173,7 @@ Add variables to the message to create a personalized email with dynamic content
Select **Next** to continue.
-1. On the **Notification message templates** page, configure one or more messages. For each message, specify the following details:
+1. On **Notification message templates**, configure one or more messages. For each message, specify the following details:
- **Locale**: Select the language that correlates to the device user's locale.
- **Subject**: Add the subject line for the email. You can enter up to 78 characters.
@@ -186,54 +183,51 @@ Add variables to the message to create a personalized email with dynamic content
To create a template with dynamic content, insert the token of a supported variable in the subject line or message. For a list of supported variables, see the table under [Create a notification message template](#create-a-notification-message-template) in this article.
>[!IMPORTANT]
- > Be sure to only use Intune-supported HTML tags and attributes in the message body. Intune will send messages that contain other types of tags, elements, or styling as plaintext instead of HTML format. This includes messages that contain:
+ > Be sure to only use Intune-supported HTML tags and attributes in the message body. Intune sends messages that contain other types of tags, elements, or styling as plaintext instead of HTML format. This condition includes messages that contain:
> - CSS
> - Tags and attributes not listed in this article
>[!NOTE]
> Intune converts Windows-style new line characters to ` ` HTML tags but ignores all other types of new line characters, including those for macOS and Linux. To ensure line breaks render properly in templates, we recommend using the ` ` tag to indicate the end of a line.
-
1. Select the checkbox for **Is Default** for one of the messages. Intune sends your default message to users that haven't set a preferred language, or when the template doesn't include a specific message for their locale. Only one message can be set as default. To delete a message, select the ellipsis (...) and then **Delete**.
Select **Next** to continue.
-1. On the **Scope tags** page, select tags to limit visibility and management of this message to specific Intune admin groups, such as `US-NC IT Team` or `JohnGlenn_ITDepartment`. For more information about scope tags, see [Use RBAC and scope tags for distributed IT](../../fundamentals/role-based-access-control/scope-tags.md).
+1. On **Scope tags**, select tags to limit visibility and management of this message to specific Intune admin groups, such as `US-NC IT Team` or `JohnGlenn_ITDepartment`. For more information about scope tags, see [Use RBAC and scope tags for distributed IT](../../fundamentals/role-based-access-control/scope-tags.md).
Select **Next** to continue.
-1. On the **Review + create** page, review your configurations to ensure the notification message template is ready to use. Select **Create** to complete creation of the notification.
+1. On **Review + create**, review your configurations to ensure the notification message template is ready to use. Select **Create** to complete creation of the notification.
### View and edit notifications
-Notifications that have been created are available in the *Compliance policies* > *Notifications* page. From the page you can select a notification to view its configuration and:
+You can view notifications that you create in *Compliance policies* > *Notifications*. From this page, select a notification to view its configuration and:
-- Select **Send preview email** to send a preview of the notification email to the account you've used to sign in to Intune.
+- Select **Send preview email** to send a preview of the notification email to the account you used to sign in to Intune.
To successfully send the preview email, your account must have permissions equal to those of the following Microsoft Entra groups or Intune roles: *Intune Administrator* (also known as Intune Service Administrator) or *Policy and Profile Manager*.
- Select **Edit** for *Basics* or *Scope tags* to make a change.
> [!NOTE]
-> The preview email doesn't contain the device variables that are specified in the notification message template.
+> The preview email doesn't contain the device variables that you specify in the notification message template.
## Add actions for noncompliance
-When you create a device compliance policy, Intune automatically creates an action for noncompliance. If a device doesn't meet your compliance policy, this action marks the device as not compliant. You can customize how long the device is marked as not compliant. This action can't be removed.
-
-You can add optional actions when you create a compliance policy, or update an existing policy.
+You can add optional actions when you create a compliance policy, or update an existing policy. The default mark-as-noncompliant action is added automatically and can't be removed, but you can adjust its schedule.
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Go to **Devices** > **Compliance**.
-3. Select a policy, and then select **Properties**.
+1. Go to **Devices** > **Compliance**.
+1. Select a policy, and then select **Properties**.
Don't have a policy yet? Create an [Android](./ref-android-administrator-settings.md), [iOS](./ref-ios-ipados-settings.md), [Windows](./ref-windows-settings.md), or other platform policy.
> [!NOTE]
- > Devices managed by third-party device compliance partners that are targeted with device groups cannot receive compliance actions at this time.
+ > Devices managed by third-party device compliance partners that are targeted with device groups can't receive compliance actions at this time.
-3. Select **Actions for noncompliance** > **Edit**.
+1. Select **Actions for noncompliance** > **Edit**.
-4. Select your **Action**:
+1. Select your **Action**:
- **Send email to end users**: When the device is noncompliant, choose to email the user. Also:
- Choose the **Message template** you previously created
@@ -241,19 +235,19 @@ You can add optional actions when you create a compliance policy, or update an e
- **Remotely lock the noncompliant device**: When the device is noncompliant, lock the device. This action forces the user to enter a PIN or passcode to unlock the device.
- - **Add device to retire list**: When the device is noncompliant, remove all company data off the device and remove the device from Intune management.
+ - **Add device to retire list**: When the device is noncompliant, it's added to a retire list in the admin center. An admin must explicitly retire the device from that list before company data is removed and the device is removed from Intune management.
- - **Send push notification to end user**: Configure this action to send a push notification about noncompliance to a device through the Company Portal app or Intune App on the device.
+ - **Send push notification to end user**: Set up this action to send a push notification about noncompliance to a device through the Company Portal app or Intune App on the device.
-5. Configure a **Schedule**: Enter the number of days (0 to 365) after noncompliance to trigger the action on users' devices. After this grace period, you can enforce a [Conditional Access](../conditional-access-integration/scenarios.md) policy. If you enter **0** (zero) number of days, then Conditional Access takes effect **immediately**. For example, if a device is noncompliant, use Conditional Access to block access to email, SharePoint, and other organization resources immediately.
+1. Configure a **Schedule**: Enter the number of days (0 to 365) after noncompliance to trigger the action. If you enter **0**, the action takes effect immediately. After this grace period, you can enforce a [Conditional Access](../conditional-access-integration/scenarios.md) policy to block access to resources like email and SharePoint.
- When you create a compliance policy, the **Mark device noncompliant** action is automatically created, and automatically set to **0** days (immediately). With this action, when the device checks in with Intune and evaluates the policy, if it isn't compliant to that policy Intune immediately marks that device as noncompliant. If the client checks in at a later time after remediating the issues that lead to noncompliance, its status will update to its new compliance status. If you use Conditional Access, those policies also apply as soon as a device is marked as noncompliant. To set a grace period to allow for a condition of noncompliance to be remediated before the device is marked as noncompliant, change the **Schedule** on the **Mark device noncompliant** action.
+ For details about the default **Mark device noncompliant** action and how the schedule affects grace periods, see [Available actions for noncompliance](#available-actions-for-noncompliance).
- In your compliance policy, for example, you also want to notify the user. You can add the **Send email to end user** action. On this **Send email** action, you set the **Schedule** to two days. If the device or end user is still evaluated as noncompliant on day two, then your email is sent on day two. If you want to email the user again on day five of noncompliance, then add another action, and set the **Schedule** to five days.
+ For example, add the **Send email to end user** action with a **Schedule** of two days. If the device is still noncompliant on day two, the email is sent. To send a follow-up email on day five, add a second instance of the action with a **Schedule** of five days.
For more information on compliance, and the built-in actions, see the [compliance overview](./overview.md).
-6. When finished, select **Add** > **OK** to save your changes.
+1. When finished, select **Add** > **OK** to save your changes.
## Next steps
diff --git a/intune/device-security/compliance/configure-wsl.md b/intune/device-security/compliance/configure-wsl.md
index 591982c4969..bb03fdccd77 100644
--- a/intune/device-security/compliance/configure-wsl.md
+++ b/intune/device-security/compliance/configure-wsl.md
@@ -12,21 +12,54 @@ ms.collection:
# Evaluate compliance for Windows Subsystem for Linux
-Create a Microsoft Intune policy that checks the compliance of devices running Windows Subsystem for Linux (WSL). Microsoft Intune incorporates the WSL compliance results into the overall compliance state of the host device so that you can see the whole health of the device.
+Create a Microsoft Intune policy that checks the compliance of devices running Windows Subsystem for Linux (WSL). Microsoft Intune incorporates the WSL compliance results into the overall compliance state of the host device so you can see the whole health of the device.
This article applies to Windows and describes how to set up compliance checks for WSL.
## Requirements
-To create your compliance policy with WSL settings, you must meet these requirements:
+:::row:::
+:::column span="1":::
+[!INCLUDE [platform](../../includes/requirements/platform.md)]
-- The [Intune WSL plugin](https://go.microsoft.com/fwlink/?linkid=2296896) must be installed for compliance evaluation.
+:::column-end:::
+:::column span="3":::
-- The Microsoft Intune management extension must be installed on the target device. Make sure devices meet one of the following conditions so that the management extension can install:
+> Windows
- - Assign a PowerShell script or a proactive remediation to the user or device.
- - Deploy a Win32 app or Microsoft Store app to the user or device.
- - Assign a custom compliance policy to the user or device.
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [plugins](../../includes/requirements/plugins.md)]
+
+:::column-end:::
+:::column span="3":::
+
+> You must install the [Intune WSL plugin](https://go.microsoft.com/fwlink/?linkid=2296896) for compliance evaluation.
+
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [rbac](../../includes/requirements/rbac.md)]
+
+:::column-end:::
+:::column span="3":::
+
+> Sign in to the Microsoft Intune admin center with the following role:
+> - Built-in [Intune Administrator](/entra/identity/role-based-access-control/permissions-reference#intune-administrator) Microsoft Entra role
+
+:::column-end:::
+:::row-end:::
+
+The Microsoft Intune management extension must be installed on the target device. Make sure devices meet one of the following conditions so that the management extension can install:
+
+- Assign a PowerShell script or a proactive remediation to the user or device.
+- Deploy a Win32 app or Microsoft Store app to the user or device.
+- Assign a custom compliance policy to the user or device.
## Before you begin
@@ -38,62 +71,62 @@ Create a Win32 app policy for the [Intune WSL plugin](https://github.com/microso
1. Use the [Microsoft Win32 Content Prep Tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) to convert the Intune WSL plugin to the *.intunewin* format. For more information, see [Convert the Win32 app content](../../app-management/deployment/create-win32-package.md#convert-the-win32-app-content).
-2. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) as at least an Intune administrator.
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-3. Go to **Apps** > **All Apps** > **Add**.
+1. Go to **Apps** > **All Apps** > **Add**.
-4. For **App type**, scroll down to **Other**, and then select **Windows app (Win32)**.
+1. For **App type**, scroll down to **Other**, and then select **Windows app (Win32)**.
-5. Choose **Select**. The **Add app** steps appear.
+1. Choose **Select**. The **Add app** steps appear.
-6. Choose **Select app package file**.
+1. Choose **Select app package file**.
-7. Select the **Folder** button and browse your files for the app package file. Upload the Intune WSL plugin installation file with the *.intunewin* extension.
+1. Select the **Folder** button and browse your files for the app package file. Upload the Intune WSL plugin installation file with the *.intunewin* extension.
-8. Select **OK** to continue.
+1. Select **OK** to continue.
-9. Enter the following app information:
+1. Enter the following app information:
- **Select file**: The app package file you selected in the previous step appears here. Select the file to upload a different installation package file for the Intune WSL plugin.
- **Name**: Enter **Intune WSL Plugin**.
- **Description**: Select **Edit Description** to enter a description for the app. For example, you can describe its purpose or how your organization plans to use it. This setting is optional but recommended.
- **Publisher**: Enter **Microsoft Intune**.
-10. Select **Next** to go to **Program**.
+1. Select **Next** to go to **Program**.
-11. Review the settings that are prepopulated so that you're familiar with how the app behaves. Leave the settings as-is.
+1. Review the settings that are prepopulated so that you're familiar with how the app behaves. Leave the settings as-is.
-12. Select **Next** to go to **Requirements**.
+1. Select **Next** to go to **Requirements**.
-13. Enter the requirements devices must meet to install the app.
+1. Enter the requirements devices must meet to install the app.
-14. Select **Next** to go to **Detection rules**.
+1. Select **Next** to go to **Detection rules**.
-15. Review the detection rules that are prepopulated. These rules are app-specific and detect the presence of the app. Leave the settings as-is.
+1. Review the detection rules that are prepopulated. These rules are app-specific and detect the presence of the app. Leave the settings as-is.
-16. Select **Next** to go to **Dependencies**. Leave the settings as-is.
+1. Select **Next** to go to **Dependencies**. Leave the settings as-is.
-17. Select **Next** to go to **Supersedence**. Leave the settings as-is.
+1. Select **Next** to go to **Supersedence**. Leave the settings as-is.
-18. Select **Next** to go to **Assignments**.
+1. Select **Next** to go to **Assignments**.
-19. To assign the policy, add Microsoft Entra users under **Required**.
+1. To assign the policy, add Microsoft Entra users under **Required**.
-20. Select **Next** to go to **Review + create**.
+1. Select **Next** to go to **Review + create**.
-21. Review the summary, and then select **Create** to save the policy.
+1. Review the summary, and then select **Create** to save the policy.
> [!NOTE]
> When you create a compliance policy with WSL settings, it automatically generates a read-only custom script. Editing the compliance policy also edits the associated custom script. These scripts appear in the Microsoft Intune admin center in **Devices** > **Compliance** > **Scripts** and are called *Built-in WSL Compliance-< compliance policy id >*.
## Limitations
-This section describes the known limitations with using the Intune WSL plugin for compliance evaluation.
+This section describes the known limitations when using the Intune WSL plugin for compliance evaluation.
-- Compliance evaluation requires the installed Linux distributions in WSL to run at least one time before it works. If you install a Linux distribution with the `--no-launch` [command for WSL](/windows/wsl/basic-commands), the compliance evaluation won't work.
+- Compliance evaluation requires the installed Linux distributions in WSL to run at least once before it works. If you install a Linux distribution by using the `--no-launch` [command for WSL](/windows/wsl/basic-commands), the compliance evaluation doesn't work.
- Compliance evaluation might not function as expected on custom Linux images or Linux images without the `etc/os-release` directory.
-- Even with the Intune WSL plugin, it's possible for malicious software or user actions to compromise the compliance evaluation mechanism.
+- Even with the Intune WSL plugin, malicious software or user actions can compromise the compliance evaluation mechanism.
## Next steps
diff --git a/intune/device-security/compliance/create-custom-json.md b/intune/device-security/compliance/create-custom-json.md
index bee4dbbda16..4b7eb1a1a02 100644
--- a/intune/device-security/compliance/create-custom-json.md
+++ b/intune/device-security/compliance/create-custom-json.md
@@ -1,4 +1,4 @@
----
+---
title: Create a JSON file for custom compliance settings in Microsoft Intune
description: Create the JSON file that defines custom settings and values for use with device compliance policies in Intune.
ms.date: 08/15/2025
@@ -12,23 +12,35 @@ ms.collection:
# Custom compliance JSON files for Microsoft Intune
-To support [custom settings for compliance](./custom-settings.md) for Microsoft Intune, you create a JSON file that identifies the settings and value pairs that you want to use for custom compliance. The JSON defines what a discovery script evaluates for compliance on the device.
+To support [custom settings for compliance](./custom-settings.md) for Microsoft Intune, create a JSON file that identifies the settings and value pairs you want to use for custom compliance. The JSON defines what a discovery script evaluates for compliance on the device.
+
+Include the JSON file in a compliance policy when you configure a policy to assess custom compliance settings.
+
+## Requirements
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [platform](../../includes/requirements/platform.md)]
-You include the JSON file in a compliance policy when you configure a policy to assess custom compliance settings.
+:::column-end:::
+:::column span="3":::
-This feature applies to:
+> - Linux:
+> - Ubuntu Desktop, version 24.04 LTS or 26.04 LTS
+> - RedHat Enterprise Linux 9 or 10
+> - Windows
-- Linux – Ubuntu Desktop, version 24.04 LTS and 26.04 LTS
-- Windows
+:::column-end:::
+:::row-end:::
A correctly formatted JSON file must include the following information:
- **SettingName** - The name of the custom setting to use for base compliance. This name is case-sensitive.
-- **Operator** - Represents a specific action that is used to build a compliance rule. For options, see the following list of *supported operators*.
+- **Operator** - Represents a specific action that's used to build a compliance rule. For options, see the list of supported operators in this article.
- **DataType** - The type of data that you can use to build your compliance rule. For options, see the following list of *supported DataTypes*.
-- **Operand** - Represent the values that the operator works on.
-- **MoreInfoURL** - A URL that device users can view and use to learn more about the compliance requirement should their device be noncompliant for a setting. You can also use this URL to link to instructions to help users bring their device into compliance for this setting.
-- **RemediationStrings** - Information that gets displayed in the Company Portal when a device is noncompliant to a setting. This information is intended to help users understand the remediation options to bring a device to a compliant state. There must be at least one string for the language `en_US`. Other remediation string languages can then be added as needed, as demonstrated in the [example](#example-json-file) provided later in this article.
+- **Operand** - Represents the values that the operator works on.
+- **MoreInfoURL** - A URL that device users can view and use to learn more about the compliance requirement if their device is noncompliant for a setting. You can also use this URL to link to instructions to help users bring their device into compliance for this setting.
+- **RemediationStrings** - Information that shows in the Company Portal when a device is noncompliant to a setting. This information helps users understand the remediation options to bring a device to a compliant state. There must be at least one string for the language `en_US`. You can add other remediation string languages as needed, as demonstrated in the [example](#example-json-file) provided later in this article.
Your policy can be up to 100 KB and include 100 rules.
diff --git a/intune/device-security/compliance/create-custom-script.md b/intune/device-security/compliance/create-custom-script.md
index d2e84f28971..ad2984e32d9 100644
--- a/intune/device-security/compliance/create-custom-script.md
+++ b/intune/device-security/compliance/create-custom-script.md
@@ -1,4 +1,4 @@
----
+---
title: Create discovery scripts for custom compliance policy in Microsoft Intune
description: Create scripts for Linux or Windows devices to discover the settings you define as custom compliance settings for Microsoft Intune.
ms.date: 09/04/2025
@@ -12,29 +12,33 @@ ms.collection:
# Custom compliance discovery scripts for Microsoft Intune
-Before you can use [custom settings for compliance](./custom-settings.md) with Microsoft Intune, you must define a script that can discover the custom compliance settings that are available on devices. The script you use depends on the platform:
+Before you can use [custom settings for compliance](./custom-settings.md) with Microsoft Intune, you must create a script that discovers custom compliance settings on devices. The script you use depends on the platform:
- Windows devices use a PowerShell script.
- Linux devices can run scripts in any language as long as the corresponding interpreter is installed and configured on the device.
-The discovery script deploys to devices as part of your custom compliance policies. When compliance runs on a device, the script discovers the settings that are defined by the JSON file that you also provide through custom compliance policy.
+The discovery script deploys to devices as part of your custom compliance policies. When compliance runs on a device, the script discovers the settings defined in the JSON file you provide when creating the compliance policy.
All discovery scripts:
-- Are added to Intune before you create a compliance policy. After being added, scripts are available to select when you create a compliance policy with custom settings.
+- Are added to Intune before you create a compliance policy. After you add a script, it's available to select when you create a compliance policy with custom settings.
- Each discovery script can only be used with one compliance policy, and each compliance policy can only include one discovery script.
- - Discovery scripts that are assigned to a compliance policy can't be deleted until the script is unassigned from the policy.
+ - You can't delete discovery scripts that are assigned to a compliance policy until you unassign the script from the policy.
- Run on a device that receives the compliance policy. The script evaluates the conditions of the JSON file you upload when creating a custom compliance policy.
-- Identify one or more settings, as defined in the JSON, and return a list of discovered values for those settings. A single script can be assigned to each policy, and supports discovery of multiple settings.
+- Identify one or more settings, as defined in the JSON, and return a list of discovered values for those settings.
In addition, the PowerShell script for Windows:
-- Must be compressed to output results in a single line.
-- For example: `$hash = @{ Manufacturer = $WMI_ComputerSystem.Manufacturer; BiosVersion = $WMI_BIOS.SMBIOSBIOSVersion; TPMChipPresent = $TPM.TPMPresent}` must include the following line at the end of the script: `return $hash | ConvertTo-Json -Compress`
+- Must be compressed to output results in a single line. For example, the following script must include `return $hash | ConvertTo-Json -Compress` as the last line:
+
+ ```powershell
+ $hash = @{ Manufacturer = $WMI_ComputerSystem.Manufacturer; BiosVersion = $WMI_BIOS.SMBIOSBIOSVersion; TPMChipPresent = $TPM.TPMPresent}
+ return $hash | ConvertTo-Json -Compress
+ ```
## Limits
-The scripts you write must be within the following limits in order to successfully return compliance data to Intune:
+To successfully return compliance data to Intune, your scripts must stay within the following limits:
- Scripts can be no larger than 1 megabyte (MB) each.
- Output generated by each script can be no larger than 1 MB.
@@ -44,7 +48,7 @@ The scripts you write must be within the following limits in order to successful
## Sample discovery script for Windows
-The following example is a sample PowerShell script that you could use for Windows devices:
+The following example is a sample PowerShell script that you can use for Windows devices:
```powershell
$WMI_ComputerSystem = Get-WMIObject -class Win32_ComputerSystem
@@ -55,7 +59,7 @@ $hash = @{ Manufacturer = $WMI_ComputerSystem.Manufacturer; BiosVersion = $WMI_B
return $hash | ConvertTo-Json -Compress
```
-Following is an example of the output of the sample script for Windows:
+The following example shows the output of the sample script for Windows:
```powershell
{"BiosVersion":"1.24","Manufacturer":"Microsoft Corporation","TPMChipPresent":true}
@@ -65,17 +69,18 @@ Following is an example of the output of the sample script for Windows:
> [!NOTE]
>
-> Discovery scripts in Linux are run in the User's context and as such they cannot check for System level settings that require elevation. An example of this is the `state/hash` of the `/etc/sudoers` file.
+> On Linux, discovery scripts run in the user's context. They can't check for system-level settings that require elevation. An example of this limitation is the `state/hash` of the `/etc/sudoers` file.
-Discovery scripts for Linux can call any interpreter that meets your requirements. Ensure that the chosen interpreter is properly installed and configured on the targeted device before the script is deployed. To specify the interpreter for a script, include a shebang line at the top of the script, indicating the path to the interpreter binary.
+Discovery scripts for Linux can call any interpreter that meets your requirements. Ensure that the chosen interpreter is properly installed and configured on the target device before deploying the script. To specify the interpreter for a script, include a shebang line at the top of the script, indicating the path to the interpreter binary.
For example, if your script should use the Bash shell as the interpreter, add the following line at the top of your script:
-`[ !/bin/bash ]`
+`#!/bin/bash`
-If you want to use Python for your script, indicate where the interpreter is installed. For example, add the following to the top of your script: `[ !/usr/bin/python3 ]` or `[ !/usr/bin/env python ]`
+To use Python, specify the interpreter path. For example, add the following line to the top of your script: `#!/usr/bin/python3` or `#!/usr/bin/env python3`
-**Recommended best practice**: To enable your scripts to handle scenarios like interrupts or cancellation signals, implement graceful termination mechanisms. When a script properly caches and handles these signals, the script can perform cleanup tasks and exit gracefully, ensuring resources are released correctly. For example, you can catch specific signals like SIGINT (interrupt signal) or SIGTERM (termination signal) and define custom actions to run when these signals are received. These actions can include closing open files, releasing acquired locks, or cleaning up temporary resources. Proper handling of signals helps to maintain script integrity and improve overall user experience.
+> [!TIP]
+> To handle interrupts or cancellation signals, implement graceful termination mechanisms in your scripts. When a script handles these signals, it can perform cleanup tasks and exit gracefully, ensuring resources are released correctly. For example, catch signals like SIGINT (interrupt signal) or SIGTERM (termination signal) and define custom actions to run when they're received. These actions can include closing open files, releasing acquired locks, or cleaning up temporary resources.
For more information, see the [Intune Linux Custom Compliance Samples](https://github.com/microsoft/shell-intune-samples/tree/master/Linux) guide.
@@ -83,18 +88,19 @@ For more information, see the [Intune Linux Custom Compliance Samples](https://g
Before deploying your script in production, test it in an isolated environment to ensure the syntax you use behaves as expected.
-1. Sign into [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Endpoint security** > **Device compliance** > **Scripts** > **Add** > *(choose your platform)*.
-2. On **Basics**, provide a **Name**.
-3. On **Settings**, add your script to **Detection script**. Review your script carefully. Intune doesn’t validate the script for syntax or programmatic errors.
-4. ***For Windows only*** - On **Settings**, configure the following behavior for the PowerShell script:
+> [!NOTE]
+> The script upload workflow doesn't support scope tags. You must be assigned the default scope tag to create, edit, or view custom compliance discovery scripts.
- - **Run this script using the logged on credentials** – By default, the script runs in the System context on the device. Set this value to **Yes** to have it run in the context of the logged-on user. If the user isn’t logged in, the script defaults back to the System context.
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Endpoint security** > **Device compliance** > **Scripts** > **Add**. Then choose your platform.
+1. On **Basics**, enter a descriptive **Name** for the script.
+1. On **Settings**, add your script to **Detection script**. Review your script carefully. Intune doesn't validate the script for syntax or programming errors.
+1. *For Windows only* - On **Settings**, configure the following behavior for the PowerShell script:
+
+ - **Run this script using the logged on credentials** – By default, the script runs in the System context on the device. Set this value to **Yes** to have it run in the context of the logged-on user. If the user isn't logged in, the script defaults back to the System context.
- **Enforce script signature check** – For more information, see [about_Signing](/powershell/module/microsoft.powershell.core/about/about_signing?view=powershell-7.1&preserve-view=true) in the PowerShell documentation.
- **Run script in 64 bit PowerShell Host** – By default, the script runs using the 32-bit PowerShell host. Set this value to **Yes** to force the script to run using the 64-bit host instead.
-5. Complete the script creation process. The script is now visible in the **Scripts** pane of the Microsoft Intune admin center and is available to select when configuring compliance policies.
-
-Because the workflow for uploading these scripts to the Microsoft Intune admin center doesn't support scope tags, you must be assigned the default scope tag to create, edit, or see custom compliance discovery scripts.
+1. Complete the script creation process. The script appears in the **Scripts** pane and is available to select when configuring compliance policies.
## Next steps
diff --git a/intune/device-security/compliance/create-policy.md b/intune/device-security/compliance/create-policy.md
index 439afc36855..cf4e348d1db 100644
--- a/intune/device-security/compliance/create-policy.md
+++ b/intune/device-security/compliance/create-policy.md
@@ -12,46 +12,72 @@ ms.collection:
# Create a compliance policy in Microsoft Intune
-Device compliance policies are a key feature when using Intune to protect your organization's resources. In Intune, you can create rules and settings that devices must meet to be considered compliant, such as a minimum OS version. If the device isn't compliant, you can then block access to data and resources using [Conditional Access](../conditional-access-integration/overview.md).
+Device compliance policies are a key feature when using Intune to protect your organization's resources. In Intune, you can create rules and settings that devices must meet to be considered compliant, such as a minimum OS version. If the device isn't compliant, you can block access to data and resources by using [Conditional Access](../conditional-access-integration/overview.md).
You can also take actions for noncompliance, such as sending a notification email to the user. For an overview of what compliance policies do, and how they're used, see [get started with device compliance](./overview.md).
This article:
-- Lists the prerequisites and steps to create a compliancy policy.
+- Lists the prerequisites and steps to create a compliance policy.
- Shows you how to assign the policy to your user and device groups.
- Describes other features, including scope tags to "filter" your policies, and steps you can take on devices that aren't compliant.
- Lists the check-in refresh cycle times when devices receive policy updates.
-## Before you begin
+## Requirements
-To use device compliance policies, be sure you:
+[!INCLUDE [platform](../../includes/requirements/platform.md)]
-- Use the following subscriptions:
+:::row:::
+:::column span="1":::
+[!INCLUDE [licensing](../../includes/requirements/licensing.md)]
- - Intune
- - If you use Conditional Access, then you need Microsoft Entra ID P1 or P2 edition. [Microsoft Entra pricing](https://azure.microsoft.com/pricing/details/active-directory/) lists what you get with the different editions. Intune compliance doesn't require Microsoft Entra ID.
+:::column-end:::
+:::column span="3":::
-- Use a supported platform:
+> - Microsoft Intune subscription
+> - If you use Conditional Access, then you need Microsoft Entra ID P1 or P2 edition. [Microsoft Entra pricing](https://azure.microsoft.com/pricing/details/active-directory/) lists what you get with the different editions. Intune compliance doesn't require Microsoft Entra ID.
- - Android device administrator
- - Android AOSP
- - Android Enterprise
- - iOS
- - Linux - Ubuntu Desktop, version 24.04 LTS or 26.04 LTS
- - macOS
- - Windows
+:::column-end:::
+:::row-end:::
- [!INCLUDE [android_device_administrator_support](../../includes/android-device-administrator-support.md)]
+:::row:::
+:::column span="1":::
-- Enroll devices in Intune (required to see the compliance status)
+:::column-end:::
+:::column span="3":::
-- Enroll devices to one user, or enroll without a primary user. Single devices can't be enrolled to multiple users.
+> - Android device administrator
+> - Android AOSP
+> - Android Enterprise
+> - iOS
+> - Linux - Ubuntu Desktop, version 24.04 LTS or 26.04 LTS
+> - macOS
+> - Windows
+
+:::column-end:::
+:::row-end:::
+
+[!INCLUDE [android_device_administrator_support](../../includes/android-device-administrator-support.md)]
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [enrollment-methods](../../includes/requirements/enrollment-methods.md)]
+
+:::column-end:::
+:::column span="3":::
+
+> - Enroll devices in Intune (required to see the compliance status)
+> - Enroll devices to one user, or enroll without a primary user. Single devices can't be enrolled to multiple users.
+
+:::column-end:::
+:::row-end:::
In addition to compliance settings that are built in to Intune, the following platforms support adding custom compliance settings to compliance policies:
-- Ubuntu Desktop, version 24.04 LTS or 26.04 LTS
-- Windows
+- Linux
+ - Ubuntu Desktop, version 24.04 LTS or 26.04 LTS
+ - RedHat Enterprise Linux 9 or 10
+- Windows
Before you can add custom settings, you must prepare a custom JSON file that defines the settings you want to base your custom compliance on, and a script that runs on devices to detect the settings defined in the JSON.
@@ -61,31 +87,31 @@ For more information about using custom compliance settings, including supported
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Go to **Devices**.
-3. Under **Manage devices**, select **Compliance**. Then choose **Create policy**.
+1. Go to **Devices**.
+1. Under **Manage devices**, select **Compliance**. Then choose **Create policy**.
-4. Select a **Platform** for this policy from the following options:
+1. Select a **Platform** for this policy from the following options:
- **Android device administrator**
- **Android (AOSP)**
- **Android Enterprise**
- **iOS/iPadOS**
- - **Linux** - (Ubuntu Desktop, version 24.04 LTS or 26.04 LTS, RedHat Enterprise Linux 8, or RedHat Enterprise Linux 9)
+ - **Linux** - (Ubuntu Desktop, version 24.04 LTS or 26.04 LTS, RedHat Enterprise Linux 9, or RedHat Enterprise Linux 10)
- **macOS**
- **Windows 10 and later**
- **Windows 8.1 and later**
- For *Android Enterprise*, you also select a **Profile type**. Your options:
+ For *Android Enterprise*, also select a **Profile type**. Your options:
- **Fully managed, dedicated, and corporate-owned work profile**
- **Personally-owned work profile**
Then select **Create** to open the configuration page.
-5. On the **Basics** tab, enter a **Name** that helps you identify this policy later. For example, a good policy name is **Mark iOS/iPadOS jailbroken devices as not compliant**.
+1. On the **Basics** tab, enter a **Name** that helps you identify this policy later. For example, a good policy name is **Mark iOS/iPadOS jailbroken devices as not compliant**.
Optionally, enter a **Description** for the policy.
-6. On the **Compliance settings** tab, expand the available categories, and configure settings for your policy. The following articles describe the available compliance settings for each platform:
+1. On the **Compliance settings** tab, expand the available categories, and configure settings for your policy. The following articles describe the available compliance settings for each platform:
- [Android device administrator](./ref-android-administrator-settings.md)
- [Android (AOSP)](./ref-android-aosp-settings.md)
- [Android Enterprise](./ref-android-enterprise-settings.md)
@@ -95,32 +121,34 @@ For more information about using custom compliance settings, including supported
- [Windows 8.1 and later](./ref-windows-8-1-settings.md)
- [Windows](./ref-windows-settings.md)
-7. Optionally, you can add custom settings for supported platforms.
+1. Optionally, add custom settings for supported platforms.
> [!TIP]
- > This is an optional step that’s supported for the following platforms:
+ > This step is optional and supported for the following platforms:
>
- > - Linux - Ubuntu Desktop, version 24.04 LTS or 26.04 LTS
+ > - Linux
+ > - Ubuntu Desktop, version 24.04 LTS or 26.04 LTS
+ > - RedHat Enterprise Linux 9 or 10
> - Windows
- > Before you can add custom settings to a policy, you must have uploaded a detection script to Intune, and have ready a JSON file that defines the settings you want to use for compliance. See [Custom compliance settings](./custom-settings.md).
+ > Before you can add custom settings to a policy, upload a detection script to Intune, and have a JSON file that defines the settings you want to use for compliance. For more information, see [Custom compliance settings](./custom-settings.md).
On the **Compliance settings** page, expand the **Custom Compliance** category:
**For Windows**:
1. On the *Compliance settings* page, expand **Custom Compliance** and set *Custom compliance* to **Require**.
- 2. For *Select your discovery script*, select **Click to select**, and then enter the name of a script that you previously added to the Microsoft Intune admin center. This script must be uploaded before you begin to create the policy. Choose **Select** to continue to the next step.
- 3. For *Upload and validate the JSON file with your custom compliance settings*, select the folder icon, and then find and add the JSON file for Windows that you want to use with this policy. For assistance with the JSON, see [Create a JSON for custom compliance settings](./create-custom-json.md).
+ 1. For *Select your discovery script*, select **Click to select**, and then enter the name of a script that you previously added to the Microsoft Intune admin center. This script must be uploaded before you begin to create the policy. Choose **Select** to continue to the next step.
+ 1. For *Upload and validate the JSON file with your custom compliance settings*, select the folder icon, and then find and add the JSON file for Windows that you want to use with this policy. For assistance with the JSON, see [Create a JSON for custom compliance settings](./create-custom-json.md).
**For Linux**:
1. On the *Compliance settings* page, select **Add settings** to open the **Settings picker**.
- 2. Select **Custom Compliance**. Then close the settings picker.
- 3. Switch **Require Custom Compliance** to **True**.
- 4. For **Select your discovery script**, select **Select a script**. Then select a script that’s been previously added to the Microsoft Intune admin center. This script must be uploaded before you begin to create the policy.
- 6. For **Select your rules file**, select the folder icon and then locate and add the JSON file for Linux that you want to use with this policy. For assistance with the JSON, see [Create a JSON for custom compliance settings](./create-custom-json.md).
+ 1. Select **Custom Compliance**. Then close the settings picker.
+ 1. Switch **Require Custom Compliance** to **True**.
+ 1. For **Select your discovery script**, select **Select a script**. Then select a script that you previously added to the Microsoft Intune admin center. This script must be uploaded before you begin to create the policy.
+ 1. For **Select your rules file**, select the folder icon and then locate and add the JSON file for Linux that you want to use with this policy. For assistance with the JSON, see [Create a JSON for custom compliance settings](./create-custom-json.md).
Wait while Intune validates the JSON. Problems that need to be fixed appear onscreen. After validation of the JSON contents, the rules from the JSON appear in table format.
-8. On the **Actions for noncompliance** tab, select a sequence of actions to apply automatically to devices that don't meet this compliance policy.
+1. On the **Actions for noncompliance** tab, select a sequence of actions to apply automatically to devices that don't meet this compliance policy.
You can add multiple actions, and configure schedules and details for some actions. For example, you might change the schedule of the default action *Mark device noncompliant* to occur after one day. You can then add an action to send an email to the user when the device isn't compliant to warn them of that status. You can also add actions that lock or retire devices that remain noncompliant.
@@ -128,19 +156,19 @@ For more information about using custom compliance settings, including supported
Another example includes the use of Locations where you add at least one location to a compliance policy. In this case, the default action for noncompliance applies when you select at least one location. If the device isn't connected to any of the selected locations, it's considered not compliant. You can configure the schedule to give your users a grace period, such as one day.
-9. On the **Scope tags** tab, select tags to help filter policies to specific groups, such as `US-NC IT Team` or `JohnGlenn_ITDepartment`. After you add the settings, you can also add a scope tag to your compliance policies.
+1. On the **Scope tags** tab, select tags to help filter policies to specific groups, such as `US-NC IT Team` or `JohnGlenn_ITDepartment`. After you add the settings, you can also add a scope tag to your compliance policies.
For information on using scope tags, see [Use scope tags to filter policies](../../fundamentals/role-based-access-control/scope-tags.md).
-10. On the **Assignments** tab, assign the policy to your groups.
+1. On the **Assignments** tab, assign the policy to your groups.
- Select **Add groups**, and then assign the policy to one or more groups. The policy will apply to these groups when you save the policy after the next step.
+ Select **Add groups**, and then assign the policy to one or more groups. The policy applies to these groups when you save the policy after the next step.
Policies for Linux don't support user-based assignments and can only be assigned to device groups.
-11. On the **Review + create** tab, review the settings and select **Create** when ready to save the compliance policy.
+1. On the **Review + create** tab, review the settings and select **Create** when ready to save the compliance policy.
- The users or devices targeted by your policy are evaluated for compliance when they check in with Intune.
+ Intune evaluates the users or devices targeted by your policy for compliance when they check in with Intune.
## Refresh cycle times
@@ -181,9 +209,9 @@ If a device has multiple compliance policies, and the device has different compl
|NonCompliant|5|
|Error|6|
-When a device has multiple compliance policies, then the highest severity level of all the policies is assigned to that device.
+When a device has multiple compliance policies, Intune assigns the highest severity level of all the policies to that device.
-For example, a device has three compliance policies assigned to it: one Unknown status (severity = 1), one Compliant status (severity = 3), and one InGracePeriod status (severity = 4). The InGracePeriod status has the highest severity level. So, all three policies have the InGracePeriod compliance status.
+For example, a device has three compliance policies assigned to it: one Unknown status (severity = 1), one Compliant status (severity = 3), and one InGracePeriod status (severity = 4). The InGracePeriod status has the highest severity level, so the device is given the InGracePeriod compliance status.
> [!IMPORTANT]
> Discovery script output is limited to 2048 characters. If the output exceeds this limit, it may be truncated, resulting in invalid JSON and error 65009 during compliance evaluation. To avoid this, keep outputs concise or split large rule sets across multiple policies.
diff --git a/intune/device-security/compliance/custom-settings.md b/intune/device-security/compliance/custom-settings.md
index 511568fd2c3..38156695010 100644
--- a/intune/device-security/compliance/custom-settings.md
+++ b/intune/device-security/compliance/custom-settings.md
@@ -12,61 +12,89 @@ ms.collection:
# Use custom compliance policies and settings for Linux and Windows devices with Microsoft Intune
-To expand on Intune’s built-in device compliance options, you can use policies for custom compliance settings for managed Linux and Windows devices. Custom settings provide flexibility to base compliance on the settings that are available on a device without having to wait for Intune to add these settings to the built-in policy templates.
+To expand on Intune’s built-in device compliance options, use policies for custom compliance settings for managed Linux and Windows devices. Custom settings give you the flexibility to base compliance on the settings that are available on a device without waiting for Intune to add these settings to the built-in policy templates.
This feature applies to:
- Windows (excluding Windows Home)
- Linux
- Ubuntu Desktop, version 24.04 LTS or 26.04 LTS
- - RedHat Enterprise Linux 8
- RedHat Enterprise Linux 9
+ - RedHat Enterprise Linux 10
-Before you can add custom settings to a policy, you must prepare a JSON file, and a discovery script for use with each supported platform. Both the script and JSON become part of the compliance policy. Each compliance policy supports a single script, and each script can discover multiple settings:
+Before you can add custom settings to a policy, you must prepare a JSON file and a discovery script for use with each supported platform. Both the script and JSON become part of the compliance policy. Each compliance policy supports a single script, and each script can discover multiple settings:
-- The JSON file defines the custom settings and the values that you considered to be compliant. You can also configure messages for users to tell them how to restore compliance for each setting. You add your JSON file when you create a compliance policy, just after you select a discovery script for that policy.
+- The JSON file defines the custom settings and the values that you consider to be compliant. You can also configure messages for users to tell them how to restore compliance for each setting. Add your JSON file when you create a compliance policy, just after you select a discovery script for that policy.
- Discovery scripts are specific to the different platforms and are delivered to devices as part of the compliance policy. When a device evaluates its policy, the script detects (discovers) the settings from the JSON file, and then reports the results to Intune. Windows devices use a PowerShell script and Linux devices use a POSIX-compliant shell script.
- The scripts must be uploaded to the Microsoft Intune admin center before you create a compliance policy. You select the script when you’re configuring a policy to support custom settings.
+ You must upload the scripts to the Microsoft Intune admin center before you create a compliance policy. Select the script when you’re configuring a policy to support custom settings.
-After you deploy custom compliance settings and devices report back, you can view the results alongside the built-in compliance setting details in the Microsoft Intune admin center. Custom compliance settings can be used for Conditional Access decisions in the same way built-in compliance settings are. Together they form a compound rule set, equally affecting the device compliance state.
+After you deploy custom compliance settings and devices report back, you can view the results alongside the built-in compliance setting details in the Microsoft Intune admin center. You can use custom compliance settings for Conditional Access decisions in the same way built-in compliance settings are. Together they form a compound rule set, equally affecting the device compliance state.
-## Prerequisites
+## Requirements
-- **Microsoft Entra joined** devices, *including* Microsoft Entra hybrid joined devices.
+:::row:::
+:::column span="1":::
+[!INCLUDE [platform](../../includes/requirements/platform.md)]
- Microsoft Entra hybrid joined devices are devices that are joined to Microsoft Entra ID and also joined to on-premises Active Directory. For more information, see [Plan your Microsoft Entra hybrid join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan).
+:::column-end:::
+:::column span="3":::
-- **Microsoft Entra registered/Workplace joined (WPJ)**
+> - Windows (excluding Windows Home)
+> - Linux
+> - Ubuntu Desktop, version 24.04 LTS or 26.04 LTS
+> - RedHat Enterprise Linux 9
+> - RedHat Enterprise Linux 10
- For information about devices [registered](/azure/active-directory/user-help/user-help-register-device-on-network) in Microsoft Entra ID, see [Workplace Join as a seamless second factor authentication](/windows-server/identity/ad-fs/operations/join-to-workplace-from-any-device-for-sso-and-seamless-second-factor-authentication-across-company-applications#workplace-join-as-a-seamless-second-factor-authentication). Typically these devices are Bring Your Own Device (BYOD) devices that have a work or school account added via Settings>Accounts>Access work or school.
+:::column-end:::
+:::row-end:::
- On WPJ devices, device context PowerShell scripts work, but user context PowerShell scripts are ignored.
+:::row:::
+:::column span="1":::
+[!INCLUDE [cloud](../../includes/requirements/cloud.md)]
-- **Discovery script** - A PowerShell for Windows or a POSIX-compliant shell script for Linux that you create. The script runs on a device to discover the custom settings defined in your JSON file. The script returns the configuration value of those settings to Intune. You need to upload your script to the Microsoft Intune admin center before you create a compliance policy and then select the script you want to use when creating a policy.
+:::column-end:::
+:::column span="3":::
+
+> - Microsoft Entra joined devices, including Microsoft Entra hybrid joined devices.
+>
+> Microsoft Entra hybrid joined devices are devices that are joined to Microsoft Entra ID and also joined to on-premises Active Directory. For more information, see [Plan your Microsoft Entra hybrid join implementation](/entra/identity/devices/hybrid-join-plan).
+>
+> - Microsoft Entra registered/Workplace joined (WPJ)
+>
+> For information about devices registered in Microsoft Entra ID, see [Workplace Join as a seamless second factor authentication](/windows-server/identity/ad-fs/operations/join-to-workplace-from-any-device-for-sso-and-seamless-second-factor-authentication-across-company-applications#workplace-join-as-a-seamless-second-factor-authentication). Typically these devices are bring-your-own-devices (BYOD) that have a work or school account added via **Settings** > **Accounts** > **Access work or school**.
+>
+> On WPJ devices, device context PowerShell scripts work, but user context PowerShell scripts are ignored.
+
+:::column-end:::
+:::row-end:::
+
+You also need to create a:
+
+- **Discovery script** - A PowerShell script for Windows or a POSIX-compliant shell script for Linux that you create. The script runs on a device to discover the custom settings defined in your JSON file. The script returns the configuration value of those settings to Intune. You need to upload your script to the Microsoft Intune admin center before you create a compliance policy and then select the script you want to use when creating a policy.
To create a custom compliance script, see [Custom compliance discovery scripts for Microsoft Intune](./create-custom-script.md).
-- **JSON file** - The JSON file defines the custom settings and the value that is to be considered as compliant and can contain messages for users on how to restore the device to compliance for the setting. For guidance on creating a JSON for custom compliance, see [Custom compliance JSON files](./create-custom-json.md).
+- **JSON file** - The JSON file defines the custom settings and the value that is to be considered as compliant. It can also contain messages for users on how to restore the device to compliance for the setting. For guidance on creating a JSON for custom compliance, see [Custom compliance JSON files](./create-custom-json.md).
## Create a policy with custom compliance settings
-Before you begin to create a policy that includes custom settings, review the [prerequisites](#prerequisites).
+Before you begin to create a policy that includes custom settings, review the [requirements](#requirements).
-You must first upload an applicable discovery script to Intune, and have a ready JSON to add while creating the policy.
+First, upload an applicable discovery script to Intune, and have a ready JSON to add while creating the policy.
-When ready, use the normal procedure to [create a compliance policy](./create-policy.md), which includes platform specific instructions for adding custom settings to the policy. Custom settings are added while on the Configuration settings page by configuring the option for *Custom Compliance*.
+When ready, use the normal procedure to [create a compliance policy](./create-policy.md), which includes platform specific instructions for adding custom settings to the policy. Add custom settings while on the Configuration settings page by configuring the option for *custom compliance*.
> [!NOTE]
>
-> When a Windows device receives a compliance policy with custom settings, it checks for the presence of [Intune Management Extensions](../../device-management/tools/management-extension-windows.md). If not found, the device runs an MSI that installs the extensions, enabling the client to download and run PowerShell scripts that are part of a compliance policy, and to upload compliance results. Actions managed by the services include:
+> When a Windows device receives a compliance policy with custom settings, it checks for the [Intune Management Extension](../../device-management/tools/management-extension-windows.md). If the extension isn't found, the device runs an MSI to install it. Once installed, the extension downloads and runs PowerShell scripts and uploads compliance results to Intune. Actions the extension performs with Intune include:
>
-> - Checking for new or updated PowerShell scripts every eight hours.
-> - Running the discovery scripts every eight hours.
-> - Running scripts that download when a user selects Check Compliance on the device. However, there is no check for new or updated scripts when Check Compliance is run.
+> - Checks for new or updated PowerShell scripts every eight hours.
+> - Runs discovery scripts every eight hours.
+> - Runs scripts when a user selects **Check Compliance** on the device, but doesn't check for new or updated scripts at that time.
>
-> It is not possible to push notifications to a device to enable custom compliance to run on demand.
+> Push notifications can't trigger custom compliance to run on demand.
## Monitor custom compliance policy
@@ -74,21 +102,23 @@ Use the following methods to view details about a device’s compliance status.
- For both Linux and Windows devices, you can view per-setting device compliance details for custom compliance settings in the Microsoft Intune admin center.
- In the admin center go to **Reports** > **Device compliance**, and then select the **Reports** tab. Select the tile for **Noncompliant devices and settings**, and then use the drop-down menus to configure the report. Be sure to select a platform for the OS, and then select **Generate** report.
+ In the admin center, go to **Reports** > **Device compliance**, and then select the **Reports** tab. Select the tile for **Noncompliant devices and settings**, and then use the drop-down menus to configure the report. Be sure to select a platform for the OS, and then select **Generate** report.
- For more information, see [Monitor Intune Device compliance policies](./monitor-policy.md).
+ For more information, see [Monitor Intune device compliance policies](./monitor-policy.md).
-- On a Linux device, you can open the Intune app to view the device’s status:
+- On a Linux device, open the Intune app to check the device's compliance status. The app displays one of the following states:
- **Compliant** – Your device is compliant with your organization’s policies and should be able to access organizational resources.
- - **Checking status** – Intune is currently evaluating the devices compliance to your organization’s policies.
- - **Not compliant** – The device doesn’t meet your organization’s device and security requirements and might not have access to your organization’s resources.
+ - **Checking status** – Intune is currently evaluating the device's compliance to your organization’s policies.
+ - **Not compliant** – The device doesn't meet your organization’s device and security requirements and might not have access to your organization’s resources.
- When the device status is *Not compliant*, select **View issues** to see details about issues that must be addressed to bring that device into compliance. For information on resolving common issues, see [Additional troubleshooting for Linux devices](#additional-troubleshooting-for-linux-devices) in this article.
+ If the device status is *Not compliant*, select **View issues** to see what needs to be fixed. For information on resolving common problems, see [Additional troubleshooting for Linux devices](#additional-troubleshooting-for-linux-devices) in this article.
-## Troubleshoot custom compliance for devices
+## Troubleshoot custom compliance for devices
-### Custom settings aren’t evaluated
+Use the following troubleshooting tips to resolve common problems with custom compliance settings on Windows and Linux devices.
+
+### Custom settings aren't evaluated
Check the device compliance reports for the following error codes and insight into the problem:
@@ -97,13 +127,17 @@ Check the device compliance reports for the following error codes and insight in
- 65009: Invalid json for the discovered setting
- 65010: Invalid datatype for the discovered setting
-On Windows you can add the following line at the end of the PowerShell script to return errors related to the PowerShell script, ensure the following line is at the end of the PowerShell script file: `return $hash | ConvertTo-Json -Compress`
+On Windows, add the following line at the end of the PowerShell script to return errors related to the PowerShell script.
+
+ `return $hash | ConvertTo-Json -Compress`
-### PowerShell or POSIX-compliant shell scripts aren’t visible to select, or remain visible after being deleted
+Ensure the line is at the end of the PowerShell script file.
+
+### PowerShell or POSIX-compliant shell scripts aren't visible to select, or remain visible after being deleted
Refresh the current view. If the issue persists, cancel the policy creation flow, and start again.
-### After an issue on a device is fixed, subsequent syncs don’t identify the issue as resolved and compliant
+### After an issue on a device is fixed, subsequent syncs don't identify the issue as resolved and compliant
It can take up to eight hours before a noncompliant status shows as compliant after a change to the device.
@@ -113,13 +147,13 @@ It can take up to eight hours before a noncompliant status shows as compliant af
- On Linux, a user can open the *Microsoft Intune app* and select **Refresh** on either the device details page or the compliance issues page to start a new check-in with Intune.
-### Why aren’t more operators and operands supported?
+### Why aren't more operators and operands supported?
Contact your account manager to request the addition of specific operators and operands. They can then be considered for a future update.
-### Why can’t I apply multiple discovery scripts to one custom compliance policy?
+### Why can't I apply multiple discovery scripts to one custom compliance policy?
-Policies support the use of a single script. However, each script supports checking for multiple compliance values.
+Policies support the use of a single script. However, each script can check multiple compliance values.
## Additional troubleshooting for Linux devices
@@ -127,21 +161,21 @@ To identify settings that aren't compliant for a device:
- [In the Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you can identify devices that aren't compliant with policy. Go to **Reports** > **Device compliance**, select the **Reports** tab, and then select the tile for **Noncompliant devices and settings**. Use the drop-downs to configure the report you want, and then select **Generate** report.
-The admin center displays a separate line for each setting that isn’t compliant on a device.
+The admin center displays a separate line for each setting that isn't compliant on a device.
-- **On the Linux device**, open the Microsoft Intune app and view the *Update device settings* page.
+- On the Linux device, open the Microsoft Intune app and view the **Update device settings** page.
-The following sections discuss common issues and resolutions for issues that users of Linux devices might encounter.
+The following sections discuss common issues and resolutions for problems that users of Linux devices might encounter.
### Operating system distro and version
-Users of a device that doesn't meet the compliance requirements for the Linux distribution or operating system version, might receive a message that indicates a need to upgrade or downgrade that devices operating system.
+If a device doesn't meet the compliance requirements for the Linux distribution or OS version, the user might see a message to upgrade or downgrade the operating system.
-To be compliant with the *Allowed Distros* setting, devices Linux distribution and version must meet minimum, maximum, and type requirements. If necessary, install a different version or distribution of Linux to bring the device into compliance.
+To comply with the *Allowed Distros* setting, the device's Linux distribution and version must meet the minimum, maximum, and type requirements. If necessary, install a supported version or distribution of Linux to bring the device into compliance.
### Password complexity
-Users of a device that doesn't meet the compliance requirements for password complexity requirements might receive a message that indicates they must use a strong password.
+If a device doesn't meet the password complexity requirements, the user might see a message asking them to use a stronger password.
To be compliant with *Password Policy* settings, configure the Linux system to use passwords that meet those requirements. Common organization requirements include:
@@ -150,27 +184,11 @@ To be compliant with *Password Policy* settings, configure the Linux system to u
### Device encryption
-Users of a device that doesn't meet the compliance requirements for disk and partition encryption might receive a message that they must encrypt the device drives.
-
-To be compliant with the *Require Device Encryption* setting, device-level encryption is required for writable fixed disks on the Linux device.
-
-There are several options for disk and partition encryption on Linux operating systems. Intune recognizes any encryption system that uses the underlying dm-crypt subsystem. This subsystem is a long-time standard on Linux systems. The preferred method of setting up dm-crypt is to use the LUKS format with the *cryptsetup* tool.
-
-The following list provides general guidance when encrypting disk and partitions:
-
-- Encrypting Linux system volumes after installation is possible, but potentially time consuming. We recommend setting up disk encryption while installing the operating system.
-- Not all filesystem partitions need to be encrypted for a device to meet organizational standards. The following aren't evaluated by the built-in device encryption settings:
- - Read-only partitions
- - Pseudo-filesystems, like `/proc` or `tmpfs`
- - The `/boot` or `/boot/efi` partitions
+For guidance on configuring device encryption for Linux compliance, see [Linux compliance settings](./ref-linux-settings.md#device-encryption).
### Refresh your compliance status on Linux devices
-After making changes to a device to bring it into compliance, refresh the device status with Intune:
-
-- If the Microsoft Intune app is still running, select **Refresh** on the device details page, or on the compliance issues page to start a new check-in with Intune.
-- If the Microsoft Intune app isn't running, sign into the app to start a new check-in.
-- After installation, the Microsoft Intune app periodically checks in with Intune on its own, so long as the device is on, and a user is signed in to it.
+To refresh compliance status after making changes on a Linux device, see [Refresh compliance status](./ref-linux-settings.md#refresh-compliance-status).
## Next steps
diff --git a/intune/device-security/compliance/monitor-policy.md b/intune/device-security/compliance/monitor-policy.md
index 901305be0dd..94ad44f755a 100644
--- a/intune/device-security/compliance/monitor-policy.md
+++ b/intune/device-security/compliance/monitor-policy.md
@@ -11,7 +11,7 @@ ms.collection:
---
# Monitor results of your Intune device compliance policies
-Compliance reports help you understand when devices fail to meet your [compliance policies](./overview.md) and can help you identify compliance-related issues in your organization. Using these reports, you can view information on:
+Compliance reports help you understand when devices fail to meet your [compliance policies](./overview.md) and can help you identify compliance-related issues in your organization. By using these reports, you can view information on:
- The overall compliance states of devices
- The compliance status for an individual setting
@@ -39,7 +39,7 @@ Intune includes the following options for reviewing device compliance details:
## Important concepts for device compliance policies and status results
-When viewing compliance status details and reports, be aware of the following important details that can affect how a device's compliance status is reported:
+When you view compliance status details and reports, keep in mind the following important details that can affect how a device's compliance status is reported:
- Devices must be enrolled into Intune to receive device compliance policies.
@@ -49,9 +49,9 @@ When viewing compliance status details and reports, be aware of the following im
## Known reporting behaviors
-Device compliance state in Microsoft Intune is continually evaluated as changes occur on the device. This ongoing evaluation process helps ensure that a device’s compliance posture remains up to date.
+Microsoft Intune continually evaluates device compliance state as changes occur on the device. This ongoing evaluation process helps ensure that a device’s compliance posture stays up to date.
-Changes that can affect a device’s compliance state include:
+Changes that affect a device’s compliance state include:
- Device configuration updates
- Operating system version changes
@@ -61,9 +61,9 @@ Changes that can affect a device’s compliance state include:
While compliance state is evaluated continuously, compliance policy reports in Microsoft Intune are updated when a device checks in with the service. As a result, reporting in the admin center reflects the most recently known compliance state recorded during the device’s last check-in. This reporting model helps ensure that the compliance information shown in reports aligns with the last confirmed device state used for access decisions, such as Conditional Access.
-When reviewing compliance policy reports in Microsoft Intune, be aware of the following reporting behaviors:
+When you review compliance policy reports in Microsoft Intune, be aware of the following reporting behaviors:
-- Compliance policy reporting depends on when a device checks in. Reporting data is refreshed during device check-in and policy refresh cycles and might not immediately reflect recent policy assignments or targeting changes if a device hasn’t checked in.
+- Compliance policy reporting depends on when a device checks in. Reporting data is refreshed during device check-in and policy refresh cycles. If a device doesn't check in, the report might not immediately reflect recent policy assignments or targeting changes.
- Compliance reports display the compliance state associated with the last user who checked in on the device. On shared or multi-user devices, this behavior can cause reports to reflect a previous user’s compliance state.
@@ -71,7 +71,7 @@ When reviewing compliance policy reports in Microsoft Intune, be aware of the fo
- Policy reports might show multiple entries for the same device, such as separate records associated with user and system contexts. This behavior can occur when different users sign in to the same device or when automatic device check-ins occur.
-- Summary report views and detailed device lists don’t always update at the same time. Differences in update cadence can temporarily cause aggregated values in summary views to differ from entries shown in detailed reports.
+- Summary report views and detailed device lists don't always update at the same time. Differences in update cadence can temporarily cause aggregated values in summary views to differ from entries shown in detailed reports.
## Device-reported values in compliance reports
@@ -89,7 +89,7 @@ Because setting values are generated by device-side logic, such as an applicatio
You can access the device compliance dashboard in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Go to **Devices** > **Compliance**, and then select the **Monitor** tab.
-2. Select from the following reporting options for more details about the state of device compliance in your tenant:
+1. Select from the following reporting options for more details about the state of device compliance in your tenant:
- [Device compliance status](#device-compliance-status)
- [Devices without compliance](#devices-without-compliance)
@@ -100,16 +100,14 @@ You can access the device compliance dashboard in the [Microsoft Intune admin ce
### Device compliance status
-The **Device compliance status** tile displays the compliance states for all Intune enrolled devices.
-If you select this tile, Intune displays the **Noncompliant devices** report that can also be found under the **Devices** > **Monitor** node of the admin center.
+The **Device compliance status** tile shows the compliance states for all Intune enrolled devices.
+If you select this tile, Intune shows the **Noncompliant devices** report. You can also find this report under the **Devices** > **Monitor** node of the admin center.
-The tile displays a count of devices for each of the following categories:
+The tile displays the number of devices for each of the following categories:
- **Compliant**: The device successfully applied one or more device compliance policy settings.
-- **In-grace period**: The device is targeted with one or more device compliance policy settings but isn't yet compliant to all of them. Often this is due to users not applying compliant configurations, like meeting password complexity requirements. Devices with this status are noncompliant, but in the grace period defined by the admin.
-
- Learn more about [Actions for noncompliant devices](./configure-noncompliance-actions.md).
+- **In-grace period**: The device is targeted with one or more device compliance policy settings but isn't yet compliant to all of them. Often, this status is due to users not applying compliant configurations, such as meeting password complexity requirements. Devices with this status are noncompliant, but in the grace period defined by the admin.
- **Not evaluated**: An initial state for newly enrolled devices. Other possible reasons for this state include:
- Devices that aren't assigned a compliance policy and don't have a trigger to check for compliance.
@@ -119,26 +117,29 @@ The tile displays a count of devices for each of the following categories:
- Android Enterprise dedicated devices.
- Devices enrolled with a device enrollment manager (DEM) account.
-- **Not compliant**: The device failed to apply one or more device compliance policy settings, or the user hasn't complied with the policies.
+- **Not compliant**: The device failed to apply one or more device compliance policy settings, or the user didn't comply with the policies.
+
+> [!TIP]
+> To configure what happens when a device is noncompliant, see [Actions for noncompliant devices](./configure-noncompliance-actions.md).
### Devices without compliance
-The **Devices without compliance policy** tile displays a count of devices that don't have any compliance policies assigned. The tile name is often truncated in the admin center view as this tile displays only a count of devices:
+The **Devices without compliance policy** tile shows the number of devices that don't have any compliance policies assigned. The tile name may be truncated in the admin center due to its length.
:::image type="content" source="./media/monitor-policy/devices-without-compliance-policy-tile.png" alt-text="Image of the Devices without compliance policy tile.":::
-If you select this tile, Intune displays a *Device status* view that lists each device that doesn’t have a compliance policy. This view includes the *Device* name, the *User Principal Name* associated with the device, the devices compliance *Status*, and the *Device model*.
+If you select this tile, Intune shows a *Device status* view that lists each device that doesn't have a compliance policy. This view includes the *Device* name, the *User Principal Name* associated with the device, the device's compliance *Status*, and the *Device model*.
> [!TIP]
-> Intune includes an organizational report that identifies all devices in your tenant that have not been assigned a compliance policy. See [Devices without compliance policy (Organizational)](../../device-management/reports/overview.md#devices-without-compliance-policy-organizational).
+> Intune includes an organizational report that identifies all devices in your tenant that aren't assigned a compliance policy. See [Devices without compliance policy (Organizational)](../../device-management/reports/overview.md#devices-without-compliance-policy-organizational).
## Policy-based device compliance reports
Each compliance policy you create directly supports compliance reporting. To view the reports for an individual policy, in the admin center go to **Devices** > **Compliance**. Then select the policy for which you want to view its report details.
-By default, when you select a policy Intune opens the Monitor tab for that policy, where Intune displays:
+By default, when you select a policy, Intune opens the Monitor tab for that policy. Intune shows:
-- **Device status** - A simple bar chart that identifies the basic compliance status for devices that receive this policy.
+- **Device status** - A simple bar chart that shows the basic compliance status for devices that receive this policy.
- **View report** - A button you can select that opens the device status report where you can view deeper details about device compliance to this policy.
- **Per-setting status** - A tile you can select that opens the per-setting status report for this policy.
@@ -149,22 +150,22 @@ By default, when you select a policy Intune opens the Monitor tab for that polic
### Device status
-The *Device status* summary is the default view that’s available when you select a compliance policy. This summary is a simple chart that presents a count of devices that report a specific device compliance status. The horizontal bar is divided into colors from the available categories in proportion to the count of devices in each category. In the preceding screen capture, all devices are compliant. As a result, the representational bar is entirely green.
+The *Device status* summary is the default view when you select a compliance policy. This summary is a simple chart that shows the device count for each specific compliance status. The horizontal bar is divided into colors that match the available categories, and each color represents the device count in that category. In the preceding screen capture, all devices are compliant. As a result, the bar is entirely green.
-Before a device is represented in this chart view, the device must check in with Intune to receive the policy, process it, and successfully report back its status. This process can take up to 24 hours when the device is online.
+Before a device appears in this chart, it must check in with Intune to receive the policy, process it, and successfully report its status. This process can take up to 24 hours when the device is online.
Details in the Device status chart include:
- **Compliant** - The device successfully applied one or more device compliance policy settings.
-- **Noncompliant** - The device configuration has failed to meet one or more device compliance policy settings.
-- **Others** - The device is in a state that is neither compliant or noncompliant with the settings in this policy, such as *Error* or *Not evaluated*.
-- **Total** - The total number of devices that have received this policy and reported in.
+- **Noncompliant** - The device configuration failed to meet one or more device compliance policy settings.
+- **Others** - The device is in a state that is neither compliant nor noncompliant with the settings in this policy, such as *Error* or *Not evaluated*.
+- **Total** - The total number of devices that received this policy and reported in.
-To view more details, you can select the **View report** button.
+To view more details, select the **View report** button.
### View report
-When you select the *View report* button on the device status view of a policy, Intune displays a more detailed view of the device status for that policy.
+When you select the *View report* button on the device status view of a policy, Intune shows a more detailed view of the device status for that policy.
:::image type="content" source="./media/monitor-policy/view-report-for-compliance-policy.png" alt-text="View of the detailed device status report, after selecting the View report button in the Intune admin center.":::
@@ -172,45 +173,45 @@ By default, the report view displays details for the following, though you can a
- **Device name** - The name of the device as it appears when viewing Devices and creating groups.
- **Logged in user**
-- **Policy compliance status** - This status identifies if the device is compliant to this policy, but doesn't represent a device's compliance for any other compliance policies. A device could still be considered noncompliant by Intune should it be noncompliant to a different policy.
+- **Policy compliance status** - This status identifies if the device is compliant to this policy, but it doesn't represent a device's compliance for any other compliance policies. Intune can still consider a device noncompliant if it doesn't comply with a different policy.
- **Device Id** - The device's Intune Device ID.
-- **OS** - The operating system of the device, like *Windows*, or *Android*.
+- **OS** - The operating system of the device, like *Windows* or *Android*.
- **Last contacted** - The last day and time that this device made contact with the Intune service.
In this report view:
-- Each column can be sorted alphabetically.
-- You can configure *Filters* and specify a *Search* string to refine the reports results. Search looks through all displayed columns.
+- You can sort each column alphabetically.
+- You can configure *Filters* and specify a *Search* string to refine the report results. Search looks through all displayed columns.
- For example, in the previous policy report view, when we enter a search string of **st1** which appears in both the *Device name* and *Logged in user* columns. The resulting view displays both devices that contain *st1* as well as each device associated with the user with *st1* in their user name:
+ For example, entering a search string of **st1** returns all devices with *st1* in the *Device name* column, and all devices associated with a user with *st1* in the *Logged in user* column:
:::image type="content" source="./media/monitor-policy/filtered-search-results.png" alt-text="A screen capture that shows filtered search results for the device status report view.":::
### Per-setting status
-After selecting a compliance policy, you can select the *Per-setting status* tile to review the device compliance status for policy settings. This view shows the settings that the policy configures with columns for the various status conditions that can be reported. For each setting, each status column displays a count of devices that report that status.
+After selecting a compliance policy, select the *Per-setting status* tile to review the device compliance status for policy settings. This view shows the settings that the policy configures with columns for the various status conditions that can be reported. For each setting, each status column displays the number of devices that report that status.
-The following image displays a per-setting view of a policy for Android devices. This policy includes one setting and was deployed to four devices, all of which are compliant to that setting. In this view, you can sort by selecting a column, or using search:
+The following image displays a per-setting view of a policy for Android devices. This policy includes one setting and was deployed to four devices, all of which are compliant to that setting. In this view, you can sort by selecting a column, or use search:
:::image type="content" source="./media/monitor-policy/view-report-for-per-setting-status.png" alt-text="Screen shot that shows the detailed per-setting status report, after selecting the View report button in the Intune admin center.":::
-From the per-setting view, you can select the device count from any status column to open a view with more details for that specific setting and status. The following image displays the results of having selected the number **4** from the **Compliant devices** column"
+From the per-setting view, select the device count from any status column to open a view with more details for that specific setting and status. The following image displays the results of selecting the number **4** from the **Compliant devices** column.
:::image type="content" source="./media/monitor-policy/per-status-drill-in.png" alt-text="Screen shot that displays the results of drilling into a per-setting status result to view details for devices that have reported that status.":::
-In the screenshot we see there are four entries for the selected setting, with each entry representing a distinct device. This count of devices matches the initial count on the initial per-status view.
+In the screenshot, there are four entries for the selected setting, with each entry representing a distinct device. This count matches the number shown in the per-setting status view.
-We can also see that one device, which has a name that starts with **st1**, has been flagged in the *Device compliance* column as being **Not compliant**. This result is worth examining more closely:
+You can also see that one device, which has a name that starts with **st1**, is flagged in the *Device compliance* column as being **Not compliant**. This result is worth examining more closely:
- The details in the Device compliance column represent a device's overall compliance status, and not necessarily a device's compliance with this policy or this setting from this policy.
- We can be assured that this device is compliant to how this setting is configured in this policy because we're viewing a list of devices that reported as being compliant to the settings for this policy.
- This result indicates that the device is failing compliance against some other policy.
-Because this drill-in view doesn’t support a deeper drill through, you must use the other compliance reports that are available to determine which policy and setting the device is reporting as noncompliant.
+Because this drill-in view doesn't support a deeper drill through, you must use the other compliance reports that are available to determine which policy and setting the device is reporting as noncompliant.
#### Device behavior with a compliance setting in Error state
-When a setting for a compliance policy returns a value of **Error**, the compliance state of the device remains unchanged for up to seven days to allow time for the compliance calculation to complete correctly for that setting. Within those seven days, the device's existing compliance status continues to apply until the compliance policy setting evaluates as **Compliant** or **Not compliant**. If a setting still has a status of **Error** after seven days, the device becomes **Not compliant**, or if a grace period has been set for the compliance policy, the device will be marked **In grace period**.
+When a setting for a compliance policy returns a value of **Error**, the compliance state of the device remains unchanged for up to seven days to allow time for the compliance calculation to complete correctly for that setting. Within those seven days, the device's existing compliance status continues to apply until the compliance policy setting evaluates as **Compliant** or **Not compliant**. If a setting still has a status of **Error** after seven days, the device becomes **Not compliant**, or if a grace period is set for the compliance policy, the device is marked **In grace period**.
**Examples**:
@@ -220,13 +221,13 @@ When a setting for a compliance policy returns a value of **Error**, the complia
- A device is initially marked **Compliant**, but then a setting in one of the compliance policies targeted to the device reports **Error**. The user is able to access Conditional Access protected resources for seven days, but after seven days, the compliance setting still returns **Error**. At this point, the device becomes **Not compliant** immediately and the user loses access to the protected resources until the device becomes **Compliant**.
-- A device is initially marked **Compliant**, but then a setting in one of the compliance policies targeted to the device reports **Error**. The compliance policy that includes the setting in *Error* state has a grace period set. The user is able to access Conditional Access protected resources for seven days, but after seven days, the compliance setting still returns **Error**. At this point, the device is marked **In grace period** and the user continues to have access to protected resources. If the setting doesn't become compliant within the admin-specified grace period, the device becomes **Not compliant** and the user loses access to the protected resources until the device becomes **Compliant**
+- A device is initially marked **Compliant**, but then a setting in one of the compliance policies targeted to the device reports **Error**. The compliance policy that includes the setting in *Error* state has a grace period set. The user is able to access Conditional Access protected resources for seven days, but after seven days, the compliance setting still returns **Error**. At this point, the device is marked **In grace period** and the user continues to have access to protected resources. If the setting doesn't become compliant within the admin-specified grace period, the device becomes **Not compliant** and the user loses access to the protected resources until the device becomes **Compliant**.
-- A device is initially marked **Not compliant**, but then a setting in one of the compliance policies targeted to the device reports Error. After three days, compliance evaluation completes successfully, the setting returns **Compliant**, and the device's compliance status becomes **Compliant**. The user is prevented from accessing Conditional Access protected resources for the first three days (while the setting returns **Error**). Once the setting returns **Compliant** and the device is marked **Compliant**, the user can begin to access protected resources on the device.
+- A device is initially marked **Not compliant**, but then a setting in one of the compliance policies targeted to the device reports **Error**. After three days, compliance evaluation completes successfully, the setting returns **Compliant**, and the device's compliance status becomes **Compliant**. The user is prevented from accessing Conditional Access protected resources for the first three days (while the setting returns **Error**). Once the setting returns **Compliant** and the device is marked **Compliant**, the user can begin to access protected resources on the device.
## Organizational and operational compliance reports
-In addition to reports that are available through individual compliance policies, you can view reports for device compliance that focus on the settings in your compliance policies that list all the devices that are noncompliant, and that provide insights to compliance trends.
+In addition to reports that individual compliance policies provide, you can view reports for device compliance that focus on the settings in your compliance policies. These reports list all the devices that are noncompliant and provide insights into compliance trends.
To view these reports, open the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Reports** > **Device compliance**, and select the **Reports** tab.
@@ -247,23 +248,23 @@ Policy conflicts can occur when multiple Intune policies are applied to a device
- If the conflict is between settings from an Intune configuration policy and a compliance policy, the settings in the compliance policy take precedence over the settings in the configuration policy. This result happens even if the settings in the configuration policy are more secure.
-- If you have deployed multiple compliance policies, Intune uses the most secure of these policies.
+- If you deploy multiple compliance policies, Intune uses the most secure of these policies.
To learn more about conflict resolution for policies, see [Compliance and device configuration policies that conflict](../../device-configuration/troubleshoot-device-profiles.md#compliance-and-device-configuration-policies-that-conflict).
## How Intune evaluates the default compliance policy
-In Intune, the default compliance policy is evaluated when a calculation is triggered. While not every [device sync](../../device-configuration/troubleshoot-device-profiles.md#policy-refresh-intervals) results in a compliance calculation, the following cases will:
+In Intune, the default compliance policy is evaluated when a calculation is triggered. While not every [device sync](../../device-configuration/troubleshoot-device-profiles.md#policy-refresh-intervals) results in a compliance calculation, the following cases trigger compliance calculations:
-- It happens frequently on new enrollments to ensure users are aware of blocking reasons. The actual frequency depends on the platform and the type of enrollment.
-- It happens periodically to enforce device contact requirements, like the initial user log-on after following the device being offline for a few days.
-- It happens when new compliance information, such as a change in device properties, is found during a device sync.
-- It happens when a compliance policy assignment is added, after the next device sync. If a compliance policy assignment is removed, such as with exclusion targeting, the compliance calculation will be triggered with the existing service data.
-- It happens when a user [checks compliance status](../../user-help/compliance/validate-status-company-portal-website.md) on the Company Portal website or app.
+- New enrollments: Evaluation happens frequently to ensure users are aware of blocking reasons. The actual frequency depends on the platform and the type of enrollment.
+- Periodic evaluation: Evaluation happens periodically to enforce device contact requirements, such as requiring a user sign-in after the device has been offline for a few days.
+- New compliance information: Evaluation happens when new compliance information, such as a change in device properties, is found during a device sync.
+- Compliance policy assignment changes: Evaluation happens when a compliance policy assignment is added, after the next device sync. If a compliance policy assignment is removed, such as with exclusion targeting, the compliance calculation triggers with the existing service data.
+- User compliance status checks: Evaluation happens when a user [checks compliance status](../../user-help/compliance/validate-status-company-portal-website.md) on the Company Portal website or app.
-The evaluation process identifies the device as noncompliant if any of the following statements are false.
+The evaluation process identifies the device as noncompliant if any of the following statements are false:
- The device has a compliance policy assigned: At least one applicable compliance policy must be assigned to the device with an applicable setting.
-- The device is active: The device should remain in contact with Intune. This requires it to be turned on with an internet connection. The default grace period is 30 days.
+- The device is active: The device should remain in contact with Intune. This requirement means the device is turned on with an internet connection. The default grace period is 30 days.
- The enrolled user exists: The user that is actively using the device exists and has a valid Intune license.
## Next steps
diff --git a/intune/device-security/compliance/overview.md b/intune/device-security/compliance/overview.md
index 05aa3978f8f..391a188719c 100644
--- a/intune/device-security/compliance/overview.md
+++ b/intune/device-security/compliance/overview.md
@@ -12,9 +12,9 @@ ms.collection:
# Use compliance policies to set rules for devices you manage with Intune
-Microsoft Intune compliance policies are sets of rules and conditions that you use to evaluate the configuration of your managed devices. These policies can help you secure organizational data and resources from devices that don't meet those configuration requirements. Managed devices must satisfy the conditions you set in your policies to be considered compliant by Intune.
+Microsoft Intune compliance policies are sets of rules and conditions that you use to evaluate the configuration of your managed devices. These policies help you secure organizational data and resources from devices that don't meet those configuration requirements. Managed devices must satisfy the conditions you set in your policies to be considered compliant by Intune.
-If you also integrate the compliance results from your policies with Microsoft Entra Conditional Access, you can benefit from an extra layer of security. Conditional Access can enforce Microsoft Entra access controls based on a devices current compliance status to help ensure that only devices that are compliant are permitted to access corporate resources.
+If you integrate the compliance results from your policies with Microsoft Entra Conditional Access, you can benefit from an extra layer of security. Conditional Access enforces Microsoft Entra access controls based on a device's current compliance status, helping ensure only compliant devices can access corporate resources.
Intune compliance policies are divided into two areas:
@@ -28,7 +28,7 @@ Intune compliance policies are divided into two areas:
To manage the compliance policy settings, sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Endpoint security** > **Device compliance** > **Compliance policy settings**.
-Compliance policy settings include the following settings:
+Compliance policy settings include:
- **Mark devices with no compliance policy assigned as**
@@ -39,7 +39,7 @@ Compliance policy settings include the following settings:
If you use Conditional Access with your device compliance policies, change this setting to **Not compliant** to ensure that only devices that are confirmed as compliant can access your resources.
- If an end user isn't compliant because a policy isn't assigned to them, then the [Company Portal app](../../app-management/configuration/configure-company-portal.md) shows No compliance policies have been assigned.
+ If an end user isn't compliant because a policy isn't assigned to them, the [Company Portal app](../../app-management/configuration/configure-company-portal.md) shows No compliance policies have been assigned.
- **Compliance status validity period (days)**
@@ -47,21 +47,21 @@ Compliance policy settings include the following settings:
By default, the period is set to 30 days. You can configure a period from 1 to 120 days.
- You can view details about a devices compliance to the validity period setting. Sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Devices** > **Monitor** > **Setting compliance**. This setting has a name of **Is active** in the *Setting* column. For more information about this and related compliance status views, see [Monitor device compliance](./monitor-policy.md).
+ You can view details about a device's compliance with the validity period setting. Sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Devices** > **Monitor** > **Setting compliance**. This setting has a name of **Is active** in the *Setting* column. For more information about this setting and related compliance status views, see [Monitor device compliance](./monitor-policy.md).
## Device compliance policies
-Intune device compliance policies are discrete sets of platform-specific rules and settings you deploy to groups of users or devices. Use compliance policies to:
+Intune device compliance policies are discrete sets of platform-specific rules and settings that you deploy to groups of users or devices. Use compliance policies to:
-- Define the rules and settings that users and managed devices must meet to be compliant. Examples of rules include requiring devices run a minimum OS version, not being jail-broken or rooted, and being at or under a *threat level* as specified by threat management software that integrates with Intune.
+- Define the rules and settings that users and managed devices must meet to be compliant. Examples of rules include requiring devices run a minimum OS version, not being jailbroken or rooted, and being at or under a *threat level* as specified by threat management software that integrates with Intune.
-- Support [actions for noncompliance](./configure-noncompliance-actions.md) that apply to devices that don’t meet that policies compliance rules. Examples of actions for noncompliance include marking the device as noncompliant, being remotely locked, and sending a device user email about the device status so they can fix it.
+- Support [actions for noncompliance](./configure-noncompliance-actions.md) that apply to devices that don't meet the policy's compliance rules. Examples of actions for noncompliance include marking the device as noncompliant, being remotely locked, and sending a device user email about the device status so they can fix it.
When using device compliance policies:
- Some compliance policy configurations can override the configuration of settings that you also manage through device configuration policies. To learn more about conflict resolution for policies, see [Compliance and device configuration policies that conflict](../../device-configuration/troubleshoot-device-profiles.md#compliance-and-device-configuration-policies-that-conflict).
-- Policies can deploy to users in user groups or devices in device groups. When a compliance policy is deployed to a user, all the user's devices are checked for compliance. Using device groups in this scenario helps with compliance reporting.
+- You can deploy policies to users in user groups or devices in device groups. When you deploy a compliance policy to a user, Intune checks all the user's devices for compliance. Using device groups in this scenario helps with compliance reporting.
- If you use Microsoft Entra Conditional Access, your Conditional Access policies can use the device compliance results to block access to resources from noncompliant devices.
@@ -70,15 +70,15 @@ When using device compliance policies:
The available settings you can specify in a device compliance policy depend on the platform type you select when you create a policy. Different device platforms support different settings, and each platform type requires a separate policy.
-The following subjects link to dedicated articles for different aspects of device configuration policy.
+The following topics link to dedicated articles for different aspects of device compliance policy.
- [**Actions for noncompliance**](./configure-noncompliance-actions.md) - By default, each device compliance policy includes the action to mark a device as noncompliant if it fails to meet a policy rule. Each policy can support more actions based on the device platform. Examples of extra action include:
- **Sending email alerts** to users and groups with details about the noncompliant device. You might configure the policy to send an email immediately upon being marked as noncompliant, and then again, periodically, until the device becomes compliant.
- - **Remotely lock devices** that have been noncompliant for some time.
- - **Retire devices** after they’ve been noncompliant for some time. This action marks a qualifying device as ready to be retired. An admin can then view a list of devices marked for retirement and must take an explicit action to retire one or more devices. Retiring a device removes the device from Intune management and removes all company data from the device. For more information about this action, see [Available actions for noncompliance](./configure-noncompliance-actions.md#available-actions-for-noncompliance).
+ - **Remotely lock devices** that are noncompliant for some time.
+ - **Retire devices** after they're noncompliant for some time. This action marks a qualifying device as ready to be retired. An admin can then view a list of devices marked for retirement and must take an explicit action to retire one or more devices. Retiring a device removes the device from Intune management and removes all company data from the device. For more information about this action, see [Available actions for noncompliance](./configure-noncompliance-actions.md#available-actions-for-noncompliance).
-- [**Create a compliance policy**](./create-policy.md) – With the information in the linked article, you can review prerequisites, work through the options to configure rules, specify actions for noncompliance, and assign the policy to groups. This article also includes information about policy refresh times.
+- [**Create a compliance policy**](./create-policy.md) - With the information in the linked article, you can review prerequisites, work through the options to configure rules, specify actions for noncompliance, and assign the policy to groups. This article also includes information about policy refresh times.
View the device compliance settings for the different device platforms:
@@ -93,21 +93,21 @@ The following subjects link to dedicated articles for different aspects of devic
- [Windows 8.1 and later](./ref-windows-8-1-settings.md)
[!INCLUDE [windows-phone-81-windows-10-mobile-support](../../includes/windows-phone-81-windows-10-mobile-support.md)]
-- [**Custom compliance settings**](./custom-settings.md) – With custom compliance settings you can expand on Intune’s built-in device compliance options. Custom settings provide flexibility to base compliance on the settings that are available on a device without having to wait for Intune to add those settings.
+- [**Custom compliance settings**](./custom-settings.md) - By using custom compliance settings, you can expand on Intune's built-in device compliance options. Custom settings provide flexibility to base compliance on the settings that are available on a device without having to wait for Intune to add those settings.
You can use custom compliance settings with the following platforms:
- - Linux – Ubuntu Desktop, version 24.04 LTS or 26.04 LTS
- - Windows
+ - Linux – Ubuntu Desktop, version 24.04 LTS or 26.04 LTS; RedHat Enterprise Linux 9 or 10
+ - Windows
## Monitor compliance status
-Intune includes a device compliance dashboard that you use to monitor the compliance status of devices, and to drill-in to policies and devices for more information. To learn more about this dashboard, see [Monitor device compliance](./monitor-policy.md).
+Intune includes a device compliance dashboard that you use to monitor the compliance status of devices, and to drill into policies and devices for more information. To learn more about this dashboard, see [Monitor device compliance](./monitor-policy.md).
## Integrate with Conditional Access
When you use Conditional Access, you can configure your Conditional Access policies to use the results of your device compliance policies to determine which devices can access your organizational resources. This access control is in addition to and separate from the actions for noncompliance that you include in your device compliance policies.
-When a device enrolls in Intune it registers in Microsoft Entra ID. The compliance status for devices is reported to Microsoft Entra ID. If your Conditional Access policies have Access controls set to *Require device to be marked as compliant*, Conditional Access uses that compliance status to determine whether to grant or block access to email and other organization resources.
+When a device enrolls in Intune, it registers in Microsoft Entra ID. The compliance status for devices is reported to Microsoft Entra ID. If your Conditional Access policies have Access controls set to *Require device to be marked as compliant*, Conditional Access uses that compliance status to determine whether to grant or block access to email and other organization resources.
If you use device compliance status with Conditional Access policies, review how your tenant configures the *Mark devices with no compliance policy assigned as* option, which you manage under [Compliance policy settings](#compliance-policy-settings).
@@ -115,12 +115,12 @@ For more information about using Conditional Access with your device compliance
Learn more about Conditional Access in the Microsoft Entra documentation:
-- [What is Conditional Access](/azure/active-directory/conditional-access/overview)
-- [What is a device identity](/azure/active-directory/device-management-introduction)
+- [What is Conditional Access](/entra/identity/conditional-access/overview)
+- [What is a device identity](/entra/identity/devices/overview)
### Reference for noncompliance and Conditional Access on the different platforms
-The following table describes how noncompliant settings are managed when a compliance policy is used with a Conditional Access policy.
+The following table describes how noncompliant settings are managed when you use a compliance policy with a Conditional Access policy.
- **Remediated**: The device operating system enforces compliance. For example, the user is forced to set a PIN.
@@ -144,7 +144,7 @@ The following table describes how noncompliant settings are managed when a compl
> [!NOTE]
-> The Company Portal app enters the enrollment remediation flow when the user signs into the app and the device has not successfully checked in with Intune for 30 days or more (or the device is non-compliant due to a _Lost contact_ compliance reason). In this flow, we attempt to initiate a check-in one more time. If that still does not succeed, we issue a retire command to allow the user to re-enroll the device manually.
+> The Company Portal app enters the enrollment remediation flow when the user signs into the app and the device doesn't successfully check in with Intune for 30 days or more (or the device is noncompliant due to a _Lost contact_ compliance reason). In this flow, Intune attempts to initiate a check-in one more time. If that check-in doesn't succeed, Intune issues a retire command to allow the user to re-enroll the device manually.
---------------------------
@@ -152,5 +152,6 @@ The following table describes how noncompliant settings are managed when a compl
- [Create and deploy policy](./create-policy.md) and review prerequisites
- [Monitor device compliance](./monitor-policy.md)
+- [Third-party device compliance partners](./third-party-partners.md)
- [Common questions, issues, and resolutions with device policies and profiles in Microsoft Intune](../../device-configuration/troubleshoot-device-profiles.md)
- [Reference for policy entities](../../developer/data-warehouse/ref-policy.md) has information about the Intune Data Warehouse policy entities
diff --git a/intune/device-security/compliance/quickstart-noncompliance-notification.md b/intune/device-security/compliance/quickstart-noncompliance-notification.md
index a5128da5175..fcce2569e51 100644
--- a/intune/device-security/compliance/quickstart-noncompliance-notification.md
+++ b/intune/device-security/compliance/quickstart-noncompliance-notification.md
@@ -123,7 +123,7 @@ You can assign the compliance policy to a specific group of users or to all user
4. In the **Assign to** drop-down box, select **All Users**. Any user that has a **Windows 10 and later** device that doesn't meet this compliance policy is notified.
> [!NOTE]
- > You can include and exclude groups when assigning compliancy policies.
+ > You can include and exclude groups when assigning compliance policies.
5. Select **Review + save** > **Save**.
diff --git a/intune/device-security/compliance/ref-android-administrator-settings.md b/intune/device-security/compliance/ref-android-administrator-settings.md
index d59c951577b..a48272b4044 100644
--- a/intune/device-security/compliance/ref-android-administrator-settings.md
+++ b/intune/device-security/compliance/ref-android-administrator-settings.md
@@ -10,20 +10,18 @@ ms.collection:
- sub-device-compliance
---
-# Device Compliance settings for Android device administrator in Intune
+# Device compliance settings for Android device administrator in Intune
-This article lists the compliance settings you can configure on Android device administrator devices in Intune. As part of your mobile device management (MDM) solution, use these settings to mark rooted devices as not compliant, set an allowed threat level, enable Google Play Protect, and more.
-
-For assistance in configuring compliance policy, see [Use compliance policies to set rules for devices you manage with Intune](./overview.md).
+This article lists the compliance settings you can configure on Android device administrator devices in Intune. As part of your mobile device management (MDM) solution, use these settings to mark rooted devices as noncompliant, set an allowed threat level, enable Google Play Protect, and more.
This feature applies to:
- Android device administrator
-As an Intune administrator, use these compliance settings to help protect your organizational resources. To learn more about compliance policies, and what they do, see [get started with device compliance](./overview.md).
-
[!INCLUDE [android_device_administrator_support](../../includes/android-device-administrator-support.md)]
+Settings in this article are organized by the sections that appear in the admin center when you create a compliance policy.
+
## Before you begin
[Create a compliance policy](./create-policy.md#create-the-policy). For **Platform**, select **Android device administrator**.
@@ -32,14 +30,14 @@ As an Intune administrator, use these compliance settings to help protect your o
- **Require the device to be at or under the machine risk score**
- Select the maximum allowed machine risk score for devices evaluated by Microsoft Defender for Endpoint. Devices that exceed this score get marked as noncompliant.
+ Select the maximum allowed machine risk score for devices evaluated by Microsoft Defender for Endpoint. Devices that exceed this score are marked as noncompliant.
- **Not configured** (*default*)
- **Clear**
- **Low**
- **Medium**
- **High**
-## Device Health
+## Device health
- **Devices managed with device administrator**
*Device administrator* capabilities are superseded by Android Enterprise.
@@ -48,13 +46,13 @@ As an Intune administrator, use these compliance settings to help protect your o
- **Block** - Blocking device administrator guides users to move to Android Enterprise Personally Owned and Corporate Owned Work Profile management to regain access.
- **Rooted devices**
- Prevent rooted devices from having corporate access. (This compliance check is supported for Android 4.0 and above.)
+ Prevent rooted devices from having corporate access. (This compliance check is supported for Android 4.0 and later.)
- **Not configured** (*default*) - This setting isn't evaluated for compliance or noncompliance.
- - **Block** - Mark rooted devices as not compliant.
+ - **Block** - Mark rooted devices as noncompliant.
- **Require the device to be at or under the Device Threat Level**
- Use this setting to take the risk assessment from a connected Mobile Threat Defense service as a condition for compliance.
+ Use this setting to take the risk assessment from a connected mobile threat defense service as a condition for compliance.
- **Not configured** (*default*) - This setting isn't evaluated for compliance or noncompliance.
- **Secured** - This option is the most secure, as the device can't have any threats. If the device is detected with any level of threats, the device is evaluated as noncompliant.
@@ -65,10 +63,10 @@ As an Intune administrator, use these compliance settings to help protect your o
### Google Play Protect
> [!IMPORTANT]
-> Devices operating in countries/regions where Google Mobile Services are not available will fail Google Play Protect compliance policy setting evaluations. For more information, see [Managing Android devices where Google Mobile Services are not available](https://techcommunity.microsoft.com/t5/intune-customer-success/intune-customer-success-managing-android-devices-where-google/ba-p/1628793).
+> Devices operating in countries or regions where Google Mobile Services aren't available fail Google Play Protect compliance policy setting evaluations. For more information, see [Managing Android devices where Google Mobile Services are not available](https://techcommunity.microsoft.com/t5/intune-customer-success/intune-customer-success-managing-android-devices-where-google/ba-p/1628793).
- **Google Play Services is configured**
- Google Play services allows security updates, and is a base-level dependency for many security features on certified-Google devices.
+ Google Play services enables security updates and is a base-level dependency for many security features on certified-Google devices.
- **Not configured** (*default*) - This setting isn't evaluated for compliance or noncompliance.
- **Require** - Require that the Google Play services app is installed and enabled.
@@ -76,7 +74,7 @@ As an Intune administrator, use these compliance settings to help protect your o
- **Up-to-date security provider**
- **Not configured** (*default*) - This setting isn't evaluated for compliance or noncompliance.
- - **Require** - Require that an up-to-date security provider can protect a device from known vulnerabilities.
+ - **Require** - Require that an up-to-date security provider protects a device from known vulnerabilities.
- **Threat scan on apps**
@@ -94,23 +92,23 @@ As an Intune administrator, use these compliance settings to help protect your o
- **Check basic integrity & device integrity**
> [!NOTE]
-> To configure Google Play Protect settings using app protection policies, see [Intune app protection policy settings](../../app-management/protection/ref-settings-android.md#conditional-launch) on Android.
+> To configure Google Play Protect settings by using app protection policies, see [Intune app protection policy settings](../../app-management/protection/ref-settings-android.md#conditional-launch) on Android.
-## Device Properties
+## Device properties
-### Operating System Version
+### Operating system version
- **Minimum OS version**
- When a device doesn't meet the minimum OS version requirement, the devices is reported as noncompliant. A link with information about how to upgrade is shown. The end user can choose to upgrade their device, and then get access to company resources.
+ When a device doesn't meet the minimum OS version requirement, the device is reported as noncompliant. A link with information about how to upgrade is shown. The end user can choose to upgrade their device, and then get access to company resources.
*By default, no version is configured*.
- **Maximum OS version**
- When a device is using an OS version later than the version specified in the rule, access to company resources is blocked. The user is asked to contact their IT admin. Until a rule is changed to allow the OS version, this device can't access company resources.
+ When a device uses an OS version later than the version specified in the rule, access to company resources is blocked. The user is asked to contact their IT admin. Until a rule is changed to allow the OS version, this device can't access company resources.
*By default, no version is configured*.
-## System Security
+## System security
### Encryption
@@ -120,18 +118,18 @@ As an Intune administrator, use these compliance settings to help protect your o
- **Not configured** (*default*) - This setting isn't evaluated for compliance or noncompliance.
- **Require** - Encrypt data storage on your devices. Devices are encrypted when you choose the **Require a password to unlock mobile devices** setting.
-### Device Security
+### Device security
- **Block apps from unknown sources**
- *Supported on Android 4.0 to Android 7.x. Not supported by Android 8.0 and later*
+ *Supported on Android 4.0 to Android 7.x. Not supported by Android 8.0 and later.*
- - **Not configured** (*default*) - this setting isn't evaluated for compliance or noncompliance.
+ - **Not configured** (*default*) - This setting isn't evaluated for compliance or noncompliance.
- **Block** - Block devices with **Security > Unknown Sources** enabled sources (*supported on Android 4.0 through Android 7.x. Not supported on Android 8.0 and later.*).
- To side-load apps, unknown sources must be allowed. If you're not side-loading Android apps, then set this feature to **Block** to enable this compliance policy.
+ To sideload apps, unknown sources must be allowed. If you're not sideloading Android apps, set this feature to **Block** to enable this compliance policy.
> [!IMPORTANT]
- > Side-loading applications require that the **Block apps from unknown sources** setting is enabled. Enforce this compliance policy only if you're not side-loading Android apps on devices.
+ > Sideloading applications requires that the **Block apps from unknown sources** setting is enabled. Enforce this compliance policy only if you're not sideloading Android apps on devices.
- **Company portal app runtime integrity**
- **Not configured** (*default*) - This setting isn't evaluated for compliance or noncompliance.
@@ -150,7 +148,7 @@ As an Intune administrator, use these compliance settings to help protect your o
- **Minimum security patch level**
*(Supported on Android 8.0 or later)*
- Select the oldest security patch level a device can have. Devices that aren't at least at this patch level are noncompliant. The date must be entered in the `YYYY-MM-DD` format.
+ Select the oldest security patch level a device can have. Devices that aren't at least at this patch level are noncompliant. Enter the date in the `YYYY-MM-DD` format.
*By default, no date is configured*.
@@ -162,13 +160,13 @@ As an Intune administrator, use these compliance settings to help protect your o
- **Maximum minutes of inactivity before password is required (Samsung KNOX Android 12 and earlier)**
This setting specifies the length of time without user input after which the mobile device screen is locked. Options range from *1 Minute* to *8 Hours*. The recommended value is *15 Minutes*.
- - **Not configured** *(default)*
+ - **Not configured** (*default*)
- **Require a password to unlock mobile devices**
This setting specifies whether to require users to enter a password before access is granted to information on their mobile devices. Recommended value: *Require* (This compliance check is supported for devices with OS versions Android 4.0 and above, or KNOX 4.0 and above.)
- - **Not configured** *(default)* - This setting isn't evaluated for compliance or noncompliance.
+ - **Not configured** (*default*) - This setting isn't evaluated for compliance or noncompliance.
- **Require** - Users must enter a password before they can access their device. When set to **require**, also configure:
- **Password complexity**
diff --git a/intune/device-security/compliance/ref-android-aosp-settings.md b/intune/device-security/compliance/ref-android-aosp-settings.md
index adf42872ba6..d92ebf962c5 100644
--- a/intune/device-security/compliance/ref-android-aosp-settings.md
+++ b/intune/device-security/compliance/ref-android-aosp-settings.md
@@ -18,27 +18,27 @@ This article lists the compliance settings you can configure for Android (AOSP)
* Device properties
* System security
- Devices are also governed by tenant-wide [compliance policy settings](./overview.md#compliance-policy-settings). To manage the tenant-wide compliance policy settings in your tenant, sign in to Microsoft Intune admin center and go to **Endpoint security** > **Device compliance** > **Compliance policy settings**.
-
-To learn more about compliance policies, and what they do, see [get started with device compliance](./overview.md).
+Devices are also governed by tenant-wide [compliance policy settings](./overview.md#compliance-policy-settings).
This feature applies to:
* Android (AOSP)
+Settings in this article are organized by the sections that appear in the admin center when you create a compliance policy.
+
## Before you begin
To access these settings, [create an Android (AOSP) compliance policy](./create-policy.md#create-the-policy). When prompted to select a **Platform**, choose **Android (AOSP)**.
-## Device Health
+## Device health
* **Rooted devices**
Prevent rooted devices from having corporate access.
* **Not configured** (*default*) - This setting isn't evaluated for compliance or noncompliance.
- * **Block** - Mark rooted devices as not compliant.
+ * **Block** - Mark rooted devices as noncompliant.
-## Device Properties
+## Device properties
* **Minimum OS version**
When a device doesn't meet the minimum OS version requirement, it's reported as noncompliant. A link with information about how to upgrade is shown. The end user can choose to upgrade their device, and then get access to company resources.
@@ -97,7 +97,7 @@ If you don't configure password requirements, the use of a device password is op
Your options are:
* **Not configured** (*default*) - This setting isn't evaluated for compliance or noncompliance.
- * **Yes** - Encrypt data storage on your devices. Devices are encrypted when you set the **Require a password to unlock mobile devices** setting equal to **Yes**
+ * **Yes** - Encrypt data storage on your devices. Devices are encrypted when you set the **Require a password to unlock mobile devices** setting equal to **Yes**.
## Device compliance reporting
@@ -105,5 +105,6 @@ Compliance reports are currently not available for Android (AOSP) devices. This
## Next steps
-* [Add actions for noncompliant devices](./configure-noncompliance-actions.md)
-* [Set device restrictions for AOSP devices](../../device-configuration/templates/ref-device-restrictions-android-enterprise.md)
+- [Add actions for noncompliant devices](./configure-noncompliance-actions.md) and [use scope tags to filter policies](../../fundamentals/role-based-access-control/scope-tags.md).
+- [Monitor your compliance policies](./monitor-policy.md).
+- [Set device restrictions for AOSP devices](../../device-configuration/templates/ref-device-restrictions-android-enterprise.md).
diff --git a/intune/device-security/compliance/ref-android-enterprise-settings.md b/intune/device-security/compliance/ref-android-enterprise-settings.md
index 80cfdfb7c95..b60f95c3604 100644
--- a/intune/device-security/compliance/ref-android-enterprise-settings.md
+++ b/intune/device-security/compliance/ref-android-enterprise-settings.md
@@ -18,12 +18,12 @@ This feature applies to:
- Android Enterprise
-As an Intune administrator, use these compliance settings to help protect your organizational resources. To learn more about compliance policies, and what they do, see [get started with device compliance](./overview.md).
+Settings in this article are organized by the sections that appear in the admin center when you create a compliance policy.
> [!IMPORTANT]
> It's important to target compliance policies for dedicated devices at groups of devices, not users. Compliance policies will be evaluated against the device and will appropriately reflect the compliance state in Intune. To allow users on dedicated devices to sign in to resources protected by Conditional Access policies, consider using Android Enterprise dedicated devices with [*Microsoft Entra shared device mode*](../../device-enrollment/android/setup-dedicated.md). In scenarios with fully managed devices, or personal and corporate-owned work profiles, you can target compliance policies at groups of users or devices.
>
-> Users on dedicated devices enrolled without Microsoft Entra shared device mode can't sign into resources protected by Conditional Access policies, even if the device is compliant in Intune. To learn more about shared device mode, see [*Overview of shared device mode*](/azure/active-directory/develop/msal-shared-devices) in the Microsoft Entra documentation.
+> Users on dedicated devices enrolled without Microsoft Entra shared device mode can't sign into resources protected by Conditional Access policies, even if the device is compliant in Intune. To learn more about shared device mode, see [Overview of shared device mode](/entra/identity-platform/msal-shared-devices) in the Microsoft Entra documentation.
@@ -65,12 +65,12 @@ This section describes the compliance profile settings available for fully manag
- **Not configured** (*default*) - This setting isn't evaluated for compliance or noncompliance.
- **Secured** - This option is the most secure, and means that the device can't have any threats. If the device is detected with any level of threats, it's evaluated as noncompliant.
- - **Low**: - The device is evaluated as compliant if only low-level threats are present. Anything higher puts the device in a noncompliant status.
+ - **Low** - The device is evaluated as compliant if only low-level threats are present. Anything higher puts the device in a noncompliant status.
- **Medium** - The device is evaluated as compliant if the threats that are present on the device are low or medium level. If the device is detected to have high-level threats, it's determined to be noncompliant.
- **High** - This option is the least secure, as it allows all threat levels. It may be useful if you're using this solution only for reporting purposes.
> [!NOTE]
-> All the Mobile Threat Defense (MTD) providers are supported on Android Enterprise Fully Managed, Dedicated, and Corporate-Owned Work Profile deployments using app configuration. Check with your MTD provider for the exact configuration needed to support Android Enterprise Fully Managed, Dedicated, and Corporate-Owned Work Profile platforms on Intune.
+> All the mobile threat defense (MTD) providers are supported on Android Enterprise Fully Managed, Dedicated, and Corporate-Owned Work Profile deployments using app configuration. Check with your MTD provider for the exact configuration needed to support Android Enterprise Fully Managed, Dedicated, and Corporate-Owned Work Profile platforms on Intune.
#### Google Play Protect
@@ -87,8 +87,8 @@ This section describes the compliance profile settings available for fully manag
- **Check strong integrity using hardware-backed security features**
Optionally, you can require devices to pass a *strong integrity check*. This setting is only available if you require basic integrity checks or device integrity checks. Your options:
- - **Not configured** (*default*) – This setting isn't evaluated for compliance or noncompliance. Intune assesses the verdict from the basic integrity check by default.
- - **Check strong integrity** – Require devices to pass Play's strong integrity check. Not all devices support this type of check. Intune marks such devices as noncompliant.
+ - **Not configured** (*default*) - This setting isn't evaluated for compliance or noncompliance. Intune assesses the verdict from the basic integrity check by default.
+ - **Check strong integrity** - Require devices to pass Play's strong integrity check. Not all devices support this type of check. Intune marks such devices as noncompliant.
For more information about Google Play's integrity services, see these Android developer docs:
@@ -254,13 +254,13 @@ This section describes the compliance profile settings available for personal de
#### Operating system version - *for personally owned work profile*
Configure the requirements for operating system version.
-- **Minimum OS version**
-When a device doesn't meet the minimum OS version requirement, it's reported as noncompliant. Device users see a link with information about how to upgrade their OS. They can upgrade their device, and then access organization resources.
+- **Minimum OS version**
+ When a device doesn't meet the minimum OS version requirement, it's reported as noncompliant. Device users see a link with information about how to upgrade their OS. They can upgrade their device, and then access organization resources.
*By default, no version is configured*.
-- **Maximum OS version**
-When a device is using an OS version later than the version in the rule, access to organization resources is blocked. The user is asked to contact their IT administrator. Until a rule is changed to allow the OS version, this device can't access organization resources.
+- **Maximum OS version**
+ When a device is using an OS version later than the version in the rule, access to organization resources is blocked. The user is asked to contact their IT administrator. Until a rule is changed to allow the OS version, this device can't access organization resources.
*By default, no version is configured*.
diff --git a/intune/device-security/compliance/ref-ios-ipados-settings.md b/intune/device-security/compliance/ref-ios-ipados-settings.md
index 25ecb1427d1..1adb365ed3a 100644
--- a/intune/device-security/compliance/ref-ios-ipados-settings.md
+++ b/intune/device-security/compliance/ref-ios-ipados-settings.md
@@ -10,7 +10,7 @@ ms.collection:
- sub-device-compliance
---
-# Device Compliance settings for iOS/iPadOS in Intune
+# Device compliance settings for iOS/iPadOS in Intune
This article lists and describes the different compliance settings you can configure on iOS/iPadOS devices in Intune. As part of your mobile device management (MDM) solution, use these settings to require an email, mark rooted (jailbroken) devices as not compliant, set an allowed threat level, set passwords to expire, and more.
@@ -18,7 +18,7 @@ This feature applies to:
- iOS/iPadOS
-As an Intune administrator, use these compliance settings to help protect your organizational resources.
+Settings in this article are organized by the sections that appear in the admin center when you create a compliance policy.
## Before you begin
@@ -50,46 +50,46 @@ For details about the settings for each level:
For details about email profiles, see [configure access to organization email using email profiles with Intune](../../device-configuration/templates/configure-email.md).
-## Device Health
+## Device health
- **Jailbroken devices**
- *Supported for iOS 8.0 and later*
+ *Supported for iOS 17.0 and later*
- **Not configured** (*default*) - This setting isn't evaluated for compliance or noncompliance.
- **Block** - Mark rooted (jailbroken) devices as not compliant.
- **Require the device to be at or under the Device Threat Level**
- *Supported for iOS 8.0 and later*
+ *Supported for iOS 17.0 and later*
Select the maximum allowed device threat level evaluated by your mobile threat defense service.
Use this setting to take the risk assessment as a condition for compliance. Choose the allowed threat level:
- **Not configured** (*default*) - This setting isn't evaluated for compliance or noncompliance.
- - **Secured** - This option is the most secure, and means that the device can't have any threats. a device with any level of threats is evaluated as noncompliant.
+ - **Secured** - This option is the most secure, and means that the device can't have any threats. A device with any level of threats is evaluated as noncompliant.
- **Low** - The device is evaluated as compliant if only low-level threats are present. Anything higher puts the device in a noncompliant status.
- **Medium** - The device is evaluated as compliant if the threats that are present on the device are low or medium level. A device that has a high-level threat is considered to be noncompliant.
- **High** - This option is the least secure, as it allows all threat levels. It can be useful when using this solution only for reporting purposes.
-## Device Properties
+## Device properties
-### Operating System Version
+### Operating system version
- **Minimum OS version**
- *Supported for iOS 8.0 and later*
+ *Supported for iOS 17.0 and later*
A device that doesn't meet the minimum OS version requirement is considered to be noncompliant. The user can view a link with information on how to upgrade and can choose to upgrade their device. After that, they can access organization resources.
- **Maximum OS version**
- *Supported for iOS 8.0 and later*
+ *Supported for iOS 17.0 and later*
When a device uses an OS version later than the version in the rule, access to organization resources is blocked. The end user is asked to contact their IT administrator. The device can't access organization resources until a rule changes to allow the OS version.
- **Minimum OS build version**
- *Supported for iOS 8.0 and later*
+ *Supported for iOS 17.0 and later*
When Apple publishes security updates, the build number is typically updated, not the OS version. Use this feature to specify a minimum allowed build number on the device. For Apple Rapid Security Response updates, enter the supplemental build version, such as `20E772520a`.
- **Maximum OS build version**
- *Supported for iOS 8.0 and later*
+ *Supported for iOS 17.0 and later*
When Apple publishes security updates, the build number is typically updated, not the OS version. Use this feature to enter a maximum allowed build number on the device. For Apple Rapid Security Response updates, enter the supplemental build version, such as `20E772520a`.
@@ -104,7 +104,7 @@ For details about email profiles, see [configure access to organization email us
- **Medium**
- **High**
-## System Security
+## System security
### Password
@@ -117,18 +117,18 @@ For details about email profiles, see [configure access to organization email us
- **Require** - Users must enter a password before they can access their device. iOS/iPadOS devices that use a password are encrypted.
- **Simple passwords**
- *Supported for iOS 8.0 and later*
+ *Supported for iOS 17.0 and later*
- **Not configured** (*default*) - Users can create simple passwords like **1234** or **1111**.
- **Block** - Users can't create simple passwords, such as **1234** or **1111**.
- **Minimum password length**
- *Supported for iOS 8.0 and later*
+ *Supported for iOS 17.0 and later*
Enter the minimum number of digits or characters that the password must have.
- **Required password type**
- *Supported for iOS 8.0 and later*
+ *Supported for iOS 17.0 and later*
Choose the password type required on the device. When set to **Not configured**, which is the default choice, Intune doesn't change or update this setting. Your options:
@@ -142,7 +142,7 @@ For details about email profiles, see [configure access to organization email us
Setting a higher number requires the user to create a password that is more complex.
- **Maximum minutes after screen lock before password is required**
- *Supported for iOS 8.0 and later*
+ *Supported for iOS 17.0 and later*
Select how much time is allowed to pass after the screen locks before users have to enter a password to access their device. Options include the default of **Not configured**, **Immediately**, and from **1 minute** to **4 hours**.
@@ -150,16 +150,16 @@ For details about email profiles, see [configure access to organization email us
Select the amount of idle time allowed before the device locks its screen. Options include the default of **Not configured**, **Immediately**, and from **1 minute** to **15 minutes**.
- **Password expiration (days)**
- *Supported for iOS 8.0 and later*
+ *Supported for iOS 17.0 and later*
Enter how long, in days, a password is valid before the user must create a new one.
- **Number of previous passwords to prevent reuse**
- *Supported for iOS 8.0 and later*
+ *Supported for iOS 17.0 and later*
Enter the number of previously used passwords that can't be used. For example, if you enter 5, users can't reuse their 5 most recent passwords.
-### Device Security
+### Device security
- **Restricted apps**
You can restrict apps by adding their bundle IDs to the policy. If a device has the app installed, the device is marked as noncompliant.
@@ -179,6 +179,6 @@ For details about email profiles, see [configure access to organization email us
## Next steps
-- [Add actions for noncompliant devices](./configure-noncompliance-actions.md).and [use scope tags to filter policies](../../fundamentals/role-based-access-control/scope-tags.md).
+- [Add actions for noncompliant devices](./configure-noncompliance-actions.md) and [use scope tags to filter policies](../../fundamentals/role-based-access-control/scope-tags.md).
- [Monitor your compliance policies](./monitor-policy.md).
- See the [compliance policy settings for macOS](./ref-macos-settings.md) devices.
diff --git a/intune/device-security/compliance/ref-linux-settings.md b/intune/device-security/compliance/ref-linux-settings.md
index 8a3513c9ff9..f2e27632de4 100644
--- a/intune/device-security/compliance/ref-linux-settings.md
+++ b/intune/device-security/compliance/ref-linux-settings.md
@@ -18,33 +18,31 @@ This article lists and describes the different compliance settings you can confi
For Linux, compliance settings are available from the [settings catalog](../../device-configuration/settings-catalog/index.md) instead of from a predetermined template as seen for other platforms. Therefore, when configuring a compliance policy for Linux you choose the settings you want to include in your policy by browsing the catalog and selecting them.
-In addition to the platform-specific compliance policy, devices are also governed by tenant-wide compliance policy settings. To manage the tenant-wide compliance policy settings in your tenant, sign in to Microsoft Intune admin center and go to **Endpoint security** > **Device compliance** > **Compliance policy settings**.
-
-To learn more about compliance policies, and what they do, see [get started with device compliance](./overview.md).
+Devices are also governed by tenant-wide [compliance policy settings](./overview.md#compliance-policy-settings).
This feature applies to:
* Ubuntu Desktop 24.04 LTS or 26.04 LTS (physical or Hyper-V machine with x86/64 CPUs)
-* RedHat Enterprise Linux 8
* RedHat Enterprise Linux 9
+* RedHat Enterprise Linux 10
## Linux settings categories
Compliance policies for Linux can include settings from the following categories. Where applicable, guidance on configuring the setting is provided.
-### Allowed Distributions
+### Allowed distributions
Add entries that define a maximum and minimum OS version for a Linux distribution type.
Users of devices that fail to meet the defined criteria need to install a different version or distribution of Linux to bring the device into compliance.
-### Custom Compliance
+### Custom compliance
Add the settings in this category when you use custom compliance settings for Linux.
For information about the available settings for custom compliance and how to use them, see [Use custom compliance policies and settings for Linux and Windows devices with Microsoft Intune](./custom-settings.md).
-### Device Encryption
+### Device encryption
Add settings to manage disk encryption.
@@ -64,7 +62,7 @@ Add settings to manage disk encryption.
- Pseudo-filesystems like */proc* or *tmpfs*
- The */boot* or */boot/efi* partitions
-### Password Policy
+### Password policy
Enforce common password requirements for Linux devices:
@@ -83,7 +81,7 @@ If you must modify a device's configuration, use one of the following methods to
- If the Microsoft Intune app is still running, on the apps *device details* page or the *compliance issues* page, select the **Refresh** link. The device starts a new check-in.
- If the Microsoft Intune app isn't running, start the app and sign in. Signing in starts a new check-in.
-- By default, the Microsoft Intune app periodically uses a background task to checks in while the computer is on and logged in.
+- By default, the Microsoft Intune app periodically uses a background task to check in while the computer is on and logged in.
## Next steps
diff --git a/intune/device-security/compliance/ref-macos-settings.md b/intune/device-security/compliance/ref-macos-settings.md
index ed5903f2d97..a08e853021e 100644
--- a/intune/device-security/compliance/ref-macos-settings.md
+++ b/intune/device-security/compliance/ref-macos-settings.md
@@ -10,7 +10,7 @@ ms.collection:
- sub-device-compliance
---
-# Device Compliance settings for macOS settings in Intune
+# Device compliance settings for macOS in Intune
This article lists and describes the different compliance settings you can configure on macOS devices in Intune. As part of your mobile device management (MDM) solution, use these settings to set a minimum or maximum OS version, set passwords to expire, and more.
@@ -18,7 +18,7 @@ This feature applies to:
- macOS
-As an Intune administrator, use these compliance settings to help protect your organizational resources. To learn more about compliance policies, and what they do, see [get started with device compliance](./overview.md).
+Settings in this article are organized by the sections that appear in the admin center when you create a compliance policy.
## Before you begin
@@ -29,13 +29,13 @@ As an Intune administrator, use these compliance settings to help protect your o
>
> Device compliance evaluation is not supported for userless macOS devices.
-## Device Health
+## Device health
- **Require a system integrity protection**
- **Not configured** (*default*) - This setting isn't evaluated for compliance or noncompliance.
- **Require** - Require macOS devices to have [System Integrity Protection](https://support.apple.com/HT204899) (opens Apple's web site) enabled.
-## Device Properties
+## Device properties
- **Minimum OS version**
A device that doesn't meet the minimum OS version requirement is considered to be noncompliant. The device user can view a link with information on how to upgrade and can choose to upgrade their device. After that, they can access organization resources.
@@ -49,7 +49,7 @@ As an Intune administrator, use these compliance settings to help protect your o
- **Maximum OS build version**
When Apple publishes security updates, the build number is typically updated, not the OS version. Use this feature to enter a maximum allowed build number on the device. For Apple Rapid Security Response updates, enter the supplemental build version, such as `22E772610a`.
-## System security settings
+## System security
### Password
@@ -58,7 +58,7 @@ As an Intune administrator, use these compliance settings to help protect your o
- **Require** Users must enter a password before they can access their device.
- **Simple passwords**
- - **Not configured** (*default*) - Users can create passwords simple like **1234** or **1111**.
+ - **Not configured** (*default*) - Users can create simple passwords like **1234** or **1111**.
- **Block** - Users can't create simple passwords, such as **1234** or **1111**.
- **Minimum password length**
@@ -91,13 +91,13 @@ As an Intune administrator, use these compliance settings to help protect your o
- **Not configured** (*default*)
- **Require** - Use *Require* to encrypt data storage on your devices.
-### Device Security
+### Device security
Firewall protects devices from unauthorized network access. You can use Firewall to control connections on a per-application basis.
- **Firewall**
- **Not configured** (*default*) - This setting leaves the firewall turned off, and network traffic is allowed (not blocked).
- - **Enable** - Use *Enable* to help protect devices from unauthorized access. Enabling this feature allows you to handle incoming internet connections, and use stealth mode.
+ - **Enable** - Use *Enable* to help protect devices from unauthorized access. Enabling this feature allows you to handle incoming internet connections, and use stealth mode.
- **Incoming connections**
- **Not configured** (*default*) - Allows incoming connections and sharing services.
@@ -105,7 +105,7 @@ Firewall protects devices from unauthorized network access. You can use Firewall
- **Stealth Mode**
- **Not configured** (*default*) - This setting leaves stealth mode turned off.
- - **Enable** - Turn on stealth mode to prevent devices from responding to probing requests, which can be made my malicious users. When enabled, the device continues to answer incoming requests for authorized apps.
+ - **Enable** - Turn on stealth mode to prevent devices from responding to probing requests, which can be made by malicious users. When enabled, the device continues to answer incoming requests for authorized apps.
### Gatekeeper
diff --git a/intune/device-security/compliance/ref-windows-settings.md b/intune/device-security/compliance/ref-windows-settings.md
index 4eef373a0b5..e54208f28ec 100644
--- a/intune/device-security/compliance/ref-windows-settings.md
+++ b/intune/device-security/compliance/ref-windows-settings.md
@@ -10,7 +10,7 @@ ms.collection:
- sub-device-compliance
---
-# Device Compliance settings for Windows in Intune
+# Device compliance settings for Windows in Intune
This article lists and describes the different compliance settings you can configure on Windows devices in Intune. As part of your mobile device management (MDM) solution, use these settings to require BitLocker, set a minimum and maximum operating system, set a risk level using Microsoft Defender for Endpoint, and more.
@@ -20,14 +20,14 @@ This feature applies to:
- Windows Holographic for Business
- Surface Hub
-As an Intune administrator, use these compliance settings to help protect your organizational resources. To learn more about compliance policies, and what they do, see [get started with device compliance](./overview.md).
+Settings in this article are organized by the sections that appear in the admin center when you create a compliance policy.
## Before you begin
[Create a compliance policy](./create-policy.md#create-the-policy). For **Platform**, select **Windows 10 and later**.
## Device health
-To ensure devices boot to a trusted state, Intune utilizes Microsoft device attestation services. Devices across Intune commercial, US Government GCC High, and DoD services running Windows 10 use the Device Health Attestation (DHA) service.
+To ensure devices boot to a trusted state, Intune uses Microsoft device attestation services. Devices across Intune commercial, US Government GCC High, and DoD services running Windows 10 use the Device Health Attestation (DHA) service.
For more information, see:
@@ -63,9 +63,9 @@ For more information, see:
- For details about how the Health Attestation service works, see [Health Attestation CSP](/windows/client-management/mdm/healthattestation-csp).
- [Support Tip: Using Device Health Attestation Settings as Part of Your Intune Compliance Policy](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Using-Device-Health-Attestation-Settings-as-Part-of/ba-p/282643).
-## Device Properties
+## Device properties
-### Operating System Version
+### Operating system version
To discover build versions for all Windows Feature Updates and Cumulative Updates (to be used in some of the fields below), see [Windows release information](/windows/release-information). Be sure to include the appropriate version prefix before the build numbers, like 11.0 for Windows 11.
@@ -86,7 +86,7 @@ To discover build versions for all Windows Feature Updates and Cumulative Update
- **Minimum OS required for mobile devices**:
Enter the minimum allowed version, in the major.minor.build number format.
- When a device has an earlier version that the OS version you enter, it's reported as noncompliant. A link with information on how to upgrade is shown. The end user can choose to upgrade their device. After they upgrade, they can access company resources.
+ When a device has an earlier version than the OS version you enter, it's reported as noncompliant. A link with information on how to upgrade is shown. The end user can choose to upgrade their device. After they upgrade, they can access company resources.
- **Maximum OS required for mobile devices**:
Enter the maximum allowed version, in the major.minor.build number.
@@ -94,18 +94,17 @@ To discover build versions for all Windows Feature Updates and Cumulative Update
When a device is using an OS version later than the version entered, access to organization resources is blocked. The end user is asked to contact their IT administrator. The device can't access organization resources until the rule is changed to allow the OS version.
- **Valid operating system builds**:
- Specify a list of minimum and maximum operating system builds. Valid operating system builds provides additional flexibility when compared against minimum and maximum OS versions. Consider a scenario where minimum OS version is set to 10.0.18362.xxx (Windows 10 1903) and maximum OS version is set to 10.0.18363.xxx (Windows 10 1909). This configuration can allow a Windows 10 1903 device that doesn't have recent cumulative updates installed to be identified as compliant. Minimum and maximum OS versions might be suitable if you have standardized on a single Windows 10 release, but might not address your requirements if you need to use multiple builds, each with specific patch levels. In such a case, consider leveraging valid operating system builds instead, which allows multiple builds to be specified as per the following example.
+ Specify a list of minimum and maximum OS build ranges. This setting offers more flexibility than **Minimum OS version** and **Maximum OS version**. Use it when you need to enforce specific patch levels across multiple Windows releases.
- The largest supported value for each of the version, major, minor, and build fields is 65535. For example, the largest value you can enter is 65535.65535.65535.65535.
+ Each entry requires a description and a minimum and maximum OS version in **major.minor.build.revision** format. The largest supported value for each field is 65535 (for example, 65535.65535.65535.65535). After you define one or more entries, you can **Export** the list as a CSV file.
- **Example**:
- The following table is an example of a range for the acceptable operating systems versions for different Windows 10 releases. In this example, three different Feature Updates have been allowed (1809, 1909 and 2004). Specifically, only those versions of Windows and which have applied cumulative updates from June to September 2020 will be considered to be compliant. This is sample data only. The table includes a first column that includes any text you want to describe the entry, followed by the minimum and maximum OS version for that entry. The second and third columns must adhere to valid OS build versions in the **major.minor.build.revision number** format. After you define one or more entries, you can **Export** the list as a comma-separated values (CSV) file.
+ **Example**:
- | Description | Minimum OS version | Maximum OS version |
- |-----------------------------|--------------------|--------------------|
- | Win 10 2004 (Jun-Sept 2020) | 10.0.19041.329 | 10.0.19041.508 |
- | Win 10 1909 (Jun-Sept 2020) | 10.0.18363.900 | 10.0.18363.1110 |
- | Win 10 1809 (Jun-Sept 2020) | 10.0.17763.1282 | 10.0.17763.1490 |
+ | Description | Minimum OS version | Maximum OS version |
+ |--------------------------------|--------------------|--------------------|
+ | Windows 11 24H2 (Oct–Dec 2024) | 10.0.26100.1742 | 10.0.26100.2605 |
+ | Windows 11 23H2 (Jul–Oct 2024) | 10.0.22631.3880 | 10.0.22631.4317 |
+ | Windows 10 22H2 (Jul–Oct 2024) | 10.0.19045.4651 | 10.0.19045.5011 |
> [!NOTE]
> If you specify multiple ranges of OS version builds in your policy, and a device has a build outside of the compliant ranges, Company Portal will notify the device user that the device is noncompliant with this setting. However, be aware that due to technical limitations, the compliance remediation message only shows the first OS version range specified in the policy. We recommend that you document the acceptable OS version ranges for managed devices in your organization.
@@ -118,7 +117,7 @@ Applies only to co-managed devices running Windows. Intune-only devices return a
- **Not configured** (*default*) - Intune doesn't check for any of the Configuration Manager settings for compliance.
- **Require** - Require all settings (configuration items) in Configuration Manager to be compliant.
-## System Security
+## System security
### Password
@@ -180,7 +179,7 @@ Applies only to co-managed devices running Windows. Intune-only devices return a
> [!NOTE]
> The **Encryption of data storage on a device** setting generically checks for the presence of encryption on the device, more specifically at the OS drive level. Currently, Intune supports only the encryption check with BitLocker. For a more robust encryption setting, consider using **Require BitLocker**, which leverages Windows Device Health Attestation to validate BitLocker status at the TPM level. However, when leveraging this setting, be aware that a reboot may be required before the device will reflect as compliant.
-### Device Security
+### Device security
- **Firewall**:
- **Not configured** (*default*) - Intune doesn't control the Windows Firewall, nor change existing settings.
@@ -250,9 +249,9 @@ For additional information on Microsoft Defender for Endpoint integration in Con
- **Require the device to be at or under the machine risk score**:
Use this setting to take the risk assessment from your defense threat services as a condition for compliance. Choose the maximum allowed threat level:
- **Not configured** (*default*)
- - **Clear** -This option is the most secure, as the device can't have any threats. If the device is detected as having any level of threats, it's evaluated as non-compliant.
- - **Low** - The device is evaluated as compliant if only low-level threats are present. Anything higher puts the device in a non-compliant status.
- - **Medium** - The device is evaluated as compliant if existing threats on the device are low or medium level. If the device is detected to have high-level threats, it's determined to be non-compliant.
+ - **Clear** - This option is the most secure, as the device can't have any threats. If the device is detected as having any level of threats, it's evaluated as noncompliant.
+ - **Low** - The device is evaluated as compliant if only low-level threats are present. Anything higher puts the device in a noncompliant status.
+ - **Medium** - The device is evaluated as compliant if existing threats on the device are low or medium level. If the device is detected to have high-level threats, it's determined to be noncompliant.
- **High** - This option is the least secure, and allows all threat levels. It may be useful if you're using this solution only for reporting purposes.
To set up Microsoft Defender for Endpoint as your defense threat service, see [Enable Microsoft Defender for Endpoint with Conditional Access](../microsoft-defender/overview.md).
diff --git a/intune/device-security/compliance/third-party-partners.md b/intune/device-security/compliance/third-party-partners.md
index 3d07cb2f6a9..9664097a096 100644
--- a/intune/device-security/compliance/third-party-partners.md
+++ b/intune/device-security/compliance/third-party-partners.md
@@ -12,23 +12,17 @@ ms.collection:
# Support third-party device compliance partners in Intune
-Several third-party device compliance partners were evaluated and are supported solutions that you can integrate with Microsoft Intune.. When you use a [third-party device compliance partner](#supported-device-compliance-partners), the partner adds the compliance state data it collects to Microsoft Entra ID. You can use device compliance data from the partner alongside the compliance results you collect with Intune. Together, these signals power [Conditional Access policies](./overview.md#integrate-with-conditional-access) that help to protect your organization and data.
+Microsoft Intune supports integration with several third-party device compliance partners. When you use a [third-party device compliance partner](#supported-device-compliance-partners), the partner adds the compliance state data it collects to Microsoft Entra ID. You can use device compliance data from the partner alongside the compliance results you collect with Intune. Together, these signals power [Conditional Access policies](./overview.md#integrate-with-conditional-access) that help to protect your organization and data.
-Third-party partners support one or more of the following platforms:
-
-- Android
-- iOS/iPadOS
-- macOS
-
-By default, Intune is set up to be the Mobile Device Management (MDM) authority for your devices. When you add a compliance partner to Microsoft Entra ID and Intune, that partner becomes the MDM authority for devices assigned to it through a Microsoft Entra user group.
+By default, Intune is the mobile device management (MDM) authority for your devices. When you add a compliance partner to Microsoft Entra ID and Intune, that partner becomes the MDM authority for devices assigned to it through a Microsoft Entra user group.
To enable user data from device compliance partners, complete the following tasks:
1. **Configure Intune to work with the device compliance partner**, and then configure groups of users whose devices are managed by that compliance partner.
-2. **Configure your compliance partner to send data to Intune**.
+1. **Configure your compliance partner to send data to Intune**.
-3. **Enroll your devices to your device compliance partner**.
+1. **Enroll your devices to your device compliance partner**.
With these tasks complete, the device compliance partner sends device state details to Intune. Intune adds this information to Microsoft Entra ID. For example, devices in a noncompliant state have a *not compliant* status added to their device record in Microsoft Entra ID.
@@ -56,17 +50,43 @@ The following compliance partners are supported as generally available:
- SOTI MobiControl
> [!NOTE]
-> If you offer an MDM product and would like to onboard as a device compliance partner, fill out this Form: [Intune partner compliance onboarding.](https://aka.ms/IntunePartnerComplianceOnboarding)
+> If you offer an MDM product and want to onboard as a device compliance partner, fill out the form: [Intune partner compliance onboarding](https://aka.ms/IntunePartnerComplianceOnboarding).
-## Prerequisites
+## Requirements
-- A subscription to Microsoft Intune, and access to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+:::row:::
+:::column span="1":::
+[!INCLUDE [licensing](../../includes/requirements/licensing.md)]
-- Device users must be assigned a license for Intune.
+:::column-end:::
+:::column span="3":::
-- A subscription to the device compliance partner.
+> - Microsoft Intune subscription with access to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+> - Intune licenses assigned to device users.
+
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [platform](../../includes/requirements/platform.md)]
+
+:::column-end:::
+:::column span="3":::
-- Review documentation for your compliance partner for supported device platforms and that partners prerequisites.
+> - Android
+> - iOS/iPadOS
+> - macOS
+>
+> Not all partners support all platforms. Check your partner's documentation for supported platforms.
+
+:::column-end:::
+:::row-end:::
+
+You also need:
+
+- A subscription to the device compliance partner.
+- Check your compliance partner's documentation for prerequisites.
## Configure Intune to work with a device compliance partner
@@ -76,44 +96,44 @@ Enable support for a device compliance partner to use compliance state data from
1. Sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Go to **Tenant Administration** > **Connectors and Tokens** > **Partner Compliance management** > **Add Compliance Partner**.
+1. Go to **Tenant Administration** > **Connectors and Tokens** > **Partner Compliance management** > **Add Compliance Partner**.
:::image type="content" alt-text="Add a device compliance partner" source="./media/third-party-partners/add-compliance-partner.png" lightbox="./media/third-party-partners/add-compliance-partner.png":::
-3. On the **Basics** page, expand the **Compliance partner** drop-down and select the partner you're adding.
+1. On **Basics**, expand the **Compliance partner** dropdown and select the partner you want to add.
- - To use VMware Workspace ONE as the compliance partner for iOS or Android platforms, select **VMware Workspace ONE mobile compliance**.
+ - To use Omnissa Workspace ONE UEM as the compliance partner for iOS or Android platforms, select **Omnissa Workspace ONE UEM**.
- Next, select the drop-down for **Platform**, and select the platform.
+ Next, select the dropdown for **Platform**, and select the platform.
- You're limited to a single partner per platform, even if you added multiple compliance partners to Microsoft Entra ID.
+ You can use only one partner per platform, even if you add multiple compliance partners to Microsoft Entra ID.
-4. On **Assignments**, select the user groups that include devices that are managed by this partner. With this assignment, you change the MDM authority for applicable devices to use this partner. Users who have devices managed by the partner must also be assigned a license for Intune.
+1. On **Assignments**, select the user groups that contain devices managed by this partner. With this assignment, you change the MDM authority for applicable devices to use this partner. Users who have devices managed by the partner must also be assigned a license for Intune.
-5. On the **Review + create** page, review your selections, and then select **Create** to complete this configuration.
+1. On **Review + create**, review your selections, and then select **Create** to complete this configuration.
-Your configuration now appears on the Partner compliance management page.
+Your configuration now appears on the **Partner compliance management** page.
### Modify the configuration for a compliance partner
1. Sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Go to **Tenant Administration** > **Connectors and Tokens** > **Partner Compliance management**, and then select the partner configuration you want to modify. Configurations appear by platform type.
+1. Go to **Tenant Administration** > **Connectors and Tokens** > **Partner Compliance management**, and then select the partner configuration you want to modify. Configurations appear by platform type.
-3. On the partner configuration **Overview** page, select **Properties** to open the Properties page where you can edit the assignments.
+1. On the partner configuration **Overview** page, select **Properties** to edit the assignments.
-4. On the **Properties** page, select **Edit** to open the Assignments view where you can change the groups that use this configuration.
+1. On the **Properties** page, select **Edit** to change the assigned groups.
-5. Select **Review + save** and then **Save** to save your edits.
+1. Select **Review + save** and then **Save** to save your edits.
-6. *This step only applies when you use VMware Workspace ONE*:
+1. *This step only applies when you use Omnissa Workspace ONE*:
- From within the Workspace ONE UEM console, you must manually synchronize the changes you saved in the Microsoft Intune admin center. Until you manually sync changes, Workspace ONE UEM isn’t aware of configuration changes, and users in newly assigned groups do not successfully report compliance.
+ From within the Workspace ONE UEM console, you must manually synchronize the changes you saved in the Microsoft Intune admin center. Until you manually sync changes, Workspace ONE UEM isn't aware of configuration changes, and users in newly assigned groups don't successfully report compliance.
To manually sync from Azure Services:
- 1. Sign in to your VMware Workspace ONE UEM console.
- 2. Go to **Settings** > **System** > **Enterprise Integration** > **Directory Services**.
- 3. For *Sync Azure Services*, select **SYNC**.
+ 1. Sign in to your Omnissa Workspace ONE UEM console.
+ 1. Go to **Settings** > **System** > **Enterprise Integration** > **Directory Services**.
+ 1. For *Sync Azure Services*, select **SYNC**.
Azure services synchronize all changes made after the initial configuration or the last manual synchronization to UEM.
@@ -133,38 +153,37 @@ To enable a device compliance partner to work with Intune, you must complete con
## Enroll your devices to your device compliance partner
-Refer to the documentation from your device compliance partner for how to enroll devices with that partner. After devices enroll and submit compliance data to the partner, that compliance data is forwarded to Intune and added to Microsoft Entra ID.
+See your device compliance partner's documentation to enroll devices. After devices enroll and submit compliance data to the partner, that compliance data is forwarded to Intune and added to Microsoft Entra ID.
## Monitor devices managed by third-party device compliance partners
-After you configure third-party device compliance partners and enroll devices with them, the partner will forward compliance details to Intune. After Intune receives that data, you can view details about the devices in the Azure portal.
+After you configure a third-party compliance partner and enroll devices, the partner forwards compliance data to Intune. You can then view device details in the Microsoft Entra admin center.
-Sign in to the Azure portal and go to **Microsoft Entra ID** > **Devices** > [**All devices**](https://portal.azure.com/#blade/Microsoft_AAD_Devices/DevicesMenuBlade/Devices/menuId/).
+Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) and go to **Devices** > [**All devices**](https://entra.microsoft.com/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices).
-## Best practices for migrating devices from 3rd party MDM to Intune MDM
+## Best practices for migrating devices from third-party MDM to Intune MDM
-When you migrate devices from third-party MDM providers to a full Intune stack, we recommend you follow these cleanup steps:
+When you migrate devices from third-party MDM providers to a full Intune stack, follow these cleanup steps:
-1. Initiate a retirement action from the third-party MDM service before the device is enrolled with Intune MDM. This retirement action notifies Intune to perform the necessary cleanup tasks in our third-party integration services.
-> [!NOTE]
-> Removing the third-party MDM profile locally on a device doesn't sufficiently trigger the Intune cleanup tasks.
+1. Initiate a retirement action from the third-party MDM service before enrolling the device with Intune MDM. This retirement action notifies Intune to perform the necessary cleanup tasks in its third-party integration services.
+ > [!NOTE]
+ > Removing the third-party MDM profile locally on a device doesn't sufficiently trigger the Intune cleanup tasks.
-2. Confirm that devices retired from the third-party MDM appear in Microsoft Entra ID with **None** listed in the **MDM** column. At this point, your devices can be newly enrolled with Intune MDM.
+1. Confirm that devices retired from the third-party MDM appear in Microsoft Entra ID with **None** listed in the **MDM** column. At this point, your devices can now be enrolled with Intune MDM.
-3. After all devices migrate to Intune via steps 1 and 2, disable the Intune connection in your third-party MDM provider's admin console. If that isn't an option, you can also disable the connection console in the Microsoft Intune admin center.
+1. After all devices migrate to Intune through steps 1 and 2, disable the Intune connection in your third-party MDM provider's admin console. If that isn't an option, you can also disable the connection console in the Microsoft Intune admin center.
1. Go to **Tenant administration** > **Connectors and tokens** > **Device compliance partner**.
1. Select the device compliance partner you want to disable.
1. Toggle the connection to **Off**.
> [!NOTE]
-> If devices don’t complete the cleanup tasks and still appear enrolled in Intune, Intune applies its own compliance policies and ignores third‑party policies.
+> If devices don't complete the cleanup tasks and still appear enrolled in Intune, Intune applies its own compliance policies and ignores third‑party policies.
## Next steps
-Use the documentation from your third-party partner to create compliance policies for devices.
+Use your partner's documentation to create compliance policies for devices.
- [Addigy](https://support.addigy.com/hc/en-us/articles/12346305032211)
- [Blackberry UEM](https://docs.blackberry.com/en/id-comm-collab/blackberry-workspaces/blackberry-workspaces-plug-in-for-blackberry-uem/4_10/compatibility-matrix/imm1460398825659/ioz1460399956336)
- [Citrix Endpoint Management - Integrate with Microsoft Entra Conditional Access](https://docs.citrix.com/en-us/citrix-endpoint-management/prepare-to-enroll-devices-and-deliver-resources.html#integrate-with-azure-ad-conditional-access)
- [Ivanti Neurons for MDM](https://forums.ivanti.com/s/article/MobileIron-Cloud-Azure-Device-Compliance-for-iOS-and-Android)
-- [VMware Workspace ONE UEM](https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2102/Directory_Service_Integration/GUID-800FB831-AA66-4094-8F5A-FA5899A3C70C.html)
diff --git a/intune/device-security/conditional-access-integration/app-based-policies.md b/intune/device-security/conditional-access-integration/app-based-policies.md
index a4097bd980f..ff84c5a7380 100644
--- a/intune/device-security/conditional-access-integration/app-based-policies.md
+++ b/intune/device-security/conditional-access-integration/app-based-policies.md
@@ -12,68 +12,94 @@ ms.collection:
# Use app-based Conditional Access policies with Intune
-Microsoft Intune app protection policies work with Microsoft Entra Conditional Access to help protect your organizational data on devices your employees use. These policies work on devices that enroll with Intune and on employee owned devices that don't enroll. Combined, they're referred to app-based Conditional Access.
+Microsoft Intune app protection policies work with Microsoft Entra Conditional Access to help protect your organizational data on devices your employees use. These policies work on devices that enroll with Intune and on employee owned devices that don't enroll. Combined, they're referred to as app-based Conditional Access.
-[App protection policies](../../app-management/protection/overview.md) are rules that ensure an organization's data remains safe or contained in a managed app:
+App-based Conditional Access with client app management adds a security layer that makes sure only client apps that support Intune app protection policies can access Exchange Online and other Microsoft 365 services.
-- An app protection policy can be a rule that's enforced when a user attempts to access or move your organizations data, or a set of actions that are prohibited or monitored when a user is working inside a managed app.
-- A managed app is an app that has app protection policies applied to it, and can be managed by Intune.
-- You can also block the built-in mail apps on iOS/iPadOS and Android when you allow only the Microsoft Outlook app to access Exchange Online. Additionally, you can block apps that don't have Intune app protection policies applied from accessing SharePoint Online.
+> [!TIP]
+> In addition to app-based Conditional Access policies, you can use [device-based Conditional Access with Intune](./device-based-policies.md).
-App-based Conditional Access with client app management adds a security layer that makes sure only client apps that support Intune app protection policies can access Exchange online and other Microsoft 365 services.
+## Requirements
-> [!TIP]
-> In addition to app-based Conditional Access policies, you can use [device-based Conditional Access with Intune](/entra/identity/conditional-access/policy-all-users-device-compliance).
+:::row:::
+:::column span="1":::
+[!INCLUDE [licensing](../../includes/requirements/licensing.md)]
+
+:::column-end:::
+:::column span="3":::
+
+> Before you create an app-based Conditional Access policy, you must have a **Microsoft Entra ID P1 or P2** license. Users must also be licensed for Microsoft Entra ID. For more information, see [Microsoft Entra pricing](https://www.microsoft.com/security/business/microsoft-entra-pricing).
+
+:::column-end:::
+:::row-end:::
-## Prerequisites
+:::row:::
+:::column span="1":::
+[!INCLUDE [rbac](../../includes/requirements/rbac.md)]
-Before you create an app-based Conditional Access policy, you must have:
+:::column-end:::
+:::column span="3":::
-- **Enterprise Mobility + Security (EMS)** or an **Microsoft Entra ID P1 or P2 subscription**
-- Users must be licensed for EMS or Microsoft Entra ID
+> Your account must have one of the following roles in Microsoft Entra:
+> - Security administrator
+> - Conditional Access administrator
-For more information, see [Enterprise Mobility pricing](https://www.microsoft.com/cloud-platform/enterprise-mobility-pricing) or [Microsoft Entra pricing](https://azure.microsoft.com/pricing/details/active-directory/).
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [platform](../../includes/requirements/platform.md)]
+
+:::column-end:::
+:::column span="3":::
+
+> - Android
+> - iOS/iPadOS
+
+:::column-end:::
+:::row-end:::
## Supported apps
-A list of apps that support app-based Conditional Access can be found in [Conditional Access: Conditions](/azure/active-directory/conditional-access/concept-conditional-access-conditions#client-apps) in the Microsoft Entra documentation.
+A list of apps that support app-based Conditional Access can be found in [Conditional Access: Conditions](/entra/identity/conditional-access/concept-conditional-access-conditions#client-apps) in the Microsoft Entra documentation.
App-based Conditional Access [also supports line-of-business (LOB) apps](./block-no-modern-auth.md), but these apps need to use [Microsoft 365 modern authentication](/microsoft-365/enterprise/modern-auth-for-office-2013-and-2016?view=o365-worldwide&preserve-view=true).
## How app-based Conditional Access works
-In this example, the admin has applied app protection policies to the Outlook app followed by a Conditional Access rule that adds the Outlook app to an approved list of apps that can be used when accessing corporate email.
-
-> [!NOTE]
-> The following flowchart can be used for other managed apps.
+App-based Conditional Access works by requiring a broker app to register the device with Microsoft Entra ID. The broker app can be Microsoft Authenticator on iOS, or Company Portal on Android. During authentication, Microsoft Entra ID checks whether the app is on the policy-approved list before granting access. The following diagram illustrates this process:

-1. The user tries to authenticate to Microsoft Entra ID from the Outlook app.
+For a detailed technical overview, see [Client apps](/entra/identity/conditional-access/concept-conditional-access-conditions#client-apps) in the Microsoft Entra documentation.
-2. The user gets redirected to the app store to install a broker app when trying to authenticate for the first time. The broker app can be the Microsoft Authenticator for iOS, or Microsoft Company portal for Android devices.
+## Create app-based Conditional Access policies
- If users try to use a native email app, they are redirected to the app store to then install the Outlook app.
+Conditional Access is a Microsoft Entra technology. The Conditional Access node you access from the Microsoft Intune admin center is the same node you access from Microsoft Entra ID, so you don't need to switch between them to configure policies.
-3. The broker app gets installed on the device.
+Before you create Conditional Access policies, you need to have [Intune app protection policies](../../app-management/protection/create-policy.md) applied to your apps.
-4. The broker app starts the Microsoft Entra registration process, which creates a device record in Microsoft Entra ID. This process isn't the same as the mobile device management (MDM) enrollment process, but this record is necessary so the Conditional Access policies can be enforced on the device.
+> [!IMPORTANT]
+> This section walks through the steps to add a simple app-based Conditional Access policy. You can use the same steps for other cloud apps. For more information, see [Plan Conditional Access deployment](/entra/identity/conditional-access/plan-conditional-access).
-5. The broker app confirms the Microsoft Entra device ID, the user, and the application. This information is passed to the Microsoft Entra sign-in servers to validate access to the requested service.
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-6. The broker app sends the App Client ID to Microsoft Entra ID as part of the user authentication process to check if it's in the policy approved list.
+2. Select **Endpoint security** > **Conditional Access** > **Create new policy**.
-7. Microsoft Entra ID allows the user to authenticate and use the app based on the policy approved list. If the app isn't on the list, Microsoft Entra ID denies access to the app.
+3. Enter a policy **Name**, and then under **Assignments**, configure **Users and groups** to apply the policy to users and groups. Use the **Include** or **Exclude** options to add your groups.
-8. The Outlook app communicates with Outlook Cloud Service to initiate communication with Exchange Online.
+4. Under **Assignments**, configure **Target resources**. Apply the policy to **Cloud apps**. Use the **Include** or **Exclude** options to select the apps to protect. For example, choose **Select apps**, and select **Office 365**.
-9. Outlook Cloud Service communicates with Microsoft Entra ID to retrieve Exchange Online service access token for the user.
+5. Select **Conditions** > **Client apps** to apply the policy to apps and browsers. For example, select **Yes**, and then enable **Browser** and **Mobile apps and desktop clients**.
-10. The Outlook app communicates with Exchange Online to retrieve the user's corporate email.
+6. Under **Access controls**, configure **Grant**. For example, select **Grant access** > **Require approved client app** and **Require app protection policy**, then select **Require one of the selected controls**.
-11. Corporate email is delivered to the user's mailbox.
+7. Under **Enable policy**, select **On**, and then select **Create**.
## Next steps
-- [Create an app-based Conditional Access policy](./create-app-based-policy.md)
-- [Block apps that don't have modern authentication](./block-no-modern-auth.md)
+- [Device-based Conditional Access with Intune](./device-based-policies.md)
+- [Block apps that don't use modern authentication](./block-no-modern-auth.md)
+- [Protect app data with app protection policies](../../app-management/protection/create-policy.md)
+- [Plan Conditional Access deployment](/entra/identity/conditional-access/plan-conditional-access)
diff --git a/intune/device-security/conditional-access-integration/block-no-modern-auth.md b/intune/device-security/conditional-access-integration/block-no-modern-auth.md
index 05a163d6d1e..16ac53d9131 100644
--- a/intune/device-security/conditional-access-integration/block-no-modern-auth.md
+++ b/intune/device-security/conditional-access-integration/block-no-modern-auth.md
@@ -22,9 +22,8 @@ To block access to apps that don't use modern authentication, use Intune app pro
## Additional information
For more information about Microsoft Entra Conditional Access, see the following topics:
-- [What is Conditional Access in Microsoft Entra ID?](/azure/active-directory/conditional-access/overview)
+- [What is Conditional Access in Microsoft Entra ID?](/entra/identity/conditional-access/overview)
- [How app-based Conditional Access works](./app-based-policies.md#how-app-based-conditional-access-works)
-- [Set up SharePoint Online and Exchange Online for Microsoft Entra Conditional Access](/azure/active-directory/conditional-access/conditional-access-for-exo-and-spo)
## Next steps
diff --git a/intune/device-security/conditional-access-integration/create-app-based-policy.md b/intune/device-security/conditional-access-integration/create-app-based-policy.md
deleted file mode 100644
index 32c9b5e1ace..00000000000
--- a/intune/device-security/conditional-access-integration/create-app-based-policy.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-title: Set up app-based Conditional Access policies with Intune
-description: Create Conditional Access policies that work with Intune app protection policies
-ms.date: 04/15/2022
-ms.topic: how-to
-ms.reviewer: elocholi
-ms.collection:
-- M365-identity-device-management
-- conditional-access
-- sub-device-compliance
----
-
-# Set up app-based Conditional Access policies with Intune
-
-Set up app-based Conditional Access policies for apps that are part of the list of approved apps. The list of approved apps consists of apps that were tested by Microsoft.
-
-Before you can use app-based Conditional Access policies, you need to have [Intune app protection policies](../../app-management/protection/create-policy.md) applied to your apps.
-
-> [!IMPORTANT]
-> This article walks through the steps to add a simple app-based Conditional Access policy. You can use the same steps for other cloud apps. For more information, see [Plan Conditional Access deployment](/azure/active-directory/conditional-access/plan-conditional-access)
-
-## Create app-based Conditional Access policies
-
-Conditional Access is a Microsoft Entra technology. The Conditional Access node you access from *Intune* is the same node that you access from *Microsoft Entra ID*. Because it's the same node, you don't need to switch between Intune and Microsoft Entra ID to configure policies.
-
-Before you can create Conditional Access policies from the Microsoft Intune admin center, you must have a Microsoft Entra ID P1 or P2 license.
-
-### To create an app-based Conditional Access policy
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
-
-2. Select **Endpoint security** > **Conditional Access** > **Create new policy**.
-
-3. Enter a policy **Name**, and then under *Assignments*, select **Users or workload identities**, and apply the policy to *Users and groups*. Use the Include or Exclude options to add your groups for the policy.
-
-4. Select **Cloud apps or actions**, and apply the policy to *Cloud apps*. Use the Include or Exclude options to select the apps to protect. For example, choose **Select apps**, and select **Office 365 (preview)**.
-
-5. Select **Conditions** > **Client apps** to apply the policy to apps and browsers. For example, select **Yes**, and then select the checkboxes for enable **Browser** and **Mobile apps and desktop clients**.
-
-6. Under *Access controls*, select **Grant** to apply Conditional Access based on a device compliance status. For example, select **Grant access** > **Require approved client app** and **Require app protection policy**, then select **Require one of the selected controls**.
-
-7. For **Enable policy**, select **On**, and then select **Create** to save your changes. By default, *Enable policy* is set to *Report-only*.
-
-## Next steps
-
-- [Block apps that don't have modern authentication](./block-no-modern-auth.md)
-- [Protect app data with app protection policies](../../app-management/protection/create-policy.md)
-- Learn about [Conditional Access in Microsoft Entra ID](/azure/active-directory/active-directory-conditional-access)
diff --git a/intune/device-security/conditional-access-integration/device-based-policies.md b/intune/device-security/conditional-access-integration/device-based-policies.md
new file mode 100644
index 00000000000..46d5b8290a6
--- /dev/null
+++ b/intune/device-security/conditional-access-integration/device-based-policies.md
@@ -0,0 +1,122 @@
+---
+title: Set up device-based Conditional Access policies with Intune
+description: Configure a device-based Conditional Access policy that uses device compliance status from Intune device compliance policies.
+author: lenewsad
+ms.author: lanewsad
+ms.date: 09/18/2023
+ms.topic: how-to
+ms.reviewer: ilwu
+ms.collection:
+- M365-identity-device-management
+- conditional-access
+- sub-device-compliance
+---
+
+# Create a device-based Conditional Access policy
+
+Microsoft Intune device compliance policies can evaluate the status of managed devices to ensure they meet your requirements before you grant them access to your organization's apps and services. The status results from your device compliance policies can be used by Microsoft Entra Conditional Access policies to enforce security and compliance standards. This combination is referred to as device-based Conditional Access.
+
+> [!TIP]
+> In addition to device-based Conditional Access policies, you can use [App-based Conditional Access with Intune](./app-based-policies.md).
+
+Conditional Access is a Microsoft Entra technology. The Conditional Access node you access from the Microsoft Intune admin center is the same node you access from Microsoft Entra ID, so you don't need to switch between them to configure policies.
+
+## Requirements
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [licensing](../../includes/requirements/licensing.md)]
+
+:::column-end:::
+:::column span="3":::
+
+> Before you create a device-based Conditional Access policy, you must have a **Microsoft Entra ID P1 or P2** license. For more information, see [Microsoft Entra pricing](https://www.microsoft.com/security/business/microsoft-entra-pricing).
+
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [rbac](../../includes/requirements/rbac.md)]
+
+:::column-end:::
+:::column span="3":::
+
+> Your account must have one of the following roles in Microsoft Entra:
+> - Security administrator
+> - Conditional Access administrator
+
+:::column-end:::
+:::row-end:::
+
+> [!IMPORTANT]
+> Before you set up Conditional Access, you'll need to set up Intune device compliance policies to evaluate devices based on whether they meet specific requirements. See [Get started with device compliance policies in Intune](../compliance/create-policy.md).
+
+## How this works
+
+Device-based Conditional Access uses compliance status signals from Intune to enforce access controls in Microsoft Entra ID. Configuration involves two phases:
+
+- Phase 1 - Configure device compliance policies in Intune: These policies evaluate whether managed devices meet your security requirements. Intune reports that compliance status to Microsoft Entra ID.
+
+- Phase 2 - Create a Conditional Access policy in Microsoft Entra: The policy uses the compliance signal from Intune. This article shows you how to configure the policy from within the Microsoft Intune admin center.
+
+## Create the Conditional Access policy
+
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+
+2. Select **Endpoint security** > **Conditional Access** > **Create new policy**.
+
+ The **New** pane opens, which is the configuration pane from Microsoft Entra. The policy you’re creating is a Microsoft Entra policy for Conditional Access. To learn more about this pane and Conditional Access policies, see [Conditional Access policy components](/entra/identity/conditional-access/concept-conditional-access-policies) in the Microsoft Entra content.
+
+3. Under **Assignments**, configure **Users and groups** to select the Identities in the directory that the policy applies to. To learn more, see [Users and groups](/entra/identity/conditional-access/concept-conditional-access-users-groups) in the Microsoft Entra documentation.
+
+ - On the **Include** tab, configure the user and groups you want to include.
+ - Use the **Exclude** tab if there are any users, roles, or groups you want to exclude from this policy.
+
+ > [!TIP]
+ > Test the policy against a smaller group of users to make sure it works as expected before deploying it to larger groups.
+
+4. Next configure **Target resources**, which is also under *Assignments*. Use the drop-down for *Select what this policy applies to* to select **Cloud apps**.
+
+ - On the **Include** tab, use available options to identify the apps and services that you want to protect with this Conditional Access policy.
+
+ If you choose **Select apps**, use the available UI to select apps and services to protect with this policy.
+
+ > [!CAUTION]
+ > **Don't lock yourself out**. If you choose **All cloud apps**, be sure to review the warning, and then **Exclude** from this policy your user account or other relevant users and groups that should retain access to use the Microsoft Entra admin center or Microsoft Intune admin center after this policy takes effect.
+
+ - Use the **Exclude** tab if there are any apps or services you want to exclude from this policy.
+
+ For more information, see [Cloud apps or actions](/entra/identity/conditional-access/concept-conditional-access-cloud-apps) in the Microsoft Entra documentation.
+
+5. Next, configure **Conditions**. Select the signals you want to use as conditions for this policy. Options include:
+
+ - User risk
+ - Sign-in risk
+ - Device platforms
+ - Locations
+ - Client apps
+ - Filter for devices
+
+ For information about these options, see [Conditions](/entra/identity/conditional-access/concept-conditional-access-conditions) in the Microsoft Entra documentation.
+
+ > [!TIP]
+ > If you want to protect both **Modern authentication** clients and **Exchange ActiveSync clients**, create two separate Conditional Access policies, one for each client type. Although Exchange ActiveSync supports modern authentication, the only condition that is supported by Exchange ActiveSync is platform. Other conditions, including multifactor authentication, aren't supported. To effectively protect access to Exchange Online from Exchange ActiveSync, create a Conditional Access policy that specifies the cloud app Microsoft 365 Exchange Online and the client app Exchange ActiveSync with Apply policy only to supported platforms selected.
+
+6. Under **Access controls**, configure **Grant** to select one or more requirements. To learn about the options for Grant, see [Grant](/entra/identity/conditional-access/concept-conditional-access-grant) in the Microsoft Entra Documentation.
+
+ > [!IMPORTANT]
+ >
+ > To have this policy use device compliance status, for *Grant access* you must select *Require device to be marked as compliant*.
+
+ - **Block access**: Denies access to the specified apps or services.
+ - **Grant access**: Grants access, but you can require one or more conditions. To use device compliance status from Intune, select **Require device to be marked as compliant**.
+
+7. Under **Enable policy**, select **On**. By default, the policy is set to *Report-only*.
+
+8. Select **Create**.
+
+## Next steps
+
+- [App-based Conditional Access with Intune](./app-based-policies.md)
+- [Troubleshooting Intune Conditional Access](/troubleshoot/mem/intune/device-protection/troubleshoot-conditional-access)
diff --git a/intune/device-security/conditional-access-integration/manage-exchange-access.md b/intune/device-security/conditional-access-integration/manage-exchange-access.md
index 5d99f387448..94d343b4b96 100644
--- a/intune/device-security/conditional-access-integration/manage-exchange-access.md
+++ b/intune/device-security/conditional-access-integration/manage-exchange-access.md
@@ -15,7 +15,7 @@ When you use Microsoft Intune, you can still manage employee access to their wor
To complete the necessary steps, confirm you have licenses for Microsoft 365, or Microsoft Entra ID P1 and Intune. Employees need to have a [supported iOS/iPadOS or Android device](../../fundamentals/ref-supported-platforms.md).
-If you decide to set up a device management system, you can as this type of app protection works independently of device management.
+If you decide to set up a device management system, you can, as this type of app protection works independently of device management.
## Action plan
@@ -34,7 +34,7 @@ If you decide to set up a device management system, you can as this type of app
You have used app-based Conditional Access to increase the security of company data. As part of next steps, you can learn more about the other ways you can increase the protection of your company's data, including:
-- Setting up app protection policies to help you protect your company data against intentional or unintentional data leaks.
+- Setting up app protection policies to help you protect your company data against intentional or accidental data leaks.
- Use of Azure Information Protection to protect company data outside your network.
Want help with enabling this or other EMS or Microsoft 365 scenarios? If you have at least 150 licenses for Microsoft 365, Enterprise Mobility + Security, or Microsoft Entra ID P1, use your [FastTrack benefits](/enterprise-mobility-security/solutions/enterprise-mobility-fasttrack-program).
diff --git a/intune/device-security/conditional-access-integration/overview.md b/intune/device-security/conditional-access-integration/overview.md
index e02cda32691..b9db20a1909 100644
--- a/intune/device-security/conditional-access-integration/overview.md
+++ b/intune/device-security/conditional-access-integration/overview.md
@@ -1,6 +1,6 @@
---
title: Use Conditional Access with Microsoft Intune compliance policies
-description: Combine Conditional Access with Intune compliance policies to define the requirements that users and devices must meet before gaining access your organizations resources.
+description: Combine Conditional Access with Intune compliance policies to define the requirements that users and devices must meet before gaining access to your organization's resources.
ms.date: 04/25/2024
ms.topic: overview
ms.reviewer: ilwu
@@ -14,13 +14,9 @@ ms.collection:
Use Conditional Access with Microsoft Intune compliance policies to control the devices and apps that can connect to your email and company resources. When integrated, you can gate access to keep your corporate data secure, while giving users an experience that allows them to do their best work from any device, and from any location.
-[Conditional Access](/azure/active-directory/conditional-access/overview) is a Microsoft Entra capability that is included with a Microsoft Entra ID P1 or P2 license. Through Microsoft Entra ID, Conditional Access brings signals together to make decisions, and enforce organizational policies. Intune enhances this capability by adding mobile device compliance and mobile app management data to the solution. Common signals include:
+[Conditional Access](/entra/identity/conditional-access/overview) is a Microsoft Entra capability that is included with a Microsoft Entra ID P1 or P2 license. Through Microsoft Entra ID, Conditional Access brings signals together to make decisions, and enforce organizational policies. Intune enhances this capability by adding mobile device compliance and mobile app management data as signals for Conditional Access decisions. For a full list of supported signals, see [What is Conditional Access?](/entra/identity/conditional-access/overview) in the Microsoft Entra documentation.
-- User or group membership.
-- IP location information.
-- Device details, including device compliance or configuration status.
-- Application details, including requiring use of managed apps to access corporate data.
-- Real-time and calculated risk detection, when you also use a mobile threat defense partner.
+You configure Conditional Access policies from the Microsoft Intune admin center. The Conditional Access node in the Microsoft Intune admin center is the same node as in Microsoft Entra ID, so you don't need to switch between them.
:::image type="content" source="./media/scenarios/ca-diagram-1.png" alt-text="Conceptual Conditional Access process flow.":::
@@ -29,25 +25,17 @@ Use Conditional Access with Microsoft Intune compliance policies to control the
## Ways to use Conditional Access with Intune
-Conditional Access works with Intune device configuration and compliance policies, and with Intune Application protection policies.
+Conditional Access works with Intune device configuration and compliance policies, and with Intune app protection policies.
- **Device-based Conditional Access**
- Intune and Microsoft Entra ID work together to make sure only managed and compliant devices can access email, Microsoft 365 services, Software as a service (SaaS) apps, and on-premises apps. Additionally, you can set a policy in Microsoft Entra ID to enable only domain-joined computers or mobile devices that have enrolled in Intune to access Microsoft 365 services. Including:
+ Intune and Microsoft Entra ID work together to make sure only managed and compliant devices can access email, Microsoft 365 services, software as a service (SaaS) apps, and on-premises apps.
- - Conditional Access based on network access control
-
- - Conditional Access based on device risk
-
- - Conditional Access for Windows PCs. Both corporate-owned and bring your own device (BYOD).
-
- - Conditional Access for Exchange on-premises
-
- Learn more about [device-based Conditional Access with Intune](/entra/identity/conditional-access/policy-all-users-device-compliance)
+ Learn more about [device-based Conditional Access with Intune](./device-based-policies.md).
- **App-based Conditional Access**
- Intune and Microsoft Entra ID work together to make sure only managed apps can access corporate e-mail or other Microsoft 365 services.
+ Intune and Microsoft Entra ID work together to make sure only managed apps can access corporate email or other Microsoft 365 services.
Learn more about [app-based Conditional Access with Intune](./app-based-policies.md).
diff --git a/intune/device-security/conditional-access-integration/scenarios.md b/intune/device-security/conditional-access-integration/scenarios.md
index d25e5ebe665..d28d9977980 100644
--- a/intune/device-security/conditional-access-integration/scenarios.md
+++ b/intune/device-security/conditional-access-integration/scenarios.md
@@ -12,16 +12,23 @@ ms.collection:
# Common ways to use Conditional Access with Intune
-There are two types of Conditional Access policies you can use with Intune: device-based Conditional Access and app-based Conditional Access. To support each, you need to configure the related Intune policies. When the Intune policies are in place and deployed, you can then use Conditional Access to do things like allow or block access to Exchange, control access to your network, or integrate with a Mobile Threat Defense solution.
+There are two types of Conditional Access policies you can use with Intune: device-based and app-based. This article covers common scenarios for both types.
-The information in this article can help you understand how to use the Intune mobile *device* compliance capabilities and the Intune mobile *application* management (MAM) capabilities.
+The information in this article can help you understand how to use both the Intune mobile device compliance capabilities and the Intune mobile application management (MAM) capabilities.
> [!NOTE]
-> Conditional Access is a Microsoft Entra capability that is included with a Microsoft Entra ID P1 or P2 license. Intune enhances this capability by adding mobile device compliance and mobile app management to the solution. The Conditional Access node accessed from *Intune* is the same node as accessed from *Microsoft Entra ID*.
+> Conditional Access is a Microsoft Entra capability that is included with a Microsoft Entra ID P1 or P2 license. The Conditional Access node accessed from the Microsoft Intune admin center is the same node as accessed from Microsoft Entra ID.
+
+## Applications available in Conditional Access for controlling Microsoft Intune
+
+When you configure Conditional Access in the Microsoft Entra admin center, you have two applications to choose from:
+
+- **Microsoft Intune** - This application controls access to the Microsoft Intune admin center and data sources. Configure grants/controls on this application when you want to target the Microsoft Intune admin center and data sources.
+- **Microsoft Intune Enrollment** - This application controls the enrollment workflow. Configure grants/controls on this application when you want to target the enrollment process. For more information, see [Require multifactor authentication for Intune device enrollments](../../device-enrollment/configure-multifactor-authentication.md).
## Device-based Conditional Access
-Intune and Microsoft Entra ID work together to make sure only managed and compliant devices can access your organization's email, Microsoft 365 services, Software as a service (SaaS) apps, and [on-premises apps](/entra/identity/app-proxy). Additionally, you can set a policy in Microsoft Entra ID to only enable domain-joined computers or mobile devices that are enrolled in Intune to access Microsoft 365 services.
+Intune and Microsoft Entra ID work together to make sure only managed and compliant devices can access your organization's email, Microsoft 365 services, software as a service (SaaS) apps, and [on-premises apps](/entra/identity/app-proxy). Additionally, you can set a policy in Microsoft Entra ID to only enable domain-joined computers or mobile devices that are enrolled in Intune to access Microsoft 365 services.
With Intune, you deploy device compliance policies to determine if a device meets your expected configuration and security requirements. The compliance policy evaluation determines the device's compliance status, which is reported to both Intune and Microsoft Entra ID. It's in Microsoft Entra ID that Conditional Access policies can use a device's compliance status to make decisions on whether to allow or block access to your organization's resources from that device.
@@ -33,24 +40,9 @@ Device-based Conditional Access policies for Exchange online and other Microsoft
- Learn more about [Supported browsers with Conditional Access in Microsoft Entra ID](/entra/identity/conditional-access/concept-conditional-access-conditions#supported-browsers).
-> [!NOTE]
-> When you enable Device Based Access for content that users access from browser apps on their Android personally owned work profile devices, users that enrolled before January 2021 must enable browser access as follows:
->
-> 1. Launch the **Company Portal** app.
-> 2. Go to the **Settings** page from the menu.
-> 3. In the **Enable Browser Access** section, tap the **ENABLE** button.
-> 4. Close and then restart the browser app.
->
-> This enables access in browser apps, but not to browser WebViews that open within apps.
-
-## Applications available in Conditional Access for controlling Microsoft Intune
-
-When you configure Conditional Access in the Microsoft Entra admin center, you have two applications to choose from:
-
-1. **Microsoft Intune** - This application controls access to the Microsoft Intune admin center and data sources. Configure grants/controls on this application when you want to target the Microsoft Intune admin center and data sources.
-2. **Microsoft Intune Enrollment** - This application controls the enrollment workflow. Configure grants/controls on this application when you want to target the enrollment process. For more information, see [Require multifactor authentication for Intune device enrollments](../../device-enrollment/configure-multifactor-authentication.md).
+The following scenarios build on device-based Conditional Access to show how it applies in specific contexts.
-## Conditional Access based on network access control
+### Conditional Access based on network access control
Intune integrates with partners like Cisco ISE, Aruba Clear Pass, and Citrix NetScaler to provide access controls based on the Intune enrollment and the device compliance state.
@@ -58,42 +50,39 @@ Users can be allowed or denied access to corporate Wi-Fi or VPN resources based
- Learn more about the [NAC integration with Intune](../integrate-network-access-control.md).
-## Conditional Access based on device risk
-
-Intune partners with Mobile Threat Defense vendors that provide a security solution to detect malware, Trojans, and other threats on mobile devices.
+### Conditional Access based on device risk
-### How the Intune and Mobile Threat Defense integration works
-
-When mobile devices have the Mobile Threat Defense agent installed, the agent sends compliance state messages back to Intune reporting when a threat is found on the mobile device itself.
-
-The Intune and mobile threat defense integration plays a factor in the Conditional Access decisions based on device risk.
+Intune partners with mobile threat defense vendors that provide a security solution to detect malware, Trojans, and other threats on mobile devices. When mobile devices have the mobile threat defense agent installed, the agent sends compliance state messages back to Intune reporting when a threat is found. This integration plays a factor in Conditional Access decisions based on device risk.
- Learn more about [Intune mobile threat defense](../mobile-threat-defense/overview.md).
-## Conditional Access for Windows PCs
+### Conditional Access for Windows PCs
-Conditional Access for PCs provides capabilities similar to those available for mobile devices. Let's talk about the ways you can use Conditional Access when managing PCs with Intune.
+Conditional Access for PCs provides capabilities similar to those available for mobile devices. The following options are available when managing PCs with Intune.
-### Corporate-owned
+#### Corporate-owned
- **Microsoft Entra hybrid joined:** This option is commonly used by organizations that are reasonably comfortable with how they're already managing their PCs through AD group policies or Configuration Manager.
- **Microsoft Entra domain joined and Intune management:** This scenario is for organizations that want to be cloud-first (that is, primarily use cloud services, with a goal to reduce use of an on-premises infrastructure) or cloud-only (no on-premises infrastructure). Microsoft Entra join works well in a hybrid environment, enabling access to both cloud and on-premises apps and resources. The device joins to the Microsoft Entra ID and gets enrolled to Intune, which can be used as a Conditional Access criteria when accessing corporate resources.
-### Bring your own device (BYOD)
+#### Bring your own device (BYOD)
- **Workplace join and Intune management:** Here the user can join their personal devices to access corporate resources and services. You can use Workplace join and enroll devices into Intune MDM to receive device-level policies, which are another option to evaluate Conditional Access criteria.
-Learn more about [Device Management in Microsoft Entra ID](/azure/active-directory/devices/overview).
+Learn more about [Device Management in Microsoft Entra ID](/entra/identity/devices/overview).
## App-based Conditional Access
-Intune and Microsoft Entra ID work together to make sure only managed apps can access corporate e-mail or other Microsoft 365 services. Learn more about [app-based Conditional Access with Intune](./app-based-policies.md).
-
+App-based Conditional Access protects access at the app level rather than the device level, making it well-suited for unenrolled devices. The following articles cover app-based Conditional Access scenarios for Intune:
+- [Use app-based Conditional Access policies with Intune](./app-based-policies.md)
+- [Require approved app or app protection policy (Microsoft Entra)](/entra/identity/conditional-access/policy-all-users-approved-app-or-app-protection)
## Next steps
[How to configure Conditional Access in Microsoft Entra ID](/entra/identity/conditional-access/concept-conditional-access-policy-common)
-[Set up app-based Conditional Access policies](./create-app-based-policy.md)
+[Set up device-based Conditional Access policies](./device-based-policies.md)
+
+[Set up app-based Conditional Access policies](./app-based-policies.md)
diff --git a/intune/device-security/conditional-access-integration/setup-jamf-manually.md b/intune/device-security/conditional-access-integration/setup-jamf-manually.md
index d969497a19e..2623e3ba04a 100644
--- a/intune/device-security/conditional-access-integration/setup-jamf-manually.md
+++ b/intune/device-security/conditional-access-integration/setup-jamf-manually.md
@@ -158,7 +158,7 @@ The app registration process in Microsoft Entra ID is complete.
*Exclude* overrides *Include*, which means any device that is in both groups is excluded from Jamf and directed to enroll with Intune.
>[!NOTE]
- > This method of including and excluding user groups affects the enrollment experience of the user. Any user with a macOS device thats already enrolled in either Jamf or Intune who is then targeted to enroll with the other MDM must unenroll their device and then re-enroll it with the new MDM before management of the device works properly.
+ > This method of including and excluding user groups affects the enrollment experience of the user. Any user with a macOS device that's already enrolled in either Jamf or Intune who is then targeted to enroll with the other MDM must unenroll their device and then re-enroll it with the new MDM before management of the device works properly.
3. Select **Evaluate** to determine how many devices will be enrolled with Jamf, based on your group configurations.
diff --git a/intune/device-security/conditional-access-integration/toc.yml b/intune/device-security/conditional-access-integration/toc.yml
index 147cd5fb365..bd669782ca6 100644
--- a/intune/device-security/conditional-access-integration/toc.yml
+++ b/intune/device-security/conditional-access-integration/toc.yml
@@ -6,8 +6,8 @@ items:
href: ./scenarios.md
- name: App-based Conditional Access
href: ./app-based-policies.md
- - name: Create app-based Conditional Access
- href: ./create-app-based-policy.md
+ - name: Device-based Conditional Access
+ href: ./device-based-policies.md
- name: Block apps that don't use modern authentication (MSAL)
href: ./block-no-modern-auth.md
- name: Manage access to Exchange Online
@@ -20,7 +20,7 @@ items:
href: ./configure-jamf-cloud-connector.md
- name: Integrate Jamf Pro with Intune for compliance
href: ./setup-jamf-manually.md
- - name: Integrate Jamf Pro with Intune to report compliance to Microsoft Entra ID
+ - name: Integrate Jamf Pro with Intune
href: ../compliance/jamf-entra-id.md
- name: Enforce compliance on Macs managed with Jamf Pro
href: ./assign-jamf-policies.md
diff --git a/intune/device-security/endpoint-security-policies.md b/intune/device-security/endpoint-security-policies.md
index 6a1bfdc81b5..b963ee07706 100644
--- a/intune/device-security/endpoint-security-policies.md
+++ b/intune/device-security/endpoint-security-policies.md
@@ -105,8 +105,8 @@ Endpoint Privilege Management enforces least privilege access by allowing users
You deploy Endpoint Privilege Management by creating elevation rules that define which applications can run with administrative privileges and under what conditions. Elevation rules support multiple validation methods including file hashes, publisher certificates, and file paths. You can configure automatic elevation for trusted applications, user-confirmed elevation with optional authentication requirements, support-approved elevation where administrators review requests, or deny rules to block specific files. EPM includes detailed reporting for both managed elevations and unmanaged elevations, helping you identify elevation patterns, refine rules, and plan the transition of users from administrator to standard user accounts.
-> [!IMPORTANT]
-> Endpoint Privilege Management is available as an [Intune add-on](../fundamentals/add-ons.md) that requires an additional license beyond Microsoft Intune. You can license EPM as a standalone add-on or as part of the Microsoft Intune Suite. EPM policies are only available for Windows devices.
+> [!NOTE]
+> Endpoint Privilege Management is a [Microsoft Intune advanced capability](../fundamentals/advanced-capabilities.md) that requires additional licensing beyond Microsoft Intune.
For more information, see [Endpoint Privilege Management](../epm/overview.md).
diff --git a/intune/device-security/microsoft-defender/overview.md b/intune/device-security/microsoft-defender/overview.md
index 84abad8b436..053783a4701 100644
--- a/intune/device-security/microsoft-defender/overview.md
+++ b/intune/device-security/microsoft-defender/overview.md
@@ -57,7 +57,7 @@ You can add these permissions to a [custom Intune role](../../fundamentals/role-
**Subscription**: Microsoft Intune Plan 1 subscription provides access to Intune and the Microsoft Intune admin center.
-For licensing options, see [Microsoft Intune licensing](../../fundamentals/licensing/index.md).
+For licensing options, see [Microsoft Intune licensing](../../fundamentals/licensing.md).
**Supported platforms**:
diff --git a/intune/device-security/microsoft-tunnel/mam-android.md b/intune/device-security/microsoft-tunnel/mam-android.md
index 66c848c9683..48a4f677ed0 100644
--- a/intune/device-security/microsoft-tunnel/mam-android.md
+++ b/intune/device-security/microsoft-tunnel/mam-android.md
@@ -12,7 +12,7 @@ ms.collection:
# Microsoft Tunnel for Mobile Application Management for Android
-[!INCLUDE [intune-add-on-note](../../advanced-analytics/includes/intune-add-on-note.md)]
+[!INCLUDE [additional-licensing-plan2](../../includes/licensing/additional-licensing-plan2.md)]
When you add Microsoft Tunnel for Mobile Application Management (MAM) to your tenant, you can use Microsoft Tunnel VPN Gateway with unenrolled Android devices to support MAM scenarios. With support for MAM, your unenrolled devices can use Tunnel to securely connect to your organization allowing users and apps safe access to your organizational data.
diff --git a/intune/device-security/microsoft-tunnel/mam-ios.md b/intune/device-security/microsoft-tunnel/mam-ios.md
index d8c84299efa..9bb4de1414e 100644
--- a/intune/device-security/microsoft-tunnel/mam-ios.md
+++ b/intune/device-security/microsoft-tunnel/mam-ios.md
@@ -12,7 +12,7 @@ ms.collection:
# Microsoft Tunnel for Mobile Application Management for iOS/iPadOS
-[!INCLUDE [intune-add-on-note](../../advanced-analytics/includes/intune-add-on-note.md)]
+[!INCLUDE [additional-licensing-plan2](../../includes/licensing/additional-licensing-plan2.md)]
When you add Microsoft Tunnel for Mobile Application Management (MAM) to your tenant, you can use Microsoft Tunnel VPN Gateway with unenrolled iOS devices to support MAM the following scenarios:
diff --git a/intune/device-security/microsoft-tunnel/mam.md b/intune/device-security/microsoft-tunnel/mam.md
index faf776b0572..058c7cbf59a 100644
--- a/intune/device-security/microsoft-tunnel/mam.md
+++ b/intune/device-security/microsoft-tunnel/mam.md
@@ -12,27 +12,37 @@ ms.collection:
# Microsoft Tunnel for Mobile Application Management
-[!INCLUDE [intune-add-on-note](../../includes/intune-plan2-suite-note.md)]
-
When you use the Microsoft Tunnel VPN Gateway, you can extend Tunnel support by adding Tunnel for Mobile Application Management (MAM). Tunnel for MAM extends the Microsoft Tunnel VPN gateway to support devices that run Android or iOS, and that aren't enrolled with Microsoft Intune. With this solution, your users can use a single device that isn't enrolled with Intune to gain secure access to the organizations on-premises apps and resources using modern authentication, single sign-on, and Conditional Access. With Tunnel for MAM, your users can use their own device (BYOD) for both work and personal use, without having to grant the organization's IT department control over that device.
-Applies to:
-
-- Android
-- iOS/iPadOS
-
-## Platform requirements and feature overview
-
Before you begin, you must already have deployed the Microsoft Tunnel gateway. To learn more about Microsoft Tunnel gateway and how to install and configure it, see:
- [Learn about the Microsoft Tunnel VPN solution for Microsoft Intune](./overview.md)
- [Identify the prerequisites to install and use the Microsoft Tunnel VPN solution for Microsoft Intune](./prerequisites.md)
- [Install and configure Microsoft Tunnel VPN solution for Microsoft Intune](./install.md)
-Microsoft Tunnel for MAM supports the following platforms:
+## Prerequisites
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [platform](../../includes/requirements/platform.md)]
+
+:::column-end:::
+:::column span="3":::
+>- Android Enterprise
+>- iOS/iPadOS
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [licensing](../../includes/requirements/licensing.md)]
+
+:::column-end:::
+:::column span="3":::
-- Android Enterprise version 10.0 or higher
-- iOS version 14.0 or higher
+>[!INCLUDE [additional-licensing-plan2](../../includes/licensing/additional-licensing-plan2.md)]
+:::column-end:::
+:::row-end:::
The following table identifies key features for the supported platforms:
diff --git a/intune/device-security/microsoft-tunnel/overview.md b/intune/device-security/microsoft-tunnel/overview.md
index d79ea34d28e..df268e521ea 100644
--- a/intune/device-security/microsoft-tunnel/overview.md
+++ b/intune/device-security/microsoft-tunnel/overview.md
@@ -17,7 +17,7 @@ This article introduces the core Microsoft Tunnel, how it works, and its archite
If you're ready to deploy the Microsoft Tunnel, see [Prerequisites for the Microsoft Tunnel](./prerequisites.md), and then [Configure the Microsoft Tunnel](./install.md).
-After you deploy Microsoft Tunnel, you can choose to add [Microsoft Tunnel for Mobile Application Management](./mam.md) (Tunnel for MAM). Tunnel for MAM extends the Microsoft Tunnel VPN gateway to support devices that run Android or iOS, and that aren't enrolled with Microsoft Intune. Tunnel for MAM is available when you add *Microsoft Intune Plan 2* or *Microsoft Intune Suite* as an [add-on license](../../fundamentals/add-ons.md) to your Tenant.
+After you deploy Microsoft Tunnel, you can choose to add [Microsoft Tunnel for Mobile Application Management](./mam.md) (Tunnel for MAM). Tunnel for MAM extends the Microsoft Tunnel VPN gateway to support devices that run Android or iOS, and that aren't enrolled with Microsoft Intune. Tunnel for MAM is is a [Microsoft Intune advanced capability](../../fundamentals/advanced-capabilities.md) that requires additional licensing beyond Microsoft Intune.
> [!NOTE]
>
@@ -38,7 +38,7 @@ Microsoft Tunnel Gateway installs onto a container that runs on a Linux server.
- A friendly name for the VPN connection that is visible to your end users.
- The site that the VPN client connects to.
- Per-app VPN configurations that define which apps the VPN profile is used for, and if it's always-on or not. When always-on, the VPN automatically connects and is used only for the apps you define. If no apps are defined, the always-on connection provides tunnel access for all network traffic from the device.
-- For iOS devices that have Microsoft Defender configured to support per-app VPNs and *TunnelOnly* mode set to *True*, users don’t need to open or sign-in to Microsoft Defender on their device for the Tunnel to be used. Instead, with the user signed-in to the Company Portal on the device or to any other app that uses multifactor authentication that has a valid token for access, the Tunnel per-app VPN is used automatically. *TunnelOnly* mode is supported for iOS/iPadOS, and disables the Defender functionality, leaving only the Tunnel capabilities.
+- For iOS devices that have Microsoft Defender configured to support per-app VPNs and *TunnelOnly* mode set to *True*, users don't need to open or sign-in to Microsoft Defender on their device for the Tunnel to be used. Instead, with the user signed-in to the Company Portal on the device or to any other app that uses multifactor authentication that has a valid token for access, the Tunnel per-app VPN is used automatically. *TunnelOnly* mode is supported for iOS/iPadOS, and disables the Defender functionality, leaving only the Tunnel capabilities.
- Manual connections to the tunnel when a user launches the VPN and selects *Connect*.
- On-demand VPN rules that allow use of the VPN when conditions are met for specific FQDNs or IP addresses. *(iOS/iPadOS)*
- Proxy support. *(iOS/iPadOS, Android 11+)*
@@ -46,11 +46,11 @@ Microsoft Tunnel Gateway installs onto a container that runs on a Linux server.
When a device is identified as rooted, the client immediately marks the device's risk category as *High*, drops active Tunnel connections, and continues to block access until the device is determined to be compliant. The device user receives a notification about this status from the Defender client.
- This capability doesn’t replace the use of Intune compliance policies for Android to manage the settings for *Rooted devices*, *Play Integrity Verdict*, and *Require the device to be at or under the Device Threat Level*. Use of Intune compliance policies to manage keys settings for Android supports the Microsoft Zero Trust security model for Android Enterprise [personally owned](../security-configurations/android-personally-owned.md#personally-owned-work-profile-enhanced-security-level-2) and [fully managed](../security-configurations/android-fully-managed.md#fully-managed-basic-security-level-1) devices.
+ This capability doesn't replace the use of Intune compliance policies for Android to manage the settings for *Rooted devices*, *Play Integrity Verdict*, and *Require the device to be at or under the Device Threat Level*. Use of Intune compliance policies to manage keys settings for Android supports the Microsoft Zero Trust security model for Android Enterprise [personally owned](../security-configurations/android-personally-owned.md#personally-owned-work-profile-enhanced-security-level-2) and [fully managed](../security-configurations/android-fully-managed.md#fully-managed-basic-security-level-1) devices.
### Setup Overview
-Through the Microsoft Intune admin center, you’ll:
+Through the Microsoft Intune admin center, you'll:
- Download the Microsoft Tunnel installation script that you run on the Linux servers.
- Configure aspects of Microsoft Tunnel Gateway like IP addresses, DNS servers, and ports.
@@ -61,9 +61,9 @@ Through the Defender app, iOS/iPadOS and Android Enterprise devices:
- Use Microsoft Entra ID to authenticate to the tunnel.
- Use Active Directory Federation Services (AD FS) to authenticate to the tunnel.
-- Are evaluated against your Conditional Access policies. If the device isn’t compliant, then it can't access your VPN server or your on-premises network.
+- Are evaluated against your Conditional Access policies. If the device isn't compliant, then it can't access your VPN server or your on-premises network.
-You can install multiple Linux servers to support Microsoft Tunnel, and combine servers into logical groups called *Sites*. Each server can join a single Site. When you configure a Site, you’re defining a connection point for devices to use when they access the tunnel. Sites require a *Server configuration* that you define and assign to the Site. The Server configuration is applied to each server you add to that Site, simplifying the configuration of more servers.
+You can install multiple Linux servers to support Microsoft Tunnel, and combine servers into logical groups called *Sites*. Each server can join a single Site. When you configure a Site, you're defining a connection point for devices to use when they access the tunnel. Sites require a *Server configuration* that you define and assign to the Site. The Server configuration is applied to each server you add to that Site, simplifying the configuration of more servers.
To direct devices to use the tunnel, you create and deploy a VPN policy for Microsoft Tunnel. This policy is a device configuration VPN profile that uses Microsoft Tunnel for its connection type.
@@ -80,7 +80,7 @@ Site configuration includes:
- A public IP address or FQDN, which is the connection point for devices that use the tunnel. This address can be for an individual server or the IP or FQDN of a load-balancing server.
- The Server configuration that is applied to each server in the Site.
-You assign a server to a Site at the time you install the tunnel software on the Linux server. The installation uses a script that you can download from within the admin center. After starting the script, you’ll be prompted to configure its operation for your environment, which includes specifying the Site the server will join.
+You assign a server to a Site at the time you install the tunnel software on the Linux server. The installation uses a script that you can download from within the admin center. After starting the script, you'll be prompted to configure its operation for your environment, which includes specifying the Site the server will join.
To use the Microsoft Tunnel, devices must install the Microsoft Defender app. You get the applicable app from the iOS/iPadOS or Android app stores and deploy it to users.
diff --git a/intune/device-security/microsoft-tunnel/prerequisites.md b/intune/device-security/microsoft-tunnel/prerequisites.md
index c9cc1fcdc9d..81303aa4a42 100644
--- a/intune/device-security/microsoft-tunnel/prerequisites.md
+++ b/intune/device-security/microsoft-tunnel/prerequisites.md
@@ -16,10 +16,11 @@ Before you can install the Microsoft Tunnel VPN gateway for Microsoft Intune, re
At a high level, the Microsoft Tunnel requires:
- An Azure subscription.
-
- A *Microsoft Intune Plan 1* subscription.
+
> [!NOTE]
- > This prerequisite is for *Microsoft Tunnel*, and does not include [Microsoft Tunnel for Mobile Application Management](./mam.md), which is an [Intune add-on](../../fundamentals/add-ons.md) that requires a *Microsoft Intune Plan 2* subscription.
+ > This prerequisite is for *Microsoft Tunnel*, and does not include [Microsoft Tunnel for Mobile Application Management](./mam.md), which is a [Microsoft Intune advanced capability](../../fundamentals/advanced-capabilities.md) that requires that requires additional licensing beyond Microsoft Intune.
+
- To complete setup of Microsoft Tunnel, the account you'll use to register Tunnel Gateway with Microsoft Intune and your Intune tenant must be assigned the Microsoft Entra ID role of *Intune Administrator* and be assigned an Intune license.
diff --git a/intune/device-security/overview.md b/intune/device-security/overview.md
index 1be4541f058..4f5708fbb5e 100644
--- a/intune/device-security/overview.md
+++ b/intune/device-security/overview.md
@@ -179,8 +179,8 @@ Conditional Access works across managed and unmanaged devices, helping create an
- Applications are validated using file hashes, certificates, or other criteria.
- Common elevated scenarios: application installations, driver updates, Windows diagnostics.
-> [!TIP]
-> EPM is available as an [Intune add-on](../fundamentals/add-ons.md) for Windows devices and requires an additional license.
+> [!NOTE]
+> EPM is a [Microsoft Intune advanced capability](../fundamentals/advanced-capabilities.md) for Windows devices and requires additional licensing beyond Microsoft Intune.
## Next steps
diff --git a/intune/device-security/ref-zero-trust-security.md b/intune/device-security/ref-zero-trust-security.md
index 0172ea8617c..50a6d7d7ada 100644
--- a/intune/device-security/ref-zero-trust-security.md
+++ b/intune/device-security/ref-zero-trust-security.md
@@ -54,7 +54,7 @@ Ensure tenant-level governance, identity, and configuration consistency.
For license details, see:
-- [Microsoft Intune licensing](../fundamentals/licensing/index.md)
+- [Microsoft Intune licensing](../fundamentals/licensing.md)
- [Microsoft Entra licensing](/entra/fundamentals/licensing)
- [Overview of Microsoft Defender for Endpoint Plan 1](/defender-endpoint/defender-endpoint-plan-1)
@@ -83,7 +83,7 @@ Secure endpoints through device configuration and security policies.
For license details, see:
-- [Microsoft Intune licensing](../fundamentals/licensing/index.md)
+- [Microsoft Intune licensing](../fundamentals/licensing.md)
- [Overview of Microsoft Defender for Endpoint Plan 1](/defender-endpoint/defender-endpoint-plan-1)
## Secure Data
@@ -102,7 +102,7 @@ Protect data on devices and in transit, and enforce secure access to organizatio
For license details, see:
-- [Microsoft Intune licensing](../fundamentals/licensing/index.md)
+- [Microsoft Intune licensing](../fundamentals/licensing.md)
- [Microsoft Entra licensing](/entra/fundamentals/licensing)
## Related content
diff --git a/intune/device-security/security-baselines/configure-baselines.md b/intune/device-security/security-baselines/configure-baselines.md
index 5d8ce7423ab..2496b533329 100644
--- a/intune/device-security/security-baselines/configure-baselines.md
+++ b/intune/device-security/security-baselines/configure-baselines.md
@@ -49,7 +49,7 @@ Find out what you need to manage Intune security baselines.
### Licensing
-- Use of Intune to deploy security baselines requires a Microsoft Intune Plan 1 subscription. See [Microsoft Intune licensing](../../fundamentals/licensing/index.md).
+- Use of Intune to deploy security baselines requires a Microsoft Intune Plan 1 subscription. See [Microsoft Intune licensing](../../fundamentals/licensing.md).
> [!TIP]
>
diff --git a/intune/device-updates/android/manage-fota.md b/intune/device-updates/android/manage-fota.md
index 630976f3655..e27a92b1661 100644
--- a/intune/device-updates/android/manage-fota.md
+++ b/intune/device-updates/android/manage-fota.md
@@ -1,43 +1,82 @@
---
-title: Android FOTA Updates
+title: Manage Android FOTA updates with Microsoft Intune
description: Use Microsoft Intune to manage firmware updates on Android devices. A FOTA update can include software and security patches, feature updates, and other changes to the device's firmware.
-ms.date: 04/09/2025
+ms.date: 05/12/2026
ms.topic: how-to
ms.reviewer: jieyan
ms.subservice: suite
---
-# Android FOTA Updates
-You can use Microsoft Intune to manage software updates on the following Android Enterprise devices:
+# Manage Firmware Over-the-Air updates on Android
-- Fully Managed
-- Dedicated
-- Corporate-Owned Work Profile devices
+Firmware Over-the-Air (FOTA) updates let you remotely update device firmware over a wireless connection. A FOTA update can include software and security patches, feature updates, and other changes to the device's firmware. This method is more efficient, convenient, and more secure than manual updates and can be performed on a scheduled or on-demand basis.
-You have two ways to manage software updates on android:
+In the context of FOTA, a *deployment* is an update policy that includes instructions about the firmware update to be deployed to devices and other update-related settings. For example, Schedule type, and charging requirements.
+
+## Prerequisites
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [platform](../../includes/requirements/platform.md)]
+
+:::column-end:::
+:::column span="3":::
+
+> FOTA updates are supported on Android Enterprise devices enrolled in Intune. This includes the following enrollment types:
+> - Android Enterprise corporate-owned dedicated (COSU)
+> - Android Enterprise corporate-owned fully managed (COBO)
+> - Android Enterprise corporate-owned work profile (COPE)
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [licensing](../../includes/requirements/licensing.md)]
+
+:::column-end:::
+:::column span="3":::
+
+>[!INCLUDE [additional-licensing-plan2](../../includes/licensing/additional-licensing-plan2.md)]
+:::column-end:::
+:::row-end:::
+
+## Manage FOTA updates
+
+You have two ways to manage software updates:
- Use Firmware Over-the-Air (FOTA), which works for some OEMs.
> [!NOTE]
- > This feature requires a Microsoft Intune Plan 2 or Microsoft Intune Suite license. See [Intune add-ons and licensing](../../fundamentals/add-ons.md) for details.
- >
> If Zebra updated the available firmware list in the last 24 hours, then the list of firmware available might take up to 24 hours to populate.
- If FOTA isn't available you can use Device restrictions profiles, which work for all OEMs.
- 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
- 2. Navigate to **Devices** > **By platform** > **Android** > **Manage devices** > **Configuration** > **Create** > **New policy** > **Fully Managed, Dedicated, and Corporate-Owned Work Profile** > **Device restrictions**.
- 3. Device restrictions profiles offer control over how the device handles over-the-air updates and allow you to set a freeze period for these updates.
- > [!NOTE]
- > Not all device manufacturers support over-the-air updates. For more information about device restriction settings, see [Corporate-owned Android Enterprise device restrictions](../../device-configuration/templates/ref-device-restrictions-android-enterprise.md).
+### FOTA update management for specific OEMs
+
+Manufacturer-specific FOTA support might offer more controls beyond what device restrictions profiles offer.
-Firmware Over-the-Air (FOTA) updates allow remotely updating the firmware of devices using a wireless connection, rather than requiring the devices to be physically connected to a computer or network.
+Intune supports FOTA update management for supported devices from the following manufacturers:
-A FOTA update can include software and security patches, feature updates, and other changes to the device's firmware. This method is more efficient, convenient, and more secure than manual updates and can be performed on a scheduled or on-demand basis.
+- **Zebra**: For Zebra devices, see [LifeGuard Over-the-Air Integration with Microsoft Intune](setup-zebra-lifeguard.md).
+- **Samsung**: For Samsung devices, see [E-FOTA Update Management with Microsoft Intune](https://techcommunity.microsoft.com/t5/intune-customer-success/samsung-e-fota-update-management-with-microsoft-endpoint-manager/ba-p/2002552).
-In the context of FOTA, a deployment is an update policy that includes instructions about the firmware update to be deployed to devices and other update-related settings. For example, Schedule type, and charging requirements.
+### Use device restrictions profiles to manage FOTA updates
-In addition, Microsoft Intune supports FOTA update management for supported devices from the following manufacturers. Manufacturer-specific FOTA support might offer more controls beyond what Device restrictions profiles offer.
+Device restrictions profiles offer control over how the device handles over-the-air updates and allow you to set a freeze period for these updates. A freeze period is a specified time frame during which over-the-air updates are blocked from being installed on the device. This can be useful for organizations that want to prevent updates from being installed during critical business periods or when devices are in use.
-- **Zebra**: For Zebra devices, see [LifeGuard Over-the-Air Integration with Microsoft Intune](setup-zebra-lifeguard.md).
-- **Samsung**: For Samsung devices, see [E-FOTA Update Management with Microsoft Endpoint Manager](https://techcommunity.microsoft.com/t5/intune-customer-success/samsung-e-fota-update-management-with-microsoft-endpoint-manager/ba-p/2002552).
+> [!NOTE]
+> Not all device manufacturers support over-the-air updates.
+
+To manage FOTA updates using device restrictions profiles:
+
+1. In the [Microsoft Intune admin center], select [**Devices**] > **Android**.
+1. Select **Manage devices** > **Configuration** > **Create** > **New policy**
+1. Under **Platform**, select **Android Enterprise**.
+1. Under **Policy type**, select **Templates**.
+1. Under **Fully Managed, Dedicated, and Corporate-Owned Work Profile**, select **Device restrictions** > **Create**.
+1. Configure the system update settings as needed. For more information about these settings, see [Device restrictions for Android Enterprise](../../device-configuration/templates/ref-device-restrictions-android-enterprise.md).
+
+
+
+[Microsoft Intune admin center]: https://go.microsoft.com/fwlink/?linkid=2109431
+[**Devices**]: https://go.microsoft.com/fwlink/?linkid=2109431#view/Microsoft_Intune_DeviceSettings/DevicesMenu/~/overview
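Review bot: The second step in the new procedure has no terminal punctuation while the neighbouring steps do; change it to `1. Select **Manage devices** > **Configuration** > **Create** > **New policy**.` The three blank lines that precede the link-reference definitions at the end of the hunk are also more than the file's usual single blank line and can be reduced to one. Both points are presentation only and do not affect the procedure's accuracy.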
diff --git a/intune/device-updates/android/setup-zebra-lifeguard.md b/intune/device-updates/android/setup-zebra-lifeguard.md
index bec17b499a2..cc3f37d2ce9 100644
--- a/intune/device-updates/android/setup-zebra-lifeguard.md
+++ b/intune/device-updates/android/setup-zebra-lifeguard.md
@@ -6,10 +6,8 @@ ms.topic: how-to
ms.reviewer: jieyan
ms.subservice: suite
---
-# Zebra LifeGuard Over-the-Air Integration with Microsoft Intune
-> [!IMPORTANT]
-> This feature is now generally available.
+# Zebra LifeGuard Over-the-Air Integration with Microsoft Intune
Microsoft Intune supports/provides integration with Zebra LifeGuard Over-the-Air (LG OTA), so that you can have a single area for managing firmware updates for supported Zebra devices. Zebra LifeGuard Over-the-Air (LG OTA) is a service offered by Zebra Technologies that allows deployment of updates to their Android devices in a hands-free and automated manner.
@@ -19,52 +17,89 @@ Intune manages the creation, management, and monitoring of these deployments thr
## Prerequisites
-- Managed Google Play must be configured for your tenant. For setup instructions, see [Set up Managed Google Play](../../device-enrollment/android/connect-managed-google-play.md).
-
-- Administrators must have all the required RBAC (role-based access control) permissions:
-
- - Mobile Apps (to create and deploy app configuration profiles)
- - Android FOTA (to manage firmware OTA updates)
-
-- A Microsoft Intune Plan 2 or Microsoft Intune Suite license is required. For details, see [Intune add-ons and licensing](../../fundamentals/add-ons.md).
-
-- Access to all appropriate Zebra licenses, and entitlements to use the LG OTA service. For more information, contact Zebra support or see the [Zebra LifeGuard FAQ](https://techdocs.zebra.com/lifeguard/faq/).
-- For information about services ports and endpoints used by Zebra OTA updates, refer to [Zebra Lifeguard Over the Air FOTA Updates Ports](https://supportcommunity.zebra.com/s/article/000022419?language=en_US).
-- For more information about which Zebra devices work with the service based on the platform, see [Zebra LifeGuard device requirements](https://techdocs.zebra.com/lifeguard/update/#devicerequirements).
-
-## Government cloud support
-
-Zebra LifeGuard Over-the-Air updates are supported with the following sovereign cloud environments:
-
-- U.S. Government Community Cloud (GCC) High
-- U.S. Department of Defense (DoD)
-
-For more information, see [Microsoft Intune for US Government GCC service description](../../fundamentals/government-service.md).
-
-## Supported Devices
-
-LG OTA is supported on the following devices:
-
-- [Android Enterprise dedicated devices](../../device-enrollment/android/guide.md#android-enterprise-dedicated-devices)
-- [Android Enterprise fully managed devices](../../device-enrollment/android/guide.md#android-enterprise-fully-managed)
-
-For more specific information on supported devices, see [Zebra LifeGuard device requirements](https://techdocs.zebra.com/lifeguard/update/#devicerequirements).
-
-The following aren't supported in public preview:
-
-- Graph assignment with inclusions/exclusions
-
+:::row:::
+:::column span="1":::
+[!INCLUDE [platform](../../includes/requirements/platform.md)]
+
+:::column-end:::
+:::column span="3":::
+> FOTA updates are supported on Android Enterprise devices enrolled in Intune. This includes the following enrollment types:
+> - Android Enterprise corporate-owned dedicated (COSU)
+> - Android Enterprise corporate-owned fully managed (COBO)
+>
+> For information about which Zebra devices work with the service based on the platform, see [Zebra LifeGuard device requirements](https://techdocs.zebra.com/lifeguard/update/#devicerequirements).
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [network-connectivity](../../includes/requirements/network-connectivity.md)]
+
+:::column-end:::
+:::column span="3":::
+> For information about services ports and endpoints used by Zebra OTA updates, refer to [Zebra Lifeguard Over the Air FOTA Updates Ports](https://supportcommunity.zebra.com/s/article/000022419).
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [licensing](../../includes/requirements/licensing.md)]
+
+:::column-end:::
+:::column span="3":::
+
+>You must have access to all appropriate Zebra licenses and entitlements to use the LG OTA service. For more information, contact Zebra support or see the [Zebra LifeGuard FAQ](https://techdocs.zebra.com/lifeguard/faq/).
+>
+>[!INCLUDE [additional-licensing-plan2](../../includes/licensing/additional-licensing-plan2.md)]
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [rbac](../../includes/requirements/rbac.md)]
+
+:::column-end:::
+:::column span="3":::
+>Administrators must have all the required RBAC (role-based access control) permissions:
+> - Mobile Apps (to create and deploy app configuration profiles)
+> - Android FOTA (to manage firmware OTA updates)
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [tenant-configuration](../../includes/requirements/tenant-configuration.md)]
+
+:::column-end:::
+:::column span="3":::
+> Managed Google Play must be configured for your tenant. For setup instructions, see [Set up Managed Google Play](../../device-enrollment/android/connect-managed-google-play.md).
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [cloud](../../includes/requirements/cloud.md)]
+
+:::column-end:::
+:::column span="3":::
+> Zebra LifeGuard Over-the-Air updates are supported in the following cloud environments:
+> - Public cloud
+> - Sovereign cloud environments:
+> - U.S. Government Community Cloud (GCC) High
+> - U.S. Department of Defense (DoD)
+:::column-end:::
+:::row-end:::
## Process overview
The process for using LG OTA via Intune is as follows:
1. [Set up Zebra connector](#step-1-set-up-zebra-connector).
-2. [Enroll devices with Zebra LG OTA service](#step-2-enroll-devices-with-zebra-lg-ota-service).
- 3. [Approve and deploy required apps for your tenant](#2a-approve-and-deploy-required-apps-for-your-tenant).
- 4. [Create app configuration policy](#2b-create-app-configuration-policy).
-5. [Create and assign deployments in Intune](#step-3-create-and-assign-deployments).
-6. [View and manage deployments](#step-4-view-and-manage-deployments).
+1. [Enroll devices with Zebra LG OTA service](#step-2-enroll-devices-with-zebra-lg-ota-service).
+ - [Approve and deploy required apps for your tenant](#2a-approve-and-deploy-required-apps-for-your-tenant).
+ - [Create app configuration policy](#2b-create-app-configuration-policy).
+1. [Create and assign deployments in Intune](#step-3-create-and-assign-deployments).
+1. [View and manage deployments](#step-4-view-and-manage-deployments).
## Before you start
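Review bot: The old prerequisites stated that Graph assignment with inclusions/exclusions was not supported, and the new prerequisites block drops that statement without a replacement. If that limitation still applies it should be restated, for example as a bullet under the platform row: `> Graph assignment with inclusions/exclusions isn't supported.`; if it was removed because the feature is now generally available and the limitation no longer holds, a short line in the commit description saying so would make the intent clear. The rest of the restructuring keeps the original facts (licensing, RBAC roles, Managed Google Play, GCC High and DoD) and reads consistently with the manage-fota.md prerequisites in the same commit.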
diff --git a/intune/device-updates/apple/index.md b/intune/device-updates/apple/index.md
index b62a4d49756..726b8cba84e 100644
--- a/intune/device-updates/apple/index.md
+++ b/intune/device-updates/apple/index.md
@@ -72,9 +72,6 @@ When designing your Apple device update strategy, align with your organization's
| **Declarative Device Management** > **Software Update Enforce Latest** | **Delay in Days**
Specify the number of days that should pass before a deadline is enforced. This delay is based on either the posting date of the new update when released by Apple, or when the policy is configured. The delay only determines the target enforcement date and not the date that the update is offered to users.|
| **Declarative Device Management** > **Software Update Enforce Latest** | **Install Time**
Specify the local device time for when updates are enforced. The Install Time setting is configured using the 24-hour clock format where midnight is `00:00` and 11:59pm is `23:59`. Ensure that you include the leading 0 on single digit hours. For example, `01:00`, `02:00`, `03:00`.|
- > [!NOTE]
- > Once an update enforcement is assigned, the update may install before the deadline if the device is idle or automatic update actions are configured to Always On.
-
1. [Assign the policy](../../device-configuration/assign-device-profile.md) to a group to target users or devices.
# [**Targeted version**](#tab/manual-updates)
@@ -92,6 +89,9 @@ When designing your Apple device update strategy, align with your organization's
---
+> [!NOTE]
+> When an update enforcement is assigned, the device ignores software update settings, including automatic update actions. The update may install before the deadline if the device is idle.
+
For more information about configuring Software Update policies and the available settings, see [Software Update](../../device-configuration/settings-catalog/ref-apple-settings.md#software-update).
## Software Update Settings
diff --git a/intune/device-updates/windows/includes/prerequisites-licensing.md b/intune/device-updates/windows/includes/prerequisites-licensing.md
index dc6f91af0f5..7f94f5f3293 100644
--- a/intune/device-updates/windows/includes/prerequisites-licensing.md
+++ b/intune/device-updates/windows/includes/prerequisites-licensing.md
@@ -12,7 +12,7 @@ ms.date: 01/08/2026
:::column-end:::
:::column span="3":::
> To use this feature, the following licenses are required:
-> - [Microsoft Intune Plan 1](../../../fundamentals/licensing/index.md)
+> - [Microsoft Intune Plan 1](../../../fundamentals/licensing.md)
> - A Windows license that includes the [Autopatch entitlement](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites#licenses-and-entitlements).
:::column-end:::
:::row-end:::
diff --git a/intune/device-updates/windows/manage-update-rings.md b/intune/device-updates/windows/manage-update-rings.md
index 17bfbf47043..9936b016ea4 100644
--- a/intune/device-updates/windows/manage-update-rings.md
+++ b/intune/device-updates/windows/manage-update-rings.md
@@ -25,7 +25,7 @@ In Microsoft Intune, update rings are configured through **update ring policies*
:::column-end:::
:::column span="3":::
-> - [Microsoft Intune Plan 1](../../fundamentals/licensing/index.md)
+> - [Microsoft Intune Plan 1](../../fundamentals/licensing.md)
:::column-end:::
:::row-end:::
diff --git a/intune/docfx.json b/intune/docfx.json
index 9a25b780a2b..a710fc247e7 100644
--- a/intune/docfx.json
+++ b/intune/docfx.json
@@ -138,7 +138,6 @@
"epm/**/*": "brenduns",
"fundamentals/certificates/**/*": "paolomatarazzo",
"fundamentals/filters/**/*": "mandiohlinger",
- "fundamentals/licensing/**/*": "paolomatarazzo",
"fundamentals/role-based-access-control/**/*": "brenduns",
"privacy/**/*": "paolomatarazzo",
"remote-help/**/*": "lenewsad",
@@ -171,7 +170,6 @@
"epm/**/*": "brenduns",
"fundamentals/certificates/**/*": "paoloma",
"fundamentals/filters/**/*": "mandia",
- "fundamentals/licensing/**/*": "paoloma",
"fundamentals/role-based-access-control/**/*": "brenduns",
"privacy/**/*": "paoloma",
"remote-help/**/*": "lanewsad",
diff --git a/intune/endpoint-analytics/index.md b/intune/endpoint-analytics/index.md
index ce40554bc3b..066eaba46c8 100644
--- a/intune/endpoint-analytics/index.md
+++ b/intune/endpoint-analytics/index.md
@@ -27,40 +27,32 @@ The service integrates with Microsoft Intune, enabling IT pros to:
Endpoint analytics organizes insights into reports that highlight performance and reliability issues across managed devices. These reports help IT teams identify trends, diagnose problems, and implement improvements to enhance the overall user experience. Endpoint analytics includes the following reports:
:::row:::
- :::column:::
-#### :::image type="icon" source="../media/icons/24/report.svg" border="false"::: Startup performance
+:::column:::
+> [!div class="nextstepaction"]
+> [Startup performance report](startup-performance.md)
> Identifies devices with slow boot times and factors that delay startup.
->
-> > [!div class="nextstepaction"]
-> > [Learn more](startup-performance.md)
:::column-end:::
:::column:::
-#### :::image type="icon" source="../media/icons/24/report.svg" border="false"::: Application reliability
+> [!div class="nextstepaction"]
+> [Application reliability report](app-reliability.md)
> Monitors app crashes and stability trends to improve user experience.
->
-> > [!div class="nextstepaction"]
-> > [Learn more](app-reliability.md)
:::column-end:::
:::row-end:::
:::row:::
:::column:::
-#### :::image type="icon" source="../media/icons/24/report.svg" border="false"::: Work from anywhere
+> [!div class="nextstepaction"]
+> [Work from anywhere report](work-from-anywhere.md)
> Evaluates device readiness for secure and efficient remote work.
->
-> > [!div class="nextstepaction"]
-> > [Learn more](work-from-anywhere.md)
:::column-end:::
:::column:::
-#### :::image type="icon" source="../media/icons/24/query.svg" border="false"::: Advanced Analytics
+> [!div class="nextstepaction"]
+> [Advanced Analytics](../advanced-analytics/index.md)
> Provides deeper insights and extended reporting capabilities (**requires additional licensing**).
->
-> > [!div class="nextstepaction"]
-> > [Learn more](../advanced-analytics/index.md)
:::column-end:::
:::row-end:::
@@ -145,7 +137,7 @@ To use endpoint analytics, ensure your environment meets the following prerequis
:::column span="3":::
::: zone pivot="intune"
-> Devices enrolled in endpoint analytics need a valid license for the use of Microsoft Intune. For more information, see [Microsoft Intune licensing](../fundamentals/licensing/index.md).
+> Devices enrolled in endpoint analytics need a valid license for the use of Microsoft Intune. For more information, see [Microsoft Intune licensing](../fundamentals/licensing.md).
::: zone-end
diff --git a/intune/endpoint-analytics/toc.yml b/intune/endpoint-analytics/toc.yml
index 93b96da801c..1bbc67936a3 100644
--- a/intune/endpoint-analytics/toc.yml
+++ b/intune/endpoint-analytics/toc.yml
@@ -1,33 +1,33 @@
items:
-- name: Endpoint analytics overview
+- name: Overview
href: index.md
displayName: endpoint analytics
- name: Configure the service
href: configure.md
- displayName: endpoint analytics
+ displayName: endpoint analytics, setup, prerequisites, enable, onboard
- name: Scores, baselines, and insights
href: scores.md
- displayName: endpoint analytics
-- name: Endpoint analytics reports
+ displayName: endpoint analytics, scores, baselines, benchmarks, insights
+- name: Reports
items:
- name: Startup performance
href: startup-performance.md
- displayName: endpoint analytics report
+ displayName: endpoint analytics report, boot time, login, sign-in, slow startup
- name: Application reliability
href: app-reliability.md
- displayName: endpoint analytics report
+ displayName: endpoint analytics report, app crashes, hangs, freezes
- name: Work from anywhere
href: work-from-anywhere.md
- displayName: endpoint analytics report
-- name: Endpoint analytics in Microsoft Adoption Score
+ displayName: endpoint analytics report, remote work, cloud identity, cloud management
+- name: Adoption Score integration
href: adoption-score.md
- displayName: endpoint analytics
+ displayName: endpoint analytics, Microsoft Adoption Score, productivity score
- name: Data collection
href: ref-data-collection.md
- displayName: endpoint analytics
+ displayName: endpoint analytics, telemetry, data, privacy
- name: Troubleshooting
href: troubleshoot.md
- displayName: endpoint analytics
+ displayName: endpoint analytics, troubleshoot, errors, issues
- name: Support options
href: support.md
- displayName: endpoint analytics
+ displayName: endpoint analytics, support, contact, help
diff --git a/intune/epm/create-elevation-rules.md b/intune/epm/create-elevation-rules.md
index 00dbdd9d1a0..e9560357477 100644
--- a/intune/epm/create-elevation-rules.md
+++ b/intune/epm/create-elevation-rules.md
@@ -13,10 +13,6 @@ ms.collection:
# Creating elevation rules with Endpoint Privilege Management
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-[!INCLUDE [intune-epm-overview](./includes/intune-epm-overview.md)]
-
Elevation rules policies allow Endpoint Privilege Management (EPM) to identify specific files and scripts and perform the associated elevation action. For elevation rules to take effect, devices must have an *elevation settings policy* targeted that enables EPM. For more information, see [EPM elevation settings](./manage-elevation-settings.md).
> [!NOTE]
diff --git a/intune/epm/deploy.md b/intune/epm/deploy.md
index 0e172502e1a..03b5e1b51be 100644
--- a/intune/epm/deploy.md
+++ b/intune/epm/deploy.md
@@ -13,10 +13,6 @@ ms.collection:
# Deploy Endpoint Privilege Management with Microsoft Intune
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-[!INCLUDE [intune-epm-overview](./includes/intune-epm-overview.md)]
-
To deploy Endpoint Privilege Management (EPM), start by enabling reporting, then use reports to create rules for elevation. This article describes some common deployment scenarios and outlines the recommended deployment phases for your organization.
- [Windows elevation settings policy](./manage-elevation-settings.md).
diff --git a/intune/epm/deployment-planning.md b/intune/epm/deployment-planning.md
index 4bb5a95fa04..cae49257372 100644
--- a/intune/epm/deployment-planning.md
+++ b/intune/epm/deployment-planning.md
@@ -13,10 +13,6 @@ ms.collection:
# Plan and Prepare for Endpoint Privilege Management Deployment
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-[!INCLUDE [intune-epm-overview](./includes/intune-epm-overview.md)]
-
This article covers the information required to plan for Endpoint Privilege Management (EPM) deployment including requirements, important concepts, security recommendations, and role based access control.
## Planning Checklist
@@ -35,51 +31,78 @@ This article covers the information required to plan for Endpoint Privilege Mana
## Prerequisites
-✅ Find out what you need for EPM
-
-### Licensing
-
-Endpoint Privilege Management requires an add-on license beyond the *Microsoft Intune Plan 1* license. You can choose between a stand-alone license that adds only EPM, or license EPM as part of the Microsoft Intune Suite. For more information, see [Use Intune Suite add-on capabilities](../fundamentals/add-ons.md).
-
-### Requirements
+:::row:::
+:::column span="1":::
+[!INCLUDE [licensing](../includes/requirements/licensing.md)]
-Endpoint Privilege Management has the following requirements:
+:::column-end:::
+:::column span="3":::
-- Microsoft Entra joined *or* Microsoft Entra hybrid joined
-- Microsoft Intune Enrollment *or* Microsoft Configuration Manager [co-managed](../configmgr/comanage/overview.md) devices (no workload requirements)
-- Supported Operating System
-- Clear line of sight (without SSL-Inspection) to the [required endpoints](../fundamentals/endpoints.md#microsoft-intune-endpoint-privilege-management)
+>[!INCLUDE [additional-licensing](../includes/licensing/additional-licensing.md)]
+:::column-end:::
+:::row-end:::
+:::row:::
+:::column span="1":::
+[!INCLUDE [platform](../includes/requirements/platform.md)]
-Endpoint Privilege Management supports the following operating systems:
+:::column-end:::
+:::column span="3":::
-- Windows 11, version 24H2
-- Windows 11, version 23H2 (22631.2506 or later) with [KB5031455](https://support.microsoft.com/topic/october-31-2023-kb5031455-os-builds-22621-2506-and-22631-2506-preview-6513c5ec-c5a2-4aaf-97f5-44c13d29e0d4)
-- Windows 11, version 22H2 (22621.2215 or later) with [KB5029351](https://support.microsoft.com/topic/august-22-2023-kb5029351-os-build-22621-2215-preview-9af25662-083a-43f5-b3a7-975fe25cc692)
-- Windows 11, version 21H2 (22000.2713 or later) with [KB5034121](https://support.microsoft.com/topic/january-9-2024-kb5034121-os-build-22000-2713-f5847e32-0b71-4151-8190-54d3e36386f0)
-- Windows 10, version 22H2 (19045.3393 or later) with [KB5030211](https://support.microsoft.com/topic/september-12-2023-kb5030211-os-builds-19044-3448-and-19045-3448-c0dee353-f025-4f03-bcc1-336f74fb992c)
-- Windows 10, version 21H2 (19044.3393 or later) with [KB5030211](https://support.microsoft.com/topic/september-12-2023-kb5030211-os-builds-19044-3448-and-19045-3448-c0dee353-f025-4f03-bcc1-336f74fb992c)
-
-Endpoint Privilege Management supports the following virtual platforms:
+>Endpoint Privilege Management supports the following operating systems:
+>
+>- Windows 11, version 24H2
+>- Windows 11, version 23H2 (22631.2506 or later) with [KB5031455](https://support.microsoft.com/topic/october-31-2023-kb5031455-os-builds-22621-2506-and-22631-2506-preview-6513c5ec-c5a2-4aaf-97f5-44c13d29e0d4)
+>- Windows 11, version 22H2 (22621.2215 or later) with [KB5029351](https://support.microsoft.com/topic/august-22-2023-kb5029351-os-build-22621-2215-preview-9af25662-083a-43f5-b3a7-975fe25cc692)
+>- Windows 11, version 21H2 (22000.2713 or later) with [KB5034121](https://support.microsoft.com/topic/january-9-2024-kb5034121-os-build-22000-2713-f5847e32-0b71-4151-8190-54d3e36386f0)
+>- Windows 10, version 22H2 (19045.3393 or later) with [KB5030211](https://support.microsoft.com/topic/september-12-2023-kb5030211-os-builds-19044-3448-and-19045-3448-c0dee353-f025-4f03-bcc1-336f74fb992c)
+>- Windows 10, version 21H2 (19044.3393 or later) with [KB5030211](https://support.microsoft.com/topic/september-12-2023-kb5030211-os-builds-19044-3448-and-19045-3448-c0dee353-f025-4f03-bcc1-336f74fb992c)
+>
+>Endpoint Privilege Management supports the following virtual platforms:
+>
+>- Azure Virtual Desktop (AVD) single-session virtual machines (VMs)
+>- Windows 365
+>
+>> [!IMPORTANT]
+>> [!INCLUDE [windows-10-support](../includes/windows-10-support.md)]
+>
+>> [!IMPORTANT]
+>>
+>> - Elevation settings policies report as 'not applicable' for devices that don't run a supported operating system version.
+>> - Endpoint Privilege Management is only compatible with 64-bit Operating System Architectures, including Arm64.
-- Azure Virtual Desktop (AVD) single-session virtual machines (VMs)
-- Windows 365
+:::column-end:::
+:::row-end:::
-> [!IMPORTANT]
-> [!INCLUDE [windows-10-support](../includes/windows-10-support.md)]
+:::row:::
+:::column span="1":::
+[!INCLUDE [device-configuration](../includes/requirements/device-configuration.md)]
+:::column-end:::
+:::column span="3":::
-> [!IMPORTANT]
+>To use Endpoint Privilege Management, devices must be:
>
-> - Elevation settings policies report as 'not applicable' for devices that don't run a supported operating system version.
-> - Endpoint Privilege Management is only compatible with 64-bit Operating System Architectures, including Arm64.
-
-### Government cloud support
-
-Endpoint Privilege Management is supported with the following sovereign cloud environments:
-
-- U.S. Government Community Cloud (GCC) High
-- U.S. Department of Defense (DoD)
+>- Microsoft Entra joined *or* Microsoft Entra hybrid joined
+>- Enrolled in Intune *or* Microsoft Configuration Manager [co-managed](../configmgr/comanage/overview.md) (no workload requirements)
+>
+>Devices must also have clear line of sight (without SSL-Inspection) to the [required endpoints](../fundamentals/endpoints.md#microsoft-intune-endpoint-privilege-management) for Endpoint Privilege Management.
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [cloud](../includes/requirements/cloud.md)]
+
+:::column-end:::
+:::column span="3":::
+> Specialty device management is supported in the following cloud environments:
+> - Public cloud
+> - Sovereign cloud environments:
+> - U.S. Government Community Cloud (GCC) High
+> - U.S. Department of Defense (DoD)
+:::column-end:::
+:::row-end:::
For more information, see [Microsoft Intune for US Government GCC service description](../fundamentals/government-service.md).
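Review bot: The cloud-support row added to intune/epm/deployment-planning.md names the wrong product: the line reads `> Specialty device management is supported in the following cloud environments:` although the file and every other row in this hunk describe Endpoint Privilege Management, which looks like a copy-paste from the specialty-devices page. Since the row is the statement administrators will rely on to know whether EPM is available in GCC High and DoD, it should read `> Endpoint Privilege Management is supported in the following cloud environments:`. The trailing "For more information, see ... GCC service description" sentence now sits outside the row/column markup that the rest of the section uses, so it may render detached from the cloud list; moving it inside the last column, or above the row, would keep it with the content it qualifies.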
diff --git a/intune/epm/frequently-asked-questions.md b/intune/epm/frequently-asked-questions.md
index da73e2f7753..2832b940ddd 100644
--- a/intune/epm/frequently-asked-questions.md
+++ b/intune/epm/frequently-asked-questions.md
@@ -13,10 +13,6 @@ ms.collection:
# Frequently asked questions for Endpoint Privilege Management
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-[!INCLUDE [intune-epm-overview](./includes/intune-epm-overview.md)]
-
The following sections of this article discuss frequently asked questions for Endpoint Privilege Management (EPM).
## Frequently asked questions
@@ -30,7 +26,7 @@ Endpoint Privilege Management is supported with the following virtual devices:
### Why is my elevation settings policy showing error/not applicable?
-The elevation settings policy controls the enablement of EPM and the configuration of the client side components. When this policy is in error or shows not applicable, it indicates the device had an issue enabling EPM. The two most common reasons are missing the [required Windows updates](./deployment-planning.md#requirements) or failure to communicate with required [Intune Endpoints for Endpoint Privilege Management](../fundamentals/endpoints.md#microsoft-intune-endpoint-privilege-management).
+The elevation settings policy controls the enablement of EPM and the configuration of the client side components. When this policy is in error or shows not applicable, it indicates the device had an issue enabling EPM. The two most common reasons are missing the [required Windows updates](./deployment-planning.md#prerequisites) or failure to communicate with required [Intune Endpoints for Endpoint Privilege Management](../fundamentals/endpoints.md#microsoft-intune-endpoint-privilege-management).
### What happens when someone with administrative privileges uses a device that is enabled for EPM?
@@ -54,7 +50,7 @@ EPM allows standard users to perform tasks that require elevated privileges with
### Do I need additional licensing for EPM?
-Yes, Endpoint Privilege Management requires specific licensing. For more information, see [Intune add-ons](../fundamentals/add-ons.md).
+Yes, Endpoint Privilege Management requires specific licensing. For more information, see [Microsoft Intune advanced capabilities](../fundamentals/advanced-capabilities.md).
### How does EPM and Windows Defender Application Control (WDAC) differ?
diff --git a/intune/epm/includes/intune-epm-overview.md b/intune/epm/includes/intune-epm-overview.md
deleted file mode 100644
index e14e91eb462..00000000000
--- a/intune/epm/includes/intune-epm-overview.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-ms.topic: include
-ms.date: 09/03/2025
----
-
-With Microsoft Intune **Endpoint Privilege Management (EPM)** your organization's users can run as a standard user (without administrator rights) and complete tasks that require elevated privileges. For more information, see [EPM Overview](../overview.md).
-
-Applies to:
-
-- Windows
diff --git a/intune/epm/manage-elevation-settings.md b/intune/epm/manage-elevation-settings.md
index 0b008c736a2..6ceb23ef90b 100644
--- a/intune/epm/manage-elevation-settings.md
+++ b/intune/epm/manage-elevation-settings.md
@@ -13,8 +13,6 @@ ms.collection:
# Managing elevation settings with Endpoint Privilege Management
-[!INCLUDE [intune-epm-overview](./includes/intune-epm-overview.md)]
-
To configure Endpoint Privilege Management (EPM) on devices, deploy *Windows elevation settings policy* to users or devices:
- Enable or disable EPM on a device.
diff --git a/intune/epm/manage-support-approvals.md b/intune/epm/manage-support-approvals.md
index f1c054b2b54..fd58cb71df4 100644
--- a/intune/epm/manage-support-approvals.md
+++ b/intune/epm/manage-support-approvals.md
@@ -15,10 +15,6 @@ ms.collection:
# Support approved file elevations for Endpoint Privilege Management
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-[!INCLUDE [intune-epm-overview](./includes/intune-epm-overview.md)]
-
This article explains how to use the **support approved** workflow with Endpoint Privilege Management.
Support approved elevations allow you to require approval before an elevation being allowed. You can use the support approved functionality as part of an elevation rule, or as default client behavior. Requests that are submitted require Intune administrators to approve the request on a case-by-case basis.
diff --git a/intune/epm/monitor-reports.md b/intune/epm/monitor-reports.md
index 486b1b9cc0d..662a8aeba02 100644
--- a/intune/epm/monitor-reports.md
+++ b/intune/epm/monitor-reports.md
@@ -13,11 +13,6 @@ ms.collection:
# Reports for Endpoint Privilege Management
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-
-[!INCLUDE [intune-epm-overview](./includes/intune-epm-overview.md)]
-
The information available in Endpoint Privilege Management (EPM) reports depends on the *reporting scope* of a device. The reporting scope for each device is configured as part of a [Windows elevation settings policy](./manage-elevation-settings.md), and different devices can have different reporting scope configurations.
EPM reports are found within the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) at **Endpoint security** > **Endpoint Privilege Management**, and available through the Overview tab and the Reports tab. The [**Overview** tab](#overview-dashboard) is a readiness dashboard for moving admin users to standard users. The [**Reports**](#available-reports) tab presents several report tiles for different aspects of EPM, which also help power the readiness dashboard. EPM report data is retained for 30 days.
diff --git a/intune/epm/overview.md b/intune/epm/overview.md
index 5ccabd74fd0..2eaf3454a46 100644
--- a/intune/epm/overview.md
+++ b/intune/epm/overview.md
@@ -14,8 +14,6 @@ ms.collection:
# Use Endpoint Privilege Management with Microsoft Intune
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
With Microsoft Intune **Endpoint Privilege Management (EPM)** your organization's users can run as a standard user (without administrator rights) and complete tasks that require elevated privileges. Tasks that commonly require administrative privileges are application installs (like Microsoft 365 Applications), updating device drivers, and running certain Windows diagnostics.
Endpoint Privilege Management supports your [Zero Trust](/security/zero-trust/zero-trust-overview) journey by helping your organization achieve a broad user base running with least privilege, while still elevating selected tasks when necessary to remain productive. For more information, see [Zero Trust with Microsoft Intune](../fundamentals/zero-trust.md).
@@ -135,7 +133,7 @@ EPM includes reports to help you prepare for, monitor, and use the service. Repo
Endpoint Privilege Management (EPM) is administered from the [Microsoft Intune Admin Center](https://intune.microsoft.com). When organizations get started with EPM, they use the following high-level process:
- **License EPM and Plan**
- - **License EPM** - Before you can use Endpoint Privilege Management policies, you must license EPM in your tenant as an Intune add-on. For licensing information, see [Use Intune Suite add-on capabilities](../fundamentals/add-ons.md).
+ - **License EPM** - Before you can use Endpoint Privilege Management policies, you must license EPM in your tenant. For licensing information, see [Microsoft Intune advanced capabilities](../fundamentals/advanced-capabilities.md).
- **Plan for EPM** - Before you start using EPM, there are some key requirements and concepts you should consider. For more information, see [Plan for EPM](./deployment-planning.md).
- **Deploy EPM** - To deploy EPM, enable auditing, create rules, and monitor the deployment. For more information, see [Deploy EPM](./deploy.md).
diff --git a/intune/epm/ref-data-collection.md b/intune/epm/ref-data-collection.md
index 87702ebe9c2..ddf32ce2118 100644
--- a/intune/epm/ref-data-collection.md
+++ b/intune/epm/ref-data-collection.md
@@ -13,10 +13,6 @@ ms.collection:
# Data collection and privacy for Endpoint Privilege Management
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-[!INCLUDE [intune-epm-overview](./includes/intune-epm-overview.md)]
-
This article provides information about the data that EPM can collect from devices.
## Overview of data collection
diff --git a/intune/epm/troubleshoot-known-issues.md b/intune/epm/troubleshoot-known-issues.md
index 4d5c038f652..4b2e9e26ebd 100644
--- a/intune/epm/troubleshoot-known-issues.md
+++ b/intune/epm/troubleshoot-known-issues.md
@@ -15,10 +15,6 @@ ms.collection:
# Known Issues for Endpoint Privilege Management
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-[!INCLUDE [intune-epm-overview](./includes/intune-epm-overview.md)]
-
This article lists known issues with Endpoint Privilege Management.
## Windows 10 devices might not immediately receive confirmation of support approvals
diff --git a/intune/epm/tutorial-admin-to-standard-user.md b/intune/epm/tutorial-admin-to-standard-user.md
index 8e1e83412e0..9ccd1a9dfd7 100644
--- a/intune/epm/tutorial-admin-to-standard-user.md
+++ b/intune/epm/tutorial-admin-to-standard-user.md
@@ -13,10 +13,6 @@ ms.collection:
# Use Endpoint Privilege Management to transition users from administrator to standard user
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-[!INCLUDE [intune-epm-overview](./includes/intune-epm-overview.md)]
-
A common scenario for customers who want to use Endpoint Privilege Management is to reduce the number of local administrators in their environment. This scenario adheres to the Zero Trust principle of least privilege. This document steps through the steps a customer could follow to use EPM to move users from administrators to standard users with minimal disruption.
## Phase 1: Auditing
diff --git a/intune/fundamentals/account-sign-up.md b/intune/fundamentals/account-sign-up.md
index 47b65412f9c..f6c358ec9ea 100644
--- a/intune/fundamentals/account-sign-up.md
+++ b/intune/fundamentals/account-sign-up.md
@@ -53,6 +53,10 @@ After you sign up for a new subscription, you receive an email message that cont
After completing the sign-up process, you're directed to the Microsoft 365 admin center to add users and assign them licenses. If you only have cloud-based accounts using your default *onmicrosoft.com* domain name, then you can go ahead and add users and assign licenses at this point. However, if you plan to use your organization's [custom domain name](configure-custom-domain.md) or [synchronize user account information](tenant-administration/add-users.md#sync-active-directory-and-add-users-to-intune) from on-premises Active Directory, then you can close that browser window.
+### Microsoft Intune Onboarding benefit
+
+Microsoft offers an Intune Onboarding benefit for eligible services. The benefit lets you work remotely with Microsoft specialists to prepare your Intune environment for use. For more information, see [Microsoft Intune Onboarding Benefit Description](/microsoft-365/fasttrack/introduction).
+
## Sign in to Microsoft Intune
After signing up for Intune, use any device with a [supported browser](./ref-supported-platforms.md#intune-supported-web-browsers) to sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) to administer the service. Administration of Intune requires your account to have sufficient RBAC permissions within Intune for the tasks you want to manage. Initially, you might use an account that is assigned the Microsoft Entra ID built-in role of [Intune Administrator](/entra/identity/role-based-access-control/permissions-reference#intune-administrator).
@@ -73,6 +77,18 @@ Microsoft 365 Business: `https://portal.microsoft.com/adminportal`
Microsoft 365 Mobile Device Management: `https://admin.microsoft.com/adminportal/home#/MifoDevices`
+## Buy Microsoft Intune
+
+You can purchase Microsoft Intune Plan 1, Plan 2, Suite, and standalone capability licenses through any of the following:
+
+- A Microsoft partner or reseller
+- Microsoft Volume License Servicing Center (VLSC)
+- Web direct purchase in the [Microsoft 365 admin center](https://admin.microsoft.com)
+
+After purchase, the licenses appear in your tenant and the corresponding capability status updates to **Active**. Each capability has its own license-count requirements based on the users you target.
+
+For information on assigning licenses, see [Assign Microsoft Intune licenses](assign-licenses.md).
+
## Related content
- [Configure domains](./configure-custom-domain.md)
diff --git a/intune/fundamentals/add-ons.md b/intune/fundamentals/add-ons.md
deleted file mode 100644
index 5ba6ef0e0b7..00000000000
--- a/intune/fundamentals/add-ons.md
+++ /dev/null
@@ -1,159 +0,0 @@
----
-title: Use Intune Suite add-on capabilities
-description: Microsoft Intune Suite unifies a series of mission-critical advanced endpoint management and security capabilities. The capabilities of the suite are integrated with Microsoft 365 and Microsoft Security across endpoint platforms for both cloud and on-premises co-managed devices.
-author: MandiOhlinger
-ms.author: mandia
-ms.date: 03/05/2026
-ms.topic: how-to
-ms.reviewer: aanavath
-ms.subservice: suite
-ms.collection:
-- M365-identity-device-management
----
-
-# Use Microsoft Intune Suite add-on capabilities
-
-Microsoft Intune Suite provides mission-critical advanced endpoint management and security capabilities into Microsoft Intune. You can find add-ons to Intune in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) under **Tenant administration** > **Intune add-ons**. The **Summary** blade shows all available Intune add-ons, a short description, and the status of the add-on. Each add-on shows a status of either **Active** or **Available for trial or purchase**.
-
-Licenses for the Intune add-ons can be added for an additional cost to the licensing options that include Microsoft Intune or Microsoft Configuration Manager. For more information, see [Licenses available for Microsoft Intune](./licensing/index.md).
-
-> [!NOTE]
-> Intune add-ons are currently not supported in Sovereign clouds.
-
-## Available add-ons
-
-Some capabilities are available to buy as a standalone add-on. Other capabilities are only available with Intune Plan 2 or the Intune Suite.
-
-The following table provides a list of add-on capabilities and associated Intune Plans. For information about Microsoft Intune Plans and pricing, see [Intune Plans and pricing](https://aka.ms/IntuneSuitePricing).
-
-| Capability | Standalone add-on | Intune Plan 2 | Intune Suite |
-|:-|:-:|:-:|:-:|
-| [Endpoint Privilege Management](../epm/overview.md) | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: | | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: |
-| [Enterprise App Management](../app-management/deployment/enterprise-app-management.md) | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: | | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: |
-| [Advanced Analytics](../advanced-analytics/index.md) | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: | | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: |
-| [Remote Help](../remote-help/index.md) | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: | | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: |
-| [Microsoft Tunnel for Mobile Application Management](../device-security/microsoft-tunnel/mam.md) | | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: |
-| [Microsoft Cloud PKI](../cloud-pki/index.md) | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: | | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: |
-| [Firmware-over-the-air update](../device-updates/android/setup-zebra-lifeguard.md) | | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: |
-| [Specialized devices management](../device-management/specialty-devices.md) | | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: |
-
-> [!TIP]
-> For a customized experience based on your environment, you can access the [Intune Suite add-ons guide](https://go.microsoft.com/fwlink/?linkid=2314706) in the Microsoft 365 admin center.
-
-### Microsoft Intune Endpoint Privilege Management
-
-Endpoint Privilege Management supports your zero-trust journey by helping your organization achieve a broad user base running with least privilege, while allowing users to still run tasks allowed by your organization to remain productive.
-
-For more information, see [Endpoint Privilege Management](../epm/overview.md).
-
-### Microsoft Intune Enterprise App Management
-
-Enterprise App Management is an Intune Suite add-on that is available for trial and purchase. Enterprise Application Management provides an Enterprise App Catalog of Win32 applications that are easily accessible in Intune. You can add these applications to your tenant by selecting them from the Enterprise App Catalog. When you add an Enterprise App Catalog app to your Intune tenant, default installation, requirements, and detection settings are automatically provided. You can modify these settings as well. In addition, Intune hosts Enterprise App Catalog apps in Microsoft storage. For more information, see [Microsoft Intune Enterprise Application Management](../app-management/deployment/enterprise-app-management.md).
-
-### Microsoft Intune Advanced Analytics
-
-Microsoft Intune Advanced Analytics is set of analytics-driven capabilities that help IT admins understand, anticipate, and improve the end-user experience.
-
-For more information, see [Intune Advanced Analytics](../advanced-analytics/index.md).
-
-### Microsoft Intune Remote Help
-
-Remote Help is a cloud-based solution for secure help desk connections with role-based access controls. For more information, see [Remote Help](../remote-help/index.md).
-
-### Microsoft Tunnel for Mobile Application Management
-
-When you use the Microsoft Tunnel VPN Gateway, you can extend Tunnel support by adding Tunnel for Mobile Application Management (MAM). Tunnel MAM extends the Microsoft Tunnel VPN gateway to support devices that run Android or iOS, and that aren't enrolled with Microsoft Intune.
-
-For more information, see [Microsoft Tunnel for Mobile Application Management](../device-security/microsoft-tunnel/mam.md).
-
-### Microsoft Cloud PKI
-
-Microsoft Cloud PKI is a cloud-based service that simplifies and automates certificate lifecycle management for Intune-managed devices. It provides a dedicated public key infrastructure (PKI) for your organization and handles the certificate issuance, renewal, and revocation for all Intune-supported platforms.
-
-For more information, see [Overview of Microsoft Cloud PKI](../cloud-pki/index.md).
-
-### Mobile Firmware-over-the-air update
-
-Firmware over-the-air (FOTA) update allows you to remotely update the firmware of supported devices wirelessly with more control.
-
-For more information, see [Zebra LifeGuard Over-the-Air Integration with Microsoft Intune](../device-updates/android/setup-zebra-lifeguard.md)
-
-### Managing specialty devices with Microsoft Intune
-
-Specialized devices management is a set of device management, configuration, and protection capabilities for special, purpose-built devices such as AR/VR headsets, large smart-screen devices, and conference room meeting devices.
-
-For more information, see [Managing specialized devices with Microsoft Intune](../device-management/specialty-devices.md).
-
-## Using the Intune add-ons page
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) as a Global or Billing administrator.
-
-2. Navigate to **Tenant administration** > **Intune add-ons**.
-
-3. The **Your add-ons** tab shows a list of all Intune add-ons in trial or purchased for a billing account in your organization.
-
-4. The **All add-ons** tab shows you a list of all Intune add-ons that are available for trial or purchase. For more information on how to Try or buy Intune add-ons, see [Try or buy Intune add-ons](#try-or-buy-intune-add-ons).
-
-5. The **Capabilities** tab provides details about each of the Intune add-on capabilities that are available for trial or purchase. For more information, select **Learn more**.
-
-> [!NOTE]
-> If you are not a global or billing admin, the **your add-ons** tab is not visible. However, the **Capabilities** tab allows you to see what you are eligible to use.
-
-## Try or buy Intune add-ons
-
-Global and Billing administrators can choose to start free trials or purchase licenses for Intune add-ons through the [Microsoft 365 admin center](https://admin.microsoft.com). Administrators who aren't Global or Billing administrators can still see the status of their tenant's Intune add-ons trial or active licenses in the centralized Intune add-on page in the Intune admin center. However, they can't start a free trial or purchase licenses.
-
-Starting a free trial gives you a 90-day period to use the Intune add-on capability without any charge. Trials can be up to 250 users per tenant. At the end of the trial period, there's a 30-day grace period. After this point, you'll be unable to use the Intune add-on capability in Microsoft Intune for users within your tenant unless you've purchased the appropriate licenses. There's a one-time limit to start a trial for each tenant.
-
-Purchasing licenses lets you use the Intune add-on capability in your tenant for the duration in which the licenses are active on your tenant based on the option selected during the Billing process.
-
-Intune add-on capabilities are disabled in [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) unless you are in the free trial period or have purchased licenses.
-
-### How to start a trial through the Microsoft 365 admin center
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) as a Global or Billing administrator.
-
-2. Navigate to **Tenant administration** > **Intune add-ons**.
-
-3. Select **All add-ons** tab. The list of Intune add-ons that are available for trial or purchase is displayed. Identify the Intune add-ons that you require. The list of add-ons includes a short description, the subscription status of the add-on, and a link to view details.
-
- - **Subscription status** - Each add-on shows a status of either *Active* or *Available for trial or purchase*. For add-ons that say *Available for trial or purchase* in the **Subscription status** column, you can start the free trial or purchase licenses.
-
- - **Try or Buy** - Select **View details** in the **Try or Buy** column to know more about what's included and the trial and purchase information.
-
- - Select **To try or buy, go to Purchase services** link to navigate to the Microsoft 365 admin center. A new tab opens on the **Product details** page for the selected Intune add-on.
-
-4. In the Microsoft 365 Admin Center, follow the prompts to **Start free trial** and confirm your order.
-
-5. Navigate to **Tenant administration** > **Intune add-ons** and see that the Intune add-on capability you added is now **Active**.
-
-### How to purchase Intune add-ons
-
-Licenses for Intune add-ons can be purchased just as you would purchase Intune Plan 1 licenses through the following ways:
-
-- Web direct purchase in the Microsoft 365 Admin Center
-- Microsoft Volume License Servicing Center (VLSC)
-- Existing relationships with Microsoft partners/resellers
-
-After you buy licenses via any source, the licenses are available in your tenant and the status of the Intune add-ons capability will update accordingly.
-
-## How to assign licenses
-
-For information on how to assign licenses in the Microsoft Intune admin center, see [Assign Microsoft Intune licenses](./licensing/assign-licenses.md).
-
-## Monitor license use
-
-Each of the Intune add-ons have their own requirements for how many licenses need to be purchased.
-
-## Next steps
-
-Learn more about:
-
-- [Remote Help](../remote-help/index.md)
-- [Microsoft Tunnel for Mobile Application Management](../device-security/microsoft-tunnel/mam.md)
-- [Managing Mobile Firmware-over-the-air updates with Microsoft Intune](../device-updates/android/setup-zebra-lifeguard.md)
-- [Intune Advanced Analytics](../advanced-analytics/index.md)
-- [Endpoint Privilege Management](../epm/overview.md).
-- [Microsoft Tunnel for Mobile Application Management](../device-security/microsoft-tunnel/mam.md)
-- [Remote Help](../remote-help/index.md)
-- [Managing specialized devices with Microsoft Intune](../device-management/specialty-devices.md)
diff --git a/intune/fundamentals/advanced-capabilities.md b/intune/fundamentals/advanced-capabilities.md
new file mode 100644
index 00000000000..60a1ba641c1
--- /dev/null
+++ b/intune/fundamentals/advanced-capabilities.md
@@ -0,0 +1,118 @@
+---
+title: Microsoft Intune advanced capabilities
+description: Microsoft Intune advanced capabilities deliver advanced endpoint management and security. Learn what they are, which licenses include them, and how to get them.
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/20/2026
+ms.topic: overview
+ms.reviewer: aanavath
+ms.subservice: suite
+ms.collection: M365-identity-device-management
+---
+
+# Microsoft Intune advanced capabilities
+
+Intune includes capabilities that extend endpoint management and security across Microsoft 365 and Microsoft Security. This article describes each capability, shows which licenses include them, and explains how to try them.
+
+## Capabilities
+
+Intune offers the following advanced capabilities:
+
+:::row:::
+ :::column:::
+> [!div class="nextstepaction"]
+> [Firmware Over-the-Air updates](../device-updates/android/manage-fota.md)
+
+> Remotely deliver firmware updates to Android devices over the air, without user action.
+
+ :::column-end:::
+ :::column:::
+> [!div class="nextstepaction"]
+> [Specialty device management](../device-management/specialty-devices.md)
+
+> Manage AR/VR headsets, large smart-screen devices, and conference room meeting devices.
+
+ :::column-end:::
+:::row-end:::
+
+:::row:::
+ :::column:::
+
+> [!div class="nextstepaction"]
+> [Microsoft Tunnel for MAM](../device-security/microsoft-tunnel/mam.md)
+
+> Extend the Microsoft Tunnel VPN to Android and iOS devices that aren't enrolled in Intune.
+ :::column-end:::
+ :::column:::
+> [!div class="nextstepaction"]
+> [Advanced Analytics](../advanced-analytics/index.md)
+
+> Get analytics-driven insights to understand and improve the user experience across your endpoints.
+ :::column-end:::
+:::row-end:::
+
+:::row:::
+ :::column:::
+> [!div class="nextstepaction"]
+> [Remote Help](../remote-help/index.md)
+
+> Securely connect to user devices for cloud-based help-desk support with role-based access controls.
+ :::column-end:::
+ :::column:::
+> [!div class="nextstepaction"]
+> [Microsoft Cloud PKI](../cloud-pki/index.md)
+
+> Use a managed certificate authority for issuance, renewal, and revocation across Intune platforms.
+ :::column-end:::
+:::row-end:::
+
+:::row:::
+ :::column:::
+> [!div class="nextstepaction"]
+> [Endpoint Privilege Management](../epm/overview.md)
+
+> Run users with least privilege while still allowing approved tasks that require elevation.
+ :::column-end:::
+ :::column:::
+> [!div class="nextstepaction"]
+> [Enterprise Application Management](../app-management/deployment/enterprise-app-management.md)
+
+> Deploy curated Win32 apps from a Microsoft-hosted Enterprise App Catalog with built-in install settings.
+ :::column-end:::
+:::row-end:::
+
+## Intune plans and advanced capabilities
+
+Advanced capabilities are available through Microsoft Intune Plan 2, the Microsoft Intune Suite, and select Microsoft 365 bundles. For what's included in each plan, current pricing, and how to buy, see [Microsoft Intune plans and pricing](https://www.microsoft.com/security/business/microsoft-intune-pricing).
+
+For licensing concepts and admin-access requirements, see [Microsoft Intune licensing](licensing.md).
+
+## Trial subscriptions for advanced capabilities
+
+A free trial of an advanced capability lasts 90 days, with up to 250 users per tenant. Each tenant can start a trial of any given capability once. After the trial ends, you have a 30-day grace period before the capability becomes unavailable in the admin center.
+
+> [!NOTE]
+> If your organization has Microsoft 365 E3, E5, E7, or Microsoft Intune Suite, you already have access to the included capabilities and don't need a trial. Start a trial only for capabilities not included in your current licenses.
+
+To start a capability trial:
+
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) as a Global or Billing administrator.
+1. Select **Tenant administration** > **Intune add-ons**.
+1. Select the **All add-ons** tab and find the capability you want.
+1. Select **View details** in the **Try or Buy** column, then select **To try or buy, go to Microsoft 365 admin center**.
+1. In the Microsoft 365 admin center, complete the **Start free trial** flow.
+1. Return to **Tenant administration** > **Intune add-ons**. The capability now shows **Active**.
+
+> [!NOTE]
+> If you're not a Global or Billing admin, the **Your add-ons** tab isn't visible. The **Capabilities** tab still shows what your tenant is eligible for.
+
+To try Microsoft Intune itself (rather than an advanced capability), see [Sign Up for Microsoft Intune Free Trial Setup Guide](free-trial-sign-up.md).
+
+## Related content
+
+- [Microsoft Intune licensing](licensing.md)
+- [What is Microsoft Intune?](what-is-intune.md)
+- [Microsoft Intune architecture](architecture.md)
+- [Sign up or sign in to Microsoft Intune](account-sign-up.md)
+- [Sign Up for Microsoft Intune Free Trial Setup Guide](free-trial-sign-up.md)
+- [Assign Microsoft Intune licenses](assign-licenses.md)
diff --git a/intune/fundamentals/architecture.md b/intune/fundamentals/architecture.md
index 49310089348..3508a18520c 100644
--- a/intune/fundamentals/architecture.md
+++ b/intune/fundamentals/architecture.md
@@ -1,19 +1,182 @@
---
-title: High-Level Architecture for Microsoft Intune
-description: This reference architecture shows options for integrating Microsoft Intune in your Azure environment with Microsoft Entra ID.
-author: nicholasswhite
-ms.author: nwhite
-ms.date: 02/25/2025
-ms.topic: article
+title: Microsoft Intune architecture
+description: Reference architecture for a Microsoft Intune deployment, including cloud and on-premises components and Microsoft and third-party integrations.
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/12/2026
+ms.topic: concept-article
ms.reviewer: davidra
-#ms.custom:
ms.collection:
- M365-identity-device-management
- triage
---
-# High-Level Architecture for Microsoft Intune
-This reference architecture shows options for integrating Microsoft Intune in your Azure environment with Microsoft Entra ID.
-:::image type="content" source="./media/architecture/intunearchitecture_wh.png" alt-text="High-level architectural diagram for Microsoft Intune" lightbox="./media/architecture/intunearchitecture_wh.png":::
+# Microsoft Intune architecture
-
+This article describes the architecture of a Microsoft Intune deployment: the cloud and on-premises components and the Microsoft and third-party products Intune integrates with.
+
+For an introduction to what Intune does, see [What is Microsoft Intune?](what-is-intune.md). For a conceptual walkthrough of how Intune manages identities, devices, and apps, see [Microsoft Intune core concepts](core-concepts.md).
+
+:::image type="content" source="./media/architecture/intune-reference-architecture.png" alt-text="Diagram that shows Microsoft Intune in a reference architecture with Microsoft Entra, Microsoft 365, Configuration Manager, on-premises connectors, and managed endpoints." lightbox="./media/architecture/intune-reference-architecture.png" border="false":::
+
+The diagram organizes a typical Intune deployment into seven tiers:
+
+1. **Cloud control plane**: Microsoft-hosted Intune services.
+1. **Managed endpoints**: devices that Intune manages.
+1. **Endpoint family services**: Microsoft products whose primary purpose is endpoint management.
+1. **Connectors and extensions**: cloud-based external services Intune integrates with.
+1. **Peer integrations**: other Microsoft products that integrate with Intune.
+1. **Partner ecosystem**: third-party products and services that integrate with Intune.
+1. **On-premises services**: customer-operated infrastructure that integrates with the Intune cloud.
+
+Each tier is described in the following sections.
+
+## Cloud control plane
+
+:::row:::
+ :::column:::
+ The cloud control plane is the set of Microsoft-hosted services that constitute the Intune tenant. They store configurations, deliver policy, expose programmatic interfaces, and surface the admin and user experiences.
+ :::column-end:::
+ :::column:::
+ :::image type="content" source="media/architecture/cloud-control-plane.png" alt-text="Diagram of the cloud control plane." border="false" lightbox="media/architecture/cloud-control-plane-on.png":::
+ :::column-end:::
+:::row-end:::
+
+| Component | Role |
+|---|---|
+| **Microsoft Intune service** | The cloud control plane that stores configurations and orchestrates policy delivery. |
+| **[Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)** | Web console for administrators. |
+| **[Microsoft Graph API](/graph/intune-concept-overview)** | Public programming interface. Every admin center action is backed by a Graph API call. |
+| **[Microsoft Intune Company Portal app and website](../app-management/configuration/configure-company-portal.md)** | User-facing surface that enrolls devices, surfaces required apps, and shows compliance status. |
+
+## Managed endpoints
+
+:::row:::
+ :::column:::
+ Intune supports the following platforms: Android, iOS, iPadOS, Linux, macOS, tvOS, visionOS, and Windows. Specialty scenarios include kiosks, frontline devices, and rugged hardware managed through platform-specific enrollment paths.
+ :::column-end:::
+ :::column:::
+ :::image type="content" source="media/architecture/managed-endpoints.png" alt-text="Diagram of managed endpoints as they relate to the cloud control plane." border="false" lightbox="media/architecture/managed-endpoints-on.png":::
+ :::column-end:::
+:::row-end:::
+
+Devices come under management through several modes:
+
+- **Mobile device management (MDM)**: typical for organization-owned devices; Intune manages the entire device.
+- **Mobile application management (MAM)**: typical for personal (BYOD) devices; Intune manages only work apps and data.
+- **Automated enrollment** for organization-owned hardware: Windows Autopilot, Apple Automated Device Enrollment, and Android Enterprise.
+
+For the full supported-OS matrix, see [Supported operating systems and browsers for Intune](ref-supported-platforms.md).
+
+## Endpoint family services
+
+:::row:::
+ :::column:::
+ Endpoint family services are Microsoft products whose primary purpose is endpoint management. Each specializes in a specific aspect of the endpoint lifecycle.
+ :::column-end:::
+ :::column:::
+ :::image type="content" source="media/architecture/endpoint-family-services.png" alt-text="Diagram of endpoint family services as they relate to the cloud control plane." border="false" lightbox="media/architecture/endpoint-family-services-on.png":::
+ :::column-end:::
+:::row-end:::
+
+
+
+| Service | What it does | When to use |
+|---|---|---|
+| **[Windows Autopilot](/autopilot/overview)** | Cloud-based provisioning for new and existing Windows devices, with options for user-driven, self-deploying (zero-touch), pre-provisioning, and reset | Shipping devices directly from OEM to end users, or repurposing existing devices at scale |
+| **[Windows 365](/windows-365/enterprise/overview)** | Cloud-hosted Windows desktops (Cloud PCs) | Remote workers, BYOD, contractors, regulated workloads |
+| **[Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview)** | Managed update service for Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, Microsoft Teams, and device drivers and firmware | Reducing manual update administration |
+| **[Endpoint analytics](../endpoint-analytics/index.md)** | Telemetry and recommendations on device health and performance | Identifying performance issues and reducing help-desk volume |
+
+## Connectors and extensions
+
+:::row:::
+ :::column:::
+ Connectors and extensions are cloud-based external services that Intune integrates with. They have no on-premises footprint. Intune communicates with them over the internet.
+ :::column-end:::
+ :::column:::
+ :::image type="content" source="media/architecture/connectors-and-extensions.png" alt-text="Diagram of connectors and extensions as they relate to the cloud control plane." border="false" lightbox="media/architecture/connectors-and-extensions-on.png":::
+ :::column-end:::
+:::row-end:::
+
+| Connector | Role |
+|---|---|
+| **[Microsoft Cloud PKI](../cloud-pki/index.md)** | Cloud-hosted PKI that issues, renews, and revokes SCEP certificates for Intune-managed devices without requiring on-premises AD CS, NDES, or the certificate connector. Supports a fully cloud-hosted hierarchy or anchoring to your existing private root (BYOCA). |
+| **[Apple Business / VPP](../app-management/deployment/manage-vpp-apple.md)** | Token-based integration for Apple app delivery. |
+| **[Apple Push Notification service (APNs)](../device-enrollment/apple/create-mdm-push-certificate.md)** | Required for Apple device management. |
+| **[Managed Google Play](../app-management/deployment/add-managed-google-play.md)** | Android Enterprise app catalog. |
+| **[Microsoft Store](../app-management/deployment/add-microsoft-store.md)** | Built-in catalog for Windows apps. |
+
+## Peer integrations
+
+:::row:::
+ :::column:::
+ Peer integrations are Microsoft products that work alongside Intune. They have their own primary purpose; integration with Intune is one of many uses.
+ :::column-end:::
+ :::column:::
+ :::image type="content" source="media/architecture/peer-integrations.png" alt-text="Diagram of peer integrations as they relate to the cloud control plane." border="false" lightbox="media/architecture/peer-integrations-on.png":::
+ :::column-end:::
+:::row-end:::
+
+| Product | Role |
+|---|---|
+| **[Microsoft 365 apps](../app-management/deployment/add-microsoft-365-windows.md)** | Deployed to managed endpoints via Intune. |
+| **[Endpoint security in Microsoft Defender](../device-security/microsoft-defender/configure-integration.md)** | Feeds real-time device risk signals into Intune compliance evaluation and Conditional Access decisions. Also serves as a mobile threat defense (MTD) source for iOS, iPadOS and Android. |
+| **[Copilot in Intune](../copilot/index.md)** | Microsoft Security Copilot capabilities surfaced inside the Microsoft Intune admin center. |
+| **[Microsoft Purview](/purview/device-onboarding-mdm)** | Sensitivity labels and endpoint data loss prevention (DLP) policies that apply to data on Intune-managed devices. |
+
+## Partner ecosystem
+
+:::row:::
+ :::column:::
+ The partner ecosystem includes third-party products and services that integrate with Intune through documented APIs, connectors, or configuration patterns.
+ :::column-end:::
+ :::column:::
+ :::image type="content" source="media/architecture/partner-ecosystem.png" alt-text="Diagram of the partner ecosystem as it relates to the cloud control plane." border="false" lightbox="media/architecture/partner-ecosystem-on.png":::
+ :::column-end:::
+:::row-end:::
+
+| Category | Description and examples |
+|---|---|
+| **[Mobile threat defense (MTD) partners](../device-security/mobile-threat-defense/overview.md)** | Third-party services that feed device risk signals into Intune. Examples: Lookout, Zimperium, Check Point. Endpoint security in Microsoft Defender is also an MTD source: see [Peer integrations](#peer-integrations). |
+| **[Device compliance partners](../device-security/compliance/third-party-partners.md)** | Non-Intune MDMs that become the MDM authority for assigned user groups and report device compliance state into Microsoft Entra ID for Intune Conditional Access. Supported on Android, iOS, iPadOS, and macOS. Examples: Jamf Pro, Ivanti EPMM, BlackBerry UEM, Omnissa Workspace ONE, Kandji, SOTI MobiControl. |
+| **IT service management (ITSM) partners** | Incident and asset integration. Examples: [ServiceNow](../device-management/tools/setup-servicenow.md), Jira. |
+| **Remote support partners** | Remote control and assistance. Example: [TeamViewer](../device-management/tools/setup-teamviewer.md). |
+| **Device vendor portals** | Vendor-specific management for specialty hardware. Examples: [Surface Management Portal](/surface/surface-management-portal), Lenovo, Intel vPro. |
+| **Network access control (NAC) partners** | Network-tier access enforcement. Examples: Cisco ISE, Aruba ClearPass. |
+
+## On-premises services
+
+:::row:::
+ :::column:::
+ On-premises services are customer-operated infrastructure that runs on your network and integrates with the Intune cloud control plane.
+ :::column-end:::
+ :::column:::
+ :::image type="content" source="media/architecture/on-premises-services.png" alt-text="Diagram of on-premises services as they relate to the cloud control plane." border="false" lightbox="media/architecture/on-premises-services-on.png":::
+ :::column-end:::
+:::row-end:::
+
+| Component | Role |
+|---|---|
+| **[Microsoft Tunnel Gateway](../device-security/microsoft-tunnel/overview.md)** | VPN gateway for iOS, iPadOS and Android Enterprise devices and apps. Runs in a container on Linux. |
+| **[Certificate Connector for Microsoft Intune](certificates/connector/overview.md)** | Bridges Intune to your on-premises certificate services to issue SCEP and PKCS certificates, import PFX certificates for S/MIME, and revoke certificates. |
+| **[Microsoft Configuration Manager](../configmgr/core/understand/introduction.md)** | On-premises peer to Intune for Windows clients and servers. Integrates with Intune through co-management and tenant attach. See [Co-management and tenant attach](#co-management-and-tenant-attach). |
+
+### Co-management and tenant attach
+
+Microsoft Configuration Manager is the on-premises peer to Intune for Windows clients and servers. It manages desktops, Windows servers, and laptops on your network or connected over the internet via cloud management gateway. Configuration Manager and Intune integrate through:
+
+- **[Co-management](../configmgr/comanage/overview.md)**: lets Configuration Manager and Intune both manage Windows clients. You move workloads to the cloud at your own pace.
+- **[Tenant attach](../configmgr/tenant-attach/prerequisites.md)**: brings Configuration Manager-managed devices into the Intune admin center for visibility, remote actions, cloud-based reporting, endpoint security policy authoring (Antivirus, ASR), CMPivot, PowerShell scripts, application installs, and a unified device timeline.
+
+By using co-management and tenant attach, organizations that already run Configuration Manager can add Intune capabilities without rebuilding their environment.
+
+## Related content
+
+- [What is Microsoft Intune?](what-is-intune.md)
+- [Microsoft Intune core concepts](core-concepts.md)
+- [Network endpoints for Microsoft Intune](endpoints.md)
+- [Common ways to deploy Microsoft Intune](deploy-setup-step-1.md)
+- [Cloud-native endpoints](../solutions/cloud-native-endpoints/overview.md)
+- [Microsoft Intune advanced capabilities](advanced-capabilities.md)
+- [Passwordless authentication with Microsoft Intune](../solutions/passwordless.md)
\ No newline at end of file
diff --git a/intune/fundamentals/licensing/assign-licenses.md b/intune/fundamentals/assign-licenses.md
similarity index 96%
rename from intune/fundamentals/licensing/assign-licenses.md
rename to intune/fundamentals/assign-licenses.md
index e4f60df65ed..b39a18cf888 100644
--- a/intune/fundamentals/licensing/assign-licenses.md
+++ b/intune/fundamentals/assign-licenses.md
@@ -2,15 +2,17 @@
title: Assign Microsoft Intune licenses
description: Assign licenses to users so they can enroll in Intune
+author: paolomatarazzo
+ms.author: paoloma
ms.date: 01/24/2025
ms.topic: how-to
ms.collection:
- M365-identity-device-management
---
-# Assign licenses to users so they can enroll devices in Intune
+# Assign licenses to users
-Whether you manually add users or synchronize from your on-premises Active Directory, you must first assign each user license before users can enroll their devices in Intune. For a list of licenses, see [Microsoft Intune licensing](index.md).
+Whether you manually add users or synchronize from your on-premises Active Directory, you must first assign each user license before users can enroll their devices in Intune. For a list of licenses, see [Microsoft Intune licensing](licensing.md).
> [!NOTE]
> Users assigned Intune app protection policy and not enrolling their devices into Microsoft Intune will also require an Intune license to receive the policy.
@@ -21,7 +23,7 @@ You can use the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?
1. In the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?LinkId=698854), select **Users** > **Active users** > *choose an unlicensed user* > **Licenses and apps**.
-2. Choose the box for **Intune** > **Save changes**. If you want to use the Enterprise Mobility + Security E5 or other license, choose that box instead. For more information about Microsoft Intune licenses, see [Microsoft Intune licensing](index.md).
+2. Choose the box for **Intune** > **Save changes**. If you want to use the Enterprise Mobility + Security E5 or other license, choose that box instead. For more information about Microsoft Intune licenses, see [Microsoft Intune licensing](licensing.md).
The user account now has the permissions needed to use the service and enroll devices into Intune management.
@@ -102,7 +104,7 @@ To view the number of free and used licenses on a Microsoft Intune subscription,
A list of the **Account ID**, the **Active Units**, and the **Consumed Units** will appear. Note that this will also display any Microsoft Office 365 licenses on the subscription.
> [!NOTE]
-> To confirm your Microsoft Entra ID P1 or P2 and Microsoft Intune using Microsoft Intune admin center, see [Confirm your licenses](index.md#confirm-your-licenses).
+> To confirm your Microsoft Entra ID P1 or P2 and Microsoft Intune using Microsoft Intune admin center, see [Confirm your licenses](licensing.md#confirm-your-licenses).
## Use PowerShell to selectively manage EMS user licenses
@@ -156,6 +158,6 @@ Verify with:
## Related content
-- [Assign Microsoft Intune roles to groups of users for role-based access control](../role-based-access-control/assign-role.md)
-- [Set the MDM authority](../../fundamentals/setup-mdm-authority.md)
+- [Assign Microsoft Intune roles to groups of users for role-based access control](./role-based-access-control/assign-role.md)
+- [Set the MDM authority](./setup-mdm-authority.md)
diff --git a/intune/fundamentals/core-concepts.md b/intune/fundamentals/core-concepts.md
new file mode 100644
index 00000000000..121dc0aa323
--- /dev/null
+++ b/intune/fundamentals/core-concepts.md
@@ -0,0 +1,144 @@
+---
+title: Microsoft Intune core concepts
+description: Learn how Microsoft Intune works across identities, devices, and apps, and how the three pillars come together to drive access decisions.
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/14/2026
+ms.topic: concept-article
+ms.collection:
+- M365-identity-device-management
+---
+
+# Microsoft Intune core concepts
+
+Microsoft Intune is built around three pillars: the **identities** that sign in, the **devices** they sign in from, and the **apps** they use to get work done. Intune orchestrates these pillars on top of Microsoft Entra ID and feeds device and app posture back to Microsoft Entra Conditional Access, which gates access to corporate resources.
+
+For an introduction to what Intune does and why, see [What is Microsoft Intune?](what-is-intune.md). For the components, integrations, and deployment view, see [Microsoft Intune architecture](architecture.md).
+
+:::image type="content" source="./media/shared/intune-overview.png" alt-text="Diagram showing Microsoft Intune managing identities, devices, and apps, with signals from Endpoint security in Microsoft Defender. Intune is extended by advanced capabilities, automated by Copilot, and uses Microsoft Entra ID for Conditional Access to corporate resources." lightbox="./media/shared/intune-overview.png" border="false":::
+
+## The three pillars
+
+| Pillar | What Intune does | What Intune relies on |
+|---|---|---|
+| **Identities** | Targets policies to users and groups, scopes admin access through role-based access control (RBAC), and creates user affinity at enrollment. | [Microsoft Entra ID](/entra/fundamentals/whatis) for accounts, groups, authentication, and Conditional Access. |
+| **Devices** | Enrolls, configures, protects, and retires the hardware that runs your organization's work. Reports compliance state for Conditional Access. | Platform enrollment programs (Windows Autopilot, Apple Automated Device Enrollment, Android Enterprise). |
+| **Apps** | Deploys, configures, protects, and updates the apps users need, on enrolled and personal devices. | App stores and vendor catalogs (Microsoft Store, App Store, Managed Google Play, Apple Business). |
+
+The rest of this article walks through each pillar and ends with a worked example that traces a single sign-in across all three.
+
+## Identities
+
+Intune doesn't store user identities. It uses [Microsoft Entra ID](/entra/fundamentals/whatis) for accounts, groups, authentication, and Conditional Access. Within Intune, identities surface in three places.
+
+### User affinity at enrollment
+
+When a user signs into a device for the first time, the device becomes associated with that user. This association is called **user affinity**. Policies assigned to the user follow them across all of their associated devices, and the user can access their email, files, and apps from any of those devices.
+
+When no user is associated with a device, the device is **user-less**. This pattern is common for kiosks dedicated to a single task and for shared devices used by multiple people.
+
+Decide the device's intended purpose before enrollment so you can choose the right enrollment method. For platform-specific guidance, see [Device enrollment in Microsoft Intune](../device-enrollment/guide.md).
+
+### Role-based access for admins
+
+Intune uses role-based access control (RBAC) to determine what each admin can see and do in the admin center. Built-in roles such as **Application Manager** and **Policy and Profile Manager** scope permissions to specific endpoint-management tasks. Because Intune uses Microsoft Entra ID, the built-in Microsoft Entra roles (including **Intune Administrator**) are also available.
+
+Pair RBAC with **scope tags** to narrow what an admin can see, not just what they can do. For example, give a regional help desk a role that allows device wipes, but tag it so they can only see and wipe devices in their region.
+
+For details, see [Role-based access control with Microsoft Intune](role-based-access-control/overview.md) and [Use scope tags to filter policies](role-based-access-control/scope-tags.md).
+
+### Targeting policies and assignments
+
+Intune is cloud-based and targets policies directly to users or groups. There's no hierarchy of containers like organizational units. You create a policy, then **assign** it to one or more Microsoft Entra groups.
+
+You can target a policy to:
+
+- **User groups**, when the setting should follow the user across their devices. For example, an email profile or an app deployment.
+- **Device groups**, when the setting should apply regardless of who's signed in For example, a kiosk configuration or a frontline-worker policy.
+- **Built-in virtual groups** (**All users**, **All devices**) when a setting applies tenant-wide.
+
+For details, see [Add groups to organize users and devices](tenant-administration/add-groups.md) and [Assign device profiles in Microsoft Intune](../device-configuration/assign-device-profile.md).
+
+## Devices
+
+Intune manages and secures the desktops, laptops, tablets, and phones your organization relies on across Android, iOS, iPadOS, Linux, macOS, tvOS, visionOS, and Windows. For the full supported-OS matrix, see [Supported operating systems and browsers](ref-supported-platforms.md).
+
+### Device lifecycle
+
+Every managed device passes through four stages, all handled in the same admin center.
+
+- **Enroll**: Bring devices under management. Organization-owned hardware typically uses automated enrollment through Windows Autopilot, Apple Automated Device Enrollment, or Android Enterprise. Personal devices enroll through the Company Portal app.
+- **Configure**: Apply settings for Wi-Fi, VPN, certificates, email, device features, and platform-specific options. The settings catalog exposes thousands of platform settings.
+- **Protect**: Enforce compliance rules, encrypt disks, deploy security baselines, and integrate with mobile threat defense. Compliance state feeds Microsoft Entra Conditional Access.
+- **Retire**: When a device is lost, replaced, or no longer needed, remote actions let you wipe organization data, factory-reset the device, or unenroll it.
+
+### MDM and MAM
+
+Intune supports two management modes. You can use them independently or together.
+
+- **Mobile device management (MDM)** brings the entire device under Intune control: settings, apps, and data. MDM is typical for organization-owned hardware.
+- **Mobile application management (MAM)** manages only the work apps and the data inside them. The user keeps control of the rest of the device. MAM is typical for bring-your-own-device (BYOD) scenarios.
+
+You can combine the two on the same device. For example, an enrolled corporate phone (MDM) can also have app protection policies (MAM) on apps that handle especially sensitive data.
+
+For details, see [Device enrollment in Microsoft Intune](../device-enrollment/guide.md) and [App protection policies overview](../app-management/protection/overview.md).
+
+### Organization-owned and personal devices
+
+Most organizations manage two device populations: hardware they own and personal devices that employees use for work. Intune supports both with different controls.
+
+- **Organization-owned devices** should be enrolled in MDM. Don't rely on users to manage these devices themselves.
+- **Personal devices** can be MDM-enrolled when users want full access to organizational resources, or they can use only MAM policies that protect data inside Outlook, Teams, and other managed apps.
+
+### Device groups
+
+Device groups are Microsoft Entra groups that contain only devices. They're useful when a setting should apply regardless of who's signed in: kiosks, shared PCs, frontline-worker devices, or specialty hardware.
+
+Membership can be **static** or **dynamic**:
+
+- **Static groups** require manual addition and removal of devices. They're useful for small, stable sets of devices.
+- **Dynamic groups** automatically add and remove devices based on criteria you define. They're useful for large, changing fleets of devices
+
+## Apps
+
+Intune covers the full app lifecycle (deploy, configure, protect, update) across every supported platform.
+
+### App lifecycle
+
+- **Deploy** apps from public stores, vendor catalogs, your own line-of-business (LOB) packages, or built-in entries in the admin center.
+- **Configure** apps before users open them, using app configuration policies. Set the app language, add your organization's logo, block personal accounts, and more.
+- **Protect** the data inside apps using app protection policies. Require a PIN, block copy-paste to personal apps, prevent backups to personal cloud services, encrypt at-rest data, and selectively wipe organization data.
+- **Update** apps automatically as new versions become available. For Microsoft 365 apps, Microsoft Edge, and Microsoft Teams on Windows, you can hand updates to Windows Autopatch.
+
+### App protection without enrollment (MAM-WE)
+
+App protection policies don't require MDM enrollment. They work on three device populations:
+
+- **Personal devices** that aren't enrolled in any MDM (BYOD).
+- **Devices enrolled in another MDM provider**: Intune can still protect the data inside its managed apps.
+- **Intune-enrolled devices**, for apps that need an extra layer beyond MDM.
+
+For details, see [App protection policies overview](../app-management/protection/overview.md).
+
+### Apps by platform
+
+Intune supports public store apps, line-of-business (LOB) apps, web apps, and platform-specific app types across Android, iOS, iPadOS, macOS, and Windows. For the per-platform breakdown of app types and where they come from, see [Add and update apps in Microsoft Intune](../app-management/deployment/index.md).
+
+## How the pillars fit together
+
+A typical access decision touches all three pillars:
+
+1. A user signs in to a managed device and **Microsoft Entra ID** authenticates the user.
+1. The device checks in with **Intune** and reports its compliance state and inventory.
+1. Intune forwards the compliance state to Microsoft Entra ID.
+1. The user opens a corporate app. **Microsoft Entra Conditional Access** evaluates the request using the user, the device's compliance state, the app, the location, and signals from **Endpoint security in Microsoft Defender**.
+1. Conditional Access allows or blocks access. If access is allowed and the app is a managed app, **app protection policies** enforce in-app controls (PIN, copy-paste restrictions, selective wipe).
+
+Every access decision exercises all three pillars together: the user's identity, the device's compliance, and the app the user is opening.
+
+## Related content
+
+- **Identities**: [Microsoft Entra ID fundamentals](/entra/fundamentals/whatis), [Use Conditional Access with Microsoft Intune](../device-security/conditional-access-integration/overview.md), [Role-based access control with Microsoft Intune](role-based-access-control/overview.md)
+- **Devices**: [Device enrollment in Microsoft Intune](../device-enrollment/guide.md), [Use compliance policies to set rules for devices you manage](../device-security/compliance/overview.md), [Manage endpoint security in Microsoft Intune](../device-security/endpoint-security-policies.md)
+- **Apps**: [Add and update apps in Microsoft Intune](../app-management/deployment/index.md), [App configuration policies](../app-management/configuration/overview.md), [App protection policies overview](../app-management/protection/overview.md)
+- **Architecture**: [Microsoft Intune architecture](architecture.md)
diff --git a/intune/fundamentals/deploy-configuration-step-4.md b/intune/fundamentals/deploy-configuration-step-4.md
index c6e70f783d6..bef8cae3e2c 100644
--- a/intune/fundamentals/deploy-configuration-step-4.md
+++ b/intune/fundamentals/deploy-configuration-step-4.md
@@ -442,9 +442,9 @@ This level expands on what you configured in levels 1 and 2. It adds extra secur
Microsoft Tunnel uses Intune, Microsoft Entra ID, and Active Directory Federation Services (AD FS). For more information, see [Microsoft Tunnel for Microsoft Intune](../device-security/microsoft-tunnel/overview.md).
- - **Use Microsoft Tunnel for Mobile Application Management** (Tunnel for MAM) to extend tunnel capabilities to Android and iOS/iPad devices that are *not enrolled* with Intune. [Tunnel for MAM](../device-security/microsoft-tunnel/mam.md) is available as an Intune add-on that requires an extra license.
+ - **Use Microsoft Tunnel for Mobile Application Management** (Tunnel for MAM) to extend tunnel capabilities to Android and iOS/iPad devices that are *not enrolled* with Intune. [Tunnel for MAM](../device-security/microsoft-tunnel/mam.md) is an advanced capability that requires additional licensing beyond Microsoft Intune.
- For more information, see [Use Intune Suite add-on capabilities](./add-ons.md).
+ For more information, see [Microsoft Intune advanced capabilities](./advanced-capabilities.md).
- **Use Local Administrator Password Solution (LAPS) policy** to manage and back up the local administrator account on your devices.
@@ -470,7 +470,7 @@ This level expands on what you configured in levels 1 and 2. It adds extra secur
- Support requests by users to elevate a managed process.
- Allow for automatic elevations of files that just need to run without any user interruption.
- [Endpoint Privilege Management](../epm/overview.md) is available as an Intune add-on that requires an extra license. For more information, see [Use Intune Suite add-on capabilities](./add-ons.md).
+ [Endpoint Privilege Management](../epm/overview.md) is an advanced capability that requires additional licensing. For more information, see [Microsoft Intune advanced capabilities](./advanced-capabilities.md).
- **Use Android Common Criteria mode** on Android devices that are used by highly sensitive organizations, like government establishments.
diff --git a/intune/fundamentals/deploy-protect-apps-step-2.md b/intune/fundamentals/deploy-protect-apps-step-2.md
index 21626185dee..a893efc43d3 100644
--- a/intune/fundamentals/deploy-protect-apps-step-2.md
+++ b/intune/fundamentals/deploy-protect-apps-step-2.md
@@ -98,7 +98,7 @@ Before adding apps to Intune, consider reviewing the support app types and asses
### Add Microsoft apps
-Intune includes a number of Microsoft apps based on the Microsoft license that you use for Intune. To learn more about the different Microsoft enterprise licenses available that include Intune, see [Microsoft Intune licensing](./licensing/index.md). To compare the different Microsoft apps that are available with Microsoft 365, see the [licensing options available with Microsoft 365](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans). To see all the options for each plan (including the available Microsoft apps), download the full [Microsoft subscription comparison table](https://go.microsoft.com/fwlink/?linkid=2139145) and locate the plans that include Microsoft Intune.
+Intune includes a number of Microsoft apps based on the Microsoft license that you use for Intune. To learn more about the different Microsoft enterprise licenses available that include Intune, see [Microsoft Intune licensing](./licensing.md). To compare the different Microsoft apps that are available with Microsoft 365, see the [licensing options available with Microsoft 365](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans). To see all the options for each plan (including the available Microsoft apps), download the full [Microsoft subscription comparison table](https://go.microsoft.com/fwlink/?linkid=2139145) and locate the plans that include Microsoft Intune.
One of the available app types is Microsoft 365 apps for Windows devices. By selecting this app type in Intune, you can assign and install Microsoft 365 apps to devices you manage that run Windows. You can also assign and install apps for the Microsoft Project Online desktop client and Microsoft Visio Online Plan 2, if you own licenses for them. The available Microsoft 365 apps are displayed as a single entry in the list of apps in the Intune console within Azure.
@@ -273,7 +273,7 @@ For more information about protecting Exchange Online, go to the following topic
The following list provides the end-user requirements to use app protection policies on apps managed by Intune include the following:
- The end user must have a Microsoft Entra account. See [Add users and give administrative permission to Intune](tenant-administration/add-users.md) to learn how to create Intune users in Microsoft Entra ID.
-- The end user must have a license for Microsoft Intune assigned to their Microsoft Entra account. See [Manage Intune licenses](./licensing/assign-licenses.md) to learn how to assign Intune licenses to end users.
+- The end user must have a license for Microsoft Intune assigned to their Microsoft Entra account. See [Manage Intune licenses](./assign-licenses.md) to learn how to assign Intune licenses to end users.
- The end user must belong to a security group that is targeted by an app protection policy. The same app protection policy must target the specific app being used. App protection policies can be created and deployed in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). Security groups can currently be created in the [Microsoft 365 admin center](https://admin.microsoft.com).
- The end user must sign into the app using their Microsoft Entra account.
diff --git a/intune/fundamentals/deploy-setup-step-1.md b/intune/fundamentals/deploy-setup-step-1.md
index b3e1b53f599..c572819d98c 100644
--- a/intune/fundamentals/deploy-setup-step-1.md
+++ b/intune/fundamentals/deploy-setup-step-1.md
@@ -108,22 +108,22 @@ Intune is available with different subscriptions, including as a stand-alone ser
:::image type="icon" source="../media/icons/16/check.svg" border="false"::: **Determine your license needs**
-Microsoft Intune is available for different organization sizes and needs. It offers a simple-to-use management experience for schools and small businesses, and more advanced functionality required by enterprise customers. An admin must have a license assigned to them to administer Intune unless [unlicensed admin access](./licensing/unlicensed-admins.md) is available. Tenants created after July 2021 support unlicensed admins by default.
+Microsoft Intune is available for different organization sizes and needs. It offers a simple-to-use management experience for schools and small businesses, and more advanced functionality required by enterprise customers. An admin must have a license assigned to them to administer Intune unless [unlicensed admin access](./licensing.md#unlicensed-admin-access) is available. Tenants created after July 2021 support unlicensed admins by default.
-For guidance, see [Microsoft Intune licensing](./licensing/index.md).
+For guidance, see [Microsoft Intune licensing](./licensing.md).
:::image type="icon" source="../media/icons/16/check.svg" border="false"::: **Get started with assigning licenses to users**
Whether you add users one at a time or all at once, you must assign each user an Intune license before users can enroll their devices in Intune. The [Microsoft Intune's free trial](try-overview.md) provides 25 Intune licenses. For a list of licenses, see Licenses that include Intune.
Give users permission to use Intune. Each user or userless device requires an Intune license to access the service.
-For guidance, see [Assign licenses](./licensing/assign-licenses.md).
+For guidance, see [Assign licenses](./assign-licenses.md).
:::image type="icon" source="../media/icons/16/check.svg" border="false"::: **Unlicensed admins**
Intune supports unlicensed administrator access, which lets administrators manage Intune without an assigned Intune license. Tenants created after July 2021 have this enabled by default. Tenants created before July 2021 can enable it manually. This feature applies to any administrator, including Intune administrators, Microsoft Entra administrators, and so on.
-For guidance, see [Unlicensed admins](./licensing/unlicensed-admins.md).
+For guidance, see [Unlicensed admins](./licensing.md#unlicensed-admin-access).
## 7 - Manage roles and grant admin permissions for Intune
diff --git a/intune/fundamentals/endpoint-management.md b/intune/fundamentals/endpoint-management.md
deleted file mode 100644
index c38fa332d02..00000000000
--- a/intune/fundamentals/endpoint-management.md
+++ /dev/null
@@ -1,177 +0,0 @@
----
-title: Endpoint management services and solutions at Microsoft
-description: Microsoft Intune is a family of on-premises products and cloud services. It includes Intune, Configuration Manager, co-management, Endpoint Analytics, Windows Autopilot, and the admin center to manage cloud devices and on on-premises.
-author: MandiOhlinger
-ms.author: mandia
-ms.date: 08/20/2024
-ms.topic: overview
-ms.collection:
- - M365-identity-device-management
----
-
-# Endpoint management at Microsoft
-
-This article provides an overview of endpoint management solutions at Microsoft.
-
-:::image type="content" source="./media/endpoint-management-microsoft.png" alt-text="Endpoint management for Microsoft includes Microsoft Intune, Windows Autopilot, and Endpoint analytics. It integrates with Microsoft Entra ID, on-premises Configuration Manager, mobile threat defense partners, Security Copilot, and Microsoft 365 apps." lightbox="./media/endpoint-management-microsoft.png":::
-
-## Microsoft Intune
-
-Microsoft Intune is a family of products and services. The Intune family includes:
-
-- Microsoft Intune service
-- Configuration Manager and co-management
-- Endpoint Analytics
-- Windows Autopilot
-- Intune admin center
-
-These products and services offer a **cloud-based unified endpoint management** solution. It simplifies management across multiple operating systems, cloud, on-premises, mobile, desktop, and virtualized endpoints. It also:
-
-- Uses the Intune service for **cloud-native mobile device management (MDM) and mobile application management (MAM)**. End users and devices only need internet access; no need for on-premises infrastructure.
-- **Supports data protection on company-owned and bring your own devices** through nonintrusive mobile application management.
-- Empowers organizations to **provide data protection and endpoint compliance** that support a Zero Trust security model.
-- Brings together **device visibility, endpoint security, and data-driven insights** to increase IT efficiency. In hybrid work environments, admin tasks and end user experiences are improved.
-
-Intune integrates with other services, including Microsoft Entra, on-premises Configuration Manager, mobile threat defense (MTD) apps & services, Win32 & custom LOB apps, and more.
-
-If you're moving to the cloud or are adopting more cloud-based services, then use Intune.
-
-For more information, go to:
-
-- [What is Microsoft Intune?](./what-is-intune.md)
-- [Get started with Microsoft Intune](./get-started.md)
-
-## Configuration Manager and co-management
-
-Configuration Manager is an on-premises management solution that uses Active Directory and Group Policy Objects (GPOs). It can **manage desktops, Windows servers, and laptops** that are on your network or are internet-based. You can use Configuration Manager to manage data centers, apps, software updates, and operating systems.
-
-To benefit from everything that's happening in Microsoft Intune, connect your Configuration Manager to the cloud with co-management. Co-management combines your existing on-premises Configuration Manager investment with some of the cloud-based features in Intune, including using the web-based Microsoft Intune admin center.
-
-Co-management is a great way to get started with cloud-based device management, and to start moving some workloads to the cloud.
-
-For more information, go to:
-
-- [What is Configuration Manager?](../configmgr/core/understand/introduction.md)
-- [What is co-management?](../configmgr/comanage/overview.md)
-- [Tenant attach: Prerequisites](../configmgr/tenant-attach/prerequisites.md)
-
-## Intune Suite
-
-The Intune Suite is a collection of add-on features that are available in Intune. The suite includes features that **expand device management capabilities**, including:
-
-- Remote help for secure help desk connections
-- Microsoft Tunnel VPN for mobile application management of devices that aren't enrolled in Intune
-- Endpoint Privilege Management (EPM) so standard nonadmin users can complete tasks that require elevated privileges
-- Support for specialty devices, like AR/VR headsets, large smart-screen devices, and select conference room meeting devices
-
-The suite and its individual features are available as add-ons to your existing licenses and are also licensed individually.
-
-There's also a free trial to help you determine if these features can help your organization.
-
-For more information, go to:
-
-- [Intune Suite add-on capabilities](./add-ons.md)
-
-## Intune admin center
-
-The [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) is a **one-stop web site**. Use the admin center to add users & groups, create & manage policies, and monitor your policies using report data. If you use Configuration Manager tenant-attach or co-management, you can see your on-premises devices and run some actions on these devices.
-
-The admin center also plugs-in other key device management services, including:
-
-- [**Microsoft Entra Privileged Identity Management** to monitor access to important resources](/azure/active-directory/privileged-identity-management/pim-configure)
-- [**Microsoft Tunnel** VPN gateway solution that runs on Linux](../device-security/microsoft-tunnel/overview.md)
-- [**Mobile threat defense** partners](../device-security/mobile-threat-defense/overview.md)
-- [**Remote Help** for remote assistance](../remote-help/index.md)
-- [**TeamViewer** for remote administration](../device-management/tools/teamviewer-legacy.md)
-- [**Windows 365** for your Windows virtual machines](/windows-365/overview)
-- [**Windows Autopatch** to automate updates](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview)
-
-## Microsoft Entra ID
-
-Microsoft Entra ID, previously known as Azure Active Directory (Azure AD), is a cloud-native service that's used by Intune to **manage the identities of users, devices, and groups**. The Intune policies you create are assigned to these users, devices, and groups. When devices are enrolled in Intune, your users sign in to their devices with their Microsoft Entra accounts (`user@contoso.com`).
-
-**Microsoft Entra** has [different license plans that include more features](https://www.microsoft.com/security/business/microsoft-entra-pricing) to help protect devices, apps, and data, including dynamic groups, automatic enrollment in Intune, and Conditional Access.
-
-For more information, go to:
-
-- [Add users](./tenant-administration/add-users.md)
-- [Set up auto enrollment](../device-enrollment/windows/enable-automatic-mdm.md)
-- [Learn about Conditional Access and Intune](../device-security/conditional-access-integration/overview.md)
-
-## Windows Autopilot
-
-Windows Autopilot is a cloud-native service that **sets up and preconfigures devices**, getting them ready for use. It can also reset and repurpose existing devices. Windows Autopilot is designed to simplify the lifecycle of Windows devices from initial deployment through end of life, which benefits IT and end users.
-
-Use Windows Autopilot to preconfigure devices, automatically join devices to Microsoft Entra, automatically enroll the devices in Intune, customize the out of box experience (OOBE), and more. You can also integrate Windows Autopilot with Configuration Manager and co-management for more device configurations.
-
-If you constantly provision new devices or repurpose existing devices, then use Windows Autopilot.
-
-For more information, go to:
-
-- [Get an overview of Windows Autopilot](/autopilot/overview)
-- [Enroll Windows devices in Intune](/autopilot/enrollment-autopilot)
-
-## Microsoft Copilot in Intune
-
-[Microsoft Copilot in Intune](../copilot/index.md) is a **cloud-native service that uses AI to get information quickly**. Intune has capabilities that are powered by [Microsoft Copilot for Security](/copilot/security/microsoft-security-copilot). These capabilities access your Intune data, and can:
-
-- Help you manage your policies and settings.
-- Understand your security posture.
-- Troubleshoot device issues.
-- Create Kusto Query Language (KQL) queries.
-
-For more information, go to [Microsoft Copilot in Intune](../copilot/index.md).
-
-## Windows 365
-
-Windows 365 Cloud PCs are **virtual machines that are hosted in the cloud-native Windows 365 service**. They're accessible from anywhere and from any device that has internet access. Cloud PCs include a Windows desktop experience and are associated with a user.
-
-You enroll and manage these devices with Intune, just like any other device. On these Cloud PCs, you can use Intune to deploy apps, configure settings, install updates, and more.
-
-If you have remote workers, want to provide a secure way for your users to access corporate resources, and/or looking for a way to provide a Windows desktop experience, then Windows 365 is a great solution.
-
-For more information, go to:
-
-- [Windows 365 Cloud PC overview - Enterprise](/windows-365/enterprise/overview)
-- [Windows 365 Cloud PC overview - Business](/windows-365/business/)
-
-## Windows Autopatch
-
-Windows Autopatch is a cloud-native service that **automates patching** of Windows devices and Microsoft 365 apps, including Microsoft Teams & Microsoft Edge. To use Windows Autopatch, devices must be enrolled in Intune or managed using co-management (Intune + Configuration Manager).
-
-When you're planning your update strategy, you can use the update policies in Intune, or use Windows Autopatch. Intune gives more granular control, including when updates are installed. Windows Autopatch automatically applies updates as soon as they're available and lets admins focus on other tasks.
-
-For more information, go to:
-
-- [Windows Autopatch overview](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview)
-- [Windows Autopatch prerequisites](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites)
-- [Windows Autopatch FAQ](/windows/deployment/windows-autopatch/overview/windows-autopatch-faq)
-
-## Endpoint analytics
-
-Endpoint analytics is a cloud-native service that provides **metrics and recommendations on the health and performance** of your Windows client devices. If you use Configuration Manager, you can benefit from Endpoint Analytics insights by connecting to the cloud.
-
-You can get data on:
-
-- Startup performance
-- Device restart frequencies
-- A list of apps that affect end-user productivity
-- Recommendations on how to improve performance
-
-This information and more is shown in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-You can use Endpoint Analytics on devices that are managed with Intune or Configuration Manager connected to the cloud.
-
-For more information, go to:
-
-- [Endpoint analytics overview](../endpoint-analytics/index.md)
-- [Endpoint analytics scores, baselines, and insights](../endpoint-analytics/scores.md)
-- [Tutorial: Walkthrough the Microsoft Intune admin center](./tutorial-admin-center-walkthrough.md)
-- [Quickstart - Enroll Configuration Manager devices](../endpoint-analytics/configure.md)
-
-## Learn more
-
-- [Learn more about cloud-native endpoints](../solutions/cloud-native-endpoints/overview.md)
-- [Compare Microsoft 365 features and licensing](https://www.microsoft.com/licensing/product-licensing/microsoft-365-enterprise)
-- [Learn more about Microsoft Intune licensing](../fundamentals/licensing/index.md)
-- [Get started with Microsoft Intune](./get-started.md)
diff --git a/intune/fundamentals/filters/overview.md b/intune/fundamentals/filters/overview.md
index 6f3aac9eabc..528264e74b4 100644
--- a/intune/fundamentals/filters/overview.md
+++ b/intune/fundamentals/filters/overview.md
@@ -1,7 +1,7 @@
---
title: Create assignment filters in Microsoft Intune
description: Create assignment filters in Microsoft Intune to target policies based on device properties like OS version or manufacturer. Learn to create, update, and delete filters for managed devices and apps.
-ms.date: 02/10/2026
+ms.date: 05/19/2026
ms.topic: how-to
ms.reviewer: mattcall
ms.collection:
@@ -69,6 +69,18 @@ Before you apply a policy to an app or device, assignment filters dynamically ev
4. You see the assignment filter results based on the evaluation. For example, the app or policy applies, or it doesn't apply.
+### Assignment filters vs. dynamic groups
+
+If you're deciding between assignment filters and dynamic groups for device targeting, consider the following:
+
+- **Use assignment filters** when you're targeting Intune policies or apps based on device properties (OS, model, manufacturer, ownership, category). Filters evaluate at check-in with no further evaluation delay.
+- **Use dynamic groups** when you need cross-workload targeting (Conditional Access, licensing), Autopilot profile assignment, or user-based grouping.
+
+Many organizations use both: dynamic groups for cross-workload scenarios and assignment filters for Intune-specific device targeting.
+
+> [!NOTE]
+> Because assignment filters don't require group membership processing, policy targeting isn't affected by group size, rule complexity, or membership evaluation timing. For performance recommendations when working with groups and filters, go to [Performance recommendations for grouping, targeting, and filtering in large Microsoft Intune environments](./performance-recommendations.md).
+
### Restrictions
There are some general restrictions when creating assignment filters:
diff --git a/intune/fundamentals/filters/performance-recommendations.md b/intune/fundamentals/filters/performance-recommendations.md
index 14d0d0421c6..bbc794be7dc 100644
--- a/intune/fundamentals/filters/performance-recommendations.md
+++ b/intune/fundamentals/filters/performance-recommendations.md
@@ -1,7 +1,7 @@
---
title: Assignment Filter Performance Tips for Intune
description: Optimize Microsoft Intune performance with assignment filters. Learn to use virtual groups, reuse groups, and apply filters effectively. Improve policy deployment speed with incremental group changes, and use assignment filters to include and exclude.
-ms.date: 11/19/2025
+ms.date: 05/19/2026
ms.topic: article
ms.reviewer: mattcall
ms.collection:
@@ -127,6 +127,25 @@ This recommendation exists due to the timing/latency characteristic of dynamic g
Instead of mixed exclusions, we recommend assigning to a user group. Then, use assignment filters to dynamically include or exclude the appropriate devices.
+### Use assignment filters instead of dynamic groups for device property targeting
+
+| DO | DON'T |
+| --- | --- |
+| ✅ Use filters for simple device properties (OS type, manufacturer, model, ownership, device category). | ❌ Don't use dynamic groups for simple device properties when the group is only used by Intune. |
+
+Dynamic device groups that use simple property rules (like `device.deviceOSType -eq "Windows"` or `device.deviceOwnership -eq "Company"`) introduce additional processing steps without benefit when the group is only consumed by Intune. Assignment filters evaluate the same properties at device check-in — directly, without requiring group membership evaluation.
+
+For example, instead of creating a dynamic group with the rule `device.deviceOSType -eq "Windows"` and assigning a policy to that group, you can assign the policy to *All devices* and apply a filter with the rule `operatingSystemSKU -eq "Windows"`. The result is the same — but the filter is evaluated at check-in without depending on group membership processing.
+
+Consider migrating dynamic device groups to assignment filters when:
+
+- The group is **only used for Intune policy or app assignments** (not Conditional Access, licensing, or other services).
+- The group rule uses device properties that assignment filters [support](ref-device-properties.md), like OS version, manufacturer, model, ownership, or category.
+- You want to **simplify your targeting architecture** and reduce dependencies on group membership evaluation.
+
+> [!NOTE]
+> Dynamic groups remain necessary for Autopilot profile targeting, cross-workload scenarios (Conditional Access, licensing), and user-based grouping. For guidance on dynamic groups, go to [Create simpler, more efficient rules for dynamic groups in Microsoft Entra ID](/azure/active-directory/enterprise-users/groups-dynamic-rule-more-efficient).
+
## Summary
When creating and managing assignments in Intune, incorporate some of these recommendations. Use groups or virtual groups, and apply assignment filters to help refine the targeting scope. Keep the best practices in mind:
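Review bot: The example filter rule in the new "For example" paragraph, `operatingSystemSKU -eq "Windows"`, doesn't look like a working equivalent of the dynamic-group rule it replaces: as far as I know an assignment filter is scoped to one platform when it's created and the `operatingSystemSKU` property holds the Windows edition rather than the OS family, so a reader copying this rule as written would get a filter that matches nothing. Suggest rewording to `assign the policy to *All devices* and apply a filter created for the Windows platform; add a rule on a supported device property only if you need to narrow the scope further`, linking the property list already referenced in the bullet below. Since the recommended pattern pairs *All devices* with a filter, it would also help to add one sentence asking readers to check the filter preview before assigning, because a rule that matches more broadly than intended applies the policy to every matching device in the tenant rather than to a bounded group.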
diff --git a/intune/fundamentals/free-trial-sign-up.md b/intune/fundamentals/free-trial-sign-up.md
index dbaabab7dab..eb847838527 100644
--- a/intune/fundamentals/free-trial-sign-up.md
+++ b/intune/fundamentals/free-trial-sign-up.md
@@ -18,7 +18,7 @@ Sign up for a Microsoft Intune free trial to evaluate mobile device management f
When you complete the signup process, you automatically create a new tenant. A tenant is a dedicated instance of Microsoft Entra ID that hosts your Intune subscription. After creating the tenant, you can add users and groups, and assign licenses to users.
-The free trial is an Enterprise Mobility + Security (EMS) subscription, which includes Microsoft Entra ID P1 or P2 and Microsoft Intune. After the free trial is configured, you can [confirm your free trial licenses](./licensing/index.md#confirm-your-licenses).
+The free trial is an Enterprise Mobility + Security (EMS) subscription, which includes Microsoft Entra ID P1 or P2 and Microsoft Intune. After the free trial is configured, you can [confirm your free trial licenses](./licensing.md#confirm-your-licenses).
You also get access to the following admin centers, which are used by Intune admins:
diff --git a/intune/fundamentals/get-started.md b/intune/fundamentals/get-started.md
index 8d46622dab5..5bf5aa738ce 100644
--- a/intune/fundamentals/get-started.md
+++ b/intune/fundamentals/get-started.md
@@ -37,7 +37,7 @@ This article provides an overview of the steps to start your Intune deployment.
- Determine your license needs and any other prerequisites for your Intune deployment. The following list provides some of the most common prerequisites:
- - **[Intune subscription](./licensing/index.md)**: Included with some Microsoft 365 subscriptions. You also get access to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), which is a web-based console for managing your devices, apps, and users.
+ - **[Intune subscription](./licensing.md)**: Included with some Microsoft 365 subscriptions. You also get access to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), which is a web-based console for managing your devices, apps, and users.
- **[Microsoft 365 apps](https://www.microsoft.com/licensing/product-licensing/microsoft-365-apps)**: Included with Microsoft 365 and is used for productivity apps, including Outlook and Teams.
- **[Microsoft Entra ID](https://www.microsoft.com/security/business/microsoft-entra-pricing)**: Microsoft Entra ID is used for the identity management for users, groups, and devices. It comes with your Intune subscription and possibly your Microsoft 365 subscription.
diff --git a/intune/fundamentals/government-service.md b/intune/fundamentals/government-service.md
index eb789a0e857..d39e5748917 100644
--- a/intune/fundamentals/government-service.md
+++ b/intune/fundamentals/government-service.md
@@ -75,7 +75,7 @@ The following features are available and supported in Microsoft GCC High and/or
| Platform support | ✅
You can use the same operating systems - Android, Android Open Source Project (AOSP), iOS/iPadOS, Linux, macOS, and Windows.
- **Android (AOSP)**: There are some device restrictions. For more information, go to [Supported operating systems and browsers in Intune - AOSP](ref-supported-platforms.md#android). - **Linux**: Generally available (GA) in February 2024.|
| Windows Autopilot device preparation | ✅
Some features are available now, such as user-driven deployments, and some are still [in the planning phase](#in-the-planning-phase). For more information on the recent changes to Windows Autopilot device preparation, go to [Blog: Windows deployment with the next generation of Windows Autopilot](https://techcommunity.microsoft.com/t5/microsoft-intune-blog/windows-deployment-with-the-next-generation-of-windows-autopilot/ba-p/4148169).
To get started with Windows Autopilot device preparation, go to [Windows Autopilot Device Preparation overview](/autopilot/device-preparation/overview). |
| Log Analytics | ✅
You can send Intune log data to Azure Storage, Event Hubs, or Log Analytics.
For more information on this feature, go to [Send log data to storage, event hubs, or log analytics from Intune](../governance/integrate-azure-monitor.md). |
-| Microsoft Intune Plan 2 and Microsoft Intune Suite | For more information on these plans, go to [Use Intune Suite add-on capabilities](add-ons.md).
The following Plan 2 features support the GCC High and DoD environments: - [Microsoft Tunnel for Mobile Application Management](../device-security/microsoft-tunnel/mam.md) - [Firmware-over-the-air update](../device-updates/android/manage-fota.md) - [Specialty devices management](../device-management/specialty-devices.md) The following Microsoft Intune Suite features support the GCC High and DoD environments: - [Endpoint Privilege Management](../epm/overview.md) - [Advanced Analytics](../advanced-analytics/index.md)|
+| Microsoft Intune Plan 2 and Microsoft Intune Suite | For more information on these plans, go to [Microsoft Intune advanced capabilities](advanced-capabilities.md).
The following Plan 2 features support the GCC High and DoD environments: - [Microsoft Tunnel for Mobile Application Management](../device-security/microsoft-tunnel/mam.md) - [Firmware-over-the-air update](../device-updates/android/manage-fota.md) - [Specialty devices management](../device-management/specialty-devices.md) The following Microsoft Intune Suite features support the GCC High and DoD environments: - [Endpoint Privilege Management](../epm/overview.md) - [Advanced Analytics](../advanced-analytics/index.md)|
### In the planning phase
diff --git a/intune/fundamentals/includes/mfa-console.md b/intune/fundamentals/includes/mfa-console.md
index 07cd08d878b..25a48560d46 100644
--- a/intune/fundamentals/includes/mfa-console.md
+++ b/intune/fundamentals/includes/mfa-console.md
@@ -7,13 +7,13 @@ ms.author: brenduns
> [!IMPORTANT]
>
-> On October 15, 2024, Microsoft began enforcement of the Azure sign-in requirement to use multifactor authentication (MFA). When enforced, MFA is required for all users who sign-in to Intune admin center regardless of any roles they have or don’t have. The MFA requirements also apply to services that you access through the admin center, like Windows 365 Cloud PC, and to use of the Microsoft Azure portal and Microsoft Entra admin center. MFA requirements don’t apply to end users who access applications, websites, or services hosted on Azure where those users don’t sign-in to the admin center.
+> On October 15, 2024, Microsoft began enforcement of the Azure sign-in requirement to use multifactor authentication (MFA). When enforced, MFA is required for all users who sign-in to Intune admin center regardless of any roles they have or don't have. The MFA requirements also apply to services that you access through the admin center, like Windows 365 Cloud PC, and to use of the Microsoft Azure portal and Microsoft Entra admin center. MFA requirements don't apply to end users who access applications, websites, or services hosted on Azure where those users don't sign-in to the admin center.
>
-> The requirement to sign-in using MFA applies to all Intune subscriptions, including Plan 1 subscriptions with or without add-ons, and free trial subscriptions. The prerequisites and process required to configure MFA depend on the MFA method you choose to use for your tenant. Shortly after MFA is enabled for a tenant, subsequent sign-in attempts require the user to complete setup for using the configured MFA solution.
+> The requirement to sign-in using MFA applies to all Intune subscriptions, including free trial subscriptions. The prerequisites and process required to configure MFA depend on the MFA method you choose to use for your tenant. Shortly after MFA is enabled for a tenant, subsequent sign-in attempts require the user to complete setup for using the configured MFA solution.
>
> To learn more about the MFA requirement, see [Planning for mandatory multifactor authentication for Azure and admin portals](/entra/identity/authentication/concept-mandatory-multifactor-authentication) in the Microsoft Entra documentation.
>
-> In the Microsoft Entra planning article, you’ll find guidance and resources to help you [Prepare for multifactor authentication](/entra/identity/authentication/concept-mandatory-multifactor-authentication#prepare-for-multifactor-authentication), including methods to configure MFA including but not limited to:
+> In the Microsoft Entra planning article, you'll find guidance and resources to help you [Prepare for multifactor authentication](/entra/identity/authentication/concept-mandatory-multifactor-authentication#prepare-for-multifactor-authentication), including methods to configure MFA including but not limited to:
>
> - Conditional Access policies
> - The *MFA Wizard for Microsoft Entra ID* from the Microsoft 365 admin center
diff --git a/intune/fundamentals/index.yml b/intune/fundamentals/index.yml
index 3b9eab75584..8de38abeffc 100644
--- a/intune/fundamentals/index.yml
+++ b/intune/fundamentals/index.yml
@@ -55,7 +55,7 @@ landingContent:
- linkListType: concept
links:
- text: Identity management
- url: tenant-administration/identities.md
+ url: core-concepts.md#identities
- title: Plan and deploy
linkLists:
@@ -76,20 +76,20 @@ landingContent:
- text: Set up migration
url: setup-migration.md
- - title: Licensing and add-ons
+ - title: Plans and licensing
linkLists:
- linkListType: overview
links:
- text: Microsoft Intune licensing
- url: licensing/index.md
- - text: Intune Suite add-on capabilities
- url: add-ons.md
+ url: licensing.md
+ - text: Microsoft Intune advanced capabilities
+ url: advanced-capabilities.md
- linkListType: how-to-guide
links:
- text: Assign licenses to users
- url: licensing/assign-licenses.md
- - text: Allow unlicensed admins
- url: licensing/unlicensed-admins.md
+ url: assign-licenses.md
+ - text: Unlicensed admins access
+ url: licensing.md#unlicensed-admin-access
- title: Role-based access control
linkLists:
diff --git a/intune/fundamentals/licensing.md b/intune/fundamentals/licensing.md
new file mode 100644
index 00000000000..b35f815efb6
--- /dev/null
+++ b/intune/fundamentals/licensing.md
@@ -0,0 +1,135 @@
+---
+title: Microsoft Intune Licensing Plans and Options
+description: Microsoft Intune licensing options, plans, and the capabilities included with each Intune plan and Microsoft 365 license tier.
+author: paolomatarazzo
+ms.author: paoloma
+ms.reviewer: paoloma
+ms.date: 05/13/2026
+ms.topic: overview
+ms.collection: M365-identity-device-management
+---
+
+# Microsoft Intune licensing
+
+Microsoft Intune is licensed through three plans and is included in several Microsoft 365 bundles. This article describes the plans, license requirements for users and administrators, and how to confirm your licenses.
+
+## Microsoft Intune plans
+
+Intune capabilities are organized into three plans. The Intune documentation and the Microsoft Intune admin center use these names to indicate which capabilities require which plan:
+
+- **Microsoft Intune Plan 1**: the base service.\
+ Cloud-based unified endpoint management for devices and apps.
+- **Microsoft Intune Plan 2**: additive to Plan 1.\
+ Advanced endpoint management capabilities, including Remote Help and Advanced Analytics.
+- **Microsoft Intune Suite**: additive to Plan 1.\
+ Unifies advanced endpoint management and security capabilities. Includes Plan 2.
+
+Most organizations get Intune as part of a Microsoft 365 bundle (such as Microsoft 365 E3, E5, or E7) rather than buying these plans directly. For what each bundle includes, current pricing, and how to buy, see:
+
+- [Microsoft Intune plans and pricing](https://www.microsoft.com/security/business/microsoft-intune-pricing)
+- [Licensing options available with Microsoft 365](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans)
+
+Administrators don't always need an Intune license. For more information, see [Unlicensed admin access](#unlicensed-admin-access).
+
+## License requirements
+
+An Intune license is required for any user or device that benefits directly or indirectly from the Microsoft Intune service, including access through a [Microsoft API](/legal/microsoft-apis/terms-of-use). Intune is included only with the licenses listed on the [Microsoft Intune plans and pricing](https://www.microsoft.com/security/business/microsoft-intune-pricing) page.
+
+## Microsoft Intune for Education
+
+Intune Plan 1 for Education is included in the following licenses:
+
+- Microsoft 365 Education A5
+- Microsoft 365 Education A3
+
+For licensing information about Intune for Education, see [Microsoft 365 Education](/office365/servicedescriptions/office-365-platform-service-description/microsoft-365-education).
+
+## Device-only licenses
+
+Intune offers a *device-only subscription* for managing devices that aren't affiliated with specific users, such as kiosks, dedicated devices, phone-room devices, IoT, and other single-use devices.
+
+Assign device licenses based on your estimated usage. Device licenses apply when a device is enrolled through any of the following methods:
+
+- [Windows Autopilot Self-Deploying mode](/autopilot/self-deploying)
+- [Apple Device Enrollment Program without user affinity](../device-enrollment/apple/setup-automated-ios.md)
+- [Apple School Manager without user affinity](../device-enrollment/apple/school-manager.md)
+- [Apple Configurator without user affinity](../device-enrollment/apple/setup-configurator-ios.md)
+- [Android Enterprise dedicated](../device-enrollment/android/setup-dedicated.md)
+- [Using a device enrollment manager account](../device-enrollment/setup-enrollment-manager.md)
+
+### Device-only license limitations
+
+When a device is enrolled by using a device license, the following Intune functions aren't supported:
+
+- [Intune app protection policies](../app-management/protection/overview.md)
+- [Conditional Access](../device-security/conditional-access-integration/overview.md)
+- User-based management features, such as email and calendaring
+
+## Unlicensed admin access
+
+Administrators can sign in to and manage Microsoft Intune without an assigned Intune license. This access is enabled by default for tenants created after July 2021 and applies to all administrator roles, including Intune administrators and Microsoft Entra administrators. Tenants created before July 2021 can enable this option manually.
+
+Unlicensed admin access grants sign-in and management access to the Microsoft Intune admin center. It doesn't replace license requirements for other features and services. For example, features that depend on Microsoft Entra ID P1 or P2 still require the appropriate license.
+
+Whether you need to enable this setting depends on when your tenant was created:
+
+- **Tenants created after July 2021**: Unlicensed administrator access is supported by default. No action is required.
+- **Tenants created before July 2021**: Administrators require an Intune license unless the **Allow access to unlicensed admins** setting is enabled. This setting can't be undone after it's turned on.
+
+> [!IMPORTANT]
+> - Intune supports up to 1000 unlicensed admins per security group. If more than 1000 administrators are needed for a role assignment, use multiple security groups.
+> - Members of nested security groups aren't included in unlicensed admins access. If you keep nested security groups, admins in those nested groups still require an Intune license even when the unlicensed admins access is enabled.
+> - It can take up to 48 hours for access changes to take effect.
+
+### Enable unlicensed admin access for pre-July 2021 tenants
+
+Tenants created after July 2021 already have unlicensed admin access enabled by default. The following steps apply only to tenants created before July 2021.
+
+To enable this setting, use an account assigned the [Intune Administrator](/entra/identity/role-based-access-control/permissions-reference#intune-administrator) Microsoft Entra role. Because this role is privileged, use it only when necessary.
+
+1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Tenant administration** > **Roles** > **Administrator Licensing**.
+1. Select **Allow access to unlicensed admins**.
+1. Select **Yes** to allow access to unlicensed admins.
+
+After you enable this setting, users who sign in to the Microsoft Intune admin center don't require an Intune license. Roles assigned to users define their scope of access.
+
+## Co-management with Configuration Manager
+
+Most licenses that include Microsoft Intune also grant the rights to use Microsoft Configuration Manager, as long as the subscription remains active.
+
+To enroll existing Configuration Manager-managed devices into Intune at scale without user interaction, co-management uses a Microsoft Entra feature called auto-enrollment. This scenario requires:
+
+- **Microsoft Entra ID P1 or P2** assigned to each user.
+- **Microsoft Intune Plan 1**: included automatically with Microsoft Intune. You no longer need to assign individual Intune licenses for this scenario.
+
+You still need to assign Intune licenses for other enrollment scenarios.
+
+## Confirm your licenses
+
+A Microsoft Intune license is created for you when you sign up for the Intune free trial. As part of this trial, you also get a trial Enterprise Mobility + Security (EMS) subscription, which includes both Microsoft Entra ID P1 or P2 and Microsoft Intune.
+
+> [!NOTE]
+> If you don't have an Intune license, sign up for the [Intune free trial](./free-trial-sign-up.md).
+
+To confirm your Microsoft Intune license or trial:
+
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Tenant administration** > **Tenant status**. Under the **Tenant details** tab, you can see the **MDM authority**, the **Total licensed users**, and the **Total Intune licenses**.
+1. Select **Tenant administration** > **Roles** > **My permissions**.
+1. Confirm that you're an **administrator** with **full** permissions to **all** Intune resources.
+
+To confirm your Microsoft Entra ID P1 or P2 license:
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Select **Microsoft Entra ID**.
+1. Select **Overview**. On the **Overview** pane, select the **Overview** tab if it isn't already selected.
+1. Under **Basic information**, view your license.
+
+If you don't have a license for Microsoft Entra ID P1 or P2, see [Sign up for Microsoft Entra ID P1 or P2 editions](/azure/active-directory/fundamentals/active-directory-get-started-premium).
+
+## Related content
+
+- [Assign Intune licenses to your user accounts](assign-licenses.md)
+- [Microsoft Intune advanced capabilities](./advanced-capabilities.md)
+- [Set up Microsoft Intune (training module)](/training/modules/set-up-microsoft-intune?azure-portal=true)
+- [Microsoft Licensing portal](https://www.microsoft.com/licensing/default): latest information about product editions, licensing updates, and volume licensing plans.
\ No newline at end of file
diff --git a/intune/fundamentals/licensing/index.md b/intune/fundamentals/licensing/index.md
deleted file mode 100644
index 5ee6f0b9378..00000000000
--- a/intune/fundamentals/licensing/index.md
+++ /dev/null
@@ -1,131 +0,0 @@
----
-title: Licenses available for Microsoft Intune
-description: Intune is available with these licenses
-ms.date: 05/09/2024
-ms.topic: overview
-ms.collection:
-- M365-identity-device-management
----
-
-# Microsoft Intune licensing
-
-Microsoft Intune is available for different customer needs and organization sizes, from a simple-to-use management experience for schools and small businesses, to more advanced functionality required by enterprise customers. Most licenses that include Microsoft Intune also grant the rights to use Microsoft Configuration Manager, as long as the subscription remains active. An admin must have a license assigned to them to administer Intune unless [unlicensed admin access](unlicensed-admins.md) is available. Tenants created after July 2021 support unlicensed admins by default.
-
-## Microsoft Intune
-
-The following plans are available for Microsoft Intune.
-
-> [!IMPORTANT]
-> In addition to the plans described in this topic, see the following information about plans and pricing:
-> - [Discover Microsoft Intune Plans and Pricing](https://www.microsoft.com/security/business/microsoft-intune-pricing)
-> - [Licensing options available with Microsoft 365](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans)
- - Download the full Microsoft subscription comparison table and locate the plans that include Microsoft Intune
-
-### Microsoft Intune Plan 1
-
-A cloud-based unified endpoint management solution that is included in the following licenses:
-
-- Microsoft 365 E5
-- Microsoft 365 E3
-- Enterprise Mobility + Security E5
-- Enterprise Mobility + Security E3
-- Microsoft 365 Business Premium
-- Microsoft 365 F1
-- Microsoft 365 F3
-- Microsoft 365 Government G5
-- Microsoft 365 Government G3
-- Microsoft Intune for Education
-
-> [!NOTE]
-> For additional licensing information about Intune for Education, see [Microsoft 365 Education](/office365/servicedescriptions/office-365-platform-service-description/microsoft-365-education).
-
-### Microsoft Intune Plan 2
-
-An add-on to Microsoft Intune Plan 1 that offers advanced endpoint management capabilities. Intune Plan 2 is included in Microsoft Intune Suite.
-
-For information about trial and purchasing, see [Use Intune Suite add-on capabilities](../../fundamentals/add-ons.md).
-
-### Microsoft Intune Suite
-
-An add-on to Microsoft Intune Plan 1 that unifies mission-critical advanced endpoint management and security solutions.
-
-For information about trial and purchasing, see [Use Intune Suite add-on capabilities](../../fundamentals/add-ons.md).
-
-## Microsoft Intune for Education
-
-Intune Plan 1 for Education is included in the following licenses:
-
-- Microsoft 365 Education A5
-- Microsoft 365 Education A3
-
-## Licensing for Configuration Manager-managed devices in Intune
-
-For existing Configuration Manager-managed devices to enroll into Intune for co-management at scale without user interaction, co-management uses a Microsoft Entra feature called auto-enrollment. Auto-enrollment with co-management requires licenses for both Microsoft Entra ID P1 or P2 (AADP1) and Microsoft Intune Plan 1. Starting on December 1, 2019, you no longer need to assign individual Intune licenses for this scenario. Microsoft Intune now includes the Intune licenses for co-management. The separate AADP1 licensing requirement remains the same for this scenario to work. You still need to assign Intune licenses for other enrollment scenarios.
-
-## Additional information
-
-- A Microsoft Intune user and device subscription is available as a standalone, in addition to the bundles listed above.
-- A Microsoft Intune device-only subscription is available to manage kiosks, dedicated devices, phone-room devices, IoT, and other single-use devices that don't require user-based security and management features. For more information, see [Device-only licenses](#device-only-licenses).
-- The appropriate Microsoft Intune license is required if a user or device benefits directly or indirectly from the Microsoft Intune service, including access to the Microsoft Intune service through a [Microsoft API](/legal/microsoft-apis/terms-of-use).
-- Intune isn't included in licenses not in the previous tables.
-
-## Unlicensed admins
-
-For more information about giving administrators access to the Microsoft Intune admin center without them having an Intune license, see [Unlicensed admins](unlicensed-admins.md).
-
-## Device-only licenses
-
-Microsoft Intune offers a device-only subscription service that helps organizations manage devices that aren't affiliated with specific users.
-
-You can purchase device licenses based on your estimated usage. Microsoft Intune device licenses are applicable when a device is enrolled through any of the following methods:
-
-- [Windows Autopilot Self-Deploying mode](/autopilot/self-deploying)
-- [Apple Device Enrollment Program without user affinity](../../device-enrollment/apple/setup-automated-ios.md)
-- [Apple School Manager without user affinity](../../device-enrollment/apple/school-manager.md)
-- [Apple Configurator without user affinity](../../device-enrollment/apple/setup-configurator-ios.md)
-- [Android Enterprise dedicated](../../device-enrollment/android/setup-dedicated.md)
-- [Using a device enrollment manager account](../../device-enrollment/setup-enrollment-manager.md)
-
-> [!NOTE]
-> Visit the [Microsoft Licensing](https://www.microsoft.com/licensing/default) page, or contact your account representative if you have any questions or you would like to receive the latest information about product editions, product licensing updates, volume licensing plans, and other information related to your specific use cases.
-
-### Device-only license limitations
-
-When a device is enrolled by using a device license, the following Intune functions aren't supported:
-
-- [Intune app protection policies](../../app-management/protection/overview.md)
-- [Conditional Access](../../device-security/conditional-access-integration/overview.md)
-- User-based management features, such as email and calendaring
-
-## Confirm your licenses
-
-A Microsoft Intune license is created for you when you sign up for the Intune free trial. As part of this trial, you'll also have a trial Enterprise Mobility + Security (EMS) subscription. An Enterprise Mobility + Security (EMS) subscription includes both Microsoft Entra ID P1 or P2 and Microsoft Intune.
-
-> [!NOTE]
-> If you are unable to access this portal using the step below, or if you don't have an Intune license, you can sign up now for the [Intune free trial](../../fundamentals/free-trial-sign-up.md). When setting up Intune, you can give an administrators access to the Microsoft Intune admin center [without them requiring an Intune license](./unlicensed-admins.md).
-
-To confirm your Microsoft Intune license or trial, use the following steps:
-
-1. Sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Select **Tenant administration** > **Tenant status**.
- Under the **Tenant details** tab, you will see the **MDM authority**, the **Total licenses users**, and the **Total Intune licenses**.
-3. Select **Tenant administration** > **Roles** > **My permissions**.
-4. Confirm you are an **administrator** with **full** permissions to **all** Intune resources.
-
-> [!NOTE]
-> For more in-depth information about Microsoft Intune, see the learning module: [Set up Microsoft Intune](/training/modules/set-up-microsoft-intune?azure-portal=true).
-
-To check on your Microsoft Entra ID P1 or P2 license, use the following steps:
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-2. Select **Microsoft Entra ID**.
-3. Select **Overview**. On the **Overview** pane, select the **Overview** tab if it isn't already selected.
-4. Under **Basic information**, view your license.
-
-If you don't have a license for Microsoft Entra ID P1 or P2, see [Sign up for Microsoft Entra ID P1 or P2 editions](/azure/active-directory/fundamentals/active-directory-get-started-premium).
-
-## Next steps
-
-For the latest information about product editions, product licensing updates, volume licensing plans, and other information related to your specific use cases, see the [Microsoft Licensing](https://www.microsoft.com/licensing/default) page.
-
-For information about how user and device licenses affect access to services, as well as how to assign a license to a user, see the [Assign Intune licenses to your user accounts article](assign-licenses.md).
diff --git a/intune/fundamentals/licensing/media/unlicensed-admins/unlicensed-admins-01.png b/intune/fundamentals/licensing/media/unlicensed-admins/unlicensed-admins-01.png
deleted file mode 100644
index 879dac4952f..00000000000
Binary files a/intune/fundamentals/licensing/media/unlicensed-admins/unlicensed-admins-01.png and /dev/null differ
diff --git a/intune/fundamentals/licensing/toc.yml b/intune/fundamentals/licensing/toc.yml
deleted file mode 100644
index 963e2eb3d54..00000000000
--- a/intune/fundamentals/licensing/toc.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-items:
-- name: Manage Intune licenses
- items:
- - name: Determine license needs
- href: ./index.md
- - name: Assign licenses
- href: ./assign-licenses.md
- - name: Allow access to unlicensed admins
- href: ./unlicensed-admins.md
diff --git a/intune/fundamentals/licensing/unlicensed-admins.md b/intune/fundamentals/licensing/unlicensed-admins.md
deleted file mode 100644
index d0bf3e9e113..00000000000
--- a/intune/fundamentals/licensing/unlicensed-admins.md
+++ /dev/null
@@ -1,65 +0,0 @@
----
-title: Unlicensed administrator access to Microsoft Intune
-description: Learn about unlicensed administrator access in Microsoft Intune, including default behavior for newer tenants and how to enable it for older tenants.
-ms.date: 04/29/2026
-ms.topic: how-to
-ai-usage: ai-assisted
-ms.collection:
-- M365-identity-device-management
----
-
-# Unlicensed administrator access to Microsoft Intune
-
-Administrators can sign in to and manage Microsoft Intune without an assigned Intune license. This access is enabled by default for tenants created after July 2021 and applies to all administrator roles, including Intune administrators and Microsoft Entra administrators. Tenants created before July 2021 can enable this access manually.
-
-Unlicensed admin access grants sign-in and management access to the Microsoft Intune admin center. It doesn't replace license requirements for other features and services. For example, features that depend on Microsoft Entra ID P1 or P2 still require the appropriate license.
-
-Whether you need to enable this setting depends on when your tenant was created:
-
-- **Tenants created after July 2021**: Unlicensed administrator access is supported by default. No action is required.
-- **Tenants created before July 2021**: Administrators require an Intune license unless the **Allow access to unlicensed admins** setting is enabled. This setting can't be undone after it's turned on.
-
-## Prerequisites
-
-:::row:::
-:::column span="1":::
-[!INCLUDE [rbac](../../includes/requirements/rbac.md)]
-
-:::column-end:::
-:::column span="3":::
-> To enable this setting, use an account assigned the [Intune Administrator](/entra/identity/role-based-access-control/permissions-reference#intune-administrator) :::image type="icon" source="../../media/icons/16/privileged-label.svg" border="false"::: Microsoft Entra role. Because this role is privileged, use it only when necessary.
-:::column-end:::
-:::row-end:::
-
-> [!IMPORTANT]
-> - Intune supports up to 1000 unlicensed admins per security group. If more than 1000 administrators are needed for a role assignment, you can use multiple security groups.
-- Members of nested security groups aren't included in the unlicensed admins feature. If you prefer to retain nested security groups, admins in those nested groups still require an Intune license even when unlicensed admins setting is enabled.
-- It can take up to 48 hours for access changes to take effect.
-
-
-## Enable the setting for pre-July 2021 tenants
-
-Tenants created after July 2021 already have unlicensed admin access enabled by default. The following steps apply only to tenants created before July 2021.
-
-1. In the [Microsoft Intune admin center], select **Tenant administration** > **Roles** > **Administrator Licensing**.
-1. Select **Allow access to unlicensed admins**.
-
- > [!WARNING]
- > You can't undo this setting after selecting **Yes**.
-
-1. Select **Yes** to allow access to unlicensed admins.
-
- :::image type="content" alt-text="Screenshot of administrator licensing to allow unlicensed admins." source="./media/unlicensed-admins/unlicensed-admins-01.png" :::
-
-After you enable this setting, users who sign in to the Microsoft Intune admin center don't require an Intune license. Roles assigned to users define their scope of access.
-
-## Related content
-
-- [Role-based access control (RBAC) with Microsoft Intune](../../fundamentals/role-based-access-control/overview.md)
-- [Microsoft Intune licensing](../../fundamentals/licensing/index.md)
-
-
-
-[Microsoft Intune admin center]: https://go.microsoft.com/fwlink/?linkid=2109431
-[Intune role administrator]: ../../fundamentals/role-based-access-control-reference.md
-[Custom role]: ../../fundamentals/create-custom-role.md
diff --git a/intune/fundamentals/manage-apps.md b/intune/fundamentals/manage-apps.md
deleted file mode 100644
index f9096ed1a9a..00000000000
--- a/intune/fundamentals/manage-apps.md
+++ /dev/null
@@ -1,162 +0,0 @@
----
-title: Manage and secure apps overview
-description: Get an overview of the concepts and features you should know when managing apps that access organization resources in Microsoft Intune. You can deploy apps used by your organization, including Microsoft Edge and Microsoft 365. You can also configure apps, protect apps on organizations owned and BYOD personal devices, and update apps that you deploy.
-author: MandiOhlinger
-ms.author: mandia
-ms.date: 02/19/2025
-ms.topic: article
-ms.collection:
-- M365-identity-device-management
----
-
-# Learn about managing your apps and app data in Microsoft Intune
-
-Managing and protecting apps and their data is a significant part of any endpoint management strategy and solution. In most environments, users can install public retail apps and possibly access organization data from these apps. Many organizations also have their own private apps and line-of-business apps that need to be deployed & managed. They must make sure this app data stays within the organization.
-
-App management can be challenging and Intune can help. [Microsoft Intune is a cloud-based service](what-is-intune.md) that can manage many apps types. Using Intune, admins can deploy, configure, protect, and update apps that access your organization resources.
-
-:::image type="content" source="./media/manage-apps/manage-apps-with-intune.png" alt-text="Diagram that shows app management in the Microsoft Intune admin center, including deploying apps, and using app configuration policies & app protection policies for managed apps & personal apps." lightbox="./media/manage-apps/manage-apps-with-intune.png":::
-
-Microsoft Intune can manage apps on Android, iOS/iPadOS, macOS, and Windows client devices. So, you can use Intune's app management features across your many devices.
-
-From a service perspective, Intune uses Microsoft Entra ID for identity management. To use some apps, these Microsoft Entra user identities must have licenses assigned to them. The Microsoft Intune admin center can also help you manage licensing.
-
-This article discusses concepts and features you should consider when managing and securing apps.
-
-## Deploy apps your organization uses
-
-Organizations use many different types of apps, including store apps, line-of-business (LOB) apps, web apps, and more. You can add apps to Intune and then use its app policy management to deploy these apps to your devices.
-
-The app features in the Intune admin center make it easier to deploy these different kinds of apps.
-
-### ✅ Android devices
-
-The Intune admin center automatically connects to the public Play Store and gives you the ability to search for apps. You can also sync with your Managed Google Play account to access your Android Enterprise apps, including private apps.
-
-On Android devices, you can deploy:
-
-- Public and retail apps from the public Play Store
-- Managed Google Play apps to Android Enterprise devices
-- Web links to web apps
-- Built-in apps, which are apps automatically included and available in the Intune admin center
-- Custom line-of-business apps your organization creates
-- Android Enterprise system apps, which are apps typically included on Android devices
-
-If you use [Google Mobile Services (GMS)](https://www.android.com/gms/) (opens Android's web site), you can purchase licenses to GMS, which typically happens when you purchase Android devices. GMS gives users access to the public Play Store and its public apps.
-
-If your organization doesn't use [Google Mobile Services (GMS)](https://www.android.com/gms/) (opens Android's web site), then Intune can also manage devices using the Android Open Source Project (AOSP) platform.
-
-For more specific information, go to:
-
-- [How to use Intune in environments without Google Mobile Services](../app-management/manage-without-gms.md)
-- [Add Managed Google Play apps to Android Enterprise devices](../app-management/deployment/add-managed-google-play.md)
-- [Manage private Android apps in Google Play](https://support.google.com/a/answer/2494992) (opens Google's web site)
-- [Add built-in apps](../app-management/deployment/add-built-in.md)
-
-### ✅ iOS/iPadOS devices
-
-The Intune admin center automatically connects to the public App Store and gives you the ability to search for apps. You can also sync with your Apple Business Manager or Apple School Manager account to access your volume-licensed apps. When you sync, the apps you purchase (your licensed apps) are automatically shown in the Intune admin center.
-
-On iOS/iPadOS devices, you can deploy:
-
-- Public and retail apps from the public App Store
-- Volume-licensed apps using Apple Business Manager or Apple School Manager
-- Web clips, which are shortcuts to web site links that you can add to the home screen
-- Web links to web apps
-- Built-in apps, which are apps automatically included and available in the Intune admin center
-- Custom line-of-business apps your organization creates
-
-For more specific information, go to:
-
-- [Add iOS store apps](../app-management/deployment/add-store-ios.md)
-- [Manage iOS/iPadOS and macOS apps purchased through Apple Business Manager](../app-management/deployment/manage-vpp-apple.md)
-- [Add iOS/iPadOS LOB apps](../app-management/deployment/add-lob-ios.md)
-- [Add built-in apps](../app-management/deployment/add-built-in.md)
-
-### ✅ macOS devices
-
-The Intune admin center has built-in features that include apps commonly deployed to macOS, including Microsoft Edge and Microsoft 365 apps. You can also sync with your Apple Business Manager or Apple School Manager account to access your volume-licensed apps. When you sync, the apps you purchase (your licensed apps) are automatically shown in the Intune admin center.
-
-On macOS devices, you can deploy:
-
-- Volume-licensed apps using Apple Business Manager or Apple School Manager
-- Microsoft 365 apps, which include Word, Excel, PowerPoint, Outlook, OneNote, Teams, and OneDrive
-- Microsoft Edge version 77 and newer, which is the modern chromium version
-- Microsoft Defender for Endpoint, which is a cloud service that detects malicious intent and can help remediate security threats
-- Web links to web apps
-- Custom line-of-business apps your organization creates
-- Apple disk image (DMG) apps, which is a file that includes one or more apps to deploy
-- Unmanaged PKG Files (custom packages, unsigned packages, packages without a payload)
-
-For more specific information, go to:
-
-- [Manage iOS/iPadOS and macOS apps purchased through Apple Business Manager](../app-management/deployment/manage-vpp-apple.md)
-- [Assign Microsoft 365 to macOS devices](../app-management/deployment/add-microsoft-365-macos.md)
-- [Add macOS LOB apps](../app-management/deployment/add-lob-macos.md)
-- [Add macOS PKG apps](../app-management/deployment/add-unmanaged-pkg-macos.md)
-- [Add Microsoft Store apps to Microsoft Intune](../app-management/deployment/add-microsoft-store.md)
-
-### ✅ Windows devices
-
-The Intune admin center automatically connects to the public Microsoft Store and gives you the ability to search for apps.
-
-On Windows devices, you can deploy:
-
-- Public and retail apps from the Microsoft Store
-- Microsoft 365 apps, which include Word, Excel, PowerPoint, Outlook, OneNote, Teams, and OneDrive
-- Microsoft Edge version 77 and newer, which is the modern chromium version
-- Web links to web apps
-- Custom line-of-business apps your organization creates
-- Win32 apps
-
-For more specific information, go to:
-
-- [Add Microsoft 365 apps to Windows client devices](../app-management/deployment/add-microsoft-365-windows.md)
-- [Win32 app management](../app-management/deployment/win32.md)
-- [Add Microsoft Store apps to Microsoft Intune](../app-management/deployment/add-microsoft-store.md)
-
-## Configure apps before they're installed
-
-When an Android or iOS/iPadOS app is deployed to your users and devices, your users can be prompted for configuration information. Users might not know what to enter or you might have organization settings you want configured a certain way.
-
-App configuration policies give you these features. You can create app configuration policies that automatically configure apps. Depending on your policy settings, users might not need to enter any configuration information when they open the app.
-
-For example, in an app configuration policy, you can enter the app language, add your organization's logo, block apps from using personal accounts, and more.
-
-Your app configuration policies can be deployed at any time. If you want to configure apps before users open them the first time, then include the app configuration policy when users enroll their devices. During enrollment, your app configuration policies are automatically deployed and the apps include your configuration settings.
-
-For more specific information, go to [App configuration policies in Intune](../app-management/configuration/overview.md).
-
-## Protect apps on organization owned and personal devices
-
-App protection policies are a key part to protecting data in apps that access organization data. If user-owned personal devices are accessing your organization data, then you need app protection policies. Use these policies to protect email, protect shared files, protect access to meetings, and more.
-
-You can use Intune to create, configure, and deploy app protection policies to your users and your devices, including personally owned devices and devices managed by another MDM provider. Typically, organization owned devices are managed by your organization. If there are apps on these managed devices that require extra security, then you can also use app protection policies on these devices.
-
-App protection policies also help separate personal data from organization data. For example, you can create policies that block copy-and-paste between apps, require a PIN when opening an app, block backups to personal cloud services, and more.
-
-For more specific information, go to:
-
-- [App protection policies overview and benefits](../app-management/protection/overview.md)
-- [How to create and assign app protection policies](../app-management/protection/create-policy.md)
-
-## Update apps to the latest version
-
-Apps are often updated to include bug fixes, feature improvements, security updates, and more. When apps are deployed using Intune, most apps are automatically updated when there's an app update available. So, it's recommended to use Intune to deploy apps used by your organization.
-
-You can also use Windows Autopatch for automatic patching of Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams.
-
-If users install apps themselves, including from a public app store, then these apps need updated manually. In this situation, you can use app protection policies to enforce a minimum app version, and even wipe organization data on devices that don't meet your standards.
-
-For more information, go to:
-
-- [Add and update apps](../app-management/deployment/index.md)
-- [Windows Autopatch overview](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview)
-- [Wipe corporate data from Intune-managed apps](../app-management/protection/wipe-corporate-data.md)
-- [Selectively wipe data using app protection policy conditional launch actions](../app-management/protection/configure-conditional-launch.md)
-
-## Related articles
-
-- [Learn about managing identities in Intune](tenant-administration/identities.md)
-- [Learn about managing devices in Intune](manage-devices.md)
-- [Frequently asked questions about application management and app protection](../app-management/protection/mam-faq.yml)
diff --git a/intune/fundamentals/manage-devices.md b/intune/fundamentals/manage-devices.md
deleted file mode 100644
index a965a874d4e..00000000000
--- a/intune/fundamentals/manage-devices.md
+++ /dev/null
@@ -1,137 +0,0 @@
----
-title: Manage and secure devices overview
-description: Get an overview of the concepts and features you should know when managing devices that access organization resources in Microsoft Intune. You can manage new and existing devices, including BYOD personal devices, check health compliance and view reports, configure device features, and secure devices using mobile threat solutions.
-author: MandiOhlinger
-ms.author: mandia
-ms.date: 02/20/2025
-ms.topic: article
-ms.collection:
-- M365-identity-device-management
----
-
-# Learn about managing and securing your devices in Microsoft Intune
-
-Managing devices is a significant part of any endpoint management strategy and solution. Organizations have to manage desktops, laptops, tablets, mobile phones, wearables, and more. It can be a large task, especially if you're not sure where to start.
-
-Microsoft Intune can help. [Intune is a cloud-based service](what-is-intune.md) that can control devices through policy, including security policies.
-
-The goal of any organization that's managing devices is to secure devices and the data they access.
-
-:::image type="content" source="./media/manage-devices/manage-devices-with-intune.png" alt-text="Diagram that shows organization owned and personal devices in the Microsoft Intune admin center and using compliance policies and Conditional Access for resource access." lightbox="./media/manage-devices/manage-devices-with-intune.png":::
-
-Device management involves:
-
-- Configuring features built into the device, like enabling Bluetooth and preventing automatic connections to Wi-Fi hotspots
-- Securing the devices and preventing unauthorized access to organization resources from the devices, like using mobile threat defense and encrypting hard disks
-- Creating compliance rules that maintain device integrity, like setting a minimum OS version and preventing simple passwords
-- Being responsible for organization owned devices and personally owned devices that access your organization resources
-
-From a service perspective, Intune uses Microsoft Entra ID for device storage and permissions. Using the [Microsoft Intune admin center](tutorial-admin-center-walkthrough.md), you can manage device tasks and policies in a central location designed for endpoint management.
-
-This article discusses concepts and features you should consider when managing your devices.
-
-## Manage organization owned and personal devices
-
-Many organizations allow personally owned devices to access organization resources, including email and meetings. There are different options available and these options depend on how strict your organization is.
-
-You can require personal devices be enrolled in your organization's device management services. On these personal devices, your admins can deploy policies, set rules, and configure device features. Or, you can use app protection policies that focus on protecting app data, such as Outlook, Teams, and Sharepoint. You can also use a combination of device enrollment and app protection policies.
-
-Devices owned by your organization should be enrolled in your MDM service, like Intune. When enrolled, your admins create policies and set rules that protect data. Don't rely on end users to manage these devices.
-
-For more information and guidance, go to:
-
-- [Microsoft Intune planning guide](planning-guide.md)
-- [Deployment guide: Setup or move to Microsoft Intune](setup-migration.md)
-
-## Use your existing devices and use new devices
-
-You can manage new devices and existing devices. Intune supports Android, iOS/iPadOS, Linux, macOS, and Windows devices.
-
-There are some things you should know. For example, if another MDM provider manages your existing devices, then these devices might need to be factory reset. If the devices are using an older OS version, they might not be supported.
-
-If your organization is investing in new devices, then we recommend you start with a cloud approach using Intune.
-
-For more information and guidance, go to:
-
-- [Microsoft Intune planning guide](planning-guide.md)
-- [Deployment guide: Setup or move to Microsoft Intune](setup-migration.md)
-
-For more specific information by platform, go to:
-
-- [Android platform deployment guide](platform-guide-android.md)
-- [iOS/iPadOS platform deployment guide](platform-guide-ios-ipados.md)
-- [Linux enrollment deployment guide](../device-enrollment/guide-linux.md)
-- [macOS platform deployment guide](platform-guide-macos.md)
-- [Windows enrollment deployment guide](../device-enrollment/windows/guide.md)
-
-## Check the compliance health of your devices
-
-Device compliance is a significant part of managing devices. Your organization should set password/PIN rules and check for security features on these devices. You want to know which devices don't meet your rules. This task is where compliance comes in.
-
-You can create compliance policies that block simple passwords, require a firewall, set the minimum OS version, and more. You can use these policies and built-in reporting to see noncompliant devices and see the noncompliant settings on these devices. This information gives you an idea of the overall health of the devices accessing your organization resources.
-
-Conditional Access is a feature of Microsoft Entra ID. With Conditional Access, you can enforce compliance. For example, if a device doesn't meet your compliance rules, then you can block access to organization resources, including Outlook, SharePoint, and Teams. Conditional Access helps your organization secure your data and protect your devices.
-
-For more information, go to:
-
-- [Use compliance policies to set rules for devices you manage](../device-security/compliance/overview.md)
-- [Monitor results of your device compliance policies](../device-security/compliance/monitor-policy.md)
-- [Learn about Conditional Access and Intune](../device-security/conditional-access-integration/overview.md)
-
-## Control device features and assign policies to device groups
-
-All devices have features that you can control and manage using policies. For example, you can block the built-in camera, allow Bluetooth pairing, and manage the power button.
-
-For many organizations, it's common to create device groups. Device groups are Microsoft Entra groups that only include devices. They don't include user identities.
-
-When you have device groups, you create policies that focus on the device experience or task, like running a single app or scanning bar codes. You can also create policies that include settings that you want to always be on the device, regardless of who's using the device.
-
-You can group devices by OS platform, by function, by location, and other features you prefer.
-
-Device groups can also include devices that are shared with many users or aren't associated with a specific user. These dedicated or kiosk devices are typically used by frontline workers (FLW) and can also be managed by Intune.
-
-When the groups are ready, you can assign your policies to these device groups.
-
-For more information, go to:
-
-- [FLW device management in Intune](../solutions/frontline-worker/index.md)
-- [Get started with Microsoft 365 for frontline workers](/microsoft-365/frontline/flw-overview)
-- [Windows device settings to run as a dedicated kiosk using Intune](../device-configuration/templates/configure-kiosk.md)
-- [Control access, accounts, and power features on shared PC or multi-user devices using Intune](../device-configuration/templates/configure-shared-device.md)
-
-## Secure your devices
-
-To help secure your devices, you can install antivirus, scan & react to malicious activity, and enable security features.
-
-In Intune, some common security tasks include:
-
-- **Integrate with Mobile Threat Defense** (MTD) partners to help protect organization owned devices and personally owned devices. These MTD services scan the devices and can help remediate vulnerabilities.
-
- The MTD partners support different platforms, including Android, iOS/iPadOS, macOS, and Windows.
-
- For more specific information, go to [Mobile Threat Defense integration with Intune](../device-security/mobile-threat-defense/overview.md)
-
-- **Use security baselines** on your Windows devices. Security baselines are preconfigured settings that you can deploy to your devices. These baseline settings focus on security at a granular level and can also be changed to meet any organization specific requirements.
-
- If you're not sure where to start, then look at security baselines.
-
- For more specific information, go to:
-
- - [Use security baselines to configure Windows devices in Intune](../device-security/security-baselines/overview.md)
-
-- **Manage software updates, encrypt hard disks, configure built-in firewalls**, and more using built-in policy settings. You can also use Windows Autopatch for automatic patching of Windows, including Windows quality updates and Windows feature updates.
-
- For more information, go to:
-
- - [Manage endpoint security in Microsoft Intune](../device-security/endpoint-security-policies.md)
- - [Manage device security with endpoint security policies in Microsoft Intune](../device-configuration/endpoint-security/manage-policies.md)
- - [Windows Autopatch overview](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview)
-
-- **Manage devices remotely** using the Intune admin center. You can remotely lock, restart, locate a lost device, and restore a device to its factory settings. These tasks are helpful if a device is lost or stolen, or if you're remotely troubleshooting a device.
-
- For more information, go to [Remote actions in Intune](../device-management/actions/index.md).
-
-## Related articles
-
-- [Learn about managing identities in Intune](tenant-administration/identities.md)
-- [Learn about managing apps in Intune](manage-apps.md)
diff --git a/intune/fundamentals/media/architecture/cloud-control-plane-on.png b/intune/fundamentals/media/architecture/cloud-control-plane-on.png
new file mode 100644
index 00000000000..94bd1cb61b4
Binary files /dev/null and b/intune/fundamentals/media/architecture/cloud-control-plane-on.png differ
diff --git a/intune/fundamentals/media/architecture/cloud-control-plane.png b/intune/fundamentals/media/architecture/cloud-control-plane.png
new file mode 100644
index 00000000000..6819005a640
Binary files /dev/null and b/intune/fundamentals/media/architecture/cloud-control-plane.png differ
diff --git a/intune/fundamentals/media/architecture/connectors-and-extensions-on.png b/intune/fundamentals/media/architecture/connectors-and-extensions-on.png
new file mode 100644
index 00000000000..419b386ef6a
Binary files /dev/null and b/intune/fundamentals/media/architecture/connectors-and-extensions-on.png differ
diff --git a/intune/fundamentals/media/architecture/connectors-and-extensions.png b/intune/fundamentals/media/architecture/connectors-and-extensions.png
new file mode 100644
index 00000000000..c97085c9989
Binary files /dev/null and b/intune/fundamentals/media/architecture/connectors-and-extensions.png differ
diff --git a/intune/fundamentals/media/architecture/endpoint-family-services-on.png b/intune/fundamentals/media/architecture/endpoint-family-services-on.png
new file mode 100644
index 00000000000..c89a5b0390b
Binary files /dev/null and b/intune/fundamentals/media/architecture/endpoint-family-services-on.png differ
diff --git a/intune/fundamentals/media/architecture/endpoint-family-services.png b/intune/fundamentals/media/architecture/endpoint-family-services.png
new file mode 100644
index 00000000000..62302ceaf51
Binary files /dev/null and b/intune/fundamentals/media/architecture/endpoint-family-services.png differ
diff --git a/intune/fundamentals/media/architecture/intune-reference-architecture.png b/intune/fundamentals/media/architecture/intune-reference-architecture.png
new file mode 100644
index 00000000000..a557379b1ca
Binary files /dev/null and b/intune/fundamentals/media/architecture/intune-reference-architecture.png differ
diff --git a/intune/fundamentals/media/architecture/intunearchitecture_wh.png b/intune/fundamentals/media/architecture/intunearchitecture_wh.png
deleted file mode 100644
index f75ec978d86..00000000000
Binary files a/intune/fundamentals/media/architecture/intunearchitecture_wh.png and /dev/null differ
diff --git a/intune/fundamentals/media/architecture/managed-endpoints-on.png b/intune/fundamentals/media/architecture/managed-endpoints-on.png
new file mode 100644
index 00000000000..9bddc3b6117
Binary files /dev/null and b/intune/fundamentals/media/architecture/managed-endpoints-on.png differ
diff --git a/intune/fundamentals/media/architecture/managed-endpoints.png b/intune/fundamentals/media/architecture/managed-endpoints.png
new file mode 100644
index 00000000000..91d85ac149f
Binary files /dev/null and b/intune/fundamentals/media/architecture/managed-endpoints.png differ
diff --git a/intune/fundamentals/media/architecture/on-premises-services-on.png b/intune/fundamentals/media/architecture/on-premises-services-on.png
new file mode 100644
index 00000000000..d5e032fef39
Binary files /dev/null and b/intune/fundamentals/media/architecture/on-premises-services-on.png differ
diff --git a/intune/fundamentals/media/architecture/on-premises-services.png b/intune/fundamentals/media/architecture/on-premises-services.png
new file mode 100644
index 00000000000..80a6db79da7
Binary files /dev/null and b/intune/fundamentals/media/architecture/on-premises-services.png differ
diff --git a/intune/fundamentals/media/architecture/partner-ecosystem-on.png b/intune/fundamentals/media/architecture/partner-ecosystem-on.png
new file mode 100644
index 00000000000..2ddafd1e54e
Binary files /dev/null and b/intune/fundamentals/media/architecture/partner-ecosystem-on.png differ
diff --git a/intune/fundamentals/media/architecture/partner-ecosystem.png b/intune/fundamentals/media/architecture/partner-ecosystem.png
new file mode 100644
index 00000000000..947f7a0ca6f
Binary files /dev/null and b/intune/fundamentals/media/architecture/partner-ecosystem.png differ
diff --git a/intune/fundamentals/media/architecture/peer-integrations-on.png b/intune/fundamentals/media/architecture/peer-integrations-on.png
new file mode 100644
index 00000000000..65c5d7fde3d
Binary files /dev/null and b/intune/fundamentals/media/architecture/peer-integrations-on.png differ
diff --git a/intune/fundamentals/media/architecture/peer-integrations.png b/intune/fundamentals/media/architecture/peer-integrations.png
new file mode 100644
index 00000000000..f776fbdae07
Binary files /dev/null and b/intune/fundamentals/media/architecture/peer-integrations.png differ
diff --git a/intune/fundamentals/licensing/media/assign-licenses/i4e-sds-profile-setup-setting.png b/intune/fundamentals/media/assign-licenses/i4e-sds-profile-setup-setting.png
similarity index 100%
rename from intune/fundamentals/licensing/media/assign-licenses/i4e-sds-profile-setup-setting.png
rename to intune/fundamentals/media/assign-licenses/i4e-sds-profile-setup-setting.png
diff --git a/intune/fundamentals/licensing/media/assign-licenses/i4e-set-licenses.png b/intune/fundamentals/media/assign-licenses/i4e-set-licenses.png
similarity index 100%
rename from intune/fundamentals/licensing/media/assign-licenses/i4e-set-licenses.png
rename to intune/fundamentals/media/assign-licenses/i4e-set-licenses.png
diff --git a/intune/fundamentals/licensing/media/assign-licenses/posh-addlic-verify.png b/intune/fundamentals/media/assign-licenses/posh-addlic-verify.png
similarity index 100%
rename from intune/fundamentals/licensing/media/assign-licenses/posh-addlic-verify.png
rename to intune/fundamentals/media/assign-licenses/posh-addlic-verify.png
diff --git a/intune/fundamentals/media/device-lifecycle/device-lifecycle.png b/intune/fundamentals/media/device-lifecycle/device-lifecycle.png
deleted file mode 100644
index 9efed5908b6..00000000000
Binary files a/intune/fundamentals/media/device-lifecycle/device-lifecycle.png and /dev/null differ
diff --git a/intune/fundamentals/media/endpoint-management-microsoft.png b/intune/fundamentals/media/endpoint-management-microsoft.png
deleted file mode 100644
index 852e5ca957a..00000000000
Binary files a/intune/fundamentals/media/endpoint-management-microsoft.png and /dev/null differ
diff --git a/intune/fundamentals/media/manage-apps/manage-apps-with-intune.png b/intune/fundamentals/media/manage-apps/manage-apps-with-intune.png
deleted file mode 100644
index 384601684cf..00000000000
Binary files a/intune/fundamentals/media/manage-apps/manage-apps-with-intune.png and /dev/null differ
diff --git a/intune/fundamentals/media/manage-devices/manage-devices-with-intune.png b/intune/fundamentals/media/manage-devices/manage-devices-with-intune.png
deleted file mode 100644
index 9387ce65d43..00000000000
Binary files a/intune/fundamentals/media/manage-devices/manage-devices-with-intune.png and /dev/null differ
diff --git a/intune/fundamentals/media/shared/intune-overview.png b/intune/fundamentals/media/shared/intune-overview.png
new file mode 100644
index 00000000000..2f4ea9303d8
Binary files /dev/null and b/intune/fundamentals/media/shared/intune-overview.png differ
diff --git a/intune/fundamentals/media/docs-feedback.png b/intune/fundamentals/media/use-docs/docs-feedback.png
similarity index 100%
rename from intune/fundamentals/media/docs-feedback.png
rename to intune/fundamentals/media/use-docs/docs-feedback.png
diff --git a/intune/fundamentals/media/docs-filter-toc.gif b/intune/fundamentals/media/use-docs/docs-filter-toc.gif
similarity index 100%
rename from intune/fundamentals/media/docs-filter-toc.gif
rename to intune/fundamentals/media/use-docs/docs-filter-toc.gif
diff --git a/intune/fundamentals/media/docs-github-edit.png b/intune/fundamentals/media/use-docs/docs-github-edit.png
similarity index 100%
rename from intune/fundamentals/media/docs-github-edit.png
rename to intune/fundamentals/media/use-docs/docs-github-edit.png
diff --git a/intune/fundamentals/media/docs-search-engine.png b/intune/fundamentals/media/use-docs/docs-search-engine.png
similarity index 100%
rename from intune/fundamentals/media/docs-search-engine.png
rename to intune/fundamentals/media/use-docs/docs-search-engine.png
diff --git a/intune/fundamentals/media/docs-search-field.png b/intune/fundamentals/media/use-docs/docs-search-field.png
similarity index 100%
rename from intune/fundamentals/media/docs-search-field.png
rename to intune/fundamentals/media/use-docs/docs-search-field.png
diff --git a/intune/fundamentals/media/docs-search-rss.png b/intune/fundamentals/media/use-docs/docs-search-rss.png
similarity index 100%
rename from intune/fundamentals/media/docs-search-rss.png
rename to intune/fundamentals/media/use-docs/docs-search-rss.png
diff --git a/intune/fundamentals/media/what-is-device-management/device-management-features-mdm-mam.png b/intune/fundamentals/media/what-is-device-management/device-management-features-mdm-mam.png
deleted file mode 100644
index 33d758d5765..00000000000
Binary files a/intune/fundamentals/media/what-is-device-management/device-management-features-mdm-mam.png and /dev/null differ
diff --git a/intune/fundamentals/media/what-is-intune/what-is-intune.png b/intune/fundamentals/media/what-is-intune/what-is-intune.png
deleted file mode 100644
index 7176e9c30a5..00000000000
Binary files a/intune/fundamentals/media/what-is-intune/what-is-intune.png and /dev/null differ
diff --git a/intune/fundamentals/migrate-from-other-mdm.md b/intune/fundamentals/migrate-from-other-mdm.md
index b7723a3f0ae..bc4ce55e859 100644
--- a/intune/fundamentals/migrate-from-other-mdm.md
+++ b/intune/fundamentals/migrate-from-other-mdm.md
@@ -58,7 +58,7 @@ This article helps you move your mobile device management (MDM) from Microsoft 3
Before you move from Basic Mobility and Security device management to Intune device management:
-1. Make sure you have enough [Intune licenses](./licensing/index.md) to cover all your users managed by Basic Mobility and Security. If you don't have enough licenses, group your users by priority and assign licenses in stages.
+1. Make sure you have enough [Intune licenses](./licensing.md) to cover all your users managed by Basic Mobility and Security. If you don't have enough licenses, group your users by priority and assign licenses in stages.
1. Review the existing Basic Mobility and Security policies and [remove any policies](/microsoft-365/admin/security-and-compliance/m365b-devices-basic-mobility-security-turn-off) that you no longer need. Deleting unneeded policies reduces the number of new Intune policies you create.
The following articles list and describe the Basic Mobility and Security policies:
@@ -120,7 +120,7 @@ Next, assign the Intune policies to the groups you choose. Keep the following po
- Assign licenses to **Users**. For more information, see [Assign licenses to users](/microsoft-365/admin/manage/assign-licenses-to-users).
- Assign licenses to **Groups**. For more information, see [Assign licenses to a group](/microsoft-365/admin/manage/manage-group-licenses).
- For more information on assigning licenses in Intune, see [Assign licenses to users so they can enroll devices in Intune](./licensing/assign-licenses.md).
+ For more information on assigning licenses in Intune, see [Assign licenses to users so they can enroll devices in Intune](./assign-licenses.md).
At the next [Intune device refresh cycle](../device-configuration/troubleshoot-device-profiles.md#policy-refresh-intervals), the devices automatically switch to Intune management and the new policies start affecting user devices.
diff --git a/intune/fundamentals/planning-guide.md b/intune/fundamentals/planning-guide.md
index e6813fe42e4..dd6acaa2b1b 100644
--- a/intune/fundamentals/planning-guide.md
+++ b/intune/fundamentals/planning-guide.md
@@ -1,9 +1,9 @@
---
title: Planning guide to move to Microsoft Intune
description: Plan, design, implement, adopt, and move to Microsoft Intune. Get guidance and advice to determine goals, use-case scenarios and requirements, and create rollout and communication plans, support, testing, and validation plans.
-author: MandiOhlinger
-ms.author: mandia
-ms.date: 08/21/2025
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/13/2026
ms.topic: upgrade-and-migration-article
ms.reviewer: davguy
ms.collection:
@@ -29,11 +29,6 @@ This guide:
Use this guide to plan your move or migration to Intune.
-> [!TIP]
->
-> - Want to print or save this guide as a PDF? In your web browser, use the **Print** option, **Save as PDF**.
-> - [!INCLUDE [tips-guidance-plan-deploy-guides](../device-enrollment/includes/tips-guidance-plan-deploy-guides.md)]
-
## Step 1 - Determine your objectives
Organizations use mobile device management (MDM) and mobile application management (MAM) to control organization data securely, and with minimal disruption to users. When evaluating an MDM/MAM solution, like Microsoft Intune, look at what the goal is, and what you want to achieve.
@@ -125,11 +120,14 @@ In Intune, distributed IT benefits from the following features:
- When you use **[device enrollment categories](../device-management/create-device-categories.md)**, devices are automatically added to groups based on categories you create. This feature used Microsoft Entra dynamic groups, and helps make managing devices easier.
+ > [!TIP]
+ > If your goal is to target Intune policies based on device category, you can also use [assignment filters](filters/overview.md) with the `deviceCategory` property. Filters evaluate at check-in without depending on group membership processing.
+
When users enroll their device, they choose a category, like Sales, IT admin, point-of-sale device, and so on. When the devices are added to a category, these device groups are ready to receive your policies.
- When admins create policies, you can require **[multiple admin approval](role-based-access-control/multi-admin-approval.md)** for specific policies, including policies that run scripts or deploy apps.
-- **[Endpoint Privilege Management](../epm/overview.md)** allows standard non-admin user complete tasks that require elevated privileges, like installing apps and updating device drivers. Endpoint Privilege Management is part of the [Intune Suite](add-ons.md).
+- **[Endpoint Privilege Management](../epm/overview.md)** allows standard non-admin user complete tasks that require elevated privileges, like installing apps and updating device drivers. Endpoint Privilege Management is part of the [Intune Suite](advanced-capabilities.md).
✅ **Task: Determine how you want to distribute your rules and settings**
@@ -314,14 +312,20 @@ Managing devices is a relationship with different services. Intune includes the
Copilot in Intune is licensed through Microsoft Security Copilot. For more information, go to [Get started with Microsoft Security Copilot](/copilot/security/get-started-security-copilot).
-- **[Intune Suite](add-ons.md)** provides advanced endpoint management and security features, like remote help, Microsoft Cloud PKI, Endpoint Privilege Management, and more. The Intune Suite is available as a separate license.
+- **[Intune Suite](advanced-capabilities.md)** provides advanced endpoint management and security features, like remote help, Microsoft Cloud PKI, Endpoint Privilege Management, and more.
+
+**Starting July 2026, Suite capabilities are distributed across Microsoft 365 license tiers:**
+
+- **Microsoft 365 E3** includes Plan 2, Remote Help, and Advanced Analytics.
+- **Microsoft 365 E5 and E7** include everything in E3, plus Endpoint Privilege Management, Microsoft Cloud PKI, and Enterprise Application Management.
+- For customers on other plans, Suite is available as a separate subscription.
For more information, go to:
-- [Microsoft Intune licensing](./licensing/index.md)
+- [Microsoft Intune licensing](./licensing.md)
- [Microsoft 365 for business](https://www.microsoft.com/licensing/product-licensing/microsoft-365-business)
- [Microsoft 365 enterprise licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans)
-- [Microsoft Intune Suite](add-ons.md)
+- [Microsoft Intune advanced capabilities](advanced-capabilities.md)
✅ **Task: Determine the licensed services your organization needs**
@@ -331,7 +335,7 @@ Some considerations:
- Intune
- Intune is available with different subscriptions, including as a stand-alone service. For more information, go to [Microsoft Intune licensing](./licensing/index.md).
+ Intune is available with different subscriptions, including as a stand-alone service. For more information, go to [Microsoft Intune licensing](./licensing.md).
You currently use Configuration Manager, and want to set up co-management for your devices. Intune is already included in your Configuration Manager license. If you want Intune to fully manage new devices or existing co-managed devices, then you need a separate Intune license.
diff --git a/intune/fundamentals/platform-guide-android.md b/intune/fundamentals/platform-guide-android.md
index 215d7ea5e4a..c7ac9850929 100644
--- a/intune/fundamentals/platform-guide-android.md
+++ b/intune/fundamentals/platform-guide-android.md
@@ -19,7 +19,7 @@ Intune supports the mobile device management (MDM) of Android devices to give pe
Before you begin, complete these prerequisites to enable Android device management in Intune. For more detailed information about how to set up, onboard, or move to Intune, see the [Intune setup deployment guide](setup-migration.md).
* [Add users](tenant-administration/add-users.md) and [groups](tenant-administration/add-groups.md)
-* [Assign licenses to users](./licensing/assign-licenses.md)
+* [Assign licenses to users](./assign-licenses.md)
* [Set mobile device management authority](setup-mdm-authority.md)
We recommend you use the least privileged role that's needed to complete tasks. For example, the least privileged role that can complete device enrollment tasks is the built-in **Policy and Profile Manager** Intune role.
diff --git a/intune/fundamentals/platform-guide-ios-ipados.md b/intune/fundamentals/platform-guide-ios-ipados.md
index 5ec728dda29..bcf3125217b 100644
--- a/intune/fundamentals/platform-guide-ios-ipados.md
+++ b/intune/fundamentals/platform-guide-ios-ipados.md
@@ -21,7 +21,7 @@ Intune supports mobile device management (MDM) of iPads and iPhones to give user
Before you begin, complete these prerequisites to enable iOS/iPadOS device management in Intune. For more detailed information about how to set up, onboard, or move to Intune, see the [Intune setup deployment guide](setup-migration.md).
* [Add users](tenant-administration/add-users.md) and [groups](tenant-administration/add-groups.md)
-* [Assign licenses to users](./licensing/assign-licenses.md)
+* [Assign licenses to users](./assign-licenses.md)
* [Set mobile device management authority](setup-mdm-authority.md)
* [Set up Apple MDM push (APNs) certificate](../device-enrollment/apple/create-mdm-push-certificate.md)
diff --git a/intune/fundamentals/platform-guide-linux.md b/intune/fundamentals/platform-guide-linux.md
index 2188ce280db..faf65b60054 100644
--- a/intune/fundamentals/platform-guide-linux.md
+++ b/intune/fundamentals/platform-guide-linux.md
@@ -29,7 +29,7 @@ For each section in this guide, review the associated tasks. Some tasks are requ
Complete the following prerequisites as an Intune administrator to enable your tenant's endpoint management capabilities:
* [Add users](tenant-administration/add-users.md) and [groups](tenant-administration/add-groups.md)
-* [Assign licenses to users](./licensing/assign-licenses.md)
+* [Assign licenses to users](./assign-licenses.md)
* [Set mobile device management authority](setup-mdm-authority.md)
We recommend you use the least privileged role that's needed to complete tasks. For example, the least privileged role that can complete device enrollment tasks is the built-in **Policy and Profile Manager** Intune role.
diff --git a/intune/fundamentals/platform-guide-macos.md b/intune/fundamentals/platform-guide-macos.md
index bcc1f54067b..714bcc7469f 100644
--- a/intune/fundamentals/platform-guide-macos.md
+++ b/intune/fundamentals/platform-guide-macos.md
@@ -20,7 +20,7 @@ Secure access to work email, data, and apps on macOS devices. This article guide
Complete the following prerequisites to enable macOS device management in Intune:
* [Add users](tenant-administration/add-users.md) and [groups](tenant-administration/add-groups.md)
-* [Assign licenses to users](./licensing/assign-licenses.md)
+* [Assign licenses to users](./assign-licenses.md)
* [Set mobile device management authority](setup-mdm-authority.md)
* [Set up Apple MDM push (APNs) certificate](../device-enrollment/apple/create-mdm-push-certificate.md)
diff --git a/intune/fundamentals/platform-guide-windows.md b/intune/fundamentals/platform-guide-windows.md
index daea73f9fcf..44278065743 100644
--- a/intune/fundamentals/platform-guide-windows.md
+++ b/intune/fundamentals/platform-guide-windows.md
@@ -21,7 +21,7 @@ For each section in this guide, review the associated tasks. Some tasks are requ
Complete the following prerequisites to enable your tenant's endpoint management capabilities:
* [Add users](tenant-administration/add-users.md) and [groups](tenant-administration/add-groups.md)
-* [Assign licenses to users](./licensing/assign-licenses.md)
+* [Assign licenses to users](./assign-licenses.md)
* [Set mobile device management authority](setup-mdm-authority.md)
We recommend you use the least privileged role that's needed to complete tasks. For example, the least privileged role that can complete device enrollment tasks is the built-in **Policy and Profile Manager** Intune role.
diff --git a/intune/fundamentals/protection-configuration-levels.md b/intune/fundamentals/protection-configuration-levels.md
index 616c7639412..7b7b45d377f 100644
--- a/intune/fundamentals/protection-configuration-levels.md
+++ b/intune/fundamentals/protection-configuration-levels.md
@@ -218,10 +218,7 @@ This level focuses on enterprise-level services and features, and it can require
- Expand password-less authentication to other services in your organization, including certificate-based authentication, single sign-on for apps, multifactor authentication (MFA), and the Microsoft Tunnel VPN gateway.
- Use multifactor authentication (MFA) for an extra layer of security. MFA can help protect your organization from phishing attacks.
-- Expand Microsoft Tunnel by deploying Microsoft Tunnel for Mobile Application Management (Tunnel for MAM), which extends Tunnel support to iOS/iPadOS and Android devices that aren't enrolled with Intune. Tunnel for MAM is available as an Intune add-on.
-
- For information, see [Use Intune Suite add-on capabilities](./add-ons.md).
-
+- Expand Microsoft Tunnel by deploying Microsoft Tunnel for Mobile Application Management (Tunnel for MAM), which extends Tunnel support to iOS/iPadOS and Android devices that aren't enrolled with Intune. Tunnel for MAM is an advanced capability of Intune. For more information, see [Microsoft Intune advanced capabilities](./advanced-capabilities.md).
- Use Intune policy for Local Administrator Password Solution (LAPS) on macOS and Windows devices. LAPS policies help secure the local administrator account on your managed devices.
For information, see:
@@ -231,7 +228,7 @@ This level focuses on enterprise-level services and features, and it can require
- Protect Windows devices using Endpoint Privilege Management (EPM). EPM helps you run your organization's users as standard users (without administrator rights) and enables those same users to complete tasks that require elevated privileges.
- EPM is available as an Intune add-on. For information, see [Use Intune Suite add-on capabilities](./add-ons.md).
+ EPM is an advanced capability of Intune. For information, see [Microsoft Intune advanced capabilities](./advanced-capabilities.md).
- Configure device features that apply to the Windows firmware layer. Use Android common criteria mode.
- Configure specialized devices like kiosks and shared devices.
diff --git a/intune/fundamentals/role-based-access-control/assign-role.md b/intune/fundamentals/role-based-access-control/assign-role.md
index 42509f45f12..5fb5cb0017e 100644
--- a/intune/fundamentals/role-based-access-control/assign-role.md
+++ b/intune/fundamentals/role-based-access-control/assign-role.md
@@ -63,7 +63,7 @@ Before you deploy Intune roles, be familiar with [About Intune role assignments]
> When you assign a role to a group, every member of that group receives the permissions granted by that role. Only assign roles to groups for which you know the membership, and which don't include users that shouldn't receive the administrative privileges provided by the role.
> [!NOTE]
- > If your tenant allows [unlicensed admins](../licensing/unlicensed-admins.md), Intune role assignments only apply to direct members of the assigned security group. Members of nested groups do not receive these assignments by default. However, if a user in a nested group has an Intune license, that user will receive the Intune role.
+ > If your tenant allows [unlicensed admins](../licensing.md#unlicensed-admin-access), Intune role assignments only apply to direct members of the assigned security group. Members of nested groups do not receive these assignments by default. However, if a user in a nested group has an Intune license, that user will receive the Intune role.
Select **Next**.
diff --git a/intune/fundamentals/role-based-access-control/multi-admin-approval.md b/intune/fundamentals/role-based-access-control/multi-admin-approval.md
index 1d801870892..384658a4b55 100644
--- a/intune/fundamentals/role-based-access-control/multi-admin-approval.md
+++ b/intune/fundamentals/role-based-access-control/multi-admin-approval.md
@@ -42,7 +42,7 @@ By default, the administrators who participate in the MAA workflow must have an
> [!CAUTION]
> **This setting is irreversible.** Once enabled, you can't turn it off. Make sure your organization understands this limitation before proceeding.
-Before enabling this setting, review [Unlicensed admins](../licensing/unlicensed-admins.md) for important limits and behavior details, including group membership caps and how long access changes take to take effect.
+Before enabling this setting, review [Unlicensed admins](../licensing.md#unlicensed-admin-access) for important limits and behavior details, including group membership caps and how long access changes take to take effect.
### Role 1: Access policy manager
diff --git a/intune/fundamentals/role-based-access-control/overview.md b/intune/fundamentals/role-based-access-control/overview.md
index f4f45fb2073..411df6cf9a9 100644
--- a/intune/fundamentals/role-based-access-control/overview.md
+++ b/intune/fundamentals/role-based-access-control/overview.md
@@ -28,7 +28,7 @@ To view a role in the **Intune admin center**, go to **Tenant administration** >
- **Assignments**: Select an [assignment for a role](assign-role.md) to view details about it including the groups and scopes that the assignment includes. A role can have multiple assignments, and a user can receive multiple assignments.
> [!NOTE]
-> In June 2021, Intune began supporting [unlicensed admins](../licensing/unlicensed-admins.md). User accounts created after this change can administer Intune without an assigned license. Accounts created before this change and administrator accounts in a nested security group assigned to a role still require a license to manage Intune.
+> In June 2021, Intune began supporting [unlicensed admins](../licensing.md#unlicensed-admin-access). User accounts created after this change can administer Intune without an assigned license. Accounts created before this change and administrator accounts in a nested security group assigned to a role still require a license to manage Intune.
### Built-in roles
diff --git a/intune/fundamentals/service-description.md b/intune/fundamentals/service-description.md
deleted file mode 100644
index 668969c7612..00000000000
--- a/intune/fundamentals/service-description.md
+++ /dev/null
@@ -1,94 +0,0 @@
----
-title: Microsoft Intune Service Description
-description: Microsoft Intune is a cloud-based service that helps you manage Windows, iOS/iPadOS, macOS, and Android devices.
-author: MandiOhlinger
-ms.author: mandia
-ms.date: 02/03/2026
-ms.topic: article
-ms.reviewer: mmikkelson, cacamp
-ms.collection:
-- M365-identity-device-management
-- triage
----
-
-# Microsoft Intune service description
-
-Intune is a cloud-based endpoint management service that helps you manage and secure your organization's devices, apps, and data. By using Intune, you can:
-
-* Manage the mobile devices your workforce uses to access organization data.
-* Manage the client apps your workforce uses, including Microsoft 365 apps and many third-party partner apps.
-* Protect your organization information and data by managing the way your workforce accesses and shares it.
-* Ensure devices and apps are compliant with organization security requirements.
-
-Intune integrates closely with Microsoft Entra ID for identity and access control, and native and partner services for data & endpoint protection. You can also integrate Intune with Configuration Manager to extend your management capabilities.
-
-To learn more about how you can manage devices, apps, and protect corporate data with Intune, see [Microsoft Intune securely manages identities, apps, and devices](what-is-intune.md).
-
-## 30-day free trial
-
-You can start to use Intune with a 30-day free trial. To start your free trial, [go to the Intune Sign up page](https://admin.microsoft.com/Signup/Signup.aspx?OfferId=40BE278A-DFD1-470a-9EF7-9F2596EA7FF9&dl=INTUNE_A&ali=1#0%20). If your organization has an Enterprise Agreement or equivalent volume licensing agreement, contact your Microsoft representative to set up your free trial.
-
-If your organization has a Microsoft Online Services work or school account, and you might continue with this Intune subscription in production after the trial period ends, select the **Sign in** option on that page and authenticate by using the Microsoft Entra Global Administrator account for your organization. This action ensures that your Intune trial links to your existing work or school account.
-
-> [!IMPORTANT]
-> [!INCLUDE [global-admin](../includes/global-admin.md)]
-
-## Intune Onboarding benefit
-
-Microsoft offers the Intune Onboarding benefit for eligible services in eligible plans. The Onboarding benefit lets you work remotely with Microsoft specialists to get your Intune environment ready for use. For more about this benefit, see [Microsoft Intune Onboarding Benefit Description](/microsoft-365/fasttrack/introduction).
-
-## Learn how Intune service updates affect you
-
-Because the mobile device management ecosystem changes frequently with operating system updates and mobile app releases, Microsoft regularly updates Intune. You can learn about changes in the Intune service through the following sources:
-
-* [What's new in Microsoft Intune](../whats-new/index.md) is updated monthly and can be updated weekly when, for example, apps such as the Company Portal app are updated.
-
-* The [Microsoft Intune admin center](https://intune.microsoft.com) and the [Microsoft 365 admin center](https://admin.microsoft.com/) message centers announce service change notices and service health notices, including any issues in your environment that require action.
-
- - [**Microsoft 365 admin center**](https://admin.microsoft.com) Message Center notices are shown at **Health** > **Message center**.
- - [**Microsoft Intune admin center**](https://intune.microsoft.com) notices are shown at **Tenant administration** > **Tenant status** > **Service health and message center**.
-
- A few helpful hints:
-
- * The messages are typically targeted. So, if your organization doesn't have an Intune for Education offer, you won't receive messages about Intune for Education.
-
- * Messages expire. For example, the notification that your service is updated with a link to the What's new page likely expires before the next service update notification. Otherwise, you'd have a large backlog of posts that might no longer be relevant.
-
- * Install the [Microsoft 365 Admin mobile app](/microsoft-365/admin/admin-overview/admin-mobile-app) to receive notifications on your mobile device. You can search through all the messages and forward the notification to share it with others in your organization.
-
- * Under **Edit message center preferences**, you might see an **Intune** toggle so you can look at those messages posted to an Intune subscription. If you see **Mobile Device Management for Microsoft 365**, that service is different, not Intune.
-
- * Learn more about how to work with the [Microsoft 365 Message Center](/microsoft-365/admin/manage/message-center).
-
-* The following blogs share new features, capabilities, and best practices for Microsoft Intune:
-
- * [Microsoft Intune Blog](https://aka.ms/IntuneBlog)
- * [Intune Customer Success Blog](https://aka.ms/IntuneCustomerSuccess)
-
-> [!NOTE]
-> You can monitor Intune service health in the [Microsoft 365 admin center](https://admin.microsoft.com). Choose **Service Health** in the left pane. You can also use the [Microsoft 365 Admin mobile app](/microsoft-365/admin/admin-overview/admin-mobile-app) to view service health.
-
-## Types of notices Microsoft provides about the Intune service
-
-To help you plan for service changes, Microsoft notifies you at least 7-90 days prior to the service change, depending on the impact of the change. These changes might include any of the following types of change:
-
-- Changes to the end-user experience that you might want to share with your helpdesk staff or your end users. Microsoft typically provides 7 to 30 days' notice of those changes. For something like a spelling error fix, Microsoft typically doesn't call out the change in documentation. For a change in the end-user enrollment experience that's significant enough in the UI, Microsoft posts a message to customers. So, you're notified of what's changing and have time to evaluate and update your end-user guidance before the changes roll out in production.
-
- Changes that require you to take action are called **Plan for Change** and typically provide about 30 days' notice. In the Intune and Microsoft 365 message centers, the category specifically says **Plan for Change**. If Microsoft has an exact date for when the change is in production, there's an **Act By** date. That date gives you a visual queue and an explanation mark.
-
-- For most deprecations, Microsoft prefers to provide 90 days' notice of that deprecation. For example, if Microsoft is no longer going to support a feature, the goal is to provide 90 days' notice. Deprecations get complicated when it's another company announcing the deprecation. So, Microsoft lets customers know we're removing support as soon as possible, but the Microsoft notification to customers might be under the 90-day period.
-
-- In the event of Intune service retirement, you are notified 12 months in advance.
-
-- In the rare event there's any post-incident action needed to get your service back to normal or a large change that Microsoft deems potentially disruptive based on customer feedback, Microsoft emails the service administrators using your [Microsoft 365 communication preferences](/microsoft-365/admin/manage/change-address-contact-and-more). Be sure your preferences include a valid work email address.
-
-## Language support
-
-Intune runs in the Azure portal, which supports the following languages: Chinese (Simplified), Chinese (Traditional), Czech, Dutch, English, French, German, Hungarian, Indonesian, Italian, Japanese, Korean, Polish, Portuguese (Brazil), Portuguese (Portugal), Russian, Spanish, Swedish, and Turkish.
-
-In addition to all the languages that the Azure portal supports, the Microsoft Intune admin center and the user-facing mobile experiences support Danish, Greek, Finnish, Norwegian, and Romanian.
-
-## Related content
-
-- [Service information for Microsoft Intune release updates](servicing-information.md)
-- [What is Microsoft Intune](what-is-intune.md)
diff --git a/intune/fundamentals/servicing-information.md b/intune/fundamentals/servicing-information.md
index e8316231b4e..797d1045e12 100644
--- a/intune/fundamentals/servicing-information.md
+++ b/intune/fundamentals/servicing-information.md
@@ -39,7 +39,7 @@ In the following example, the tenant has the 2311 (November 2023) service releas
## Keep current with release features
-Keeping up to date about releases and changes is an important part of your Intune deployment. Intune provides several ways to stay current about latest updates:
+Microsoft updates Intune frequently to keep up with operating system updates and mobile app releases. Keeping up to date about releases and changes is an important part of your Intune deployment. Intune provides several ways to stay current about latest updates:
- **[What's new in Intune](../whats-new/index.md)**: Learn what's new in a Microsoft Intune release. When a feature is released, some information about that feature is added to this article. It also includes an overview of the current release, any notices, information about earlier releases, and other information.
@@ -55,13 +55,30 @@ Keeping up to date about releases and changes is an important part of your Intun
2. Go to **Tenant administration** > **Tenant status** > **Service health and message center**.
3. Under **Message center**, select any message to read it.
+- **[Microsoft 365 Admin mobile app](/microsoft-365/admin/admin-overview/admin-mobile-app)**: Receive service notifications on your mobile device.
- **Social media**: Get the latest announcements on X at `@IntuneSuppTeam`.
-For more information from the Intune support team, go to the following blog posts:
+For more information from the Intune support team and the broader Intune community, see the following blogs:
+- [Microsoft Intune Blog](https://aka.ms/IntuneBlog)
+- [Intune Customer Success Blog](https://aka.ms/IntuneCustomerSuccess)
- [Staying up to date on Intune new features, service changes, and service health](https://aka.ms/MEMServiceChangeBlog)
- [Tips and tricks for managing Intune](https://aka.ms/mem-tipsandtricks-blog)
+> [!NOTE]
+> Monitor Intune service health in the [Microsoft 365 admin center](https://admin.microsoft.com) under **Service Health**.
+
+## Advance notice for service changes
+
+| Type of change | Notice |
+|---|---|
+| End-user experience changes | 7–30 days |
+| **Plan for Change** notices that require admin action | About 30 days, with an **Act By** date when applicable |
+| Deprecations | Up to 90 days where possible (less when a third party announces the change) |
+| Service retirement | 12 months |
+
+For post-incident actions, Microsoft emails service administrators using the email address in your [Microsoft 365 communication preferences](/microsoft-365/admin/manage/change-address-contact-and-more).
+
## Privacy and personal data in Intune
You should understand how Intune collects, stores, retains, processes, secures, shares, audits, and exports personal data. Microsoft Intune doesn't use any personal data collected as part of providing the service for profiling, advertising, or marketing purposes.
@@ -79,3 +96,4 @@ The following resources can help you understand privacy and personal data in Int
- [Get started with Microsoft Intune](get-started.md)
- [Planning guide to move to Microsoft Intune](planning-guide.md)
- [Staying up to date on Intune new features, service changes, and service health](https://aka.ms/Intune/ServiceChangeBlog) *- Blog*
+- [Service information for Microsoft Intune release updates](servicing-information.md)
diff --git a/intune/fundamentals/setup-mdm-authority.md b/intune/fundamentals/setup-mdm-authority.md
index c3654a11636..47721d8e7f5 100644
--- a/intune/fundamentals/setup-mdm-authority.md
+++ b/intune/fundamentals/setup-mdm-authority.md
@@ -78,7 +78,7 @@ There are three major steps to enable coexistence:
Before enabling coexistence with Basic Mobility and Security, consider the following points:
-- Make sure you have sufficient [Intune licenses](./licensing/index.md) for the users you intend to manage through Intune.
+- Make sure you have sufficient [Intune licenses](./licensing.md) for the users you intend to manage through Intune.
- Review which users are assigned Intune licenses. After you enable coexistence, any user already assigned an Intune license will have their devices switch to Intune. To avoid unexpected device switches, we recommend not assigning any Intune licenses until you've enabled coexistence.
- Create and deploy Intune policies to replace device security policies that were originally deployed through the Office 365 Security & Compliance portal. This replacement should be done for any users you expect to move from Basic Mobility and Security to Intune. If there are no Intune policies assigned to those users, enabling coexistence may cause them to lose Basic Mobility and Security settings. These settings are lost without replacement, like managed email profiles. Even when replacing device security policies with Intune policies, users may be prompted to re-authenticate their email profiles after the device is moved to Intune management.
- You can't unprovision Basic Mobility and Security after you've set it up. However, there are steps you can take to turn off the policies. For more information, see [Turn off Basic Mobility and Security](/microsoft-365/admin/basic-mobility-security/turn-off).
diff --git a/intune/fundamentals/setup-migration.md b/intune/fundamentals/setup-migration.md
index 02ec0606668..ca7aad78c1b 100644
--- a/intune/fundamentals/setup-migration.md
+++ b/intune/fundamentals/setup-migration.md
@@ -26,9 +26,7 @@ Use this guide to determine the best migration approach, and get some guidance &
> [!TIP]
>
-> - [!INCLUDE [tips-guidance-plan-deploy-guides](../device-enrollment/includes/tips-guidance-plan-deploy-guides.md)]
->
-> - As a companion to this article, the Microsoft 365 admin center also has some setup guidance. The guide customizes your experience based on your environment. To access this deployment guide, go to the [Microsoft Intune setup guide in the Microsoft 365 admin center](https://go.microsoft.com/fwlink/?linkid=2224812), and sign in with the **Global Reader** (at a minimum). For more information on these deployment guides and the roles needed, go to [Advanced deployment guides for Microsoft 365 and Office 365 products](/microsoft-365/enterprise/setup-guides-for-microsoft-365).
+> As a companion to this article, the Microsoft 365 admin center also has some setup guidance. The guide customizes your experience based on your environment. To access this deployment guide, go to the [Microsoft Intune setup guide in the Microsoft 365 admin center](https://go.microsoft.com/fwlink/?linkid=2224812), and sign in with the **Global Reader** (at a minimum). For more information on these deployment guides and the roles needed, go to [Advanced deployment guides for Microsoft 365 and Office 365 products](/microsoft-365/enterprise/setup-guides-for-microsoft-365).
## Before you begin
diff --git a/intune/fundamentals/tenant-administration/add-groups.md b/intune/fundamentals/tenant-administration/add-groups.md
index b4426c052b7..7cefa72f129 100644
--- a/intune/fundamentals/tenant-administration/add-groups.md
+++ b/intune/fundamentals/tenant-administration/add-groups.md
@@ -3,9 +3,9 @@ title: Add groups to organize users and devices for Microsoft Intune
description: Create Microsoft Entra groups to organize users and devices for use with Microsoft Intune.
author: paolomatarazzo
ms.author: paoloma
-ms.date: 06/23/2025
+ms.date: 05/19/2026
ms.topic: how-to
-ms.reviewer: scottduf
+ms.reviewer: mattcall
ms.collection:
- M365-identity-device-management
---
@@ -57,7 +57,13 @@ These virtual groups provide an easy way to target all applicable users or devic
For example, you might deploy an Intune compliance policy to the *all devices* group to establish a minimum level of compliance requirements that all devices in your organization must meet. Later, you can deploy more requirements to specific Entra groups to apply extra requirements you might have for specific groups of devices or users.
> [!TIP]
-> Consider the use of **Filters** for groups within Intune. You can use Filters within Intune when assigning apps, policies, and profiles in Microsoft Intune to large groups like *All users* and *All devices*. Filters can help you dynamically control which devices or users receive the deployment. For information about using Filters, see:
+> Consider the use of **assignment filters** instead of dynamic device groups when your targeting is based on device properties like OS type, manufacturer, model, device ownership, or device category. Assignment filters evaluate directly at device check-in without depending on group membership processing, and can be combined with broad groups like *All devices* to narrow scope precisely.
+>
+> For example, instead of creating a dynamic group with the rule `device.deviceOSType -eq "Windows"`, you can assign a policy to *All devices* and apply a filter for Windows devices. The result is the same — but the filter is evaluated at check-in without requiring group membership evaluation.
+>
+> Dynamic groups remain the right choice when you need cross-workload targeting (Conditional Access, licensing), Autopilot profile assignment, or user-based grouping.
+>
+> For more information, see:
> - [Use filters when assigning your apps, policies, and profiles in Microsoft Intune](../filters/overview.md)
> - [Performance recommendations for Grouping, Targeting, and Filtering in large Microsoft Intune environments](../filters/performance-recommendations.md)
@@ -109,6 +115,9 @@ To create groups in the Microsoft Intune admin center:
> [!TIP]
> No specific Entra ID license is required for members of dynamic device groups.
+ > [!NOTE]
+ > Before creating a dynamic device group for Intune policy targeting, consider whether an [assignment filter](../filters/overview.md) can achieve the same result. If your rule targets device properties like OS type, manufacturer, model, ownership, or device category, an assignment filter evaluates at check-in without depending on group membership processing. For more information, go to [Performance recommendations for grouping, targeting, and filtering in large Microsoft Intune environments](../filters/performance-recommendations.md).
+
5. The *Owners* configuration is optional. By default, the user that creates a group is an owner. To add other owners, select **No owners selected** and then the **Users** tab, where you can then select one or more users to add as owners of this group.
3. Select **Create** to add the new group. Your group is shown in the list.
@@ -139,5 +148,5 @@ Use the following steps to delete an existing group:
## Related content
-- [Assign users licenses to Intune](../licensing/assign-licenses.md)
+- [Assign users licenses to Intune](../assign-licenses.md)
- [Assign Microsoft Intune roles to groups of users for role-based access control](../role-based-access-control/assign-role.md)
\ No newline at end of file
diff --git a/intune/fundamentals/tenant-administration/add-users.md b/intune/fundamentals/tenant-administration/add-users.md
index 849c6721a96..2f9e3de79cd 100644
--- a/intune/fundamentals/tenant-administration/add-users.md
+++ b/intune/fundamentals/tenant-administration/add-users.md
@@ -16,7 +16,7 @@ Microsoft Entra ID, part of Microsoft Entra, is the identity service for Microso
Intune also supports use of user accounts that synchronize from Active Directory to any cloud-based service that shares the tenant with Intune and your Entra tenant.
-After a user is added or synchronized to Entra and [assigned a license to Intune](../licensing/assign-licenses.md), that user can enroll devices with Intune and begin to access company resources. Intune administrators can also [assign Intune RBAC roles](../role-based-access-control/assign-role.md) and permissions to discreet groups of users to enable those users to help administer your Intune subscription.
+After a user is added or synchronized to Entra and [assigned a license to Intune](../assign-licenses.md), that user can enroll devices with Intune and begin to access company resources. Intune administrators can also [assign Intune RBAC roles](../role-based-access-control/assign-role.md) and permissions to discreet groups of users to enable those users to help administer your Intune subscription.
The remainder of this article focuses on using the Intune admin center to manage user accounts.
@@ -34,7 +34,7 @@ The following Microsoft Entra built-in RBAC role is the least privileged built-i
- [**User Administrator**](/entra/identity/role-based-access-control/permissions-reference#user-administrator) – This role provides permissions sufficient to add and edit user accounts from within the admin centers for Microsoft Intune, Microsoft Entra, and Microsoft 365.
> [!TIP]
-> The Microsoft Entra *User Administrator* role also provides sufficient permissions to assign licenses to Intune and other products to users. However, license management is a task that can only be managed when using the Microsoft 365 admin center. For more information, see [Assign Intune licenses to users](../licensing/assign-licenses.md).
+> The Microsoft Entra *User Administrator* role also provides sufficient permissions to assign licenses to Intune and other products to users. However, license management is a task that can only be managed when using the Microsoft 365 admin center. For more information, see [Assign Intune licenses to users](../assign-licenses.md).
## Add users to Intune
@@ -165,4 +165,4 @@ To delete users from Entra, your administrative account must have permissions eq
## Related content
- [Add groups to organize users and devices](../tenant-administration/add-groups.md)
-- [Assign users licenses to Intune](../licensing/assign-licenses.md)
+- [Assign users licenses to Intune](../assign-licenses.md)
diff --git a/intune/fundamentals/tenant-administration/identities.md b/intune/fundamentals/tenant-administration/identities.md
deleted file mode 100644
index fd5857760a2..00000000000
--- a/intune/fundamentals/tenant-administration/identities.md
+++ /dev/null
@@ -1,147 +0,0 @@
----
-title: Manage and secure user and group identities overview
-description: Get an overview of the concepts and features you should know when managing identities in Microsoft Intune. Use existing users and groups, control access using RBAC, establish user affinity, and secure and authenticate users.
-author: MandiOhlinger
-ms.author: mandia
-ms.date: 02/19/2025
-ms.topic: article
-ms.collection:
-- M365-identity-device-management
----
-
-# Learn about managing user and group identities in Microsoft Intune
-
-Managing and protecting user identities is a significant part of any endpoint management strategy and solution. Identity management includes the user accounts and groups that access your organization resources.
-
-:::image type="content" source="./media/identities/identities-different-user-types.png" alt-text="Diagram that shows adding users to the Microsoft Intune admin center and assigning policies to different user and device types in Microsoft Intune." lightbox="./media/identities/identities-different-user-types.png":::
-
-Admins have to manage account membership, authorize and authenticate access to resources, manage settings that affect user identities, and secure & protect the identities from malicious intent.
-
-Microsoft Intune can do all these tasks, and more. [Intune is a cloud-based service](../what-is-intune.md) that can manage user identities through policy, including security and authentication policies.
-
-From a service perspective, Intune uses Microsoft Entra ID for identity storage and permissions. Using the [Microsoft Intune admin center](../tutorial-admin-center-walkthrough.md), you can manage these tasks in a central location designed for endpoint management.
-
-This article discusses concepts and features you should consider when managing your identities.
-
-> [!IMPORTANT]
-> [!INCLUDE [windows-10-support](../../includes/windows-10-support.md)]
-
-## Use your existing users and groups
-
-A large part of managing endpoints is managing users and groups. If you have existing users and groups or will create new users and groups, Intune can help.
-
-In on-premises environments, user accounts and groups are created and managed in on-premises Active Directory. You can update these users and groups using any domain controller in the domain.
-
-It's a similar concept in Intune.
-
-The Intune admin center includes a central location to manage users and groups. The admin center is web-based and can be accessed from any device that has an internet connection. Admins just need to sign into the admin center with their Intune administrator account.
-
-An important decision is to determine how to get the user accounts and groups into Intune. Your options:
-
-- If you **currently use Microsoft 365** and have your users and groups in the Microsoft 365 admin center, then these users and groups are also available in the Intune admin center.
-
- Microsoft Entra ID and Intune use a **tenant**, which is your organization, like Contoso or Microsoft. If you have multiple tenants, sign into the Intune admin center in the same Microsoft 365 tenant as your existing users and groups. Your users and groups are automatically shown and available.
-
- For more information on what a tenant is, go to [Quickstart: Set up a tenant](/azure/active-directory/develop/quickstart-create-new-tenant).
-
-- If you **currently use on-premises Active Directory**, then you can use Microsoft Entra Connect to synchronize your on-premises AD accounts to Microsoft Entra ID. When these accounts are in Microsoft Entra ID, then they're also available in the Intune admin center.
-
- For more specific information, go to [What is Microsoft Entra Connect Sync?](/azure/active-directory/hybrid/how-to-connect-sync-whatis).
-
-- You can also **import existing users and groups** from a CSV file into the Intune admin center, or create the users and groups from scratch. When adding groups, you can add users and devices to these groups to organize them by location, department, hardware, and more.
-
- For more information on group management in Intune, go to [Add groups to organize users and devices](add-groups.md).
-
-By default, Intune automatically creates the **All users** and **All devices** groups. When your users and groups are available to Intune, then you can assign your policies to these users and groups.
-
-### Move from machine accounts
-
-When a Windows endpoint, like a Windows device, joins an on-premises Active Directory (AD) domain, a computer account is automatically created. The computer/machine account can be used to authenticate on-premises programs, services, and apps.
-
-These machine accounts are local to the on-premises environment and can't be used on devices that are joined to Microsoft Entra ID. In this situation, you need to switch to user-based authentication to authenticate to on-premises programs, services, and apps.
-
-For more information and guidance, go to [Known issues and limitations with cloud-native endpoints](../../solutions/cloud-native-endpoints/troubleshoot.md).
-
-## Roles and permissions control access
-
-For the different admin-type of tasks, Intune uses role-based access control (RBAC). The roles you assign determine the resources an admin can access in the Intune admin center, and what they can do with those resources. There are some built-in roles that focus on endpoint management, like Application Manager, and Policy and Profile Manager.
-
-Since Intune uses Microsoft Entra ID, you also have access to the built-in Microsoft Entra roles, like the Intune Service Administrator.
-
-Each role has its own create, read, update, or delete permissions as needed. You can also create custom roles if your admins need a specific permission. When you add or create your administrator-type of users and groups, you can assign these accounts to the different roles. The Intune admin center has this information in a central location and can be easily updated.
-
-For more information, go to [Role-based access control (RBAC) with Microsoft Intune](../role-based-access-control/overview.md)
-
-## Create user affinity when devices enroll
-
-When users sign into their devices the first time, the device becomes associated with that user. This feature is called **user affinity**.
-
-Any policies assigned or deployed to the user identity go with the user to all of their devices. When a user is associated with the device, they can access their email accounts, their files, their apps, and more.
-
-When you don't associate a user with a device, then the device is considered user-less. This scenario is common for kiosks devices dedicated to a specific task, and devices that are shared with multiple users.
-
-In Intune, you can create policies for both scenarios on Android, iOS/iPadOS, macOS, and Windows. When getting ready to manage these devices, be sure you know the intended purpose of the device. This information helps in the decision making process when devices are being enrolled.
-
-For more specific information, go to the enrollment guides for your platforms:
-
-- [Enrollment guide: Enroll Android devices in Microsoft Intune](../../device-enrollment/android/guide.md)
-- [Enrollment guide: Enroll iOS and iPadOS devices in Microsoft Intune](../../device-enrollment/apple/guide-ios-ipados.md)
-- [Enrollment guide: Enroll Linux desktop devices in Microsoft Intune](../../device-enrollment/guide-linux.md)
-- [Enrollment guide: Enroll macOS devices in Microsoft Intune](../../device-enrollment/apple/guide-macos.md)
-- [Enrollment guide: Enroll Windows devices in Microsoft Intune](../../device-enrollment/windows/guide.md)
-
-## Assign policies to users and groups
-
-On-premises, you work with domain accounts and local accounts, and then deploy group policies and permissions to these accounts at the local, site, domain, or OU level (LSDOU). An OU policy overwrites a domain policy, a domain policy overwrites a site policy, and so on.
-
-Intune is cloud-based. Policies created in Intune include settings that control device features, security rules, and more. These policies are assigned to your users and groups. There isn't a traditional hierarchy like LSDOU.
-
-The settings catalog in Intune includes thousands of settings to manage iOS/iPadOS, macOS, and Windows devices. If you currently use on-premises Group Policy Objects (GPOs), then using the settings catalog is a natural transition to cloud-based policies.
-
-For more information on policies in Intune, go to:
-
-- [Use the settings catalog to configure settings on Windows, iOS/iPadOS, and macOS devices](../../device-configuration/settings-catalog/index.md)
-- [Common questions and answers with device policies and profiles in Microsoft Intune](../../device-configuration/troubleshoot-device-profiles.md)
-
-## Secure your user identities
-
-Your user and group accounts access organization resources. You need to keep these identities secure and prevent malicious access to the identities. Here are some things to consider:
-
-- **Windows Hello for Business** replaces username and password sign-in and is part of a password-less strategy.
-
- Passwords are entered on a device and then transmitted over the network to the server. They can be intercepted and used by anyone and anywhere. A server breach can reveal stored credentials.
-
- With Windows Hello for Business, users sign in and authenticate with a PIN or biometric, like facial and fingerprint recognition. This information is stored locally on the device and isn't sent to external devices or servers.
-
- When Windows Hello for Business is deployed to your environment, you can use Intune to create Windows Hello for Business policies for your devices. These policies can configure PIN settings, allowing biometric authentication, use security keys, and more.
-
- For more information, go to:
-
- - [Windows Hello for Business Overview](/windows/security/identity-protection/hello-for-business/hello-overview)
- - [Manage Windows Hello for Business on devices when devices enroll with Intune](../../device-security/identity-protection/configure-tenant-wide-policy.md)
-
- To manage Windows Hello for Business, you use one of the following options:
-
- - [During device enrollment](../../device-security/identity-protection/configure-tenant-wide-policy.md): Configure tenant-wide policy that applies Windows Hello settings to devices at the time the device enrolls with Intune.
- - [Security baselines](../../device-security/security-baselines/overview.md): Some settings for Windows Hello can be managed through Intune's security baselines, like the **Microsoft Defender for Endpoint security** or **Security Baseline for Windows 10 and later** baselines.
- - [Settings catalog](../../device-configuration/settings-catalog/index.md): The settings from endpoint security account protection profiles are available in the Intune settings catalog.
-
-- **Certificate-based authentication** is also a part of a password-less strategy. You can use certificates to authenticate your users to applications and organization resources through a VPN, a Wi-Fi connection, or email profiles. With certificates, users don't need to enter usernames and passwords, and certificates can make access to these resources easier.
-
- For more information, go to [Use certificates for authentication in Microsoft Intune](../../fundamentals/certificates/overview.md).
-
-- **Multifactor authentication (MFA)** is a feature available with Microsoft Entra ID. For users to successfully authenticate, at least two different verification methods are required. When MFA is deployed to your environment, you can also require MFA when devices are enrolling into Intune.
-
- For more information, go to:
-
- - [Plan a Microsoft Entra multifactor authentication deployment](/azure/active-directory/authentication/howto-mfa-getstarted)
- - [Require multifactor authentication for Intune device enrollments](../../device-enrollment/configure-multifactor-authentication.md)
-
-- **Zero Trust** verifies all endpoints, including devices and apps. The idea is to help keep organization data in the organization, and prevent data leaks from accidental or malicious intent. It includes different feature areas, including Windows Hello for Business, using MFA, and more.
-
- For more information, see [Zero Trust with Microsoft Intune](../zero-trust.md).
-
-## Related articles
-
-- [Learn about managing devices in Intune](../manage-devices.md)
-- [Learn about managing apps in Intune](../manage-apps.md)
diff --git a/intune/fundamentals/tenant-administration/media/identities/identities-different-user-types.png b/intune/fundamentals/tenant-administration/media/identities/identities-different-user-types.png
deleted file mode 100644
index d9daf7a04b3..00000000000
Binary files a/intune/fundamentals/tenant-administration/media/identities/identities-different-user-types.png and /dev/null differ
diff --git a/intune/fundamentals/toc.yml b/intune/fundamentals/toc.yml
index dfccefad22f..00fda548088 100644
--- a/intune/fundamentals/toc.yml
+++ b/intune/fundamentals/toc.yml
@@ -5,28 +5,21 @@ items:
- name: What is Microsoft Intune
displayName: what is intune, mdm, mam, android, ios, ipados, macos, windows
href: ./what-is-intune.md
- - name: What is device management?
- href: ./what-is-device-management.md
- - name: Service description
- href: ./service-description.md
+ - name: Core concepts
+ href: ./core-concepts.md
+ displayName: identities, devices, apps, pillars, user affinity, RBAC, scope tags, MDM, MAM, MAM-WE, BYOD, app lifecycle, device groups, conditional access, zero trust
- name: Architecture
href: ./architecture.md
- displayName: architecture, diagram, components, design, svg, family, products,
- suite, on-premises, tunnel
- - name: Manage and secure identities
- displayName: what is intune, mdm, mam, android, ios, ipados, macos, windows
- href: ./tenant-administration/identities.md
- - name: Manage and secure devices
- displayName: what is intune, mdm, mam, android, ios, ipados, macos, windows
- href: ./manage-devices.md
- - name: Manage apps and protect data
- displayName: what is intune, mdm, mam, android, ios, ipados, macos, windows
- href: ./manage-apps.md
- - name: Endpoint management at Microsoft
- href: ./endpoint-management.md
- - name: Intune Suite add-ons
- href: ./add-ons.md
- displayName: intune suite, add-ons, premium
+ displayName: architecture, diagram, components, design, family, products,
+ suite, on-premises
+ - name: Intune advanced capabilities
+ href: ./advanced-capabilities.md
+ displayName: plans, intune suite, add-ons, premium, trial,
+ service description, advanced capabilities
+ - name: Microsoft Intune licensing
+ href: ./licensing.md
+ displayName: licensing, plans, pricing, EMS, education, configuration manager,
+ device-only, unlicensed admins, confirm license, language support
- name: Evaluate and try
items:
@@ -187,8 +180,8 @@ items:
href: ./tenant-administration/add-users.md
- name: Add groups
href: ./tenant-administration/add-groups.md
- - name: Manage Intune licenses
- href: ./licensing/toc.yml
+ - name: Assign licenses
+ href: ./assign-licenses.md
- name: Set the MDM authority
href: ./setup-mdm-authority.md
diff --git a/intune/fundamentals/tutorial-admin-center-walkthrough.md b/intune/fundamentals/tutorial-admin-center-walkthrough.md
index 7e06b1f7d68..dd5bbf5a483 100644
--- a/intune/fundamentals/tutorial-admin-center-walkthrough.md
+++ b/intune/fundamentals/tutorial-admin-center-walkthrough.md
@@ -31,13 +31,6 @@ Before setting up Microsoft Intune, review the following requirements:
- [Supported operating systems and browsers](ref-supported-platforms.md)
- [Network endpoints for Microsoft Intune](endpoints.md)
-## Sign up for a Microsoft Intune free trial
-
-Trying out Intune is free for 30 days. If you already have a work or school account, **sign in** with that account and add Intune to your subscription. Otherwise, you can [sign up for a free trial account](free-trial-sign-up.md) to use Intune for your organization.
-
-> [!IMPORTANT]
-> You can't combine an existing work or school account after you sign up for a new account.
-
## Tour Microsoft Intune in the Microsoft Intune admin center
Follow the steps below to better understand Intune in the Microsoft Intune admin center. Once you complete the tour, you'll have a better understanding of some of the major areas of Intune.
@@ -56,7 +49,7 @@ Follow the steps below to better understand Intune in the Microsoft Intune admin
Intune lets you manage your workforce's devices and apps, including how they access your company data. To use this mobile device management (MDM) service, the devices must first be enrolled in Intune. When a device is enrolled, it is issued an MDM certificate. This certificate is used to communicate with the Intune service.
- There are several methods to enroll your workforce's devices into Intune. Each method depends on the device's ownership (personal or corporate), device type (iOS/iPadOS, Windows, Android), and management requirements (resets, affinity, locking). However, before you can enable device enrollment, you must set up your Intune infrastructure. In particular, device enrollment requires that you [set your MDM authority](setup-mdm-authority.md). For more information about getting your Intune environment (tenant) ready, see [Set up Intune](deploy-setup-step-1.md). Once you have your Intune tenant ready, you can enroll devices. For more information about device enrollment, see [What is device enrollment?](/intune/fundamentals/deployment-guide-enrollment)
+ There are several methods to enroll your workforce's devices into Intune. Each method depends on the device's ownership (personal or corporate), platform (iOS/iPadOS, Windows, Android), and management requirements (resets, affinity, locking). However, before you can enable device enrollment, you must set up your Intune infrastructure. In particular, device enrollment requires that you [set your MDM authority](setup-mdm-authority.md). For more information about getting your Intune environment (tenant) ready, see [Set up Intune](deploy-setup-step-1.md). Once you have your Intune tenant ready, you can enroll devices. For more information about device enrollment, see [Enroll devices in Microsoft Intune](../device-enrollment/enroll-devices.md).
3. From the navigation pane, select **Devices** to display details about the enrolled devices in your Intune tenant.
@@ -230,9 +223,13 @@ The Microsoft Intune portal settings can be modified. On the **Microsoft Intune
:::image type="content" alt-text="Screenshot of the Microsoft Intune admin center - Portal settings." source="./media/tutorial-admin-center-walkthrough/tutorial-walkthrough-mem-17.png" lightbox="./media/tutorial-admin-center-walkthrough/tutorial-walkthrough-mem-17.png":::
+### Available languages
+
+The Microsoft Intune admin center and the user-facing mobile experiences are available in: Chinese (Simplified), Chinese (Traditional), Czech, Danish, Dutch, English, Finnish, French, German, Greek, Hungarian, Indonesian, Italian, Japanese, Korean, Norwegian, Polish, Portuguese (Brazil), Portuguese (Portugal), Romanian, Russian, Spanish, Swedish, and Turkish.
+
## Next steps
-To get running quickly on Microsoft Intune, step through the Intune Quickstarts by first setting up a free Intune account.
+After exploring the admin center, try the step-by-step Intune tasks to enroll a device, deploy a configuration profile, and assign an app.
> [!div class="nextstepaction"]
-> [Quickstart: Try Microsoft Intune for free](free-trial-sign-up.md)
+> [Try Intune tasks](try-overview.md)
diff --git a/intune/fundamentals/use-docs.md b/intune/fundamentals/use-docs.md
index 83b9cc056e6..a3f29570d3f 100644
--- a/intune/fundamentals/use-docs.md
+++ b/intune/fundamentals/use-docs.md
@@ -48,11 +48,11 @@ Use the following search tips to help you find the information that you need:
- **Search** in the upper right corner. To search all articles, enter terms in this field. Articles in this content library automatically include one of the following search scopes: `ConfigMgr`, `Intune`, or `Autopilot`.
- :::image type="content" source="media/docs-search-field.png" alt-text="Docs search field in header.":::
+ :::image type="content" source="media/use-docs/docs-search-field.png" alt-text="Docs search field in header.":::
- **Filter by title** above the left table of contents. To search the current table of contents, enter terms in this field. This field only matches terms that appear in the article titles for the current node. For example, **Configuration Manager Core Infrastructure** (`learn.microsoft.com/mem/configmgr/core`) or **Intune Apps** (`https://learn.microsoft.com/mem/intune/apps/`). The last item in the search results gives you the option to search for the terms in the entire content library.
- :::image type="content" source="media/docs-filter-toc.gif" alt-text="Animation of using the table of contents filter.":::
+ :::image type="content" source="media/use-docs/docs-filter-toc.gif" alt-text="Animation of using the table of contents filter.":::
Having problems finding something? [File feedback!](#about-feedback) When you file an issue about search results, provide the search engine you're using, the keywords you tried, and the target article. This feedback helps Microsoft optimize the content for better search.
@@ -79,7 +79,7 @@ With many modern web browsers, you can create a custom search engine. Use this f
>
> The Microsoft technical documentation search engine requires a locale in the address. For example, `en-us`. You can change your entry to use a different locale.
- :::image type="content" source="media/docs-search-engine.png" alt-text="Add to Microsoft Edge a custom search engine for Microsoft technical documentation.":::
+ :::image type="content" source="media/use-docs/docs-search-engine.png" alt-text="Add to Microsoft Edge a custom search engine for Microsoft technical documentation.":::
After you add this search engine, type your keyword in the browser address bar, press `Tab`, then type your search terms, and press `Enter`. It will automatically search Microsoft technical documentation for your specified terms using the defined scope.
@@ -87,7 +87,7 @@ After you add this search engine, type your keyword in the browser address bar,
Select the **Feedback** link in the upper right of any article or go to the Feedback section at the bottom.
-:::image type="content" source="media/docs-feedback.png" alt-text="Screenshot of the feedback section of a Microsoft Learn article.":::
+:::image type="content" source="media/use-docs/docs-feedback.png" alt-text="Screenshot of the feedback section of a Microsoft Learn article.":::
### Types of feedback
@@ -122,7 +122,7 @@ To receive notifications when content changes in the documentation library, use
1. At the bottom of the list of results, select the **RSS** link.
- :::image type="content" source="media/docs-search-rss.png" alt-text="Screenshot of search results and RSS link.":::
+ :::image type="content" source="media/use-docs/docs-search-rss.png" alt-text="Screenshot of search results and RSS link.":::
1. Use this feed in an RSS application to receive notifications when there's a change to any of the search results. Refer to the RSS application's documentation on how to configure and tune it.
@@ -141,7 +141,7 @@ The Microsoft Intune product family documentation library, like most Microsoft t
1. To edit the source file, select the pencil icon.
- :::image type="content" source="media/docs-github-edit.png" alt-text="Screenshot of GitHub source file header.":::
+ :::image type="content" source="media/use-docs/docs-github-edit.png" alt-text="Screenshot of GitHub source file header.":::
1. Make changes in the markdown source. For more information, see [How to use Markdown in Microsoft Learn articles](/contribute/markdown-reference).
diff --git a/intune/fundamentals/what-is-device-management.md b/intune/fundamentals/what-is-device-management.md
deleted file mode 100644
index 9d645f6ddb4..00000000000
--- a/intune/fundamentals/what-is-device-management.md
+++ /dev/null
@@ -1,90 +0,0 @@
----
-title: What is device management?
-description: Learn more about what device management means and how it can help organizations, including Microsoft 365 small & medium business, and enterprise. See a list of features and benefits, including mobile device management (MDM) and mobile application management (MAM), and learn about Microsoft Intune.
-author: MandiOhlinger
-ms.author: mandia
-ms.date: 02/26/2025
-ms.topic: overview
-ms.reviewer: davguy
-ms.collection:
-- M365-identity-device-management
----
-
-# What does device management mean for organizations?
-
-**Device management** enables organizations to administer and maintain devices, including virtual machines, physical computers, mobile devices, and IoT devices. Device management is a critical component of any organization's security strategy. It helps admins ensure that devices are secure, up-to-date, and compliant with organizational policies, with the goal of protecting the corporate network and data from unauthorized access.
-
-As organizations support remote and hybrid workforces, it's more important than ever to have a solid device management strategy. Organizations must protect and secure their resources and data on any device.
-
-:::image type="content" source="./media/what-is-device-management/device-management-features-mdm-mam.png" alt-text="Diagram that shows the features and benefits of modern device management using MDM and MAM with Microsoft Intune." lightbox="./media/what-is-device-management/device-management-features-mdm-mam.png":::
-
-This article describes the features and benefits of device management, and how it can help organizations, including Microsoft 365 small & medium business, and enterprise. It also describes the different approaches to device management, including mobile device management (MDM) and mobile application management (MAM), and how Microsoft Intune can help.
-
-## Features and benefits
-
-Device management solutions have the following features and benefits:
-
-> [!div class="checklist"]
->
-> * The toolset to manage devices, including the ability to deploy and update software, configure settings, enforce policies, and monitor with data and reports
-> * The ability to administer and manage virtual and physical devices, regardless of their physical location
-> * Maintain a network of devices running common operating systems, including Windows, macOS, iOS/iPadOS, Linux, and Android
-> * Automate policy management and deployment for apps, device features, security, and compliance
-> * Optimize device features for business use
-> * Provide a single point of management for devices, including the ability to manage devices from a central console
-> * Secure and protect data on devices, including safeguards and measures to prevent unauthorized access
-
-With device management solutions, organizations can make sure that only authorized people and devices get access to proprietary information. Similarly, device users can feel at ease accessing work data from their phone, because they know their device meets their organization's security requirements.
-
-As an organization, you might ask - **What should we use to protect our resources?**.
-
-## Microsoft Intune is a world class device management solution
-
-Many organizations, including Microsoft, use Intune to secure proprietary data that users access from their company-owned and personally-owned devices. Intune includes device and app policies, software update policies, and installation statuses (charts, tables, and reports). These resources help you secure and monitor data access.
-
-With Intune, you can manage multiple devices per person, and the different platforms that run on each device, including Android, iOS/iPadOS, Linux, macOS, and Windows. Intune separates policies and settings by device platform. So it's easy to manage and view devices of a specific platform.
-
-For more information about Intune and its benefits, go to:
-
-- [Microsoft Intune planning guide](planning-guide.md)
-- [What is Intune?](what-is-intune.md)
-- [Get started with Microsoft Intune](get-started.md)
-
-### Cloud attach your on-premises Configuration Manager
-
-Many organizations use on-premises Configuration Manager to manage devices, including desktops and servers. You can cloud-attach your on-premises Configuration Manager to Microsoft Intune. When you cloud-attach, you get the benefits of Intune and the cloud, including [Conditional Access](../configmgr/comanage/quickstart-conditional-access.md), [running remote actions](../configmgr/comanage/quickstart-remote-actions.md), [using Windows Autopilot](../configmgr/comanage/quickstart-autopilot.md), and more.
-
-For more information, go to:
-
-- [What is co-management](../configmgr/comanage/overview.md)
-- [Configuration Manager tenant attach](../configmgr/tenant-attach/device-sync-actions.md)
-
-## Choose the device management solution that's right for you
-
-There are a couple of ways to approach device management.
-
-✅ **Mobile device management (MDM)**
-
-First, you can manage different aspects of devices using the features built in to Intune. This approach is called mobile device management (MDM).
-
-Users "enroll" their devices, and use certificates to communicate with Intune. As an IT administrator, you push apps on devices, restrict devices to a specific operating system, block personal devices, and more. If a device is ever lost or stolen, you can also remove all data from the device.
-
-✅ **Mobile application management (MAM)**
-
-In the second approach, you manage apps on devices. This approach is called mobile application management (MAM).
-
-Users can use their personal devices to access organizational resources. When users open an app, such as Outlook or Teams, they can be prompted to authenticate. If a device is ever lost or stolen, you can remove all organization data from the Intune managed applications.
-
-You can also use a combination of MDM and MAM together.
-
-For more information, go to:
-
-- [What is Intune?](what-is-intune.md)
-- [Microsoft Intune planning guide](planning-guide.md)
-
-## Related articles
-
-- [Microsoft Intune planning guide](planning-guide.md)
-- [Manage user and group identities in Microsoft Intune](tenant-administration/identities.md)
-- [Manage your devices and control device features in Microsoft Intune](manage-devices.md)
-- [Manage your apps and app data in Microsoft Intune](manage-apps.md)
diff --git a/intune/fundamentals/what-is-intune.md b/intune/fundamentals/what-is-intune.md
index b6090e9f50c..3b179a0406a 100644
--- a/intune/fundamentals/what-is-intune.md
+++ b/intune/fundamentals/what-is-intune.md
@@ -1,323 +1,77 @@
---
-title: What is Microsoft Intune
-description: Microsoft Intune manages users and devices, simplifies app management and automated policy deployment, and integrates with mobile threat defense. It connects to Managed Google Play, Apple tokens and certificates, and Teamviewer for remote assistance. Can use MDM or MAM to protect data, configure devices, and simplify access to company resources.
-author: MandiOhlinger
-ms.author: mandia
-ms.date: 04/30/2025
+title: What is Microsoft Intune?
+description: Microsoft Intune is a cloud-based endpoint management service that secures and manages devices and apps. Learn what it does and how it works.
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/06/2026
ms.topic: overview
-ms.reviewer: davguy
-ms.collection:
-- essentials-overview
-- M365-identity-device-management
---
-# Microsoft Intune securely manages identities, manages apps, and manages devices
+# What is Microsoft Intune?
-As organizations support hybrid and remote workforces, they're challenged with managing the different devices that access organization resources. Employees and students need to collaborate, work from anywhere, and securely access and connect to these resources. Admins need to protect organization data, manage end user access, and support users from wherever they work.
+Microsoft Intune is a cloud-based endpoint management service that secures and manages your organization's devices and apps. Use Intune to enroll, configure, secure, and update devices, deploy and protect apps, and control which users and devices can access organization resources.
-✅ To help with these challenges and tasks, use Microsoft Intune.
+Supported platforms include Android, iOS/iPadOS, Linux, macOS, tvOS, visionOS, and Windows. The service runs entirely in the cloud, with no on-premises infrastructure required, and supports the [Zero Trust security model](zero-trust.md).
-Microsoft Intune is a **cloud-based endpoint management solution**. It manages user access to organizational resources and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints.
+## What Intune does
-:::image type="content" source="./media/what-is-intune/what-is-intune.png" alt-text="Diagram that shows features and benefits of Microsoft Intune.":::
+Intune covers the full lifecycle of a managed device and the apps that run on it: enrolling devices, configuring settings, securing endpoints, deploying and protecting apps, and keeping everything up to date. You manage all of it from the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), a web-based console. Every admin center action is backed by a [Microsoft Graph API](/graph/intune-concept-overview) call, so you can automate the same operations through a public programming interface.
-You can protect access and data on organization-owned and users personal devices. And, Intune has compliance and reporting features that support the [Zero Trust security model](zero-trust.md).
+Intune is built around three pillars: the **identities** that sign in, the **devices** they sign in from, and the **apps** they use to get work done. Identity runs on Microsoft Entra ID. Device and app posture flow back to Microsoft Entra Conditional Access, which gates access to corporate resources based on real, up-to-date signals.
-> [!VIDEO https://learn-video.azurefd.net/vod/player?id=dbd45acc-fa88-41aa-a9ac-7a751378d603]
+For a deeper walkthrough of how the pillars fit together, see [Microsoft Intune core concepts](core-concepts.md). For a guided tour of the admin center, see [Walkthrough: Microsoft Intune admin center](tutorial-admin-center-walkthrough.md).
-This article lists some features and benefits of Microsoft Intune.
+:::image type="content" source="./media/shared/intune-overview.png" alt-text="Diagram showing Microsoft Intune managing identities, devices, and apps, with signals from Endpoint security in Microsoft Defender. Intune is extended by advanced capabilities, automated by Copilot, and uses Microsoft Entra ID for Conditional Access to corporate resources." lightbox="./media/shared/intune-overview.png" border="false":::
-> [!TIP]
->
-> - To get Intune, go to [Licenses available for Microsoft Intune](./licensing/index.md) and [Intune 30-day trial](free-trial-sign-up.md).
-> - For more information on the Intune licensing plans, go to [Microsoft Intune capabilities and plans](https://www.microsoft.com/security/business/endpoint-management/microsoft-intune).
-> - For information on what it means to be cloud-native, go to [Learn more about cloud-native endpoints](../solutions/cloud-native-endpoints/overview.md).
+## How Intune is used: MDM, MAM, or both
-## Key features and benefits
+Intune supports two management modes that you can use independently or together.
-Some key features and benefits of Intune include:
+- **Mobile device management (MDM)**: Devices are enrolled, either by a user through the Company Portal or automatically through Windows Autopilot, Apple Automated Device Enrollment, or Android Enterprise. Intune then manages the whole device, including settings, security, and apps. If a device is lost or stolen, you can wipe it.
+- **Mobile application management (MAM)**: Intune manages only the work apps and the data inside them, not the rest of the device. MAM is typical for personal devices in bring-your-own-device (BYOD) scenarios, but it also runs alongside MDM on corporate-owned devices. The user keeps control of personal apps and content, while you protect the data inside Outlook, Microsoft Teams, and other managed apps. When the user leaves, you can selectively wipe organization data without touching personal content.
-✅ **Manage users and devices**
+You can combine the two. For example, an enrolled corporate phone (MDM) can also have app protection policies (MAM) on apps that handle especially sensitive data.
-With Intune, you can manage devices owned by your organization and devices owned by your end users. Microsoft Intune supports Android, Android Open Source Project (AOSP), iOS/iPadOS, Linux Ubuntu Desktop, macOS, and Windows client devices. With Intune, you can use these devices to securely access organization resources with policies you create.
+For details, see [Device enrollment in Microsoft Intune](../device-enrollment/guide.md) and [App protection policies overview](../app-management/protection/overview.md).
-For more information, go to:
+## How Intune works with Microsoft Entra
-- [Manage identities using Microsoft Intune](tenant-administration/identities.md)
-- [Manage devices using Microsoft Intune](manage-devices.md)
-- [Supported operating systems in Microsoft Intune](ref-supported-platforms.md)
+Intune doesn't store user identities or perform authentication. It relies on **Microsoft Entra ID** for three things:
-> [!NOTE]
-> If you manage on-premises Windows Server, you can use Configuration Manager.
+- **Authentication**: Users sign in to managed devices using Entra credentials, with single sign-on, multifactor authentication, or passwordless options.
+- **Users and groups**: Entra security groups are the foundation for assigning policies, profiles, and apps in Intune. You target a group of users, devices, or both, and Intune applies the configuration on check-in.
+ - Entra users and groups are also used to assign Intune [licenses](licensing.md). Each managed user or device needs an Intune license, but [administrators can manage Intune without one](licensing.md#unlicensed-admin-access).
+- **Conditional Access**: Intune sends device compliance state to Entra, and Conditional Access combines it with the user, app, location, and Defender risk signals to allow or block access to corporate resources.
-✅ **Simplify app management**
+This approach closes the Zero Trust loop: access decisions are based on real, up-to-date device posture, not on whether the device is on the corporate network.
-Intune has a built-in app experience, including app deployment, updates, and removal. You can:
+For the end-to-end access flow and how the pieces fit together, see [Microsoft Intune core concepts](core-concepts.md#how-the-pillars-fit-together). For details about Conditional Access, see [Use Conditional Access with Microsoft Intune](../device-security/conditional-access-integration/overview.md).
-- Connect to and distribute apps from your private app stores.
-- Enable Microsoft 365 apps, including Microsoft Teams.
-- Deploy Win32 and line-of-business (LOB) apps.
-- Create app protection policies that protect data within an app.
-- Manage access to apps & their data.
+## Advanced capabilities
-For more information, go to [Manage apps using Microsoft Intune](manage-apps.md).
+Beyond the core service, Intune offers advanced capabilities that add depth across endpoint security, app management, certificates, remote support, analytics, device updates, secure remote access, and specialty-device management. You can access these capabilities through Microsoft 365 plans, Microsoft Intune Suite, or as standalone subscriptions.
-✅ **Automate policy deployment**
+For details, see [Microsoft Intune advanced capabilities](advanced-capabilities.md).
-You can create policies for apps, security, device configuration, compliance, Conditional Access, and more. When the policies are ready, you can deploy these policies to your user groups and device groups. To receive these policies, the devices only need internet access.
+## Copilot in Intune
-For more information, go to [Assign policies in Microsoft Intune](../device-configuration/assign-device-profile.md).
+Copilot in Intune is an AI assistant built into the admin center, powered by Microsoft Security Copilot. Copilot can:
-✅ **Use the self-service features**
+- Summarize what an existing policy does and flag conflicts.
+- Explain what a setting controls and recommend values.
+- Surface device details and help triage problems.
+- Run specialized AI agents that triage Multi Admin Approval requests, generate policy from baselines, and prioritize vulnerability remediation.
-Employees and students can use the Company Portal app and website to reset a PIN/password, install apps, join groups, and more. You can customize the Company Portal to help reduce support calls.
+For details, see [Microsoft Copilot in Intune](../copilot/index.md).
-For more information, go to [Configure the Intune Company Portal apps, Company Portal website, and Intune app](../app-management/configuration/configure-company-portal.md).
+## Try Intune
-✅ **Integrate with mobile threat defense**
+- Sign up for a [free 30-day trial](free-trial-sign-up.md) to evaluate Intune in your environment.
+- Compare plans and pricing in [Microsoft Intune licensing](licensing.md).
+- After your trial, see [Sign up or sign in to Intune](account-sign-up.md) to set up your organization's subscription.
-Intune integrates with Microsoft Defender for Endpoint and third party partner services. With these services, the focus is on endpoint security. You can create policies that respond to threats, do real-time risk analysis, and automate remediation.
+## Related content
-For more information, go to [Mobile Threat Defense integration with Intune](../device-security/mobile-threat-defense/overview.md).
-
-✅ **Use a web-based admin center**
-
-The Intune admin center focuses on endpoint management, including data-driven reporting. Admins can sign into the admin center from any device that has internet access.
-
-For more information, go to [Walkthrough the Intune admin center](tutorial-admin-center-walkthrough.md). To sign in to the admin center, go to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-This admin center uses [Microsoft Graph](/graph/overview) REST APIs to programmatically access the Intune service. Every action in the admin center is a Microsoft Graph call. If you're not familiar with Graph, and want to learn more, go to [Graph integrates with Microsoft Intune](/graph/intune-concept-overview).
-
-✅ **Advanced endpoint management and security**
-
-The Microsoft Intune Suite offers different features, like Remote Help, Endpoint Privilege Management, Microsoft Tunnel for MAM, and more.
-
-For more information, go to [Intune Suite add-on features](add-ons.md).
-
-> [!TIP]
-> Step through a training module to learn how you can [benefit from modern endpoint management](/training/modules/benefits-microsoft-endpoint-manager?azure-portal=true) with Microsoft Intune.
-
-✅ **Use Microsoft Copilot in Intune for AI-generated analysis**
-
-Copilot in Intune is available and has capabilities that are powered by Security Copilot.
-
-Copilot can summarize existing policies, give you more setting information, including recommended values and potential conflicts. You can also get device details and troubleshoot a device.
-
-For more information, go to [Microsoft Copilot in Intune](../copilot/index.md).
-
-## Integrates with other Microsoft services and apps
-
-Microsoft Intune integrates with other Microsoft products and services that focus on endpoint management, including:
-
-- **[Configuration Manager](../configmgr/core/understand/introduction.md)** for on-premises endpoint management and Windows Server, including deploying software updates and managing data centers
-
- You can use Intune and Configuration Manager together in a co-management scenario, use tenant attach, or use both. With these options, you get the benefits of the web-based admin center and can use other cloud-based features available in Intune.
-
- For more specific information, go to:
-
- - [What is co-management](../configmgr/comanage/overview.md)
- - [Frequently asked questions about co-management](../configmgr/comanage/faq.yml)
- - [How to enable tenant attach](../configmgr/tenant-attach/device-sync-actions.md)
-
-- **[Windows Autopilot](/autopilot/overview)** for modern OS deployment and provisioning
-
- With Windows Autopilot, you can provision new devices and send these devices directly to users from an OEM or device provider. For existing devices, you can reimage these devices to use Windows Autopilot and deploy the latest Windows version.
-
- For more specific information, go to:
-
- - [Windows Autopilot overview](/autopilot/overview)
- - [Windows Autopilot deployment for existing devices](/autopilot/existing-devices)
-
-- **[Endpoint analytics](../endpoint-analytics/index.md)** for visibility and reporting on end user experiences, including device performance and reliability
-
- You can use Endpoint analytics to help identify policies or hardware issues that slow down devices. It also provides guidance that can help you proactively improve end user experiences and reduce help desk tickets.
-
- For more specific information, go to:
-
- - [Endpoint Analytics Overview](../endpoint-analytics/index.md)
- - [Enroll Intune devices into Endpoint analytics](../endpoint-analytics/configure.md)
-
-- **[Microsoft 365](/deployoffice/about-microsoft-365-apps)** for end user productivity Office apps, including Outlook, Teams, Sharepoint, OneDrive, and more
-
- Using Intune, you can deploy Microsoft 365 apps to users and devices in your organization. You can also deploy these apps when users sign in for the first time.
-
- For more specific information, go to:
-
- - [Add Microsoft 365 Apps to Windows devices with Microsoft Intune](../app-management/deployment/add-microsoft-365-windows.md)
- - [Microsoft 365 docs: Manage devices with Intune](/microsoft-365/solutions/manage-devices-with-intune-overview)
-
-- **[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint)** to help enterprises prevent, detect, investigate, and respond to threats
-
- In Intune, you can create a service-to-service connection between Intune and Microsoft Defender for Endpoint. When they're connected, you can create policies that scan files, detect threats, and report threat levels to Microsoft Defender for Endpoint. You can also create compliance policies that set an allowable level of risk. When combined with Conditional Access, you can block access to organization resources for devices that are noncompliant.
-
- For more specific information, go to:
-
- - [Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune](../device-security/microsoft-defender/overview.md)
- - [Configure Microsoft Defender for Endpoint in Intune](../device-security/microsoft-defender/configure-integration.md)
-
-- **[Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview)** for automatic patching of Windows, Microsoft 365 apps for enterprise, Microsoft Edge, and Microsoft Teams
-
- Windows Autopatch is a cloud based service. It keeps software current, gives users the latest productivity tools, minimizes on-premises infrastructure, and helps free up your IT admins to focus on other projects. Windows Autopatch uses Microsoft Intune to manage patching for Intune-enrolled devices or devices using co-management (Intune + Configuration Manager).
-
- For more specific information, go to:
-
- - [What is Windows Autopatch?](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview)
- - [Frequently Asked Questions about Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-faq)
-
-## Integrates with third party partner devices and apps
-
-The Intune admin center makes it easy to connect to different partner services, including:
-
-- **Managed Google Play for Android apps**: When you connect to your Managed Google Play account, admins can access your organization's private store for Android apps, and deploy these apps to your devices.
-
- For more information, go to [Add Managed Google Play apps to Android Enterprise devices with Intune](../app-management/deployment/add-managed-google-play.md).
-
-- **Apple tokens and certificates for enrollment and apps**: When they're added, your iOS/iPadOS and macOS devices can enroll in Intune and receive policies from Intune. Admins can access your volume purchased iOS/iPad and macOS app licenses, and deploy these apps to your devices.
-
- For more information, go to:
-
- - [Get an Apple MDM push certificate](../device-enrollment/apple/create-mdm-push-certificate.md)
- - [Automatically enroll iOS/iPadOS devices by using Apple's Automated Device Enrollment](../device-enrollment/apple/setup-automated-ios.md)
- - [Manage iOS and macOS apps purchased through Apple Business with Microsoft Intune](../app-management/deployment/manage-vpp-apple.md)
-
-- **TeamViewer for remote assist**: When you connect to your TeamViewer account, you can use TeamViewer to remotely assist devices.
-
- For more information, go to [Use TeamViewer to remotely administer Intune devices](../device-management/tools/teamviewer-legacy.md).
-
-With these services, Intune:
-
-- Gives admins simplified access to third party partner app services.
-- Can manage hundreds of third party partner apps.
-- Supports public retail store apps, line of business (LOB) apps, private apps not available in the public store, custom apps, and more.
-
-For more platform-specific requirements to enroll third party partner devices in Intune, go to:
-
-- [Deployment guide: Enroll Android devices in Microsoft Intune](../device-enrollment/android/guide.md)
-- [Deployment guide: Enroll iOS and iPadOS devices in Microsoft Intune](../device-enrollment/apple/guide-ios-ipados.md)
-- [Deployment guide: Enroll Linux devices in Microsoft Intune](../device-enrollment/guide-linux.md)
-- [Deployment guide: Enroll macOS devices in Microsoft Intune](../device-enrollment/apple/guide-macos.md)
-
-## Enroll in device management, application management, or both
-
-✅ Organization-owned devices are enrolled in Intune for **mobile device management (MDM)**. MDM is device centric, so device features are configured based on who needs them. For example, you can configure a device to allow access to Wi-Fi, but only if the signed-in user is an organization account.
-
-In Intune, you create policies that configure features & settings and provide security & protection. Your admin team fully manages the devices, including the user identities that sign in, the apps that are installed, and the data that's accessed.
-
-When devices enroll, you can deploy your policies during the enrollment process. When enrollment completes, the device is ready to use.
-
-✅ For personal devices in bring-your-own-device (BYOD) scenarios, you can use Intune for **mobile application management (MAM)**. MAM is user centric, so the app data is protected regardless of the device used to access this data. There's a focus on apps, including securely accessing apps and protecting data within the apps.
-
-With MAM, you can:
-
-- Publish mobile apps to users.
-- Configure apps and automatically update apps.
-- View data reports that focus on app inventory and app usage.
-
-✅ You can also use MDM and MAM together. If your devices are enrolled and there are apps that need extra security, then you can also use MAM app protection policies.
-
-For more information, go to:
-
-- [Device enrollment in Intune?](../device-enrollment/guide.md)
-- [App protection policies overview](../app-management/protection/overview.md)
-
-## Protect data on any device
-
-With Intune, you can **protect data on managed devices** (enrolled in Intune) and **protect data on unmanaged devices** (not enrolled in Intune). Intune can isolate organization data from personal data. The idea is to protect your company information using policies that you configure and deploy.
-
-For organization-owned devices, you want full control over the devices, especially security. When devices enroll, they receive your security rules and settings.
-
-On devices enrolled in Intune, you can:
-
-- Create and deploy policies that configure security settings, set password requirements, deploy certificates, and more.
-- Use mobile threat defense services to scan devices, detect threats, and remediate threats.
-- View data and reports that measure compliance with your security settings and rules.
-- Use Conditional Access to only allow managed and compliant devices access to organization resources, apps, and data.
-- Remove organization data if a device is lost or stolen.
-
-For personal devices, users might not want their IT admins to have full control. To support a hybrid work environment, give users options. For example, users enroll their devices if they want full access to your organization's resources. Or, if these users only want access to Outlook or Microsoft Teams, then use app protection policies that require multifactor authentication (MFA).
-
-On devices using application management, you can:
-
-- Use mobile threat defense services to protect app data. The service can scan devices, detect threats, and assess risk.
-- Prevent organization data from being copied and pasted into personal apps.
-- Use app protection policies on apps and on unmanaged devices enrolled in a third party or partner MDM.
-- Use Conditional Access to restrict the apps that can access organization email and files.
-- Remove organization data within apps.
-
-For more information, go to:
-
-- [Protect data and devices with Microsoft Intune](../device-security/overview.md)
-- [Mobile Threat Defense integration with Intune](../device-security/mobile-threat-defense/overview.md)
-
-## Simplify access
-
-Intune helps organizations support employees who can work from anywhere. There are features you can configure that allow users to connect to an organization, wherever they might be.
-
-This section includes some common features that you can configure in Intune.
-
-### Use Windows Hello for Business instead of passwords
-
-Windows Hello for Business helps protect against phishing attacks and other security threats. It also helps users sign in to their devices and apps more quickly and easily.
-
-Windows Hello for Business replaces passwords with a PIN or biometric, such as fingerprint or facial recognition. This biometric information is stored locally on the devices and is never sent to external devices or servers.
-
-For more information, go to:
-
-- [Get an overview Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-overview)
-- [Manage Windows Hello for Business on devices when they enroll in Intune](../device-security/identity-protection/configure-tenant-wide-policy.md)
-- [Manage identities using Microsoft Intune](tenant-administration/identities.md)
-
-### Create a VPN connection for remote users
-
-VPN policies give users secure remote access to your organization network.
-
-Using common VPN connection partners, including Check Point, Cisco, Microsoft Tunnel, NetMotion, Pulse Secure, and more, you can create a VPN policy with your network settings. When the policy is ready, you deploy this policy to your users and devices that need to connect to your network remotely.
-
-In the VPN policy, you can use certificates to authenticate the VPN connection. When you use certificates, your end users don't need to enter usernames and passwords.
-
-For more information, go to:
-
-- [Create VPN profiles to connect to VPN servers in Intune](../device-configuration/templates/configure-vpn.md)
-- [Use certificates for authentication in Intune](./certificates/overview.md)
-- [Learn more about Microsoft Tunnel for Intune](../device-security/microsoft-tunnel/overview.md)
-- [Use Microsoft Tunnel for MAM](../device-security/microsoft-tunnel/mam.md)
-
-### Create a Wi-Fi connection for on-premises users
-
-For users who need to connect to your organization network on-premises, you can create a Wi-Fi policy with your network settings. You can connect to a specific SSID, select an authentication method, use a proxy, and more. You can also configure the policy to automatically connect to Wi-Fi when the device is in range.
-
-In the Wi-Fi policy, you can use certificates to authenticate the Wi-Fi connection. When you use certificates, your end users don't need to enter usernames and passwords.
-
-When the policy is ready, you deploy this policy to your on-premises users and devices that need to connect to your on-premises network.
-
-For more information, go to:
-
-- [Create Wi-Fi policy to connect to Wi-Fi networks in Intune](../device-configuration/templates/configure-wifi.md)
-- [Use certificates for authentication in Microsoft Intune](./certificates/overview.md)
-
-### Enable single sign-on (SSO) to your apps and services
-
-When you enable SSO, users can automatically sign in to apps and services using their Microsoft Entra organization account, including some mobile threat defense partner apps.
-
-Specifically:
-
-- On Windows devices, SSO is automatically built in and used to sign in to apps and websites that use Microsoft Entra ID for authentication, including Microsoft 365 apps. You can also enable SSO on VPN and Wi-Fi policies.
-
-- On iOS/iPadOS and macOS devices, you can use the Microsoft Enterprise SSO plug-in to automatically sign in to apps and websites that use Microsoft Entra ID for authentication, including Microsoft 365 apps.
-
- For more information, go to [Single sign-on (SSO) overview and options for Apple devices in Microsoft Intune](../device-configuration/enterprise-sso-plugin.md).
-
-- On Android devices, you can use the Microsoft Authentication Library (MSAL) to enable SSO to Android apps.
-
- For more information, go to:
-
- - [How SSO to on-premises resources works on Microsoft Entra joined devices](/azure/active-directory/devices/azuread-join-sso)
- - [Use the Microsoft Enterprise SSO plug-in on iOS/iPadOS and macOS devices in Microsoft Intune](../device-configuration/enterprise-sso-plugin.md)
- - [Enable cross-app SSO on Android using MSAL](/azure/active-directory/develop/msal-android-single-sign-on)
-
-## Related articles
-
-- [Manage identities using Microsoft Intune](tenant-administration/identities.md)
-- [Manage devices using Microsoft Intune](manage-devices.md)
-- [Manage apps using Microsoft Intune](manage-apps.md)
-- [Troubleshoot Microsoft Intune](/troubleshoot/mem/intune/welcome-intune)
+- [Microsoft Intune core concepts](core-concepts.md)
+- [Microsoft Intune architecture](architecture.md)
+- [Microsoft Intune advanced capabilities](advanced-capabilities.md)
diff --git a/intune/fundamentals/zero-trust.md b/intune/fundamentals/zero-trust.md
index c45717582f8..34060f5d224 100644
--- a/intune/fundamentals/zero-trust.md
+++ b/intune/fundamentals/zero-trust.md
@@ -52,8 +52,6 @@ For detailed deployment guidance including prerequisites, licensing requirements
## Related articles
-- [Learn about managing identities in Intune](tenant-administration/identities.md)
-- [Learn about managing devices in Intune](manage-devices.md)
-- [Learn about managing apps in Intune](manage-apps.md)
+- [Learn about Intune core concepts](core-concepts.md)
- [Zero Trust deployment approach with Microsoft Intune](zero-trust-deployment.md)
- [Zero Trust Guidance Center](/security/zero-trust)
diff --git a/intune/includes/intune-plan2-suite-note.md b/intune/includes/intune-plan2-suite-note.md
deleted file mode 100644
index 23bda4f745d..00000000000
--- a/intune/includes/intune-plan2-suite-note.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-author: MandiOhlinger
-ms.topic: include
-ms.date: 02/06/2025
-ms.author: mandia
----
-> [!NOTE]
-> This capability is available when you add Microsoft Intune Plan 2 or Microsoft Intune Suite as an add-on license. For more information, see [Use Intune Suite add-on capabilities](../fundamentals/add-ons.md).
diff --git a/intune/includes/licensing/additional-licensing-plan2.md b/intune/includes/licensing/additional-licensing-plan2.md
new file mode 100644
index 00000000000..6ff5ec736ae
--- /dev/null
+++ b/intune/includes/licensing/additional-licensing-plan2.md
@@ -0,0 +1,8 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms-topic: include
+ms.date: 05/21/2026
+---
+
+This feature requires Microsoft Intune Plan 2 or an additional subscription. For licensing options, see [Microsoft Intune plans and pricing](https://www.microsoft.com/security/business/microsoft-intune-pricing) and [Microsoft 365 Security Enterprise Plans](https://www.microsoft.com/security/pricing/enterprise-plans).
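Review bot: The front matter of this new include uses `ms-topic: include` with a hyphen, while every other include in this diff (the deleted intune-plan2-suite-note.md and remote-help-overview.md) spells the key `ms.topic`; the line should read `ms.topic: include`. The same misspelled key appears in the second new file, intune/includes/licensing/additional-licensing.md. With the key misspelled, the build presumably does not recognise these files as includes, so the topic-type metadata they are meant to carry is lost.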
diff --git a/intune/includes/licensing/additional-licensing.md b/intune/includes/licensing/additional-licensing.md
new file mode 100644
index 00000000000..8692cb50043
--- /dev/null
+++ b/intune/includes/licensing/additional-licensing.md
@@ -0,0 +1,8 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms-topic: include
+ms.date: 05/21/2026
+---
+
+This feature requires a subscription in addition to Microsoft Intune Plan 1 or Plan 2. For licensing options, see [Microsoft Intune plans and pricing](https://www.microsoft.com/security/business/microsoft-intune-pricing) and [Microsoft 365 Security Enterprise Plans](https://www.microsoft.com/security/pricing/enterprise-plans).
diff --git a/intune/index.yml b/intune/index.yml
index 92d85469590..4b6e3ce4d23 100644
--- a/intune/index.yml
+++ b/intune/index.yml
@@ -21,9 +21,9 @@ highlightedContent:
- title: Features in development
itemType: whats-new
url: ./whats-new/in-development.md
- - title: Microsoft Intune Suite add-ons
+ - title: Microsoft Intune advanced capabilities
itemType: overview
- url: ./fundamentals/add-ons.md
+ url: ./fundamentals/advanced-capabilities.md
productDirectory:
title: Set up, secure, and operate your device fleet
@@ -127,7 +127,7 @@ conceptualContent:
- url: https://aka.ms/Intune_GuidedDemo
itemType: get-started
text: Interactive demos for Intune
- - url: ./fundamentals/licensing/index.md
+ - url: ./fundamentals/licensing.md
itemType: get-started
text: Microsoft Intune licensing
- url: ./fundamentals/planning-guide.md
diff --git a/intune/media/icons/16/add-on.svg b/intune/media/icons/16/add-on.svg
new file mode 100644
index 00000000000..393da774aff
--- /dev/null
+++ b/intune/media/icons/16/add-on.svg
@@ -0,0 +1,3 @@
+
diff --git a/intune/media/icons/16/plus.svg b/intune/media/icons/16/plus.svg
new file mode 100644
index 00000000000..d93cde2f014
--- /dev/null
+++ b/intune/media/icons/16/plus.svg
@@ -0,0 +1,3 @@
+
diff --git a/intune/media/icons/24/devices.svg b/intune/media/icons/24/devices.svg
deleted file mode 100644
index 4bdd26bf755..00000000000
--- a/intune/media/icons/24/devices.svg
+++ /dev/null
@@ -1,22 +0,0 @@
-
diff --git a/intune/media/icons/24/query.svg b/intune/media/icons/24/query.svg
deleted file mode 100644
index 061e1dae8aa..00000000000
--- a/intune/media/icons/24/query.svg
+++ /dev/null
@@ -1,18 +0,0 @@
-
diff --git a/intune/media/icons/24/report.svg b/intune/media/icons/24/report.svg
deleted file mode 100644
index a6c559a48b6..00000000000
--- a/intune/media/icons/24/report.svg
+++ /dev/null
@@ -1,10 +0,0 @@
-
diff --git a/intune/remote-help/deploy.md b/intune/remote-help/deploy.md
index 867b1767180..3d3164b49de 100644
--- a/intune/remote-help/deploy.md
+++ b/intune/remote-help/deploy.md
@@ -12,10 +12,6 @@ ms.collection:
# Deploying Remote Help with Microsoft Intune
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-[!INCLUDE [remote-help-overview](includes/remote-help-overview.md)]
-
This article describes the steps to deploy Remote Help with Microsoft Intune.
- [⚙️Set up your tenant](#configure-remote-help-for-your-tenant)
diff --git a/intune/remote-help/includes/remote-help-overview.md b/intune/remote-help/includes/remote-help-overview.md
deleted file mode 100644
index a8243ccbd05..00000000000
--- a/intune/remote-help/includes/remote-help-overview.md
+++ /dev/null
@@ -1,7 +0,0 @@
----
-ms.service: microsoft-intune
-ms.topic: include
-ms.date: 10/01/2025
----
-
-Remote Help is a cloud-based solution for secure help desk connections with role-based access controls. With the connection, your support staff can remote connect to the user's device. For more information, see [Remote Help Overview](../index.md). To start using Remote Help features, ensure you have met the [Prerequisites](../plan.md#prerequisites).
diff --git a/intune/remote-help/index.md b/intune/remote-help/index.md
index 89c05ae84f4..a3aebd0fd61 100644
--- a/intune/remote-help/index.md
+++ b/intune/remote-help/index.md
@@ -9,11 +9,9 @@ ms.collection:
- M365-identity-device-management
---
- # Use Remote Help with Microsoft Intune
+# Use Remote Help with Microsoft Intune
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-Microsoft Intune Remote Help is a cloud-based remote support solution that allows IT support teams to connect securely to an end-user's device for real-time assistance. It's available as a standalone add-on to Microsoft Intune, or as part of the Intune Suite, enabling organizations to provide remote troubleshooting and guidance with enterprise security controls in place. Remote Help distinguishes between helpers (support personnel) and sharers (end users sharing their screen), both of whom must sign in with corporate Entra ID accounts for each session. This requirement means Remote Help only works within your organization's tenant – helpers can't assist users in another tenant or external organization.
+Microsoft Intune Remote Help is a cloud-based remote support solution that allows IT support teams to connect securely to an end-user's device for real-time assistance. It enables organizations to provide remote troubleshooting and guidance with enterprise security controls in place. Remote Help distinguishes between helpers (support personnel) and sharers (end users sharing their screen), both of whom must sign in with corporate Entra ID accounts for each session. This requirement means Remote Help only works within your organization's tenant – helpers can't assist users in another tenant or external organization.
## Remote Help capabilities
diff --git a/intune/remote-help/plan.md b/intune/remote-help/plan.md
index 1a7d860513c..9f9f2c8ab6c 100644
--- a/intune/remote-help/plan.md
+++ b/intune/remote-help/plan.md
@@ -9,11 +9,7 @@ ms.collection:
- M365-identity-device-management
---
- # Planning for Remote Help with Microsoft Intune
-
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-[!INCLUDE [remote-help-overview](includes/remote-help-overview.md)]
+# Planning for Remote Help with Microsoft Intune
In this article, users who provide help are referred to as *helpers*, and users that receive help are referred to as *sharers*, as they share their session with the helper. Both helpers and sharers sign in to your organization to use the app. It's through your Microsoft Entra ID that the proper trusts are established for the Remote Help sessions.
@@ -125,11 +121,12 @@ The following Intune built-in roles include Remote Help permissions:
Remote Help has the following requirements:
-- [Intune subscription](../fundamentals/licensing/index.md).
-- [Remote Help add on license or an Intune Suite license](../fundamentals/add-ons.md#available-add-ons) for all IT support workers (helpers) and users (sharers) that are targeted to use Remote Help and benefit from the service.
-- [Supported platforms and devices](#supported-platforms).
+- A Remote Help license for everyone targeted to use the service — both helpers (IT support workers) and sharers (users).
+- A [supported platform or device](#supported-platforms).
- Intune-enrolled devices must be registered with Microsoft Entra.
+[!INCLUDE [additional-licensing](../includes/licensing/additional-licensing.md)]
+
## Limitations
Remote Help has the following limitations:
diff --git a/intune/remote-help/start-session.md b/intune/remote-help/start-session.md
index cb120adcff4..afa6ac9a815 100644
--- a/intune/remote-help/start-session.md
+++ b/intune/remote-help/start-session.md
@@ -11,10 +11,6 @@ ms.collection:
# Using Remote Help with Microsoft Intune
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-[!INCLUDE [remote-help-overview](includes/remote-help-overview.md)]
-
The use of Remote Help depends on whether you're requesting help or providing help. In this article, we cover both scenarios.
## Get help
diff --git a/intune/remote-help/troubleshoot.md b/intune/remote-help/troubleshoot.md
index 4fb54343829..a8c31a0d8de 100644
--- a/intune/remote-help/troubleshoot.md
+++ b/intune/remote-help/troubleshoot.md
@@ -11,10 +11,6 @@ ms.collection:
# Troubleshoot and Monitor Remote Help
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-[!INCLUDE [remote-help-overview](includes/remote-help-overview.md)]
-
## Monitoring and reports
You can monitor the use of Remote Help from within the Microsoft Intune admin center. For unenrolled devices, reporting on Remote Help sessions is limited.
diff --git a/intune/solutions/azure-virtual-desktop-multi-session.md b/intune/solutions/azure-virtual-desktop-multi-session.md
index 6189540dea0..8ab0bbd0b95 100644
--- a/intune/solutions/azure-virtual-desktop-multi-session.md
+++ b/intune/solutions/azure-virtual-desktop-multi-session.md
@@ -53,7 +53,7 @@ This feature supports Windows Enterprise multi-session VMs, which are:
- Configured with [Active Directory group policy](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy), set to use Device credentials, and set to automatically enroll devices that are Microsoft Entra hybrid joined.
- [Configuration Manager co-management](/configmgr/comanage/overview).
- Microsoft Entra joined and enrolled in Microsoft Intune by enabling [Enroll the VM with Intune](/azure/virtual-desktop/deploy-azure-ad-joined-vm#deploy-azure-ad-joined-vms) in the Azure portal.
-- Licensing: The appropriate Azure Virtual Desktop and Microsoft Intune license is required if a user or device benefits directly or indirectly from the Microsoft Intune service, including access to the Microsoft Intune service through a Microsoft API. For more information, go to [Microsoft Intune licensing](../fundamentals/licensing/index.md).
+- Licensing: The appropriate Azure Virtual Desktop and Microsoft Intune license is required if a user or device benefits directly or indirectly from the Microsoft Intune service, including access to the Microsoft Intune service through a Microsoft API. For more information, go to [Microsoft Intune licensing](../fundamentals/licensing.md).
- See [Licensing Azure Virtual Desktop](/azure/virtual-desktop/licensing) for more information about Azure Virtual Desktop licensing requirements.
## Limitations
diff --git a/intune/solutions/cloud-native-endpoints/entra-join-types.md b/intune/solutions/cloud-native-endpoints/entra-join-types.md
index 73762e11de1..7ba133da19b 100644
--- a/intune/solutions/cloud-native-endpoints/entra-join-types.md
+++ b/intune/solutions/cloud-native-endpoints/entra-join-types.md
@@ -176,7 +176,7 @@ The cloud solution is to Microsoft Entra Join your endpoints. The endpoints and
## Follow the cloud-native endpoints guidance
1. [Overview: What are cloud-native endpoints?](overview.md)
-2. [Tutorial: Get started with cloud-native Windows endpoints](tutorial-cloud-native-setup.md)
+2. [Tutorial: Set up cloud-native Windows endpoints with Microsoft Intune](tutorial-cloud-native-setup.md)
3. 🡺 **Concept: Microsoft Entra joined vs. Hybrid Microsoft Entra joined** (*You are here*)
4. [Concept: Cloud-native endpoints and on-premises resources](on-premises-resources.md)
5. [High level planning guide](planning-guide.md)
diff --git a/intune/solutions/cloud-native-endpoints/on-premises-resources.md b/intune/solutions/cloud-native-endpoints/on-premises-resources.md
index 0cf733f5554..254dfee25d1 100644
--- a/intune/solutions/cloud-native-endpoints/on-premises-resources.md
+++ b/intune/solutions/cloud-native-endpoints/on-premises-resources.md
@@ -102,7 +102,7 @@ The following steps are an overview. For more specific information, including de
## Follow the cloud-native endpoints guidance
1. [Overview: What are cloud-native endpoints?](overview.md)
-2. [Tutorial: Get started with cloud-native Windows endpoints](tutorial-cloud-native-setup.md)
+2. [Tutorial: Set up cloud-native Windows endpoints with Microsoft Intune](tutorial-cloud-native-setup.md)
3. [Concept: Microsoft Entra joined vs. Hybrid Microsoft Entra joined](entra-join-types.md)
4. 🡺 **Concept: Cloud-native endpoints and on-premises resources** (*You are here*)
5. [High level planning guide](planning-guide.md)
diff --git a/intune/solutions/cloud-native-endpoints/overview.md b/intune/solutions/cloud-native-endpoints/overview.md
index e53ba409cd0..90714e260a5 100644
--- a/intune/solutions/cloud-native-endpoints/overview.md
+++ b/intune/solutions/cloud-native-endpoints/overview.md
@@ -4,8 +4,10 @@ description: Learn more about cloud-native endpoints and what they are. See a li
ms.date: 05/30/2024
ms.topic: overview
ms.reviewer: ahamil, jasandys, wicale
+ms.keywords: cloud native Windows, cloud-native Windows endpoint, Intune cloud native, Windows Autopilot cloud native, cloud native endpoint setup
ms.collection:
- M365-identity-device-management
+ - highseo
- intune-scenario
---
@@ -27,7 +29,7 @@ In this set of articles, you will:
- ✅ **Step through a tutorial** that creates a Windows device that's cloud-native:
- - [Tutorial: Get started with cloud-native Windows endpoints with Microsoft Intune](tutorial-cloud-native-setup.md)
+ - [Tutorial: Set up cloud-native Windows endpoints with Microsoft Intune](tutorial-cloud-native-setup.md)
- ✅ **Learn more about the Microsoft Entra concepts** that are part of cloud-native endpoints, including accessing on-premises resources:
@@ -127,7 +129,7 @@ The [High level planning guide to move to cloud-native endpoints](planning-guide
## Follow the cloud-native endpoints guidance
1. 🡺 **Overview: What are cloud-native endpoints?** (*You are here*)
-2. [Tutorial: Get started with cloud-native Windows endpoints](tutorial-cloud-native-setup.md)
+2. [Tutorial: Set up cloud-native Windows endpoints with Microsoft Intune](tutorial-cloud-native-setup.md)
3. [Concept: Entra joined vs. Hybrid Entra joined](entra-join-types.md)
4. [Concept: Cloud-native endpoints and on-premises resources](on-premises-resources.md)
5. [High level planning guide](planning-guide.md)
diff --git a/intune/solutions/cloud-native-endpoints/planning-guide.md b/intune/solutions/cloud-native-endpoints/planning-guide.md
index 0b870d23218..10ea4e865fe 100644
--- a/intune/solutions/cloud-native-endpoints/planning-guide.md
+++ b/intune/solutions/cloud-native-endpoints/planning-guide.md
@@ -476,7 +476,7 @@ For more information on Windows Autopilot, go to:
## Follow the cloud-native endpoints guidance
1. [Overview: What are cloud-native endpoints?](overview.md)
-2. [Tutorial: Get started with cloud-native Windows endpoints](tutorial-cloud-native-setup.md)
+2. [Tutorial: Set up cloud-native Windows endpoints with Microsoft Intune](tutorial-cloud-native-setup.md)
3. [Concept: Microsoft Entra joined vs. Hybrid Microsoft Entra joined](entra-join-types.md)
4. [Concept: Cloud-native endpoints and on-premises resources](on-premises-resources.md)
5. 🡺 **High level planning guide** (*You are here*)
diff --git a/intune/solutions/cloud-native-endpoints/troubleshoot.md b/intune/solutions/cloud-native-endpoints/troubleshoot.md
index 634f9737657..2984f3a2f0b 100644
--- a/intune/solutions/cloud-native-endpoints/troubleshoot.md
+++ b/intune/solutions/cloud-native-endpoints/troubleshoot.md
@@ -140,7 +140,7 @@ For more specific information, go to [Implement password hash synchronization wi
## Follow the cloud-native endpoints guidance
1. [Overview: What are cloud-native endpoints?](overview.md)
-2. [Tutorial: Get started with cloud-native Windows endpoints](tutorial-cloud-native-setup.md)
+2. [Tutorial: Set up cloud-native Windows endpoints with Microsoft Intune](tutorial-cloud-native-setup.md)
3. [Concept: Microsoft Entra joined vs. Hybrid Microsoft Entra joined](entra-join-types.md)
4. [Concept: Cloud-native endpoints and on-premises resources](on-premises-resources.md)
5. [High level planning guide](planning-guide.md)
diff --git a/intune/solutions/cloud-native-endpoints/tutorial-cloud-native-setup.md b/intune/solutions/cloud-native-endpoints/tutorial-cloud-native-setup.md
index 3536271a9ec..4a5dc6d2cd6 100644
--- a/intune/solutions/cloud-native-endpoints/tutorial-cloud-native-setup.md
+++ b/intune/solutions/cloud-native-endpoints/tutorial-cloud-native-setup.md
@@ -1,11 +1,11 @@
---
-
-title: Tutorial-Get started with cloud-native Windows endpoints
-description: Set up secure cloud-native Windows endpoints that are Microsoft Entra joined, enrolled in Intune, and then deploy at scale with Windows Autopilot.
+title: Tutorial - Set up cloud-native Windows endpoints with Microsoft Intune
+description: Step-by-step tutorial to set up a cloud-native Windows endpoint - Microsoft Entra joined, Intune enrolled, secured, and deployed with Windows Autopilot.
+ms.keywords: cloud native Windows, cloud-native Windows endpoint, Intune cloud native, Windows Autopilot cloud native, cloud native endpoint setup
author: scottbreenmsft
ms.author: scbree
-ms.date: 07/24/2025
-ms.topic: get-started
+ms.date: 05/19/2026
+ms.topic: tutorial
ms.reviewer: scbree;rogerso
ms.collection:
- M365-identity-device-management
@@ -15,36 +15,42 @@ ms.collection:
- graph-interactive
---
-# Tutorial: Set up and configure a cloud-native Windows endpoint with Microsoft Intune
+# Tutorial: Set up cloud-native Windows endpoints with Microsoft Intune
-> [!TIP]
-> [!INCLUDE [cloud-native-endpoints-definitions](../../includes/cloud-native-endpoints-definitions.md)]
+This step-by-step tutorial shows you how to set up a **cloud-native Windows endpoint** using Microsoft Intune and Windows Autopilot. A cloud-native Windows endpoint (sometimes written as cloud native Windows) is Microsoft Entra joined, enrolled in Microsoft Intune, and managed entirely from the cloud — no Active Directory domain join, no on-premises infrastructure required.
-This guide walks you through the steps to create a cloud-native Windows endpoint configuration for your organization. For an overview of cloud-native endpoints, and their benefits, see [What are cloud-native endpoints](overview.md).
+By the end of this tutorial, you have a fully configured Windows device that's:
-This feature applies to:
+> [!div class="checklist"]
+> * **Microsoft Entra joined** and enrolled in **Microsoft Intune**
+> * **Secured** with Microsoft Defender Antivirus, BitLocker encryption, Windows LAPS, and security baselines
+> * **Provisioned** through **Windows Autopilot** with Microsoft 365 apps, OneDrive Known Folder Move, and the Company Portal
+> * **Ready to scale** to the rest of your Windows fleet
-- Windows cloud-native endpoints
+For background, see [What are cloud-native endpoints?](overview.md) and [How to plan your Microsoft Entra join implementation](/entra/identity/devices/device-join-plan).
-## How to get started
+> [!TIP]
+> [!INCLUDE [cloud-native-endpoints-definitions](../../includes/cloud-native-endpoints-definitions.md)]
-Use the five ordered phases in this guide, which build on each other to help you prepare your cloud-native Windows endpoint configuration. By completing these phases in order, you see tangible progress and are ready to provision new devices.
+## How to get started
-**Phases**:
+Complete the five phases in order — each builds on the previous one.
:::image type="content" source="media/tutorial-cloud-native-setup/phases.png" alt-text="Five phases for setting up cloud-native Windows endpoints using Microsoft Intune and Windows Autopilot.":::
-- [Phase 1](#phase-1--set-up-your-environment) – Set up your environment
-- [Phase 2](#phase-2---build-a-cloud-native-windows-endpoint) – Build your first cloud-native Windows endpoint
-- [Phase 3](#phase-3--secure-your-cloud-native-windows-endpoint) – Secure your cloud-native Windows endpoint
-- [Phase 4](#phase-4--apply-customizations-and-review-your-on-premises-configuration) – Apply your custom settings and applications
-- [Phase 5](#phase-5--deploy-at-scale-with-windows-autopilot) – Deploy at scale with Windows Autopilot
+| Phase | Goal |
+| --- | --- |
+| [Phase 1](#phase-1--set-up-your-environment) – Set up your environment | Prepare your tenant, test device, and baseline Autopilot policies |
+| [Phase 2](#phase-2--build-a-cloud-native-windows-endpoint) – Build a cloud-native Windows endpoint | Provision your first endpoint through Autopilot |
+| [Phase 3](#phase-3--secure-your-cloud-native-windows-endpoint) – Secure your cloud-native Windows endpoint | Apply endpoint security: Defender, BitLocker, LAPS, baselines, updates |
+| [Phase 4](#phase-4--apply-customizations-and-review-your-on-premises-configuration) – Apply customizations and review your on-premises configuration | Add organization-specific apps, settings, and migrate from Group Policy |
+| [Phase 5](#phase-5--scale-your-deployment-with-windows-autopilot) – Scale your deployment with Windows Autopilot | Scale provisioning to your fleet using OEM registration, personas, and rollout rings |
-At the end of this guide, you have a cloud-native Windows endpoint ready to start testing in your environment. Before you get started, you might want to check out the Microsoft Entra join planning guide at [How to plan your Microsoft Entra join implementation](/entra/identity/devices/device-join-plan).
+After your endpoints are deployed, use the [Monitor your cloud-native Windows endpoints](#monitor-your-cloud-native-windows-endpoints) section to validate policy, app, and compliance status from the Intune admin center as part of ongoing operations.
## Phase 1 – Set up your environment
-:::image type="content" source="media/tutorial-cloud-native-setup/phase-1.png" alt-text="Image that shows phase 1, set up your environment for cloud native endpoints with Microsoft Intune":::
+:::image type="icon" source="media/tutorial-cloud-native-setup/phase-1.png":::
Before you build your first cloud-native Windows endpoint, there are some key requirements and configuration that need to be checked. This phase walks you through checking the requirements, configuring [Windows Autopilot](/autopilot/overview), and creating some settings and applications.
@@ -82,7 +88,7 @@ Enrollment restrictions allow you to control what types of devices can enroll in
- **Microsoft Entra Premium P1**
- **Microsoft Intune for Education**
- To assign licenses, go to [Assign Microsoft Intune licenses](../../fundamentals/licensing/assign-licenses.md).
+ To assign licenses, go to [Assign Microsoft Intune licenses](../../fundamentals/assign-licenses.md).
> [!NOTE]
> Both types of licenses are typically included with licensing bundles, like Microsoft 365 E3 (or A3) and higher. View comparisons of Microsoft 365 licensing [here](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).
@@ -92,9 +98,9 @@ Enrollment restrictions allow you to control what types of devices can enroll in
To test the cloud-native Windows endpoint, we need to start by getting a virtual machine or physical device ready for testing. The following steps get the device details and upload them into the Windows Autopilot service, which are used later in this article.
> [!NOTE]
-> While the following steps provide a way to import a device for testing, Partners and OEMs can import devices into Windows Autopilot on your behalf as part of purchasing. There's more information about Windows Autopilot in [Phase 5](#phase-5--deploy-at-scale-with-windows-autopilot).
+> While the following steps provide a way to import a device for testing, Partners and OEMs can import devices into Windows Autopilot on your behalf as part of purchasing. There's more information about Windows Autopilot in [Phase 5](#phase-5--scale-your-deployment-with-windows-autopilot).
-1. Install Windows (preferably 20H2 or later) in a virtual machine or reset physical device so that it's waiting at the OOBE setup screen. For a virtual machine, you can optionally create a checkpoint.
+1. Install Windows in a virtual machine or reset a physical device so that it's waiting at the OOBE setup screen. For a virtual machine, you can optionally create a checkpoint.
2. Complete the necessary steps to connect to the Internet.
@@ -120,7 +126,7 @@ To test the cloud-native Windows endpoint, we need to start by getting a virtual
9. When prompted for credentials, sign in with your Intune Administrator account.
-10. Leave the computer at the out of box experience until [Phase 2](#phase-2---build-a-cloud-native-windows-endpoint).
+10. Leave the computer at the out of box experience until [Phase 2](#phase-2--build-a-cloud-native-windows-endpoint).
### Step 4 - Create Microsoft Entra dynamic group for the device
@@ -154,8 +160,11 @@ To limit the configurations from this guide to the test devices that you import
The enrollment status page (ESP) is the mechanism an IT pro uses to control the end-user experience during endpoint provisioning. See [Set up the Enrollment Status Page](../../device-enrollment/windows/setup-status-page.md). To limit the scope of the enrollment status page, you can create a new profile and target the **Autopilot Cloud-Native Windows Endpoints** group created in the previous step, *Create Microsoft Entra dynamic group for the device*.
- For the purposes of testing, we recommend the following settings, but feel free to adjust them as required:
- - **Show app and profile configuration progress** - Yes
- - **Only show page to devices provisioned by out-of-box experience (OOBE)** – Yes (*default*)
+
+ | Setting | Value |
+ | --- | --- |
+ | **Show app and profile configuration progress** | Yes |
+ | **Only show page to devices provisioned by out-of-box experience (OOBE)** | Yes (*default*) |
### Step 6 - Create and assign the Windows Autopilot profile
@@ -167,13 +176,23 @@ Now we can create the Windows Autopilot profile and assign it to our test device
3. Select **Create profile** > **Windows PC**.
-1. Enter the name **Autopilot Cloud Native Windows Endpoint**, and then select **Next**.
+4. Enter the name **Autopilot Cloud-Native Windows Endpoints**, and then select **Next**.
+
+5. In the **Out-of-box experience (OOBE)** settings, confirm the following key values and select **Next**:
+
+ | Setting | Value |
+ | --- | --- |
+ | Deployment mode | User-driven |
+ | Join to Microsoft Entra ID as | Microsoft Entra joined |
+ | User account type | **Standard** |
+ | Apply device name template | Optional. A naming template like `CloudPC-%SERIAL%` makes devices easy to identify in the admin center. |
-5. Review and leave the default settings and select **Next**.
+ > [!IMPORTANT]
+ > Setting **User account type** to **Standard** is a security best practice. It prevents users from installing unapproved software and reduces the attack surface on cloud-native endpoints.
6. Leave the scope tags and select **Next**.
-7. Assign the profile to the Microsoft Entra group you created called **Autopilot Cloud-Native Windows Endpoint**, select **Next**, and then select **Create**.
+7. Assign the profile to the Microsoft Entra group you created called **Autopilot Cloud-Native Windows Endpoints**, select **Next**, and then select **Create**.
### Step 7 - Sync Windows Autopilot devices
@@ -193,29 +212,28 @@ We've selected a few settings to configure. These settings demonstrate an optima
After you created the profile and added your settings, assign the profile to the **Autopilot Cloud-Native Windows Endpoints** group created previously.
-- **Microsoft Outlook**
- To improve the first run experience for Microsoft Outlook, the following setting automatically configures a profile when Outlook is opened for the first time.
+- **Microsoft Outlook** - To improve the first run experience for Microsoft Outlook, the following setting automatically configures a profile when Outlook is opened for the first time.
- - Microsoft Outlook 2016\Account Settings\Exchange (User setting)
- - Automatically configure only the first profile based on Active Directory primary SMTP address - **Enabled**
+ | Setting category | Setting | Value |
+ | --- | --- | --- |
+ | **Microsoft Outlook 2016\Account Settings\Exchange (User setting)** | Automatically configure only the first profile based on Active Directory primary SMTP address | **Enabled** |
-- **Microsoft Edge**
- To improve the first run experience for Microsoft Edge, the following settings configure Microsoft Edge to sync the user's settings and skip the first run experience.
-
- - Microsoft Edge
- - Hide the first-run experience and splash screen - **Enabled**
- - Force synchronization of browser data and do not show the sync consent prompt - **Enabled**
+- **Microsoft Edge** - To improve the first run experience for Microsoft Edge, the following settings configure Microsoft Edge to sync the user's settings and skip the first run experience.
-- **Microsoft OneDrive**
+ | Setting category | Setting | Value |
+ | --- | --- | --- |
+ | **Microsoft Edge** | Hide the first-run experience and splash screen | **Enabled** |
+ | | Force synchronization of browser data and do not show the sync consent prompt | **Enabled** |
- To improve the first sign-in experience, the following settings configure Microsoft OneDrive to automatically sign in and redirect Desktop, Pictures, and Documents to OneDrive. Files On-Demand (FOD) is also recommended. It's enabled by default and isn't included in the following list. For more information on the recommended configuration for the OneDrive sync app, go to [Recommended sync app configuration for Microsoft OneDrive](/onedrive/ideal-state-configuration).
+- **Microsoft OneDrive** - To improve the first sign-in experience, the following settings configure Microsoft OneDrive to automatically sign in and redirect Desktop, Pictures, and Documents to OneDrive. Files On-Demand (FOD) is also recommended. It's enabled by default and isn't included in the following list. For more information on the recommended configuration for the OneDrive sync app, go to [Recommended sync app configuration for Microsoft OneDrive](/onedrive/ideal-state-configuration).
- - OneDrive
- - Silently sign in users to the OneDrive sync app with their Windows credentials - **Enabled**
- - Silently move Windows known folders to OneDrive – **Enabled**
+ | Setting category | Setting | Value |
+ | --- | --- | --- |
+ | **OneDrive** | Silently sign in users to the OneDrive sync app with their Windows credentials | **Enabled** |
+ | | Silently move Windows known folders to OneDrive | **Enabled** |
- > [!NOTE]
- > For more information, go to [Redirect Known Folders](/onedrive/redirect-known-folders).
+ > [!NOTE]
+ > For more information, go to [Redirect Known Folders](/onedrive/redirect-known-folders).
The following screenshot shows an example of a settings catalog profile with each of the suggested settings configured:
@@ -225,49 +243,56 @@ The following screenshot shows an example of a settings catalog profile with eac
Your cloud-native endpoint needs some applications. To get started, we recommend configuring the following applications and targeting them at the **Autopilot Cloud-Native Windows Endpoints** group created previously.
-- **Microsoft 365 Apps** (formerly Office 365 ProPlus)
- Microsoft 365 Apps such as Word, Excel, and Outlook can easily be deployed to devices using the built-in *Microsoft 365 apps for Windows* app profile in Intune.
+- **Microsoft 365 Apps** (formerly Office 365 ProPlus) - Microsoft 365 Apps such as Word, Excel, and Outlook can easily be deployed to devices using the built-in *Microsoft 365 apps for Windows* app profile in Intune.
- Select **configuration designer** for the settings format, as opposed to XML.
- Select **Current Channel** for the update channel.
To deploy Microsoft 365 Apps, go to [Add Microsoft 365 apps to Windows devices using Microsoft Intune](../../app-management/deployment/add-microsoft-365-windows.md)
-- **Company Portal app**
- Deploying the Intune *Company Portal* app to all devices as a required application is recommended. Company Portal app is the self-service hub for users that they use to install applications from multiple sources, like Intune, Microsoft Store, and Configuration Manager. Users also use the Company Portal app to sync their device with Intune, check compliance status, and so on.
+- **Company Portal app** - Deploying the Intune *Company Portal* app to all devices as a required application is recommended. Company Portal app is the self-service hub for users that they use to install applications from multiple sources, like Intune, Microsoft Store, and Configuration Manager. Users also use the Company Portal app to sync their device with Intune, check compliance status, and so on.
To deploy **Company Portal** as required, see [Add and assign the Windows Company Portal app for Intune managed devices](../../app-management/deployment/add-company-portal-autopilot.md).
-- **Microsoft Store App** (Whiteboard)
- While Intune can deploy a wide variety of apps, we deploy a store app (Microsoft Whiteboard) to help keep things simple for this guide. Follow the steps in [Add Microsoft Store apps to Microsoft Intune](../../app-management/deployment/add-microsoft-store.md) to install **Microsoft Whiteboard**.
+- **Microsoft Store App** (Whiteboard) - While Intune can deploy a wide variety of apps, we deploy a store app (Microsoft Whiteboard) to help keep things simple for this guide. Follow the steps in [Add Microsoft Store apps to Microsoft Intune](../../app-management/deployment/add-microsoft-store.md) to install **Microsoft Whiteboard**.
-## Phase 2 - Build a cloud-native Windows endpoint
+> [!div class="nextstepaction"]
+> [Next: Phase 2 – Build a cloud-native Windows endpoint](#phase-2--build-a-cloud-native-windows-endpoint)
-:::image type="content" source="media/tutorial-cloud-native-setup/phase-2.png" alt-text="Phase 2.":::
+## Phase 2 – Build a cloud-native Windows endpoint
-To build your first cloud-native Windows endpoint, use the same virtual machine or physical device that you gathered and then uploaded the hardware hash to the Windows Autopilot service in [Phase 1 > Step 3](#phase-1--set-up-your-environment). With this device, go through the Windows Autopilot process.
+:::image type="icon" source="media/tutorial-cloud-native-setup/phase-2.png":::
+
+To build your first cloud-native Windows endpoint, use the same virtual machine or physical device that you gathered and then uploaded the hardware hash to the Windows Autopilot service in [Phase 1, Step 3 - Import your test device](#step-3---import-your-test-device). With this device, go through the Windows Autopilot process.
1. Resume (or reset if necessary) your Windows PC to the Out of Box Experience (OOBE).
> [!NOTE]
- > If you're prompted to choose setup for personal or an organization, then the Windows Autopilot process hasn't triggered. In that situation, restart the device and ensure it has internet access. If it still doesn't work, try resetting the PC or reinstalling Windows.
+ > If you're prompted to choose setup for personal or an organization, then the Windows Autopilot process didn't start. In that situation, restart the device and ensure it has internet access. If it still doesn't work, try resetting the PC or reinstalling Windows.
2. Sign in with Microsoft Entra credentials (*UPN* or *AzureAD\username*).
3. The enrollment status page shows the status of the device configuration.
-**Congratulations!** You've provisioned your first cloud-native Windows endpoint!
+**Congratulations!** You provisioned your first cloud-native Windows endpoint!
-Some things to check out on your new cloud-native Windows endpoint:
+### Validate your endpoint
-- The OneDrive folders are redirected. When Outlook opens, it's configured automatically to connect to Office 365.
-- Open the **Company Portal** app from the **Start Menu** and notice that **Microsoft Whiteboard** is available for installation.
-- Consider testing access from the device to on-premises resources like file shares, printers, and intranet sites.
+Verify the following tasks on your new device before moving to Phase 3:
- > [!NOTE]
- > If you haven't set up [Windows Hello for Business Hybrid](/windows/security/identity-protection/hello-for-business/hello-identity-verification#hybrid-deployments), you might be prompted on Windows Hello logons to enter passwords to access on-premises resources. To continue testing single sign on access, you can configure Windows Hello for Business Hybrid or logon to the device with username and password rather than Windows Hello. To do so, select the key shaped icon on the logon screen.
+> [!div class="checklist"]
+> * OneDrive folders (Desktop, Documents, Pictures) are redirected and syncing.
+> * Outlook opens and auto-configures your Microsoft 365 profile.
+> * **Company Portal** is installed and **Microsoft Whiteboard** is available.
+> * You can sign in with your Microsoft Entra credentials and access cloud resources.
+> * On-premises resources (file shares, intranet sites, printers) are accessible if required.
+
+If you're prompted to enter a password when using Windows Hello to access on-premises resources, Windows Hello for Business Hybrid isn't configured yet. You can continue testing by selecting the key icon on the sign-in screen and using your username and password instead. For more information, see [Windows Hello for Business Hybrid](/windows/security/identity-protection/hello-for-business/hello-identity-verification#hybrid-deployments).
+
+> [!div class="nextstepaction"]
+> [Next: Phase 3 – Secure your cloud-native Windows endpoint](#phase-3--secure-your-cloud-native-windows-endpoint)
## Phase 3 – Secure your cloud-native Windows endpoint
-:::image type="content" source="media/tutorial-cloud-native-setup/phase-3.png" alt-text="Phase 3.":::
+:::image type="icon" source="media/tutorial-cloud-native-setup/phase-3.png":::
This phase is designed to help you build out security settings for your organization. This section draws your attention to the various Endpoint Security components in Microsoft Intune including:
@@ -277,12 +302,14 @@ This phase is designed to help you build out security settings for your organiza
- [Windows Local Administrator Password Solution (LAPS)](#windows-local-administrator-password-solution-laps)
- [Security baselines](#security-baselines)
- [Windows Update client policies](#windows-update-for-business)
+- [Compliance policy](#compliance-policy)
+- [Conditional Access](#conditional-access)
### Microsoft Defender Antivirus (MDAV)
The following settings are recommended as a minimum configuration for Microsoft Defender Antivirus, a built-in OS component of Windows. These settings don't require any specific licensing agreement such as E3 or E5, and can be enabled in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-#### [:::image type="icon" source="../../media/icons/16/intune.svg"::: **Intune Admin Console**](#tab/intuneadminconsole)
+#### [:::image type="icon" source="../../media/icons/16/intune.svg"::: **Intune admin center**](#tab/intuneadmincenter)
In the admin center, go to **Endpoint Security** > **Antivirus** > **Create Policy** > **Windows and later** > **Profile type** = **Microsoft Defender Antivirus**.
@@ -311,7 +338,7 @@ In the admin center, go to **Endpoint Security** > **Antivirus** > **Create Poli
[!INCLUDE [graph-explorer-introduction](../includes/graph-explorer-intro.md)]
-This creates a policy in your tenant with the name **_MSLearn_Example_Windows - Defender Antivirus** under **Endpoint Security** > **Antivirus**.
+This task creates a policy in your tenant with the name **_MSLearn_Example_Windows - Defender Antivirus** under **Endpoint Security** > **Antivirus**.
```msgraph-interactive
POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
@@ -350,62 +377,49 @@ These settings can be enabled in the [Microsoft Intune admin center](https://go.
When you configure the following BitLocker settings, they silently enable 128-bit encryption for standard users, which is a common scenario. However, your organization might have different security requirements, so use the [BitLocker documentation](../../device-configuration/endpoint-security/encrypt-bitlocker-windows.md) for more settings.
-**BitLocker**:
-
-- Require Device Encryption: **Enabled**
-- Allow Warning For Other Disk Encryption: **Disabled**
- - Allow Standard User Encryption: **Enabled**
-- Configure Recovery Password Rotation: **Refresh on for Azure AD-joined devices**
-
-**BitLocker Drive Encryption**:
-
-- Choose drive encryption method and cipher strength: **Not Configured**
-- Provide the unique identifiers for your organization: **Not Configured**
-
-**Operating System Drives**:
-
-- Enforce drive encryption type on operating system drives: **Enabled**
- - Select the encryption type (Device): **Used Space Only encryption**
-- Require additional authentication at startup: **Enabled**
- - Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive): **False**
- - Configure TPM startup key and PIN: **Allow startup key and PIN with TPM**
- - Configure TPM startup key: **Allow startup key with TPM**
- - Configure TPM startup PIN: **Allow startup PIN with TPM**
- - Configure TPM startup: **Require TPM**
- - Configure minimum PIN length for startup: **Not configured**
- - Allow enhanced PINs for startup: **Not configured**
-- Disallow standard users from changing the PIN or password: **Not configured**
-- Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN: **Not configured**
-- Enable use of BitLocker authentication requiring preboot keyboard input on slates: **Not configured**
-- Choose how BitLocker-protected operating system drives can be recovered: **Enabled**
- - Configure user storage of BitLocker recovery information: **Require 48-digit recovery password**
- - Allow data recovery agent: **False**
- - Configure storage of BitLocker recovery information to AD DS: **Store recovery passwords and key packages**
- - Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: **True**
- - Omit recovery options from the BitLocker setup wizard: **True**
- - Save BitLocker recovery information to AD DS for operating system drives: **True**
-- Configure pre-boot recovery message and URL: **Not configured**
-
-**Fixed Data Drives**:
-
-- Enforce drive encryption type on fixed data drives: **Enabled**
- - Select the encryption type: (Device): **Allow user to choose (default)**
-- Choose how BitLocker-protected fixed drives can be recovered: **Enabled**
- - Configure user storage of BitLocker recovery information: **Require 48-digit recovery password**
- - Allow data recovery agent: **False**
- - Configure storage of BitLocker recovery information to AD DS: **Backup recovery passwords and key packages**
- - Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives: **True**
- - Omit recovery options from the BitLocker setup wizard: **True**
- - Save BitLocker recovery information to AD DS for fixed data drives: **True**
-- Deny write access to fixed drives not protected by BitLocker: **Not configured**
-
-**Removable Data Drives**:
-
-- Control use of BitLocker on removable drives: **Enabled**
- - Allow users to apply BitLocker protection on removable data drives (Device): **False**
- - Allow users to suspend and decrypt BitLocker protection on removable data drives (Device): **False**
-- Deny write access to removable drives not protected by BitLocker: **Not configured**
-
+ | Setting category | Setting | Value |
+ | --- | --- | --- |
+ | **BitLocker** | Require Device Encryption | **Enabled** |
+ | | Allow Warning For Other Disk Encryption | **Disabled** |
+ | | Allow Standard User Encryption | **Enabled** |
+ | | Configure Recovery Password Rotation | **Refresh on for Azure AD-joined devices** |
+ | **BitLocker Drive Encryption** | Choose drive encryption method and cipher strength | **Not Configured** |
+ | | Provide the unique identifiers for your organization | **Not Configured** |
+ | **Operating System Drives** | Enforce drive encryption type on operating system drives | **Enabled** |
+ | | Select the encryption type (Device) | **Used Space Only encryption** |
+ | | Require additional authentication at startup | **Enabled** |
+ | | Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) | **False** |
+ | | Configure TPM startup key and PIN | **Allow startup key and PIN with TPM** |
+ | | Configure TPM startup key | **Allow startup key with TPM** |
+ | | Configure TPM startup PIN | **Allow startup PIN with TPM** |
+ | | Configure TPM startup | **Require TPM** |
+ | | Configure minimum PIN length for startup | **Not configured** |
+ | | Allow enhanced PINs for startup | **Not configured** |
+ | | Disallow standard users from changing the PIN or password | **Not configured** |
+ | | Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN | **Not configured** |
+ | | Enable use of BitLocker authentication requiring preboot keyboard input on slates | **Not configured** |
+ | | Choose how BitLocker-protected operating system drives can be recovered | **Enabled** |
+ | | Configure user storage of BitLocker recovery information | **Require 48-digit recovery password** |
+ | | Allow data recovery agent | **False** |
+ | | Configure storage of BitLocker recovery information to AD DS | **Store recovery passwords and key packages** |
+ | | Do not enable BitLocker until recovery information is stored to AD DS for operating system drives | **True** |
+ | | Omit recovery options from the BitLocker setup wizard | **True** |
+ | | Save BitLocker recovery information to AD DS for operating system drives | **True** |
+ | | Configure pre-boot recovery message and URL | **Not configured** |
+ | **Fixed Data Drives** | Enforce drive encryption type on fixed data drives | **Enabled** |
+ | | Select the encryption type: (Device) | **Allow user to choose (default)** |
+ | | Choose how BitLocker-protected fixed drives can be recovered | **Enabled** |
+ | | Configure user storage of BitLocker recovery information | **Require 48-digit recovery password** |
+ | | Allow data recovery agent | **False** |
+ | | Configure storage of BitLocker recovery information to AD DS | **Backup recovery passwords and key packages** |
+ | | Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives | **True** |
+ | | Omit recovery options from the BitLocker setup wizard | **True** |
+ | | Save BitLocker recovery information to AD DS for fixed data drives | **True** |
+ | | Deny write access to fixed drives not protected by BitLocker | **Not configured** |
+ | **Removable Data Drives** | Control use of BitLocker on removable drives | **Enabled** |
+ | | Allow users to apply BitLocker protection on removable data drives (Device) | **False** |
+ | | Allow users to suspend and decrypt BitLocker protection on removable data drives (Device) | **False** |
+ | | Deny write access to removable drives not protected by BitLocker | **Not configured** |
### Windows Local Administrator Password Solution (LAPS)
@@ -464,24 +478,94 @@ For more information, go to:
- [Learn about using Windows Update client policies in Microsoft Intune](../../device-updates/windows/index.md)
- [Module 4.2 - Windows Update for Business Fundamentals](https://www.youtube.com/watch?v=TXwp-jLDcg0&list=PLMuDtq95SdKsEc_BmAbvwI5l6RPQ2Y2ak&index=6&t=5s) from the Intune for Education Deployment Workshop video series
-If you'd like more granular control for Windows Updates and you use Configuration Manager, consider [co-management](../../configmgr/comanage/overview.md).
+> [!TIP]
+> For cloud-native environments, consider [Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview). Autopatch automates update ring management and reporting, removing the need to manually tune deferral periods and deadlines. It's included with Microsoft Intune and is the recommended approach for organizations that want fully automated, policy-driven Windows updates with minimal admin overhead.
+
+### Compliance policy
+
+A compliance policy reports on the health of your cloud-native Windows endpoints — for example, whether BitLocker is enabled, Secure Boot is on, and Microsoft Defender Antivirus is running. The policy is also the foundation for Conditional Access, so you can block noncompliant devices from accessing organization resources.
+
+To create a Windows compliance policy:
+
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+2. Select **Devices** > **Compliance** > **Create policy**.
+3. For **Platform**, select **Windows 10 and later** > **Create**.
+4. In **Basics**, enter a name for the policy and select **Next**.
+5. In **Compliance settings**, configure the following recommended values and select **Next**:
+
+ | Setting category | Setting | Value |
+ | --- | --- | --- |
+ | **Device Health** | Require BitLocker | Require |
+ | | Require Secure Boot to be enabled on the device | Require |
+ | | Require code integrity | Require |
+ | **System Security** | Firewall | Require |
+ | | Antivirus | Require |
+ | | Antispyware | Require |
+ | | Require a password to unlock mobile devices | Require |
+ | | Simple passwords | Block |
+ | | Password type | Alphanumeric |
+ | | Minimum password length | 14 |
+ | | Maximum minutes of inactivity before password is required | 1 Minute |
+ | | Password expiration (days) | 365 |
+ | | Number of previous passwords to prevent reuse | 5 |
+ | **Defender** | Microsoft Defender Antimalware | Require |
+ | | Microsoft Defender Antimalware security intelligence up-to-date | Require |
+ | | Real-time protection | Require |
+
+ > [!TIP]
+ > Microsoft and current [NIST guidance](https://pages.nist.gov/800-63-3/sp800-63b.html) no longer recommend periodic password expiration. The Windows security baseline removed password expiration in 2019. For cloud-native endpoints, the strongest posture is to move users to passwordless sign-in with [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/) and [passkeys / FIDO2 security keys](/entra/identity/authentication/concept-authentication-passwordless), and to block weak passwords with [Microsoft Entra Password Protection](/entra/identity/authentication/concept-password-ban-bad). Adjust the values above to match your organization's policy. To learn more, see [Passwordless authentication with Microsoft Intune](../passwordless.md).
+
+6. In **Actions for noncompliance**, set the **Mark device noncompliant** schedule to `1` day (or another grace period that suits your organization).
+
+ > [!TIP]
+ > If you use Conditional Access, configure a grace period so noncompliant devices don't immediately lose access to organization resources. You can also add an action to email users with steps to get compliant.
+
+7. Assign the policy to the **Autopilot Cloud-Native Windows Endpoints** group from [Step 4 - Create Microsoft Entra dynamic group for the device](#step-4---create-microsoft-entra-dynamic-group-for-the-device).
+
+For more information on Windows compliance settings, see [Windows device compliance settings in Microsoft Intune](../../device-security/compliance/ref-windows-settings.md).
+
+### Conditional Access
+
+Conditional Access in Microsoft Entra uses compliance signal from Intune to allow or block access to organization resources. The most common cloud-native pattern is **require a compliant device** for Microsoft 365 apps and other cloud services. This pattern ensures only Intune-managed, healthy devices can access your data.
+
+A typical cloud-native Conditional Access baseline includes:
+
+- **Require multifactor authentication** for all users.
+- **Require a compliant device** (or hybrid Microsoft Entra joined device) for cloud apps.
+- **Block legacy authentication** protocols.
+
+> [!IMPORTANT]
+> Test Conditional Access policies on a pilot group first. A misconfigured policy can lock administrators out of the Microsoft Entra admin center.
+
+For step-by-step guidance, see:
+
+- [Conditional Access: Require compliant or hybrid Microsoft Entra joined device](/entra/identity/conditional-access/howto-conditional-access-policy-compliant-device)
+- [Plan a Conditional Access deployment](/entra/identity/conditional-access/plan-conditional-access)
+- [Conditional Access common policies](/entra/identity/conditional-access/concept-conditional-access-policy-common)
+
+> [!div class="nextstepaction"]
+> [Next: Phase 4 – Apply customizations and review your on-premises configuration](#phase-4--apply-customizations-and-review-your-on-premises-configuration)
## Phase 4 – Apply customizations and review your on-premises configuration
-:::image type="content" source="media/tutorial-cloud-native-setup/phase-4.png" alt-text="Phase 4.":::
+:::image type="icon" source="media/tutorial-cloud-native-setup/phase-4.png":::
In this phase, you apply organization-specific settings, apps, and review your on-premises configuration. The phase helps you build any customizations specific to your organization. Notice the various components of Windows, how you can review existing configurations from an on-premises AD Group Policy environment, and apply them to cloud-native endpoints. There are sections for each of the following areas:
-- [Microsoft Edge](#microsoft-edge)
-- [Start and Taskbar layout](#start-and-taskbar-layout)
-- [Settings catalog](#settings-catalog)
-- [Device Restrictions](#device-restrictions)
-- [Delivery Optimization](#delivery-optimization)
-- [Local Administrators](#local-administrators)
-- [Group Policy to MDM Setting Migration](#group-policy-to-mdm-setting-migration)
-- [Scripts](#scripts)
-- [Mapping Network Drives and Printers](#mapping-network-drives-and-printers)
-- [Applications](#applications)
+- **User experience**
+ - [Microsoft Edge](#microsoft-edge)
+ - [Start and Taskbar layout](#start-and-taskbar-layout)
+- **Device configuration**
+ - [Settings catalog](#settings-catalog)
+ - [Device Restrictions](#device-restrictions)
+ - [Delivery Optimization](#delivery-optimization)
+ - [Local Administrators](#local-administrators)
+- **Migrate from on-premises**
+ - [Group Policy to MDM Setting Migration](#group-policy-to-mdm-setting-migration)
+ - [Scripts](#scripts)
+ - [Mapping Network Drives and Printers](#mapping-network-drives-and-printers)
+- **Applications**
+ - [Applications](#applications)
### Microsoft Edge
@@ -540,43 +624,47 @@ The settings catalog is a single location where all configurable Windows setting
Following are some settings available in the settings catalog that might be relevant to your organization:
-- **Azure Active Directory preferred tenant domain**
- This setting configures the preferred tenant domain name to be appended to a user's username. A preferred tenant domain allows users to sign in to Microsoft Entra endpoints with only their username rather than their whole UPN so long as the user's domain name matches the preferred tenant domain. For users that have different domain names, they can type their whole UPN.
+
+- **Azure Active Directory preferred tenant domain** - This setting configures the preferred tenant domain name to be appended to a user's username. A preferred tenant domain allows users to sign in to Microsoft Entra endpoints with only their username rather than their whole UPN so long as the user's domain name matches the preferred tenant domain. For users that have different domain names, they can type their whole UPN.
+
+ | Setting category | Setting | Value |
+ | --- | --- | --- |
+ | **Authentication** | Preferred AAD Tenant Domain Name | Enter domain name, like `contoso.onmicrosoft.com`. |
- The setting can be found in:
- - Authentication
- - Preferred AAD Tenant Domain Name - Specify domain name, like `contoso.onmicrosoft.com`.
+ > [!NOTE]
+ > The setting label uses legacy terminology. "AAD" refers to Microsoft Entra ID.
+
+- **Windows Spotlight** - By default, several consumer features of Windows are enabled which results in selected Store apps installing and third-party suggestions on the lock screen. You can control this using the Experience section of the settings catalog.
-- **Windows Spotlight**
- By default, several consumer features of Windows are enabled which results in selected Store apps installing and third-party suggestions on the lock screen. You can control this using the Experience section of the settings catalog.
+ | Setting category | Setting | Value |
+ | --- | --- | --- |
+ | **Experience > Allow Windows Spotlight** | Allow Windows Consumer Features | **Block** |
+ | | Allow Third-Party Suggestions in Windows Spotlight (user) | **Block** |
- - Experience > Allow Windows Spotlight
- - Allow Windows Consumer Features - **Block**
- - Allow Third-Party Suggestions in Windows Spotlight (user) - **Block**
+- **Microsoft Store** - Organizations typically want to restrict the applications that can install on endpoints. Use this setting if your organization wants to control which applications can install from the Microsoft Store. This setting prevents users from installing applications unless they're approved.
-- **Microsoft Store**
- Organizations typically want to restrict the applications that can install on endpoints. Use this setting if your organization wants to control which applications can install from the Microsoft Store. This setting prevents users from installing applications unless they're approved.
- - Microsoft App Store
- - Require Private Store Only - **Only Private store is enabled**
+ | Setting category | Setting | Value |
+ | --- | --- | --- |
+ | **Microsoft App Store** | Require Private Store Only | **Only Private store is enabled** |
- > [!NOTE]
- > This setting applies to Windows 10. On Windows 11, this setting blocks access to the public Microsoft store. For more information, go to:
- >
- > - [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077)
- > - [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286)
+ > [!NOTE]
+ > This setting applies to Windows 10. On Windows 11, this setting blocks access to the public Microsoft store. For more information, go to:
+ >
+ > - [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077)
+ > - [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286)
-- **Block Gaming**
- Organizations might prefer that corporate endpoints can't be used to play games. The Gaming page within the Settings app can be hidden entirely using the following setting.
+- **Block Gaming** - Organizations might prefer that corporate endpoints can't be used to play games. The Gaming page within the Settings app can be hidden entirely using the following setting.
For additional information on the settings page visibility, go to the [CSP documentation](/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) and the ms-settings [URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
- - Settings
- - Page Visibility List – **hide:gaming-gamebar;gaming-gamedvr;gaming-broadcasting;gaming-gamemode;gaming-trueplay;gaming-xboxnetworking;quietmomentsgame**
-- **Control which tenants the Teams desktop client can sign in to**
+ | Setting category | Setting | Value |
+ | --- | --- | --- |
+ | **Settings** | Page Visibility List | **hide:gaming-gamebar;gaming-gamedvr;gaming-broadcasting;gaming-gamemode;gaming-trueplay;gaming-xboxnetworking;quietmomentsgame** |
- When this policy is configured on a device, users can only sign in with accounts homed in a Microsoft Entra tenant that is included in the "Tenant Allow List" defined in this policy. The "Tenant Allow List" is a comma separated list of Microsoft Entra tenant IDs. By specifying this policy and defining a Microsoft Entra tenant, you also block sign in to Teams for personal use. For more information, go to [How to restrict sign in on desktop devices](/microsoftteams/sign-in-teams#how-to-restrict-sign-in-on-desktop-devices).
+- **Control which tenants the Teams desktop client can sign in to** - When this policy is configured on a device, users can only sign in with accounts homed in a Microsoft Entra tenant that's included in the "Tenant Allow List" defined in this policy. The "Tenant Allow List" is a comma separated list of Microsoft Entra tenant IDs. By specifying this policy and defining a Microsoft Entra tenant, you also block sign in to Teams for personal use. For more information, go to [How to restrict sign in on desktop devices](/microsoftteams/sign-in-teams#how-to-restrict-sign-in-on-desktop-devices).
- - Microsoft Teams
- - Restrict sign in to Teams to accounts in specific tenants (User) - **Enabled**
+ | Setting category | Setting | Value |
+ | --- | --- | --- |
+ | **Microsoft Teams** | Restrict sign in to Teams to accounts in specific tenants (User) | **Enabled** |
### Device Restrictions
@@ -584,11 +672,9 @@ Windows Device restrictions templates contain many of the settings required to s
To create a profile that uses the Device restrictions template, in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > Select **Windows 10 and later** for platform > **Templates** **Device restrictions** for profile type.
-- **Desktop background picture URL (Desktop only)**
- Use this setting to set a wallpaper on Windows Enterprise or Windows Education SKUs. You host the file online or reference a file that's copied locally. To configure this setting, on the *Configuration settings* tab in the *Device restrictions* profile, expand *Personalization*, and configure **Desktop background picture URL (Desktop only)**.
+- **Desktop background picture URL (Desktop only)** - Use this setting to set a wallpaper on Windows Enterprise or Windows Education SKUs. You host the file online or reference a file that's copied locally. To configure this setting, on the *Configuration settings* tab in the *Device restrictions* profile, expand *Personalization*, and configure **Desktop background picture URL (Desktop only)**.
-- **Require users to connect to a network during device setup**
- This setting reduces the risk that a device can skip Windows Autopilot if the computer is reset. This setting requires devices to have a network connection during the out of box experience phase. To configure this setting, on the *Configuration settings* tab in the *Device restrictions* profile, expand *General*, and configure **Require users to connect to network during device setup**.
+- **Require users to connect to a network during device setup** - This setting reduces the risk that a device can skip Windows Autopilot if the computer is reset. This setting requires devices to have a network connection during the out of box experience phase. To configure this setting, on the *Configuration settings* tab in the *Device restrictions* profile, expand *General*, and configure **Require users to connect to network during device setup**.
> [!NOTE]
> The setting becomes effective the next time the device is wiped or reset.
@@ -601,8 +687,8 @@ To apply Delivery Optimization settings, create an Intune [Delivery Optimization
Some settings that are commonly used by organizations are:
-- **Restrict peer selection – Subnet**. This setting restricts peer caching to computers on the same subnet.
-- **Group ID**. Delivery Optimization clients can be configured to only share content with devices in the same group. Group IDs can be configured directly by sending a GUID through policy or using DHCP options in DHCP scopes.
+- **Restrict peer selection – Subnet** - This setting restricts peer caching to computers on the same subnet.
+- **Group ID** - Delivery Optimization clients can be configured to only share content with devices in the same group. Group IDs can be configured directly by sending a GUID through policy or using DHCP options in DHCP scopes.
Customers using Microsoft Configuration Manager can deploy connected cache servers that can be used to host Delivery Optimization content. For more information, go to [Microsoft Connected Cache in Configuration Manager](../../configmgr/core/plan-design/hierarchy/microsoft-connected-cache.md).
@@ -662,7 +748,7 @@ Intune supports the deployment of many different Windows application types.
- Windows Installer (MSI) – [Add a Windows line-of-business app to Microsoft Intune](../../app-management/deployment/add-lob-windows.md)
- MSIX – [Add a Windows line-of-business app to Microsoft Intune](../../app-management/deployment/add-lob-windows.md)
- Win32 apps (MSI, EXE, script installers) – [Win32 app management in Microsoft Intune](../../app-management/deployment/win32.md)
-- Store apps – [Add Microsoft Store apps to Microsoft Intune](../../app-management/deployment/add-microsoft-store-legacy.md)
+- Store apps – [Add Microsoft Store apps to Microsoft Intune](../../app-management/deployment/add-microsoft-store.md)
- Web links – [Add web apps to Microsoft Intune](../../app-management/deployment/add-web.md)
If you have applications that use MSI, EXE, or script installers, you can deploy all of these applications using *Win32 app management in Microsoft Intune*. Wrapping these installers in the Win32 format provides more flexibility and benefits, including notifications, delivery optimization, dependencies, detection rules, and support for the Enrollment Status Page in Windows Autopilot.
@@ -670,26 +756,124 @@ If you have applications that use MSI, EXE, or script installers, you can deploy
> [!NOTE]
> To prevent conflicts during installation, we recommend that you stick to using the Windows line-of-business apps or Win32 apps features exclusively. If you have applications that are packaged as `.msi` or `.exe`, then they can be converted to Win32 apps (`.intunewin`) using the *[Microsoft Win32 Content Prep Tool](https://github.com/microsoft/Microsoft-Win32-Content-Prep-Tool)* available on GitHub.
-## Phase 5 – Deploy at scale with Windows Autopilot
+> [!div class="nextstepaction"]
+> [Next: Phase 5 – Scale your deployment with Windows Autopilot](#phase-5--scale-your-deployment-with-windows-autopilot)
+
+## Phase 5 – Scale your deployment with Windows Autopilot
+
+:::image type="icon" source="media/tutorial-cloud-native-setup/phase-5.png":::
+
+You proved cloud-native works on one device. This phase covers how to move from a test device to your production fleet — how devices get registered, how you group them by persona, how you stage rollout, and how you handle the existing PCs you already manage.
+
+### Register devices at scale
+
+In [Phase 1](#phase-1--set-up-your-environment), you uploaded a hardware hash manually. That's fine for a lab, but doesn't scale. The production-ready options are:
+
+| Registration source | How it works | Best for |
+| --- | --- | --- |
+| **OEM or hardware partner** | Devices ship from the vendor already registered to your tenant (Dell, HP, Lenovo, Microsoft, Surface, and others). | New hardware procurement — the recommended target state. |
+| **Reseller or CSP** | A Microsoft partner registers devices on your behalf. | Indirect or mixed supply chains. |
+| **Manual hash upload (CSV)** | Same `Get-WindowsAutopilotInfo` flow from [Phase 1, Step 3](#step-3---import-your-test-device), bulk-uploaded as a CSV. | Pilots, lab devices, small batches, existing devices being onboarded. |
+| **Intune Connector / direct enrollment** | Newer registration paths surfaced in the admin center. | Specific enrollment scenarios — see the Autopilot registration overview. |
+
+For full details, see [Register Autopilot devices](/autopilot/registration-overview).
+
+> [!TIP]
+> Whenever you buy new Windows hardware, ask your reseller or OEM to register devices to your Microsoft Entra tenant ID at the time of purchase. This approach is the lowest-friction long-term pattern and removes the need to ever collect a hash manually.
+
+### Use Group Tags for personas
+
+You already used the `CloudNative` group tag in Phase 1 to drive a dynamic group. The same pattern scales to multiple device personas. Define one group tag per persona, one dynamic Microsoft Entra group per tag, and one Autopilot deployment profile plus Enrollment Status Page per group.
+
+| Persona | Suggested group tag | Autopilot profile | User account type |
+| --- | --- | --- | --- |
+| Knowledge worker | `KnowledgeWorker` | User-driven | Standard user |
+| Developer / power user | `Developer` | User-driven | Administrator |
+| Kiosk or shared device | `Kiosk` | Self-deploying | N/A |
+| Pre-provisioned (white glove) | `PreProvisioned` | Pre-provisioned | Standard user |
+
+This pattern keeps configuration, apps, and security policies isolated per persona and avoids one-off exceptions sprawling across your tenant.
+
+### Roll out in rings
+
+Don't deploy to the whole fleet at once. Use the same ring concept that you use for Windows Updates:
+
+| Ring | Audience | Purpose |
+| --- | --- | --- |
+| **Pilot** | IT team and a small group of volunteers | Validate end-to-end provisioning and policy. |
+| **Early adopters** | ~5% of users, spread across departments | Catch persona- and app-specific issues. |
+| **Broad** | The remaining fleet, staged by region or department | Production rollout. |
+
+Use **[assignment filters](../../fundamentals/filters/overview.md)** to target rings instead of creating duplicate groups for every policy. Monitor each ring using the [Monitor your cloud-native Windows endpoints](#monitor-your-cloud-native-windows-endpoints) section before promoting to the next.
-:::image type="content" source="media/tutorial-cloud-native-setup/phase-5.png" alt-text="Phase 5.":::
+### Handle existing devices
-Now that you configured your cloud-native Windows endpoint and provisioned it with Windows Autopilot, consider how you can import more devices. Also consider how you can work with your partner or hardware supplier to start provisioning new endpoints from the cloud. Review the following resources to determine the best approach for your organization.
+For Windows PCs you already manage, Microsoft recommends moving to Autopilot at the **next hardware refresh** rather than re-provisioning your entire fleet today. Cloud-native Windows gets its full benefits from a clean OOBE start, and refresh cycles let you transition naturally with minimal user disruption.
+
+If you can't wait for refresh, two paths are available:
+
+- **Register and reset in place.** Collect the hash for an existing device, register it to Autopilot, then reset the PC. The device comes back through OOBE as a cloud-native endpoint. See [Add existing devices to Windows Autopilot](/autopilot/add-devices).
+- **Reimage on refresh.** Only new or refreshed hardware enrolls as cloud-native. Existing devices stay on their current management until they reach end of life.
+
+> [!CAUTION]
+> Don't register devices that are actively managed by Microsoft Configuration Manager without a co-management plan. Decide whether the device will be cloud-managed, co-managed, or stay on Configuration Manager **before** you register it to Autopilot. For more information, see [Co-management for Windows devices](../../configmgr/comanage/overview.md).
+
+### Learn more
- [Overview of Windows Autopilot](/autopilot/overview)
+- [Windows Autopilot deployment profiles](/autopilot/profiles)
- [Module 6.4 - Windows Autopilot Fundamentals - YouTube](https://www.youtube.com/watch?v=wNmLvqZ21AE)
-If for some reason Windows Autopilot isn't the right option for you, there are other enrollment methods for Windows. For more information, go to [Intune enrollment methods for Windows devices](../../device-enrollment/enroll-devices.md).
+If Windows Autopilot isn't the right fit for your scenario, see [Intune enrollment methods for Windows devices](../../device-enrollment/enroll-devices.md) for alternatives.
+
+> [!div class="nextstepaction"]
+> [Next: Monitor your cloud-native Windows endpoints](#monitor-your-cloud-native-windows-endpoints)
+
+## Monitor your cloud-native Windows endpoints
+
+After your cloud-native Windows endpoints are provisioned and configured, use the monitoring views in the Microsoft Intune admin center to confirm policies, scripts, and apps deploy successfully — and to spot issues early. Monitoring is an ongoing operational task, not a one-time setup step.
+
+| What to monitor | In the admin center | What to review | More information |
+| --- | --- | --- | --- |
+| **Script status** | **Devices** > **By platform** > **Windows** > **Manage devices** > **Scripts and remediations** > **Platform scripts** | Select a script > **Device status** | — |
+| **App installation status** | **Apps** > **Windows** > **Windows apps** | Select an app > **Device install status** or **User install status** | [Troubleshoot app installs](/troubleshoot/mem/intune/app-management/troubleshoot-app-install) |
+| **Security baselines** | — | — | [Monitor security baselines in Intune](../../device-security/security-baselines/monitor-baselines.md) |
+| **Disk encryption (BitLocker)** | **Endpoint security** > **Disk encryption** | Select the BitLocker policy > **Device install status**. Recovery keys: **Devices** > **Windows** > select a device > **Recovery keys** | — |
+| **Windows Update rings** | **Devices** > **Manage updates** > **Windows 10 and later updates** > **Update rings** | Select a ring > **Device status** | [Reports for update rings](../../device-updates/windows/monitor-update-rings.md) |
+| **Compliance** | **Devices** > **Compliance** | Select the policy to see assignment results, noncompliant devices, and per-setting failures | [Monitor compliance policies](../../device-security/compliance/monitor-policy.md) |
+| **Endpoint analytics** | **Reports** > **Endpoint analytics** | Startup performance, app reliability, and proactive remediations across your fleet | [Endpoint analytics overview](../../endpoint-analytics/index.md) · [Intune reports](/mem/intune/fundamentals/reports) |
## Follow the cloud-native endpoints guidance
1. [Overview: What are cloud-native endpoints?](overview.md)
-2. 🡺 **Tutorial: Get started with cloud-native Windows endpoints** (*You are here*)
+2. 🡺 **Tutorial: Set up cloud-native Windows endpoints with Microsoft Intune** (*You're here*)
3. [Concept: Microsoft Entra joined vs. Hybrid Microsoft Entra joined](entra-join-types.md)
4. [Concept: Cloud-native endpoints and on-premises resources](on-premises-resources.md)
5. [High level planning guide](planning-guide.md)
6. [Known issues and important information](troubleshoot.md)
+## Frequently asked questions
+
+### What is a cloud-native Windows endpoint?
+
+A cloud-native Windows endpoint is a Windows device that's Microsoft Entra joined and enrolled in Microsoft Intune — with no dependency on on-premises Active Directory, Group Policy, or domain controllers. All configuration, security, and app deployment is managed from the cloud using Microsoft Intune and Windows Autopilot.
+
+### What's the difference between cloud-native and hybrid Microsoft Entra joined?
+
+A hybrid Microsoft Entra joined device is joined to both on-premises Active Directory and Microsoft Entra. It still depends on domain controllers for authentication and Group Policy for configuration. A cloud-native (Microsoft Entra joined only) device has no on-premises dependency — identity, policy, and apps all come from the cloud. For a detailed comparison, see [Microsoft Entra joined vs. Hybrid Microsoft Entra joined](entra-join-types.md).
+
+### Do I need Windows 11 for cloud-native endpoints?
+
+No. Cloud-native Windows works with Windows 10 22H2 or later. Microsoft recommends Windows 11 for the best experience with Windows Autopilot, Windows Hello for Business, and modern security features.
+
+### Can I move existing domain-joined devices to cloud-native?
+
+Yes, but Microsoft recommends doing it at the **next hardware refresh** rather than re-provisioning your entire fleet. Cloud-native Windows gets its full benefits from a clean OOBE start. For devices you can't wait to refresh, see [Handle existing devices](#handle-existing-devices) in Phase 5.
+
+### Does cloud-native Windows work with on-premises resources like file shares and printers?
+
+Yes, with some planning. Cloud-native devices can access on-premises resources over VPN or through Microsoft Entra application proxy. For file storage, Microsoft recommends migrating to OneDrive and SharePoint. For printing, consider [Universal Print](/universal-print/fundamentals/universal-print-whatis). See [Cloud-native endpoints and on-premises resources](on-premises-resources.md) for detailed guidance.
+
## Helpful online resources
- [Co-management for Windows devices](../../configmgr/comanage/overview.md)
diff --git a/intune/solutions/education/tutorial-school-deployment/configure-apps.md b/intune/solutions/education/tutorial-school-deployment/configure-apps.md
index dbf19510563..4df9c822e6e 100644
--- a/intune/solutions/education/tutorial-school-deployment/configure-apps.md
+++ b/intune/solutions/education/tutorial-school-deployment/configure-apps.md
@@ -32,7 +32,7 @@ Intune supports the deployment several application types including desktop apps
Enterprise App Management enables you to easily discover and deploy applications and keep them up to date from the Enterprise App Catalog. The Enterprise App Catalog is a collection of prepared Microsoft and non-Microsoft applications. These apps are Win32 apps that are [prepared as Win32 apps](../../../app-management/deployment/create-win32-package.md) and hosted by Microsoft.
> [!IMPORTANT]
-> Enterprise App Management is an Intune add-on as part of the Intune suite that is available for trial and purchase. For more information, see [Use Intune Suite add-on capabilities](../../../fundamentals/add-ons.md).
+> Enterprise App Management is part of Microsoft Intune Suite and available for trial and purchase. For more information, see [Microsoft Intune advanced capabilities](../../../fundamentals/advanced-capabilities.md).
For more information, see [Enterprise Application Management](../../../app-management/deployment/enterprise-app-management.md).
diff --git a/intune/solutions/education/tutorial-school-deployment/grouping-and-targeting.md b/intune/solutions/education/tutorial-school-deployment/grouping-and-targeting.md
index 3c7d9a5fd33..f03c4c4b099 100644
--- a/intune/solutions/education/tutorial-school-deployment/grouping-and-targeting.md
+++ b/intune/solutions/education/tutorial-school-deployment/grouping-and-targeting.md
@@ -1,7 +1,7 @@
---
title: Plan Education device grouping and targeting
description: Plan how you'll group devices and users and target policies and applications.
-ms.date: 5/2/2024
+ms.date: 05/19/2026
ms.topic: tutorial
ms.author: scbree
author: scottbreenmsft
@@ -69,6 +69,8 @@ The following table provides guidance about which iOS device grouping options to
> [!TIP]
> For more information on grouping and targeting options, see [Performance recommendations for Grouping, Targeting, and Filtering in large Microsoft Intune environments](../../../fundamentals/filters/performance-recommendations.md).
+>
+> For Intune-only device targeting based on properties like OS type, manufacturer, model, or device category, assignment filters are preferred over dynamic device groups. Filters evaluate at check-in without depending on group membership processing. Use dynamic groups when you need group membership for cross-workload scenarios (Conditional Access, licensing) or Autopilot profile assignment.
## Create groups and filters
diff --git a/intune/solutions/education/tutorial-school-deployment/setup-intune.md b/intune/solutions/education/tutorial-school-deployment/setup-intune.md
index e849a34d9c3..d79aa05a8fc 100644
--- a/intune/solutions/education/tutorial-school-deployment/setup-intune.md
+++ b/intune/solutions/education/tutorial-school-deployment/setup-intune.md
@@ -262,7 +262,7 @@ When the Intune service configured, you can configure policies and applications
-[MEM-1]: ../../../fundamentals/licensing/index.md
+[MEM-1]: ../../../fundamentals/licensing.md
[MEM-2]: ../../../device-enrollment/restrictions.md
[MEM-4]: ../../../device-security/identity-protection/configure-tenant-wide-policy.md
[INT-1]: /intune-education/what-is-intune-for-education
diff --git a/intune/solutions/end-to-end-guides/macos-endpoints-get-started.md b/intune/solutions/end-to-end-guides/macos-endpoints-get-started.md
index a5f9eb418d8..dfae4c41fc4 100644
--- a/intune/solutions/end-to-end-guides/macos-endpoints-get-started.md
+++ b/intune/solutions/end-to-end-guides/macos-endpoints-get-started.md
@@ -91,7 +91,7 @@ Specifically:
- **Licensing**
- Users enrolling macOS devices require a Microsoft Intune or Microsoft Intune for Education license. To assign licenses, go to [Assign Microsoft Intune licenses](../../fundamentals/licensing/assign-licenses.md). Assign the licenses to the test accounts you created.
+ Users enrolling macOS devices require a Microsoft Intune or Microsoft Intune for Education license. To assign licenses, go to [Assign Microsoft Intune licenses](../../fundamentals/assign-licenses.md). Assign the licenses to the test accounts you created.
> [!NOTE]
> Both types of licenses are typically included with licensing bundles, like Microsoft 365 E3 (or A3) and higher. For more information, go to [Compare Microsoft 365 Enterprise Plans](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).
diff --git a/intune/solutions/frontline-worker/index.md b/intune/solutions/frontline-worker/index.md
index 250123e179c..2ff88aec0cf 100644
--- a/intune/solutions/frontline-worker/index.md
+++ b/intune/solutions/frontline-worker/index.md
@@ -79,7 +79,7 @@ Intune has built-in features that can be used for frontline worker devices, incl
These devices include augmented reality (AR) & virtual reality (VR) headsets, large smart-screen devices, and some conference room meeting devices, like Microsoft Teams Rooms devices. They can be managed using Intune policies.
> [!NOTE]
-> Some features may require additional licenses. For more information, go to [Intune Suite add-on capabilities](../../fundamentals/add-ons.md) or [Microsoft Intune licensing](../../fundamentals/licensing/index.md).
+> Some features may require additional licenses. For more information, go to [Microsoft Intune advanced capabilities](../../fundamentals/advanced-capabilities.md) or [Microsoft Intune licensing](../../fundamentals/licensing.md).
## Microsoft Entra shared device mode for FLW
diff --git a/intune/solutions/passwordless.md b/intune/solutions/passwordless.md
index 952a44d0b08..2c612405b3e 100644
--- a/intune/solutions/passwordless.md
+++ b/intune/solutions/passwordless.md
@@ -305,12 +305,12 @@ Depending on the passwordless methods you choose, your organization might need M
| Certificate-based authentication (CBA) | Microsoft Entra ID P1 (P2 for risk-based Conditional Access) |
| Authentication strength policies | Microsoft Entra ID P1 |
| Risk-based Conditional Access | Microsoft Entra ID P2 |
-| Microsoft Cloud PKI | Microsoft Intune Suite add-on or standalone Cloud PKI add-on |
+| Microsoft Cloud PKI | Microsoft Intune Suite or standalone Cloud PKI license |
| Device compliance and configuration profiles | Microsoft Intune Plan 1 |
:::image type="icon" source="../media/icons/16/learn-more.svg" border="false"::: **Learn more**
- [Microsoft Entra plans and pricing](/entra/fundamentals/licensing)
-- [Microsoft Intune licensing](../fundamentals/licensing/index.md)
+- [Microsoft Intune licensing](../fundamentals/licensing.md)
### Platform requirements
diff --git a/intune/whats-new/archive/index.md b/intune/whats-new/archive/index.md
index 8387cb99faf..c6a02a29412 100644
--- a/intune/whats-new/archive/index.md
+++ b/intune/whats-new/archive/index.md
@@ -1036,7 +1036,7 @@ Endpoint Privilege Management (EPM) elevation rules now include a new file eleva
*Deny* rules support the same configuration options as other [elevation types](../../epm/create-elevation-rules.md#creating-elevation-rules-with-endpoint-privilege-management) except for child processes, which aren't used.
-For more information about EPM, which is available as an [Intune Suite add-on-capability](../../fundamentals/add-ons.md), see [Endpoint Privilege Management overview](../../epm/overview.md).
+For more information about EPM, which is available as an [Intune Suite add-on-capability](../../fundamentals/advanced-capabilities.md), see [Endpoint Privilege Management overview](../../epm/overview.md).
### App management
@@ -1163,7 +1163,7 @@ Microsoft Intune has a new icon. The Intune icon is being updated across platfor
File elevation rules for Endpoint Privilege Management (EPM) now support [command line file arguments](../../epm/create-elevation-rules.md#use-file-arguments-for-elevation-rules). When an elevation rule is configured to define one or more file arguments, EPM allows that file to run in an elevated request only when one of the defined arguments is used. EPM blocks elevation of the file should a command line argument be used that isn't defined by the elevation rule. Use of file arguments in your file elevation rules can help you refine how and for what intent different files are successfully run in an elevated context by Endpoint Privilege Management.
-EPM is available as an [Intune Suite add-on-capability](../../fundamentals/add-ons.md).
+EPM is available as an [Intune Suite add-on-capability](../../fundamentals/advanced-capabilities.md).
### App management
@@ -1712,7 +1712,7 @@ With this capability, while reviewing the properties of a file elevation request
- The risk score for the user requesting the file elevation
- The risk score of the device from which the elevation was submitted
-EPM is available as an [Intune Suite add-on-capability](../../fundamentals/add-ons.md). To learn more about how you can currently use Copilot in Intune, see [Microsoft Copilot in Intune](../../copilot/index.md).
+EPM is available as an [Intune Suite add-on-capability](../../fundamentals/advanced-capabilities.md). To learn more about how you can currently use Copilot in Intune, see [Microsoft Copilot in Intune](../../copilot/index.md).
To learn more about Microsoft Security Copilot, see, [Microsoft Security Copilot](/copilot/security/microsoft-security-copilot).
@@ -2314,7 +2314,7 @@ The resource performance scores and insights for physical devices are aimed to h
For more information, see:
- [Resource performance report](../../advanced-analytics/resource-performance.md)
-- [Microsoft Intune Suite](../../fundamentals/add-ons.md)
+- [Microsoft Intune Suite](../../fundamentals/advanced-capabilities.md)
### App management
@@ -2603,7 +2603,7 @@ Plan 2 capabilities:
For more information, see:
-- [Use Microsoft Intune Suite add-on capabilities](../../fundamentals/add-ons.md)
+- [Use Microsoft Intune Suite add-on capabilities](../../fundamentals/advanced-capabilities.md)
- [Microsoft Intune for US Government GCC service description](../../fundamentals/government-service.md)
### Device enrollment
@@ -3494,7 +3494,7 @@ Applies to:
#### GCC customers can use Remote Help for Windows and Android devices
-The [Microsoft Intune Suite](../../fundamentals/add-ons.md) includes advanced endpoint management and security features, including Remote Help.
+The [Microsoft Intune Suite](../../fundamentals/advanced-capabilities.md) includes advanced endpoint management and security features, including Remote Help.
On Windows and enrolled Android Enterprise dedicated devices, you can use remote help on US Government GCC environments.
@@ -3530,7 +3530,7 @@ Applies to
#### New elevation type for Endpoint Privilege Management
-Endpoint Privilege Management has a new file elevation type, **support approved**. Endpoint Privilege Management is a feature component of the Microsoft Intune Suite and is also available as a standalone [Intune add-on](../../fundamentals/add-ons.md).
+Endpoint Privilege Management has a new file elevation type, **support approved**. Endpoint Privilege Management is a feature component of the Microsoft Intune Suite and is also available as a standalone [Intune add-on](../../fundamentals/advanced-capabilities.md).
A support-approved elevation gives you a third option for both the default elevation response and the elevation type for each rule. Unlike automatic or user confirmed, a support-approved elevation request requires Intune administrators to manage which files can run as elevated on a case-by-case basis.
@@ -3846,7 +3846,7 @@ For more information, see [Create a notification message template](../../device-
#### New Microsoft Cloud PKI service
-Use the Microsoft Cloud PKI service to simplify and automate certificate lifecycle management for Intune-managed devices. Microsoft Cloud PKI is a feature component of the Microsoft Intune Suite and is also available as a standalone [Intune add-on](../../fundamentals/add-ons.md). The cloud-based service provides a dedicated PKI infrastructure for your organization, and doesn't require on-premises servers, connectors, or hardware. Microsoft Cloud PKI automatically issues, renews, and revokes certificates for all OS platforms supporting the SCEP certificate device configuration profile. Issued certificates can be used for certificate-based authentication for Wi-Fi, VPN, and other services supporting certificate-based authentication. For more information, see [Overview of Microsoft Cloud PKI](../../cloud-pki/index.md).
+Use the Microsoft Cloud PKI service to simplify and automate certificate lifecycle management for Intune-managed devices. Microsoft Cloud PKI is a feature component of the Microsoft Intune Suite and is also available as a standalone [Intune add-on](../../fundamentals/advanced-capabilities.md). The cloud-based service provides a dedicated PKI infrastructure for your organization, and doesn't require on-premises servers, connectors, or hardware. Microsoft Cloud PKI automatically issues, renews, and revokes certificates for all OS platforms supporting the SCEP certificate device configuration profile. Issued certificates can be used for certificate-based authentication for Wi-Fi, VPN, and other services supporting certificate-based authentication. For more information, see [Overview of Microsoft Cloud PKI](../../cloud-pki/index.md).
Applies to:
@@ -4111,7 +4111,7 @@ Enterprise Application Management provides an Enterprise App Catalog of Win32 ap
For more information, see:
-- [Use Intune Suite add-on capabilities](../../fundamentals/add-ons.md)
+- [Use Intune Suite add-on capabilities](../../fundamentals/advanced-capabilities.md)
- [Microsoft Intune Enterprise Application Management](../../app-management/deployment/enterprise-app-management.md)
- [Add an Enterprise App Catalog app to Microsoft Intune](../../app-management/deployment/add-enterprise-catalog-app.md)
@@ -4142,7 +4142,7 @@ To use Device query and battery health report in your tenant, or any of the exis
For more information, see:
-- [Use Intune Suite add-on capabilities](../../fundamentals/add-ons.md)
+- [Use Intune Suite add-on capabilities](../../fundamentals/advanced-capabilities.md)
- [Microsoft Intune Advanced Analytics](../../advanced-analytics/index.md)
- [Battery health](../../advanced-analytics/battery-health.md)
- [Device query](../../advanced-analytics/device-query.md)
@@ -4843,7 +4843,7 @@ For more information, see [Set up web based device enrollment for iOS](../../dev
The Intune add-ons page under **Tenant administration** includes **Your add-ons**, **All add-ons**, and **Capabilities**. It provides an enhanced view into your trial or purchased licenses, the add-on capabilities you're licensed to use in your tenant, and support for new billing experiences in Microsoft admin center.
-For more information, see [Use Intune Suite add-ons capabilities](../../fundamentals/add-ons.md).
+For more information, see [Use Intune Suite add-ons capabilities](../../fundamentals/advanced-capabilities.md).
#### Remote Help for Android is now Generally available
@@ -5076,7 +5076,7 @@ This integration is now generally available for Android Enterprise Dedicated and
Previously, this feature was in public preview and free for use. With this release as generally available, this solution now requires an add-on license for its use.
-For licensing details, see [Intune add-ons](../../fundamentals/add-ons.md).
+For licensing details, see [Intune add-ons](../../fundamentals/advanced-capabilities.md).
### Device enrollment
diff --git a/intune/whats-new/index.md b/intune/whats-new/index.md
index 38a62ce1c6e..e932063beee 100644
--- a/intune/whats-new/index.md
+++ b/intune/whats-new/index.md
@@ -885,7 +885,7 @@ Device query for multiple devices now includes expanded operator support, cleare
Endpoint Privilege Management (EPM) elevation policies now support deployment to users on Azure Virtual Desktop (AVD) single-session virtual machines.
-For information about using EPM, which is available as an [Intune Suite add-on-capability](../fundamentals/add-ons.md), see [Plan and Prepare for Endpoint Privilege Management Deployment](../epm/deployment-planning.md).
+For information about using EPM, see [Plan and Prepare for Endpoint Privilege Management Deployment](../epm/deployment-planning.md).
### App management