Merge branch 'main' into patch-4

.github/workflows/AutoLabelAssign.yml

@@ -0,0 +1,35 @@
+name: Assign and label PR
+
+permissions:
+  pull-requests: write
+  contents: read
+  actions: read
+
+on: 
+    workflow_run:
+        workflows: [Background tasks]
+        types:
+            - completed
+
+jobs:
+    download-payload:
+        name: Download and extract payload artifact
+        uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-ExtractPayload.yml@workflows-prod
+        with:
+            WorkflowId: ${{ github.event.workflow_run.id }}
+            OrgRepo: ${{ github.repository }}
+        secrets:
+            AccessToken: ${{ secrets.GITHUB_TOKEN }}
+
+    label-assign:
+        name: Run assign and label
+        needs: [download-payload]
+        uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoLabelAssign.yml@workflows-prod
+        with:
+            PayloadJson: ${{ needs.download-payload.outputs.WorkflowPayload }}
+            AutoAssignUsers: 1
+            AutoLabel: 1
+            ExcludedUserList: '["user1", "user2"]'
+            ExcludedBranchList: '["branch1", "branch2"]'
+        secrets:
+            AccessToken: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/AutoLabelMsftContributor.yml

@@ -0,0 +1,34 @@
+name: Auto label Microsoft contributors
+
+permissions:
+  pull-requests: write
+  contents: read
+  actions: read
+
+on: 
+    workflow_run:
+        workflows: [Background tasks]
+        types:
+            - completed
+
+jobs:
+    download-payload:
+        if: github.repository_visibility == 'public'
+        name: Download and extract payload artifact
+        uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-ExtractPayload.yml@workflows-prod
+        with:
+            WorkflowId: ${{ github.event.workflow_run.id }}
+            OrgRepo: ${{ github.repository }}
+        secrets:
+            AccessToken: ${{ secrets.GITHUB_TOKEN }}
+
+    label-msft:
+        name: Label Microsoft contributors
+        if: github.repository_visibility == 'public'
+        needs: [download-payload]
+        uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoLabelMsftContributor.yml@workflows-prod
+        with:
+          PayloadJson: ${{ needs.download-payload.outputs.WorkflowPayload }}
+        secrets:
+          AccessToken: ${{ secrets.GITHUB_TOKEN }}
+          TeamReadAccessToken: ${{ secrets.ORG_READTEAMS_TOKEN }}

.github/workflows/BackgroundTasks.yml

@@ -0,0 +1,26 @@
+name: Background tasks
+
+permissions:
+  pull-requests: write
+  contents: read
+
+on:
+  pull_request_target:
+
+jobs:
+  upload:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Save payload data
+        env:
+          PayloadJson: ${{ toJSON(github) }}
+          AccessToken: ${{ github.token }}
+        run: |
+          mkdir -p ./pr
+          echo $PayloadJson > ./pr/PayloadJson.json
+          sed -i -e "s/$AccessToken/XYZ/g" ./pr/PayloadJson.json
+      - uses: actions/upload-artifact@v4
+        with:
+          name: PayloadJson
+          path: pr/

.github/workflows/LiveMergeCheck.yml

@@ -0,0 +1,19 @@
+name: PR can merge into branch
+
+permissions:
+  pull-requests: write
+  statuses: write
+  contents: read
+
+on: 
+  pull_request_target:
+    types: [opened, reopened, synchronize, edited]
+
+jobs:
+
+  live-merge:
+    uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-LiveMergeCheck.yml@workflows-prod
+    with:
+      PayloadJson: ${{ toJSON(github) }}
+    secrets:
+      AccessToken: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/PrFileCount.yml

@@ -0,0 +1,19 @@
+name: PR file count less than limit
+
+permissions:
+  pull-requests: write
+  statuses: write
+  contents: read
+
+on: 
+  pull_request_target:
+    types: [opened, reopened, synchronize, labeled, unlabeled, edited]
+
+jobs:
+
+  file-count:
+    uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-PrFileCount.yml@workflows-prod
+    with:
+      PayloadJson: ${{ toJSON(github) }}
+    secrets:
+      AccessToken: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/ProtectedFiles.yml

@@ -0,0 +1,17 @@
+name: PR has no protected files
+
+permissions:
+  pull-requests: write
+  statuses: write
+  contents: read
+
+on: [pull_request_target]
+
+jobs:
+
+  protected-files:
+    uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-ProtectedFiles.yml@workflows-prod
+    with:
+      PayloadJson: ${{ toJSON(github) }}
+    secrets:
+      AccessToken: ${{ secrets.GITHUB_TOKEN }}

autopilot/known-issues.md

@@ -8,7 +8,7 @@ author: frankroj
 ms.author: frankroj
 ms.reviewer: jubaptis
 manager: aaroncz
-ms.date: 08/08/2024
+ms.date: 08/21/2024
 ms.collection:
   - M365-modern-desktop
   - highpri
@@ -41,6 +41,34 @@ This article describes known issues that can often be resolved with configuratio
 
 ## Known issues
 
+<!-- MAXADO-9270654 -->
+
+### Auto logon for Kiosk device profile only partially fixed
+
+Date added: *August 21, 2024*
+
+The know issue of [Kiosk device profiles not auto logging in when auto logon was enabled](#kiosk-device-profile-not-auto-logging-in) was previously reported as fixed. However, there are scenarios where the issue might still occur when using autologon with Kiosks and [Assigned Access](/windows/configuration/assigned-access/overview). If multiple reboots or unexpected reboots occur during the Windows out-of-box experience (OOBE) when initially configuring the Kiosk, the autologon entries in the registry might be deleted. The issue is being investigated.
+
+The following workarounds are available until the issue is resolved:
+
+1. Apply or reapply the kiosk profile after Windows Autopilot completes.
+
+1. Apply the autologon registry entries either manually or via a script. For example:
+
+    ```cmd
+    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AutoAdminLogon" /t REG_DWORD /d 1 /f
+
+    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "DefaultDomainName" /t REG_SZ /d "." /f
+
+    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "DefaultUserName" /t REG_SZ /d "kioskUser0" /f
+    ```
+
+1. Exclude items the required reboots during OOBE from Windows Autopilot.
+
+1. Manually enter the kiosk user credentials.
+
+For more information, see [Assigned Access recommendations - Automatic sign-in](/windows/configuration/assigned-access/recommendations#automatic-sign-in). For additional assistance, contact support.
+
 ## BitLocker encryption defaults to 128-bit when 256-bit encryption is configured
 
 Date added: *July 8, 2024*
@@ -81,20 +109,25 @@ Platforms with the Infineon SLB9672 TPM with firmware release 15.22 with EK cert
 
 ### Kiosk device profile not auto logging in
 
-Date added: *January 30, 2023*
+Date added: *January 30, 2023*<br>
+Date updated: *August 21, 2024*
 
 There's currently a known issue in the following Windows Updates released in January 2023:
 
 - Windows 11, version 22H2: [KB5022303](https://support.microsoft.com/topic/january-10-2023-kb5022303-os-build-22621-1105-c45956c6-4ccb-4216-832c-2ec6309c7629)
 - Windows 11, version 21H2: [KB5022287](https://support.microsoft.com/topic/january-10-2023-kb5022287-os-build-22000-1455-951898ec-2628-4d25-850e-9a44207bc139)
 - Windows 10, version 22H2: [KB5022282](https://support.microsoft.com/topic/january-10-2023-kb5022282-os-builds-19042-2486-19044-2486-and-19045-2486-9587e4e3-c2d7-48a6-86e2-8cd9146b47fd)
 
-If these updates are installed on a device, Kiosk device profiles that have auto sign-in enabled won't auto sign in. After Autopilot completes provisioning, the device stays on the sign-in screen prompting for credentials. To work around this known issue, manually enter the kiosk user credentials with the username `kioskUser0` and no password. After the username is entered with no password, it should go to the desktop. This issue should be resolved in cumulative updates released for Windows 11 in April 2023 and Windows 10 in March 2023:
+If these updates are installed on a device, Kiosk device profiles that have auto logon enabled won't auto log on. After Autopilot completes provisioning, the device stays on the sign-in screen prompting for credentials. To work around this known issue, manually enter the kiosk user credentials with the username `kioskUser0` and no password. After the username is entered with no password, it should go to the desktop. This issue should be resolved in cumulative updates released for Windows 11 in April 2023 and Windows 10 in March 2023:
 
 - Windows 11, version 22H2: [KB5025239](https://support.microsoft.com/topic/april-11-2023-kb5025239-os-build-22621-1555-5eaaaf42-bc4d-4881-8d38-97e0082a6982) or later.
 - Windows 11, version 21H2: [KB5025224](https://support.microsoft.com/topic/april-11-2023-kb5025224-os-build-22000-1817-ebc75372-608d-4a77-a6e0-cb1e15f117fc) or later.
 - Windows 10, version 22H2: [KB5023773](https://support.microsoft.com/topic/march-21-2023-kb5023773-os-builds-19042-2788-19044-2788-and-19045-2788-preview-5850ac11-dd43-4550-89ec-9e63353fef23) or later.
 
+> [!NOTE]
+>
+> This issue was only partially fixed and can still occur under certain conditions. For more information, see [Auto logon for Kiosk device profile only partially fixed](#auto-logon-for-kiosk-device-profile-only-partially-fixed).
+
 ### TPM attestation isn't working on AMD platforms with ASP fTPM
 
 Date added: *December 1, 2022*

memdocs/intune/protect/network-access-control-integrate.md

@@ -7,7 +7,7 @@ keywords:
 author: lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 07/24/2023
+ms.date: 08/21/2024
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -36,7 +36,7 @@ ms.collection:
 Intune integrates with network access control (NAC) partners to help organizations secure corporate data when devices try to access on-premises resources.
 
 >[!NOTE]
-> A new NAC service (CR service) was released in July 2021 and many of our NAC partners are transitioning to this new service. While we have extended the timeline for supporting the legacy NAC service through **March 31, 2024**, we recommend you to migrate to the new CR service to avoid service disruption.Currently, the following NAC partner product supports the new NAC service:
+> The *compliance retrieval service* was released in July 2021 and replaced the previous Intune NAC service. Microsoft Intune is providing support for the legacy Intune NAC service through March 31, 2024. Our NAC partners are transitioning to the compliance retrieval service and include: 
 >
 > - ExtremeCloud Universal ZTNA
 > - Extreme Networks ExtremeCloud IQ-Site Engine version 24.2
@@ -52,7 +52,7 @@ Intune integrates with network access control (NAC) partners to help organizatio
 > - Forescout eyeExtend Microsoft Module v1.0.1 and later
 > - Portnox Cloud
 >
-> Contact your NAC partner if you have questions on the impact of this transition. For more information, see our [blog post on the new compliance retrieval service](https://aka.ms/new-compliance-retrieval-api/).
+> We will be deprecating the Intune NAC service in the future, so we recommend that you migrate to the compliance retrieval service to avoid service disruption. Contact your NAC solution provider if you have questions about the compliance retrieval service or impact to your tenant. For more information and updates about the compliance retrieval service and NAC partners, see [Microsoft Tech Community: New Microsoft Intune service for network access control](https://techcommunity.microsoft.com/t5/intune-customer-success/new-microsoft-intune-service-for-network-access-control/ba-p/2544696). 
 
 ## How do Intune and NAC solutions help protect your organization resources?
 
@@ -98,16 +98,16 @@ The following list is an overview on how NAC integration works when integrated w
 
 ## Enable NAC
 
-To enable use of NAC and the *compliance retrieval service* that became available in July 2021, reference your NAC product's most recent documentation for enabling NAC integration with Intune. This integration might require you to make changes after you upgrade to their new NAC product or version.
+To enable use of NAC and the compliance retrieval service, reference your NAC product's most recent documentation for enabling NAC integration with Intune. This integration might require you to make changes after you upgrade to a new NAC product or version. 
 
 The compliance retrieval service requires certificate-based authentication and the use of the *Intune device ID* as the subject alternative name of the certificates. For Simple Certificate Enrollment Protocol (SCEP) and Private and public key pair (PKCS) certificates, you can add an attribute of the **URI** type with a value defined by your NAC provider. For example, your NAC provider's instructions might say to include `IntuneDeviceId://{{DeviceID}}`as the **Subject alternative name**.
 
 Other NAC products might require you include a device ID when using NAC with iOS VPN profiles.
 
-> [!NOTE]
-> We have now added support for querying devices based on Mac addresses for customers who are unable to use certificate-based authentication. However, our recommendation is to use certificate-based authentication with Intune device id wherever possible.
+> [!TIP]
+> We recommend using certificate-based authentication with the Intune device ID wherever possible. If you're unable to use certificate-based authentication, Intune supports querying devices based on MAC addresses. 
 
-To learn more about certificate profiles, see: [Use SCEP certificate profiles with Microsoft Intune](../protect/certificates-profile-scep.md) and [Use a PKCS certificate profile to provision devices with certificates in Microsoft Intune](../protect/certificates-pfx-configure.md)
+For more information about certificate profiles, see [Use SCEP certificate profiles with Microsoft Intune](../protect/certificates-profile-scep.md) and [Use a PKCS certificate profile to provision devices with certificates in Microsoft Intune](../protect/certificates-pfx-configure.md).  
 
 ## Data shared with NAC partners