Merging changes synced from https://github.com/MicrosoftDocs/memdocs-pr (branch live)

Author: cmcclister

memdocs/configmgr/core/get-started/2020/includes/2005/6234688.md

@@ -36,7 +36,7 @@ Additionally, you'll need the following items:
    - If a script you run contains functionality from a later version of PowerShell, the client on which you run the script must be running that later version of PowerShell.
 - At least one script that is already created and approved in Configuration Manager.
    - Script parameters aren't for this technical preview.
-   - Only scripts that are already created and approved appear in the admin center. For more information on approving scripts, see [Approve or deny a script](/configmgr/apps/deploy-use/create-deploy-scripts.md##run-script-authors-and-approvers).
+   - Only scripts that are already created and approved appear in the admin center. For more information on approving scripts, see [Approve or deny a script](../../../../../apps/deploy-use/create-deploy-scripts.md#run-script-authors-and-approvers).
 
 
 #### Permissions
@@ -46,7 +46,7 @@ The user account needs the following permissions:
 - The **Read** permission for the device's **Collection** in Configuration Manager.
 - The **Admin User** role for the Configuration Manager Microservice application in Azure AD.
   - Add the role in Azure AD from **Enterprise applications** > **Configuration Manager Microservice** > **Users and groups** > **Add user**. Groups are supported if you have Azure AD premium.
-- To use scripts, you must be a member of the appropriate Configuration Manager security role. For more information, see [Security scopes for run scripts](/configmgr/apps/deploy-use/create-deploy-scripts.md#bkmk_ScriptRoles).
+- To use scripts, you must be a member of the appropriate Configuration Manager security role. For more information, see [Security scopes for run scripts](../../../../../apps/deploy-use/create-deploy-scripts.md#bkmk_ScriptRoles).
 - To run scripts, the account must have **Run Script** permissions for **Collections**.
 
 #### Run a script

memdocs/configmgr/core/plan-design/hierarchy/log-files.md

@@ -476,6 +476,7 @@ The following table lists the log files that contain information related to appl
 |SMSdpmon.log|Records details about the distribution point health monitoring scheduled task that is configured on a distribution point.|Site server|  
 |SoftwareCatalogUpdateEndpoint.log|Records activities for managing the URL for the Application Catalog shown in Software Center.|Client|  
 |SoftwareCenterSystemTasks.log|Records activities related to Software Center prerequisite component validation.|Client|  
+|TSDTHandler.log|For the task sequence deployment type. It logs the process from app enforcement (install or uninstall) to the launch of the task sequence. Use it with AppEnforce.log and smsts.log.|Client|<!-- MEMDocs#336 -->
 
 #### Packages and programs
 

memdocs/configmgr/protect/deploy-use/bitlocker/deploy-management-agent.md

@@ -121,7 +121,7 @@ When you create more than one policy, you can configure their relative priority.
 
 1. If you want the device to potentially encrypt or decrypt its drives at any time, select the option to **Allow remediation outside the maintenance window**. If the collection has any maintenance windows, it still remediates this BitLocker policy.
 
-1. Configure a **Simple** or **Custom** schedule. By default, the client evaluates its compliance with this policy every 12 hours.
+1. Configure a **Simple** or **Custom** schedule. The client evaluates its compliance based on the settings specified in the schedule.
 
 1. Select **OK** to deploy the policy.
 

memdocs/intune/fundamentals/in-development.md

@@ -84,14 +84,7 @@ To configure the Company Portal to be in ASAM in the Microsoft Endpoint Manager,
 ## Device configuration
 
 ### Set device compliance state from third-party MDM partners<!-- 6361689   -->
-You’ll soon be able to allow the compliance state of iOS or Android devices managed by third-party Mobile Device Management (MDM) partners to be set in Azure Active Directory (Azure AD).
-
-When Intune is configured for partner compliance, compliance data for devices managed by the third-party MDM partner is sent to Intune for compliance evaluation. The results are then passed to Azure AD where the compliance data is used to enforce your conditional access policies for those devices.
-
-Support will soon include the following partners:
-- VMware WorkspaceONE (previously known as AirWatch)
-
-To enable a device compliance partner you’ll use a new node in the Microsoft Endpoint Manager admin center: **Tenant Administration** > **Connectors and Tokens** > **Partner Compliance management** where you’ll select **Add Compliance Partner**.
+Microsoft 365 customers who own third-party MDM solutions will be able to enforce Conditional Access policies for Microsoft 365 apps on iOS and Android via integration with Microsoft Intune Device Compliance service. Third-party MDM vendor will leverage the Intune Device Compliance service to send device compliance data to Intune. Intune will then evaluate to determine if the device is trusted and set the conditional access attributes in Azure AD.  Customers will be required to set Azure AD Conditional Access policies from within the Microsoft Endpoint Manager admin center or the Azure AD portal.  
 
 ### Add a link to your company portal support website to emails for noncompliance<!-- 7225498    -->
 We're adding a new setting to the email notification template that will add the link to your company portal website to email notifications that are sent to users of non-compliant devices. (**Endpoint security** > **Device compliance** > **Notifications** > **Create notification**).  Users who receive an email due to having a noncompliant device can use the link to open a website to learn more about why their device isn’t compliant.

memdocs/intune/includes/intune-notices.md

@@ -28,26 +28,85 @@ Legacy PC management is going out of support on October 15, 2020. Upgrade device
 [Learn more](https://go.microsoft.com/fwlink/?linkid=2107122)
 
 
-### Decreasing support for Android device administrator<!--5857738-->
-Android device administrator (sometimes referred to "legacy" Android management and released with Android 2.2) is a way to manage Android devices. However, improved management functionality is now available with [Android Enterprise](../enrollment/connect-intune-android-enterprise.md) (released with Android 5.0). In an effort to move to modern, richer, and more secure device management, Google is decreasing device administrator support in new Android releases.
+### Decreasing support for Android device administrator<!--7371518-->
+Android device administrator management was released in Android 2.2 as a way to manage Android devices. Then beginning with Android 5, the more modern management framework of [Android Enterprise](../enrollment/connect-intune-android-enterprise.md) was released (for devices that can reliably connect to Google Mobile Services). Google is encouraging movement off of device administrator management by decreasing its management support in new Android releases.
 
 #### How does this affect me?
-Because of these changes by Google, Intune users will be impacted in the following ways:  
-- Intune will only be able to provide full support for device administrator-managed Android devices running Android 10 and later through Q2 CY2020. Device administrator-managed devices that are running Android 10 or later after this time won't be able to be entirely managed. In particular, impacted devices won't receive new password requirements.
-    - Samsung Knox devices won't be impacted in this timeframe because extended support is provided through Intune's integration with the Knox platform. This gives you more time to plan the transition off device admin management.    
-- Device administrator-managed Android devices that remain on Android versions below Android 10 won't be impacted and can continue to be entirely managed with device administrator.    
-- For all devices running Android 10 and later, Google has restricted the ability for device administrator management agents like Company Portal to access device identifier information. This restriction impacts the following Intune features after a device is updated to Android 10 or later:  
-    - Network access control for VPN will no longer work.   
-    - Identifying devices as corporate-owned with an IMEI or serial number won't automatically mark devices as corporate-owned.  
-    - The IMEI and serial number will no longer be visible to IT admins in Intune. 
-        > [!NOTE]
-        > This only impacts device administrator-managed devices on Android 10 and later and does not affect devices being managed as Android Enterprise. 
+Because of these changes by Google, in the fourth quarter of 2020, you will no longer have as extensive management capabilities on impacted device administrator-managed devices. 
+
+> [!NOTE]
+> This date was previously communicated as third quarter of 2020, but it has been moved out based on the [latest information from Google](https://www.blog.google/products/android-enterprise/da-migration/).
+
+##### Device types that will be impacted
+Devices that will be impacted by the decreasing device administrator support are those for which all three conditions below apply:
+- Enrolled in device administrator management.
+- Running Android 10 or later.
+- Not a Samsung device.
+
+Devices will not be impacted if they are any of the below:
+- Not enrolled with device administrator management.
+- Running an Android version below Android 10.
+- Samsung devices. Samsung Knox devices won't be impacted in this timeframe because extended support is provided through Intune’s integration with the Knox platform. This gives you additional time to plan the transition off device administrator management for Samsung devices.
+
+##### Settings that will be impacted
+[Google's decreased device administrator support](https://developers.google.com/android/work/device-admin-deprecation) prevents configuration of these settings from applying on impacted devices.
+
+###### Configuration profile device restriction settings
+
+- Block **Camera**
+- Set **Minimum password length**
+- Set **Number of sign-in failures before wiping device** (will not apply on devices without a password set, but will apply on devices with a password)
+- Set **Password expiration (days)**
+- Set **Required password type**
+- Set **Prevent use of previous passwords**
+- Block **Smart Lock and other trust agents**
+
+###### Compliance policy settings
+
+- Set **Required password type**
+- Set **Minimum password length**
+- Set **Number of days until password expires**
+- Set **Number of previous passwords to prevent reuse**
+
+###### Additional impacts based on Android OS version
+
+**Android 10**: For all device administrator-managed devices (including Samsung) running Android 10 and later, Google has restricted the ability for device administrator management agents like Company Portal to access device identifier information. This restriction impacts the following Intune features after a device is updated to Android 10 or later:
+- Network access control for VPN will no longer work
+- Identifying devices as corporate-owned with an IMEI or serial number won't automatically mark devices as corporate-owned
+- The IMEI and serial number will no longer be visible to IT admins in Intune
+
+**Android 11**: We are currently testing Android 11 support on the latest developer beta release to evaluate if it will cause impact on device administrator-managed devices.
+
+#### User experience of impacted settings on impacted devices
+
+Impacted configuration settings:
+- For already enrolled devices that already had the settings applied, the impacted configuration settings will continue being enforced.
+- For newly enrolled devices, newly assigned settings, and updated settings, the impacted configuration settings will not be enforced (but all other configuration settings will still be enforced).
+
+Impacted compliance settings:
+- For already enrolled devices that already had the settings applied, the impacted compliance settings will still show as reasons for noncompliance on the “Update device settings” page, the device will be out of compliance, and the password requirements will still be enforced in the Settings app.
+- For newly enrolled devices, newly assigned settings, and updated settings, the impacted compliance settings will still show as reasons for noncompliance on the “Update device settings” page and the device will be out of compliance, but stricter password requirements will not be enforced in the Settings app.
+
+#### Cause of impact 
+Devices will begin being impacted in the fourth quarter of 2020. At that time, there will be a Company Portal app update that will increase the Company Portal API targeting from level 28 to level 29 ([as required by Google](https://www.blog.google/products/android-enterprise/da-migration/)). 
+
+At that point, device administrator-managed devices that are not manufactured by Samsung will be impacted once the user completes both these actions:
+- Updates to Android 10 or later.
+- Updates the Company Portal app to the version that targets API level 29.
 
 #### What do I need to do to prepare for this change?
-To avoid the reduction in functionality coming in Q3 CY2020, we recommend the following:
-- Don't onboard new devices into device administrator management.
-- If a device is expected to receive an update to Android 10, migrate it off of device administrator management to Android Enterprise management and/or app protection policies.
+To avoid the reduction in functionality coming in the fourth quarter of 2020, we recommend the following:
+- **New enrollments**: Onboard new devices into [Android Enterprise](../enrollment/connect-intune-android-enterprise.md) management (where available) and/or [app protection policies](../apps/app-protection-policies.md). Avoid onboarding new devices into device administrator management. 
+- **Previously enrolled devices**: If a device administrator-managed device is running Android 10 or later or may update to Android 10 or later (especially if it is not a Samsung device), move it off of device administrator management to [Android Enterprise](../enrollment/connect-intune-android-enterprise.md) management and/or [app protection policies](../apps/app-protection-policies.md). You can leverage the streamlined flow to [move Android devices from device administrator to work profile management](../enrollment/android-move-device-admin-work-profile.md).
 
 #### Additional information
+- [Move Android devices from device administrator to work profile management](../enrollment/android-move-device-admin-work-profile.md)
+- [Set up enrollment of Android Enterprise work profile devices](../enrollment/android-work-profile-enroll.md)
+- [Set up enrollment of Android Enterprise dedicated devices](../enrollment/android-kiosk-enroll.md)
+- [Set up enrollment of Android Enterprise fully managed devices](../enrollment/android-fully-managed-enroll.md)
+- [How to create an assign app protection policies](../apps/app-protection-policies.md)
+- [How to use Intune in environments without Google Mobile Services](../apps/manage-without-gms.md)
+- [Understanding app protection policies and work profiles on Android Enterprise devices](../apps/android-deployment-scenarios-app-protection-work-profiles.md)
+- [Google’s blog about what you need to know about Device Admin deprecation](https://www.blog.google/products/android-enterprise/da-migration/)
 - [Google's guidance for migration from device administrator to Android Enterprise](http://static.googleusercontent.com/media/android.com/en/enterprise/static/2016/pdfs/enterprise/Android-Enterprise-Migration-Bluebook_2019.pdf)
-- [Google's documentation on the plan to deprecate the device administrator API](https://developers.google.com/android/work/device-admin-deprecation)
+- [Google's documentation of deprecated device administrator APIs](https://developers.google.com/android/work/device-admin-deprecation)