diff --git a/.openpublishing.redirection.intune.json b/.openpublishing.redirection.intune.json
index ce725696c37..547af92431f 100644
--- a/.openpublishing.redirection.intune.json
+++ b/.openpublishing.redirection.intune.json
@@ -1,5 +1,35 @@
{
"redirections": [
+ {
+ "source_path_from_root": "/intune/fundamentals/manage-devices.md",
+ "redirect_url": "/intune/fundamentals/core-concepts#devices",
+ "redirect_document_id": false
+ },
+ {
+ "source_path_from_root": "/intune/fundamentals/manage-apps.md",
+ "redirect_url": "/intune/fundamentals/core-concepts#apps",
+ "redirect_document_id": false
+ },
+ {
+ "source_path_from_root": "/intune/fundamentals/tenant-administration/identities.md",
+ "redirect_url": "/intune/fundamentals/core-concepts#identity",
+ "redirect_document_id": false
+ },
+ {
+ "source_path_from_root": "/intune/fundamentals/licensing/index.md",
+ "redirect_url": "/intune/fundamentals/licensing",
+ "redirect_document_id": false
+ },
+ {
+ "source_path_from_root": "/intune/fundamentals/licensing/assign-licenses.md",
+ "redirect_url": "/intune/fundamentals/assign-licenses",
+ "redirect_document_id": false
+ },
+ {
+ "source_path_from_root": "/intune/fundamentals/add-ons.md",
+ "redirect_url": "/intune/fundamentals/advanced-capabilities",
+ "redirect_document_id": false
+ },
{
"source_path_from_root": "/intune/fundamentals/tenant-administration/classic-groups.md",
"redirect_url": "/intune/fundamentals/tenant-administration/add-groups",
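Review bot: The new entry for `/intune/fundamentals/licensing/index.md` redirects to `/intune/fundamentals/licensing`, which may normalise to the same published URL as the old directory index, so it is worth confirming in a staging build that this does not self-redirect. Three other new entries target fragments (`core-concepts#devices`, `#apps`, `#identity`) whose headings are not visible in this diff. If those heading IDs in `core-concepts.md` differ or are later renamed, readers land at the top of the page with no build error. Consider pinning the anchors explicitly in the target article so the redirects stay stable.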
@@ -7,7 +37,22 @@
},
{
"source_path_from_root": "/intune/fundamentals/device-lifecycle.md",
- "redirect_url": "/intune/fundamentals/what-is-device-management",
+ "redirect_url": "/intune/fundamentals/core-concepts",
+ "redirect_document_id": false
+ },
+ {
+ "source_path_from_root": "/intune/fundamentals/endpoint-management.md",
+ "redirect_url": "/intune/fundamentals/architecture",
+ "redirect_document_id": false
+ },
+ {
+ "source_path_from_root": "/intune/fundamentals/what-is-device-management.md",
+ "redirect_url": "/intune/fundamentals/what-is-intune",
+ "redirect_document_id": false
+ },
+ {
+ "source_path_from_root": "/intune/fundamentals/service-description.md",
+ "redirect_url": "/intune/fundamentals/advanced-capabilities",
"redirect_document_id": false
},
{
@@ -367,7 +412,7 @@
},
{
"source_path_from_root": "/intune/endpoint-manager-overview.md",
- "redirect_url": "/intune/fundamentals/endpoint-management",
+ "redirect_url": "/intune/fundamentals/architecture",
"redirect_document_id": false
},
{
@@ -445,6 +490,11 @@
"redirect_url": "/intune/privacy/",
"redirect_document_id": false
},
+ {
+ "source_path_from_root": "/intune/fundamentals/licensing/unlicensed-admins.md",
+ "redirect_url": "/intune/fundamentals/licensing#unlicensed-admin-access",
+ "redirect_document_id": false
+ },
{
"source_path_from_root": "/intune/device-security/conditional-access-integration/create-app-based-policy.md",
"redirect_url": "/intune/device-security/conditional-access-integration/app-based-policies",
diff --git a/.openpublishing.redirection.legacy.json b/.openpublishing.redirection.legacy.json
index 4642d3ef2b8..f7becba7d15 100644
--- a/.openpublishing.redirection.legacy.json
+++ b/.openpublishing.redirection.legacy.json
@@ -5727,17 +5727,17 @@
},
{
"source_path_from_root": "/intune/intune/fundamentals/intune-add-ons.md",
- "redirect_url": "/intune/fundamentals/add-ons",
+ "redirect_url": "/intune/fundamentals/advanced-capabilities",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune/fundamentals/premium-add-ons.md",
- "redirect_url": "/intune/fundamentals/add-ons",
+ "redirect_url": "/intune/fundamentals/advanced-capabilities",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune-service/fundamentals/intune-add-ons.md",
- "redirect_url": "/intune/fundamentals/add-ons",
+ "redirect_url": "/intune/fundamentals/advanced-capabilities",
"redirect_document_id": false
},
{
@@ -5922,12 +5922,12 @@
},
{
"source_path_from_root": "/intune/intune/fundamentals/device-lifecycle.md",
- "redirect_url": "/intune/fundamentals/what-is-device-management",
+ "redirect_url": "/intune/fundamentals/manage-devices",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune-service/fundamentals/device-lifecycle.md",
- "redirect_url": "/intune/fundamentals/what-is-device-management",
+ "redirect_url": "/intune/fundamentals/manage-devices",
"redirect_document_id": false
},
{
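Review bot: Both legacy `device-lifecycle.md` entries in this hunk now point at `/intune/fundamentals/manage-devices`, but this same commit turns `manage-devices.md` into a redirect source (to `/intune/fundamentals/core-concepts#devices`) in `.openpublishing.redirection.intune.json`. That creates a two-hop chain, and it disagrees with the non-legacy `device-lifecycle.md` entry, which goes straight to `/intune/fundamentals/core-concepts`. The later hunk in this file already flattens the legacy `manage-devices.md` entries, so this looks like an oversight. Point both entries at the final target, `"redirect_url": "/intune/fundamentals/core-concepts",`, to avoid the chain and keep the three `device-lifecycle` redirects consistent.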
@@ -6162,47 +6162,47 @@
},
{
"source_path_from_root": "/intune/intune-service/fundamentals/licenses-assign.md",
- "redirect_url": "/intune/fundamentals/licensing/assign-licenses",
+ "redirect_url": "/intune/fundamentals/assign-licenses",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune/fundamentals/licenses-assign.md",
- "redirect_url": "/intune/fundamentals/licensing/assign-licenses",
+ "redirect_url": "/intune/fundamentals/assign-licenses",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune/fundamentals/licenses.md",
- "redirect_url": "/intune/fundamentals/licensing/index",
+ "redirect_url": "/intune/fundamentals/licensing",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune/fundamentals/unlicensed-admins.md",
- "redirect_url": "/intune/fundamentals/licensing/unlicensed-admins",
+ "redirect_url": "/intune/fundamentals/licensing#unlicensed-admin-access",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune-service/fundamentals/unlicensed-admins.md",
- "redirect_url": "/intune/fundamentals/licensing/unlicensed-admins",
+ "redirect_url": "/intune/fundamentals/licensing#unlicensed-admin-access",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune/fundamentals/manage-apps.md",
- "redirect_url": "/intune/fundamentals/manage-apps",
+ "redirect_url": "/intune/fundamentals/core-concepts#apps",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune-service/fundamentals/manage-apps.md",
- "redirect_url": "/intune/fundamentals/manage-apps",
+ "redirect_url": "/intune/fundamentals/core-concepts#apps",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune-service/fundamentals/manage-devices.md",
- "redirect_url": "/intune/fundamentals/manage-devices",
+ "redirect_url": "/intune/fundamentals/core-concepts#devices",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune/fundamentals/manage-devices.md",
- "redirect_url": "/intune/fundamentals/manage-devices",
+ "redirect_url": "/intune/fundamentals/core-concepts#devices",
"redirect_document_id": false
},
{
@@ -6517,12 +6517,12 @@
},
{
"source_path_from_root": "/intune/intune/fundamentals/microsoft-intune-service-description.md",
- "redirect_url": "/intune/fundamentals/service-description",
+ "redirect_url": "/intune/fundamentals/advanced-capabilities",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune-service/fundamentals/microsoft-intune-service-description.md",
- "redirect_url": "/intune/fundamentals/service-description",
+ "redirect_url": "/intune/fundamentals/advanced-capabilities",
"redirect_document_id": false
},
{
@@ -6602,12 +6602,12 @@
},
{
"source_path_from_root": "/intune/intune/fundamentals/manage-identities.md",
- "redirect_url": "/intune/fundamentals/tenant-administration/identities",
+ "redirect_url": "/intune/fundamentals/core-concepts#identity",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune-service/fundamentals/manage-identities.md",
- "redirect_url": "/intune/fundamentals/tenant-administration/identities",
+ "redirect_url": "/intune/fundamentals/core-concepts#identity",
"redirect_document_id": false
},
{
@@ -6682,12 +6682,12 @@
},
{
"source_path_from_root": "/intune/intune-service/fundamentals/what-is-device-management.md",
- "redirect_url": "/intune/fundamentals/what-is-device-management",
+ "redirect_url": "/intune/fundamentals/what-is-intune",
"redirect_document_id": false
},
{
"source_path_from_root": "/intune/intune/fundamentals/what-is-device-management.md",
- "redirect_url": "/intune/fundamentals/what-is-device-management",
+ "redirect_url": "/intune/fundamentals/what-is-intune",
"redirect_document_id": false
},
{
diff --git a/autopilot/add-devices.md b/autopilot/add-devices.md
index 9c729bf674b..c6ac44363ff 100644
--- a/autopilot/add-devices.md
+++ b/autopilot/add-devices.md
@@ -35,7 +35,7 @@ This article provides step-by-step guidance for manual registration. For more in
## Requirements
-- [Intune subscription](/intune/fundamentals/licensing/index).
+- [Intune subscription](/intune/fundamentals/licensing).
- [Windows automatic enrollment enabled](/intune/intune-service/enrollment/windows-enroll#enable-windows-automatic-enrollment).
- [Microsoft Entra ID P1 or P2 subscription](/azure/active-directory/active-directory-get-started-premium).
diff --git a/autopilot/device-preparation/requirements.md b/autopilot/device-preparation/requirements.md
index 7cec01fd228..edff036040e 100644
--- a/autopilot/device-preparation/requirements.md
+++ b/autopilot/device-preparation/requirements.md
@@ -196,7 +196,7 @@ To provide needed Microsoft Entra ID and MDM functionality, including automatic
> [!NOTE]
>
-> When a Microsoft 365 subscription is used, licenses still need to be assigned to users so they can enroll device in Intune. For more information, see [assign licenses to users so they can enroll devices in Intune](/intune/fundamentals/licensing/assign-licenses).
+> When a Microsoft 365 subscription is used, licenses still need to be assigned to users so they can enroll device in Intune. For more information, see [assign licenses to users so they can enroll devices in Intune](/intune/fundamentals/assign-licenses).
Additionally, the following are also recommended, but not required:
diff --git a/autopilot/requirements.md b/autopilot/requirements.md
index d4ec402fec8..4922c5b955f 100644
--- a/autopilot/requirements.md
+++ b/autopilot/requirements.md
@@ -229,7 +229,7 @@ To provide needed Microsoft Entra ID and MDM functionality, including automatic
> [!NOTE]
>
-> When a Microsoft 365 subscription is used, licenses still need to be assigned to users so they can enroll device in Intune. For more information, see [assign licenses to users so they can enroll devices in Intune](/intune/fundamentals/licensing/assign-licenses).
+> When a Microsoft 365 subscription is used, licenses still need to be assigned to users so they can enroll device in Intune. For more information, see [assign licenses to users so they can enroll devices in Intune](/intune/fundamentals/assign-licenses).
Additionally, the following are also recommended (but not required):
diff --git a/intune/advanced-analytics/anomalies.md b/intune/advanced-analytics/anomalies.md
index 8e3693e48bd..c5b4e7c3b08 100644
--- a/intune/advanced-analytics/anomalies.md
+++ b/intune/advanced-analytics/anomalies.md
@@ -7,8 +7,6 @@ ms.topic: concept-article
# Anomalies report
-[!INCLUDE [intune-add-on-note](includes/intune-add-on-note.md)]
-
The anomalies report in Advanced Analytics helps IT admins proactively identify device health issues before they affect users. It monitors for application hangs, crashes, and Stop Error Restarts, providing visibility into problems before they reach support channels.
The feature correlates deployment objects and configuration changes to speed troubleshooting and suggest root causes. Device correlation groups reveal patterns among affected devices and flag others that are at risk.
diff --git a/intune/advanced-analytics/battery-health.md b/intune/advanced-analytics/battery-health.md
index 46c604e4851..9bdcd72f77a 100644
--- a/intune/advanced-analytics/battery-health.md
+++ b/intune/advanced-analytics/battery-health.md
@@ -7,8 +7,6 @@ ms.topic: concept-article
# Battery health report
-[!INCLUDE [intune-add-on-note](includes/intune-add-on-note.md)]
-
The battery health report provides visibility into the health of batteries in your organization's devices and its influence on user experience.
The score helps you identify emerging hardware issues that might be impacting user productivity so you can proactively make improvements before users generate support tickets.
diff --git a/intune/advanced-analytics/device-query-multiple-devices.md b/intune/advanced-analytics/device-query-multiple-devices.md
index 93623a1694f..1bdb7dee508 100644
--- a/intune/advanced-analytics/device-query-multiple-devices.md
+++ b/intune/advanced-analytics/device-query-multiple-devices.md
@@ -7,8 +7,6 @@ ms.topic: how-to
# Device query for multiple devices
-[!INCLUDE [intune-add-on-note](includes/intune-add-on-note.md)]
-
Use Device query for multiple devices in Microsoft Intune to run Kusto Query Language (KQL) queries across device inventory data and identify trends across your managed fleet. This article explains prerequisites, how to create and run queries in the Intune admin center, how to work with results, and which operators, functions, and properties are supported.
## Before you begin
diff --git a/intune/advanced-analytics/device-query.md b/intune/advanced-analytics/device-query.md
index 67db010a72e..ab7ece56c55 100644
--- a/intune/advanced-analytics/device-query.md
+++ b/intune/advanced-analytics/device-query.md
@@ -7,8 +7,6 @@ ms.topic: how-to
# Device query
-[!INCLUDE [intune-add-on-note](includes/intune-add-on-note.md)]
-
Device query allows you to quickly gain on-demand information about the state of your Windows devices. When you enter a query on a selected device, Device query runs a query in real time. The data returned can then be used to respond to security threats, troubleshoot the device, or make business decisions.
## Before you begin
diff --git a/intune/advanced-analytics/device-scopes.md b/intune/advanced-analytics/device-scopes.md
index 084e5224823..be87f942d4d 100644
--- a/intune/advanced-analytics/device-scopes.md
+++ b/intune/advanced-analytics/device-scopes.md
@@ -7,8 +7,6 @@ ms.topic: concept-article
# Device scopes
-[!INCLUDE [intune-add-on-note](includes/intune-add-on-note.md)]
-
Device scopes use scope tags to filter endpoint analytics reports to a subset of devices, allowing you to see scores, insights, and recommendations for a specific subset of devices.
Device scopes are supported on the following endpoint analytics reports:
diff --git a/intune/advanced-analytics/device-timeline.md b/intune/advanced-analytics/device-timeline.md
index e2d219f571f..09f23f80b63 100644
--- a/intune/advanced-analytics/device-timeline.md
+++ b/intune/advanced-analytics/device-timeline.md
@@ -7,8 +7,6 @@ ms.topic: concept-article
# Device timeline report
-[!INCLUDE [intune-add-on-note](includes/intune-add-on-note.md)]
-
The device timeline allows you to see a history of events that have occurred on a specific device.
## Before you begin
diff --git a/intune/advanced-analytics/includes/intune-add-on-note.md b/intune/advanced-analytics/includes/intune-add-on-note.md
deleted file mode 100644
index df9e22c451c..00000000000
--- a/intune/advanced-analytics/includes/intune-add-on-note.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-author: MandiOhlinger
-ms.topic: include
-ms.date: 02/22/2023
-ms.author: mandia
----
-> [!NOTE]
-> This capability is available as an Intune add-on. For more information, see [Use Intune Suite add-on capabilities](../../fundamentals/add-ons.md).
diff --git a/intune/advanced-analytics/index.md b/intune/advanced-analytics/index.md
index 173bdac34ea..ae9dc3d1322 100644
--- a/intune/advanced-analytics/index.md
+++ b/intune/advanced-analytics/index.md
@@ -14,71 +14,60 @@ Microsoft Intune Advanced Analytics delivers deep, actionable insights into the
Advanced Analytics enhances endpoint analytics with the following reports and capabilities:
:::row:::
-:::column:::
-#### :::image type="icon" source="../media/icons/24/report.svg"::: Resource performance report
+:::column:::
+
+> [!div class="nextstepaction"]
+> [Resource performance report](resource-performance.md)
> Identifies CPU and RAM performance issues by device, model, and manufacturer to guide purchasing decisions.
->
-> > [!div class="nextstepaction"]
-> > [Learn more](resource-performance.md)
:::column-end:::
:::column:::
-#### :::image type="icon" source="../media/icons/24/report.svg"::: Battery health report
+> [!div class="nextstepaction"]
+> [Battery health report](battery-health.md)
> Monitors battery health for Windows devices to ensure long battery life and a better user experience.
->
-> > [!div class="nextstepaction"]
-> > [Learn more](battery-health.md)
+
:::column-end:::
:::row-end:::
:::row:::
:::column:::
-#### :::image type="icon" source="../media/icons/24/report.svg"::: Anomalies report
+> [!div class="nextstepaction"]
+> [Anomalies report](anomalies.md)
> Tracks device health for regressions in user experience and productivity after configuration changes.
->
-> > [!div class="nextstepaction"]
-> > [Learn more](anomalies.md)
:::column-end:::
:::column:::
-#### :::image type="icon" source="../media/icons/24/report.svg"::: Device timeline report
+> [!div class="nextstepaction"]
+> [Device timeline report](device-timeline.md)
> Shows detailed events with low latency to help troubleshoot device issues quickly.
->
-> > [!div class="nextstepaction"]
-> > [Learn more](device-timeline.md)
:::column-end:::
:::row-end:::
:::row:::
-:::column:::
-#### :::image type="icon" source="../media/icons/24/query.svg"::: Device query
+:::column:::
+> [!div class="nextstepaction"]
+> [Device query](device-query.md)
> Provides near real-time data about the state and configuration of Windows devices.
->
-> > [!div class="nextstepaction"]
-> > [Learn more](device-query.md)
+
:::column-end:::
:::column:::
-#### :::image type="icon" source="../media/icons/24/query.svg"::: Device query for multiple devices
+> [!div class="nextstepaction"]
+> [Device query for multiple devices](device-query-multiple-devices.md)
> Allows you to run queries directly in Intune to retrieve inventory data across multiple devices and platforms.
->
-> > [!div class="nextstepaction"]
-> > [Learn more](device-query-multiple-devices.md)
:::column-end:::
:::row-end:::
:::row:::
:::column:::
-#### :::image type="icon" source="../media/icons/24/devices.svg"::: Device scopes
+> [!div class="nextstepaction"]
+> [Device scopes](device-scopes.md)
> Allows you to use scope tags to filter reports for a subset of devices. See scores, insights, and recommendations specific to those devices.
->
-> > [!div class="nextstepaction"]
-> > [Learn more](device-scopes.md)
:::column-end:::
:::column:::
@@ -128,17 +117,14 @@ This section details **additional prerequisites** specific to Advanced Analytics
:::row:::
:::column span="1":::
-[!INCLUDE [platform](../includes/requirements/licensing.md)]
-
+[!INCLUDE [licensing](../includes/requirements/licensing.md)]
:::column-end:::
:::column span="3":::
-
-> Advanced Analytics features are included in [Microsoft Intune Suite](../fundamentals/add-ons.md). The capabilities are also available as an individual add-on to Microsoft subscriptions that include Intune.
->
-> **Mixed licensing scenarios**: A mixed licensing scenario occurs when some users in your tenant have access to Advanced Analytics through an add-on subscription or trial, while others only have access to the *base* endpoint analytics product. In these cases, the subscription with the highest level of functionality determines the overall endpoint analytics experience for your tenant. For example, if any users have Advanced Analytics, all enrolled devices will benefit from the advanced features.
+> [!INCLUDE [additional-licensing](../includes/licensing/additional-licensing.md)]
:::column-end:::
:::row-end:::
+
## Get started with Advanced Analytics
Before deploying Advanced Analytics, complete these foundational tasks:
diff --git a/intune/advanced-analytics/resource-performance.md b/intune/advanced-analytics/resource-performance.md
index 6a7a7da1e43..878d53f4a28 100644
--- a/intune/advanced-analytics/resource-performance.md
+++ b/intune/advanced-analytics/resource-performance.md
@@ -7,8 +7,6 @@ ms.topic: concept-article
# Resource performance report
-[!INCLUDE [intune-add-on-note](includes/intune-add-on-note.md)]
-
The resource performance report gives you a clear view of processor and memory performance on Windows devices and how these factors affect user experience. By tracking the performance score, you can spot emerging hardware issues that may reduce productivity and take proactive steps before support tickets occur.
The report also provides actionable insights—showing how much your score could improve by upgrading CPU or RAM and helping you identify devices for replacement before warranties expire.
diff --git a/intune/advanced-analytics/toc.yml b/intune/advanced-analytics/toc.yml
index eec8eca8b3e..0e69711136a 100644
--- a/intune/advanced-analytics/toc.yml
+++ b/intune/advanced-analytics/toc.yml
@@ -1,33 +1,33 @@
items:
-- name: Advanced Analytics overview
+- name: Overview
href: index.md
displayName: Advanced Analytics
-- name: Advanced Analytics reports and capabilities
+- name: Reports
items:
- - name: Resource performance report
+ - name: Resource performance
href: resource-performance.md
- displayName: Advanced Analytics
- - name: Battery health report
+ displayName: Advanced Analytics, CPU, memory, slow devices, performance issues
+ - name: Battery health
href: battery-health.md
- displayName: Advanced Analytics
- - name: Anomalies report
+ displayName: Advanced Analytics, battery, power, charge
+ - name: Anomalies
href: anomalies.md
- displayName: Advanced Analytics
- - name: Device timeline report
+ displayName: Advanced Analytics, anomaly detection, outliers, unusual
+ - name: Device timeline
href: device-timeline.md
- displayName: Advanced Analytics
- - name: Device query
- href: device-query.md
- displayName: Advanced Analytics
- - name: Device query for multiple devices
- href: device-query-multiple-devices.md
- displayName: Advanced Analytics
- - name: Device scopes
- href: device-scopes.md
- displayName: Advanced Analytics
+ displayName: Advanced Analytics, history, events, audit, timeline
+- name: Device query
+ href: device-query.md
+ displayName: Advanced Analytics, KQL, Kusto, real-time
+- name: Multi-device query
+ href: device-query-multiple-devices.md
+ displayName: Advanced Analytics, KQL, fleet, bulk
+- name: Device scopes
+ href: device-scopes.md
+ displayName: Advanced Analytics, scope, RBAC, filter
- name: Data platform schema
href: ref-data-platform-schema.md
- displayName: Advanced Analytics schema
+ displayName: Advanced Analytics, schema, reference, tables, fields
- name: Frequently asked questions
href: faq.yml
- displayName: Advanced Analytics FAQs
\ No newline at end of file
+ displayName: Advanced Analytics, FAQs
diff --git a/intune/app-management/deployment/add-enterprise-catalog-app.md b/intune/app-management/deployment/add-enterprise-catalog-app.md
index 9fe85b59090..abe08104b06 100644
--- a/intune/app-management/deployment/add-enterprise-catalog-app.md
+++ b/intune/app-management/deployment/add-enterprise-catalog-app.md
@@ -16,7 +16,7 @@ ms.collection:
The Enterprise App Catalog is a collection of prepackaged [Win32 apps](./win32.md) that are designed and prepared by Microsoft to support Intune. The catalog contains both Microsoft apps and non-Microsoft apps. An Enterprise App Catalog app is a Windows app that you can add via the Enterprise App Catalog in Intune. This app type uses the Win32 platform and has support for customizable capabilities, including PowerShell script installers for enhanced deployment flexibility (introduced in 2025).
> [!IMPORTANT]
-> The Enterprise App Catalog is a feature of Enterprise App Management (EAM) which is an Intune add-on as part of the Intune suite that's available for trial and purchase. For more information, see [Use Intune Suite add-on capabilities](../../fundamentals/add-ons.md).
+> The Enterprise App Catalog is a feature of Enterprise App Management (EAM), which is part of Microsoft Intune Suite and available for trial and purchase. For more information, see [Microsoft Intune advanced capabilities](../../fundamentals/advanced-capabilities.md).
When you add an app to Intune, you want to use default installation, requirements, and detection settings. For apps within the Enterprise App Catalog, these default settings are configured and confirmed by Microsoft. You must be careful if you modify the application properties as unexpected or harmful commands could be passed via the **Install command** and **Uninstall command** fields. In addition, changing the install commands might cause installation to fail.
diff --git a/intune/app-management/deployment/assign-groups.md b/intune/app-management/deployment/assign-groups.md
index ec000317c72..5c1b08377ff 100644
--- a/intune/app-management/deployment/assign-groups.md
+++ b/intune/app-management/deployment/assign-groups.md
@@ -51,7 +51,7 @@ The following table lists the various options when *assigning* apps to users and
6. Select **Add Group** to open the **Add group** pane that relates to the app.
7. For the specific app, select an **assignment type**:
- **Available for enrolled devices**: Assign the app to groups of users who can install the app from the Company Portal app or website.
- - **Available with or without enrollment**: Assign this setting to groups of users whose devices aren't enrolled with Intune. Users must be assigned an Intune license, see [Intune Licenses](../../fundamentals/licensing/index.md).
+ - **Available with or without enrollment**: Assign this setting to groups of users whose devices aren't enrolled with Intune. Users must be assigned an Intune license, see [Intune Licenses](../../fundamentals/licensing.md).
- **Required**: The app is installed on devices in the selected groups. Some platforms might have more prompts for the end user to acknowledge before app installation begins.
- **Uninstall**: The app is uninstalled from devices in the selected groups if Intune previously installed the application. This applies only to apps installed via an "Available for enrolled devices" or "Required" assignment using the same deployment.
diff --git a/intune/app-management/deployment/enterprise-app-management.md b/intune/app-management/deployment/enterprise-app-management.md
index 0ec2a3efc80..e50f8ee3571 100644
--- a/intune/app-management/deployment/enterprise-app-management.md
+++ b/intune/app-management/deployment/enterprise-app-management.md
@@ -14,11 +14,6 @@ ms.collection:
Microsoft Intune Enterprise App Management enables you to easily discover and deploy applications and keep them up to date from the Enterprise App Catalog. The Enterprise App Catalog is a collection of prepared Microsoft and non-Microsoft applications. These apps are Win32 apps that are [prepared as Win32 apps](./create-win32-package.md) and hosted by Microsoft.
-> [!IMPORTANT]
-> Enterprise App Management is an Intune add-on as part of the Intune suite that's available for trial and purchase. For more information, see [Use Intune Suite add-on capabilities](../../fundamentals/add-ons.md).
-
-[!INCLUDE [windows-10-support](../../includes/windows-10-support.md)]
-
## Benefits of Enterprise App Management
The Enterprise App Management provides the following benefits:
@@ -59,6 +54,32 @@ The Enterprise App Catalog includes apps that self update. Intune ensures the ap
> [!IMPORTANT]
> Self-updating apps might require that your tenant has network rules configured to allow an update from the app vendor.
+## Prerequisites
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [licensing](../../includes/requirements/licensing.md)]
+
+:::column-end:::
+:::column span="3":::
+
+>[!INCLUDE [additional-licensing](../../includes/licensing/additional-licensing.md)]
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [platform](../../includes/requirements/platform.md)]
+
+:::column-end:::
+:::column span="3":::
+
+>The Enterprise App Catalog is available for Windows apps.
+>
+>[!INCLUDE [windows-10-support](../../includes/windows-10-support.md)]
+:::column-end:::
+:::row-end:::
+
## Frequently asked questions (FAQ)
### How can I request to add an application to the Enterprise App Catalog?
diff --git a/intune/app-management/protection/mam-faq.yml b/intune/app-management/protection/mam-faq.yml
index 0170f3c7d71..183cf4293bc 100644
--- a/intune/app-management/protection/mam-faq.yml
+++ b/intune/app-management/protection/mam-faq.yml
@@ -47,7 +47,7 @@ sections:
answer: |
- The end user must have a Microsoft Entra account. For more information on how to create Intune users in Microsoft Entra ID, see [Add users and give administrative permission to Intune](../../fundamentals/tenant-administration/add-users.md).
- - The end user must have a license for Microsoft Intune assigned to their Microsoft Entra account. For more information on how to assign Intune licenses to end users, see [Manage Intune licenses](../../fundamentals/licensing/assign-licenses.md).
+ - The end user must have a license for Microsoft Intune assigned to their Microsoft Entra account. For more information on how to assign Intune licenses to end users, see [Manage Intune licenses](../../fundamentals/assign-licenses.md).
- The end user must belong to a security group targeted by an app protection policy. The same app protection policy must target the specific app being used. App protection policies can be created and deployed in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). Security groups can currently be created in the [Microsoft 365 admin center](https://admin.microsoft.com).
diff --git a/intune/app-management/protection/mam-without-enrollment.md b/intune/app-management/protection/mam-without-enrollment.md
index 7d646a1bb01..1b5b690f1d0 100644
--- a/intune/app-management/protection/mam-without-enrollment.md
+++ b/intune/app-management/protection/mam-without-enrollment.md
@@ -26,8 +26,6 @@ This article provides recommendations on when to use MAM. It also includes an ov
- [Microsoft Intune app management](../overview.md)
- [Data protection for Windows MAM](./enable-mam-windows.md)
-> [!TIP]
-> [!INCLUDE [tips-guidance-plan-deploy-guides](../../device-enrollment/includes/tips-guidance-plan-deploy-guides.md)]
## Before you begin
diff --git a/intune/app-management/protection/overview.md b/intune/app-management/protection/overview.md
index cd462efabbe..4cf21db4072 100644
--- a/intune/app-management/protection/overview.md
+++ b/intune/app-management/protection/overview.md
@@ -153,7 +153,7 @@ The following list provides the user requirements to use app protection policies
- The user must have a Microsoft Entra account. See [Add users and give administrative permission to Intune](../../fundamentals/tenant-administration/add-users.md) to learn how to create Intune users in Microsoft Entra ID.
-- The user must have a license for Microsoft Intune assigned to their Microsoft Entra account. See [Manage Intune licenses](../../fundamentals/licensing/assign-licenses.md) to learn how to assign Intune licenses to users.
+- The user must have a license for Microsoft Intune assigned to their Microsoft Entra account. See [Manage Intune licenses](../../fundamentals/assign-licenses.md) to learn how to assign Intune licenses to users.
- The user must belong to a security group that is targeted by an app protection policy. The same app protection policy must target the specific app being used. App protection policies can be created and deployed in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). Security groups can currently be created in the [Microsoft 365 admin center](https://admin.microsoft.com).
diff --git a/intune/app-management/protection/policy-delivery-timing.md b/intune/app-management/protection/policy-delivery-timing.md
index feef77477ae..6da8da428d9 100644
--- a/intune/app-management/protection/policy-delivery-timing.md
+++ b/intune/app-management/protection/policy-delivery-timing.md
@@ -37,5 +37,5 @@ When user registration fails due to network connectivity issues an accelerated r
## Next steps
-[Assign licenses to users so they can enroll devices in Intune](../../fundamentals/licensing/assign-licenses.md)
+[Assign licenses to users so they can enroll devices in Intune](../../fundamentals/assign-licenses.md)
diff --git a/intune/app-management/protection/ref-settings-windows.md b/intune/app-management/protection/ref-settings-windows.md
index 90c375387d7..d937346c329 100644
--- a/intune/app-management/protection/ref-settings-windows.md
+++ b/intune/app-management/protection/ref-settings-windows.md
@@ -42,7 +42,7 @@ The **Data protection** settings affect the org data and context. As the admin,
## Health Checks
-Set the health check conditions for your app protection policy. Select a **Setting** and enter the **Value** that users must meet to access your org data. Then select the **Action** you want to take if users don't meet your conditionals. In some cases, multiple actions can be configured for a single setting. For more information, see [Health Check Actions]().
+Set the health check conditions for your app protection policy. Select a **Setting** and enter the **Value** that users must meet to access your org data. Then select the **Action** you want to take if users don't meet your conditionals. In some cases, multiple actions can be configured for a single setting.
### App conditions
diff --git a/intune/app-management/protection/validate-policy-setup.md b/intune/app-management/protection/validate-policy-setup.md
index d7ce3c89ef2..b1451dd6e63 100644
--- a/intune/app-management/protection/validate-policy-setup.md
+++ b/intune/app-management/protection/validate-policy-setup.md
@@ -32,16 +32,16 @@ If testing shows that your app protection policy behavior isn't functioning as e
## What to do
Here are the actions to take based on the user status:
-- If the user isn't licensed for app protection, assign an [Intune license](../../fundamentals/licensing/index.md) to the user.
-- If the user isn't licensed for Microsoft 365, get a [license](../../fundamentals/licensing/index.md) for the user.
+- If the user isn't licensed for app protection, assign an [Intune license](../../fundamentals/licensing.md) to the user.
+- If the user isn't licensed for Microsoft 365, get a [license](../../fundamentals/licensing.md) for the user.
- If a user's app is listed as **Not checked in**, check if you've correctly configured an [app protection policy](./validate-policy-setup.md) for that app.
- Ensure that these conditions apply across all users to which you want [app protection policies](./monitor-policies.md) to apply.
## See also
- [What is Intune app protection policy?](./create-policy.md)
-- [Licenses that include Intune](../../fundamentals/licensing/index.md)
-- [Assign licenses to users so they can enroll devices in Intune](../../fundamentals/licensing/assign-licenses.md)
+- [Licenses that include Intune](../../fundamentals/licensing.md)
+- [Assign licenses to users so they can enroll devices in Intune](../../fundamentals/assign-licenses.md)
- [How to validate your app protection policy setup](./validate-policy-setup.md)
- [How to monitor app protection policies](./monitor-policies.md)
diff --git a/intune/cloud-pki/index.md b/intune/cloud-pki/index.md
index 26c7f894e44..4610d539e1e 100644
--- a/intune/cloud-pki/index.md
+++ b/intune/cloud-pki/index.md
@@ -1,19 +1,12 @@
---
title: Microsoft Cloud PKI for Microsoft Intune
-description: An overview of the Microsoft Cloud PKI service, available with Microsoft Intune Suite or as an Intune add-on.
+description: An overview of the Microsoft Cloud PKI service, available with Microsoft Intune Suite or as a standalone capability.
ms.date: 12/06/2024
ms.topic: how-to
---
# Overview of Microsoft Cloud PKI for Microsoft Intune
-**Applies to**:
-
-* Windows
-* Android
-* iOS
-* macOS
-
Use Microsoft Cloud PKI to issue certificates for Intune-managed devices. Microsoft Cloud PKI is a cloud-based service that simplifies and automates certificate lifecycle management for Intune-managed devices. It provides a dedicated public key infrastructure (PKI) for your organization, without requiring any on-premises servers, connectors, or hardware. It handles the certificate issuance, renewal, and revocation for all Intune supported platforms.
This article provides an overview of Microsoft Cloud PKI for Intune, how it works, and its architecture.
@@ -22,6 +15,56 @@ This article provides an overview of Microsoft Cloud PKI for Intune, how it work
PKI is a system that uses digital certificates to authenticate and encrypt data between devices and services. PKI certificates are essential for securing various scenarios, such as VPN, Wi-Fi, email, web, and device identity. However, managing PKI certificates can be challenging, costly, and complex, especially for organizations that have a large number of devices and users. You can use Microsoft Cloud PKI to enhance the security and productivity of your devices and users, and to accelerate your digital transformation to a fully managed cloud PKI service. Additionally, you can utilize the Cloud PKI service in to reduce workloads for Active Directory Certificate Services (ADCS) or private on-premises certification authorities.
+## Prerequisites
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [licensing](../includes/requirements/licensing.md)]
+
+:::column-end:::
+:::column span="3":::
+
+>[!INCLUDE [additional-licensing](../includes/licensing/additional-licensing.md)]
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [platform](../includes/requirements/platform.md)]
+
+:::column-end:::
+:::column span="3":::
+
+>You can use the Microsoft Cloud PKI service with these platforms:
+>
+>- Android
+>- iOS/iPadOS
+>- macOS
+>- Windows
+>
+>Devices must be enrolled in Intune, and the platform must support the Intune device configuration SCEP certificate profile.
+
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [rbac](../includes/requirements/rbac.md)]
+
+:::column-end:::
+:::column span="3":::
+
+>The following permissions are available to assign to custom Intune roles. These permissions enable users to view and manage CAs in the admin center.
+>
+>- Read CAs: Any user assigned this permission can read the properties of a CA.
+>- Create certificate authorities: Any user assigned this permission can create a root or issuing CA.
+>- Revoke issued leaf certificates: Any user assigned this permission has the ability to manually revoke a certificate issued by an issuing CA. This permission also requires the *read CA* permission.
+>
+>You can assign scope tags to the root and issuing CAs. For more information about how to create custom roles and scope tags, see [Role-based access control with Microsoft Intune](../fundamentals/role-based-access-control/scope-tags.md).
+
+:::column-end:::
+:::row-end:::
+
## Manage Cloud PKI in Microsoft Intune admin center
Microsoft Cloud PKI objects are created and managed in the Microsoft Intune admin center. From there, you can:
@@ -33,17 +76,6 @@ Microsoft Cloud PKI objects are created and managed in the Microsoft Intune admi
After you create a Cloud PKI issuing CA, you can start to issue certificates in minutes.
-## Supported device platforms
-
-You can use the Microsoft Cloud PKI service with these platforms:
-
-* Android
-* iOS/iPadOS
-* macOS
-* Windows
-
-Devices must be enrolled in Intune, and the platform must support the Intune device configuration SCEP certificate profile.
-
## Overview of features
The following table lists the features and scenarios supported with Microsoft Cloud PKI and Microsoft Intune.
@@ -54,8 +86,8 @@ The following table lists the features and scenarios supported with Microsoft Cl
| Bring your own CA (BYOCA) | Anchor an Intune Issuing CA to a private CA through Active Directory Certificate Services or a non-Microsoft certificate service. If you have an existing PKI infrastructure, you can maintain the same root CA and create an issuing CA that chains to your external root. This option includes support for external private CA N+ tier hierarchies. |
| Signing and Encryption algorithms| Intune supports RSA, key sizes 2048, 3072, and 4096. |
| Hash algorithms | Intune supports SHA-256, SHA-384, and SHA-512. |
-|HSM keys (signing and encryption)|Keys are provisioned using [Azure Managed Hardware Security Module (Azure Managed HSM)](/azure/key-vault/managed-hsm/overview).
CAs created with a licensed Intune Suite or Cloud PKI Standalone Add-on automatically use HSM signing and encryption keys. No Azure subscription is required for Azure HSM. |
-|Software Keys (signing and encryption) |CAs created during a trial period of Intune Suite or Cloud PKI standalone Add-on use software-backed signing and encryption keys using `System.Security.Cryptography.RSA`. |
+|HSM keys (signing and encryption)|Keys are provisioned using [Azure Managed Hardware Security Module (Azure Managed HSM)](/azure/key-vault/managed-hsm/overview).
Cloud PKI CAs use HSM signing and encryption keys. No Azure subscription is required for Azure HSM. |
+|Software Keys (signing and encryption) |CAs created during a trial period of Intune Suite or standalone Cloud PKI use software-backed signing and encryption keys using `System.Security.Cryptography.RSA`. |
| Certificate registration authority | Providing a Cloud Certificate Registration Authority supporting Simple Certificate Enrollment Protocol (SCEP) for each Cloud PKI Issuing CA.|
|Certificate Revocation List (CRL) distribution points | Intune hosts the CRL distribution point (CDP) for each CA.
The CRL validity period is seven days. Publishing and refresh happen every 3.5 days. The CRL is updated with every certificate revocation. |
|Authority Information Access (AIA) end points | Intune hosts the AIA endpoint for each Issuing CA. The AIA endpoint can be used by relying parties to retrieve parent certificates. |
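Review bot: The rewritten HSM keys row now states `Cloud PKI CAs use HSM signing and encryption keys` without any condition. That contradicts the Software Keys row directly below it, which says trial CAs use software-backed keys. It also contradicts the trial section of this article, which says those keys remain software-backed after purchase and can't be converted. Readers rely on this row when judging how a CA's private key is protected, so keep the qualifier, for example `CAs created with a licensed Intune Suite or standalone Cloud PKI automatically use HSM signing and encryption keys.`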
@@ -114,31 +146,12 @@ A5. The signed certificate is delivered to the Intune MDM-enrolled device.
>[!NOTE]
> The SCEP challenge is encrypted and signed using the Intune SCEP registration authority keys.
-## Licensing requirements
-
-Microsoft Cloud PKI requires one of the following licenses:
-
-* Microsoft Intune Suite license
-* Microsoft Cloud PKI standalone Intune add-ons license
-
-For more information about licensing options, see [Microsoft Intune licensing](../fundamentals/licensing/index.md).
-
-## Role based access control
-
-The following permissions are available to assign to custom Intune roles. These permissions enable users to view and manage CAs in the admin center.
-
-* Read CAs: Any user assigned this permission can read the properties of a CA.
-* Create certificate authorities: Any user assigned this permission can create a root or issuing CA.
-* Revoke issued leaf certificates: Any user assigned this permission has the ability to manually revoke a certificate issued by an issuing CA. This permission also requires the *read CA* permission.
-
-You can assign scope tags to the root and issuing CAs. For more information about how to create custom roles and scope tags, see [Role-based access control with Microsoft Intune](../fundamentals/role-based-access-control/scope-tags.md).
-
## Try Microsoft Cloud PKI
You can try out the Microsoft Cloud PKI feature in the Intune admin center during a trial period. Available trials include:
-* [Microsoft Intune Suite trial](https://www.microsoft.com/security/business/microsoft-intune-pricing)
-* [Standalone add-on trial](../fundamentals/add-ons.md#try-or-buy-intune-add-ons)
+- [Microsoft Intune Suite trial](https://www.microsoft.com/security/business/microsoft-intune-pricing)
+- [Standalone Cloud PKI trial](../fundamentals/advanced-capabilities.md)
During the trial period, you can create up to six CAs in your tenant. Cloud PKI CAs created during the trial use software-backed keys, and use `System.Security.Cryptography.RSA` to generate and sign the keys. You can continue to use the CAs after purchasing a Cloud PKI license. However, the keys remain software-backed, and can't be converted to HSM backed keys. The Microsoft Intune service managed CA keys. No Azure subscription is required for Azure HSM capabilities.
@@ -157,7 +170,7 @@ For the latest changes and additions, see [What's new in Microsoft Intune](../wh
* You can create up to six CAs in an Intune tenant.
* Licensed Cloud PKI - A total of 6 CAs can be created using Azure mHSM keys.
- * Trial Cloud PKI - A total of 6 CAs can be created during a trial of Intune Suite or Cloud PKI standalone add-on.
+ * Trial Cloud PKI - A total of 6 CAs can be created during a trial of Intune Suite or standalone Cloud PKI.
* The following CA types count toward the CA capacity:
* Cloud PKI Root CA
* Cloud PKI Issuing CA
diff --git a/intune/configmgr/comanage/how-to-monitor.md b/intune/configmgr/comanage/how-to-monitor.md
index 9d9183f0963..2a590d8921c 100644
--- a/intune/configmgr/comanage/how-to-monitor.md
+++ b/intune/configmgr/comanage/how-to-monitor.md
@@ -87,7 +87,7 @@ There are hundreds of possible errors. The following table lists the most common
| Error | Description |
|---------|---------|
| 2147549183 (0x8000FFFF) | MDM enrollment hasn't been configured yet on Microsoft Entra ID, or the enrollment URL isn't expected.
[Enable automatic enrollment](../../device-enrollment/windows/enable-automatic-mdm.md) |
-| 2149056536 (0x80180018) MENROLL_E_USERLICENSE | License of user is in bad state blocking enrollment
[Assign licenses to users](/mem/fundamentals/licensing/assign-licenses) |
+| 2149056536 (0x80180018) MENROLL_E_USERLICENSE | License of user is in bad state blocking enrollment
[Assign licenses to users](../../fundamentals/assign-licenses.md) |
| 2149056555 (0x8018002B) MENROLL_E_MDM_NOT_CONFIGURED | When trying to automatically enroll to Intune, but the Microsoft Entra configuration isn't fully applied. This issue should be transient, as the device retries after a short time. |
| 2149056554 (0x8018002A) | The user canceled the operation
If MDM enrollment requires multi-factor authentication, and the user hasn't signed in with a supported second factor, Windows displays a toast notification to the user to enroll. If the user doesn't respond to toast notification, this error occurs. This issue should be transient, as Configuration Manager will retry and prompt the user. Users should use multi-factor authentication when they sign in to Windows. Also educate them to expect this behavior, and if prompted, take action. |
| 2149056532 (0x80180014) MENROLL_E_DEVICENOTSUPPORTED | Mobile device management isn't supported. Check device restrictions. |
diff --git a/intune/configmgr/mdm/index.yml b/intune/configmgr/mdm/index.yml
index 280f521ba34..572938e1574 100644
--- a/intune/configmgr/mdm/index.yml
+++ b/intune/configmgr/mdm/index.yml
@@ -45,8 +45,8 @@ landingContent:
links:
- text: What is Intune?
url: /intune/fundamentals/what-is-intune
- - text: Device management overview
- url: /intune/fundamentals/what-is-device-management
+ - text: Manage and secure devices
+ url: /intune/fundamentals/manage-devices
- linkListType: tutorial
links:
- text: Walkthrough the Microsoft Intune admin center
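Review bot: The new landing-page entry points at `/intune/fundamentals/manage-devices`, but the redirection file changed in this same commit redirects `manage-devices.md` to `/intune/fundamentals/core-concepts#devices`. The link would therefore resolve only through a redirect from the day it ships. Link the final target directly with `url: /intune/fundamentals/core-concepts#devices`, and adjust the `text:` value if it no longer matches that page. The `landingContent` block continues outside the hunk.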
diff --git a/intune/configmgr/mdm/plan-design/plan-on-premises-mdm.md b/intune/configmgr/mdm/plan-design/plan-on-premises-mdm.md
index af76f0b65b1..228e7a8523a 100644
--- a/intune/configmgr/mdm/plan-design/plan-on-premises-mdm.md
+++ b/intune/configmgr/mdm/plan-design/plan-on-premises-mdm.md
@@ -19,7 +19,7 @@ There are several key areas to review when you're planning to implement on-premi
- Device enrollment
> [!IMPORTANT]
-> While the site or any mobile device doesn't connect to Microsoft Intune, your organization still requires Intune licenses to use this feature. For more information, see [Microsoft Intune licensing](/mem/fundamentals/licensing/index).
+> While the site or any mobile device doesn't connect to Microsoft Intune, your organization still requires Intune licenses to use this feature. For more information, see [Microsoft Intune licensing](/mem/fundamentals/licensing).
Consider the following requirements before preparing the Configuration Manager infrastructure to handle on-premises MDM.
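Review bot: The updated link stays site-absolute under `/mem/` (`/mem/fundamentals/licensing`), while the co-management monitoring article in this commit converts its `/mem/fundamentals/licensing/assign-licenses` link to a relative `.md` path. Using the relative form here as well, `[Microsoft Intune licensing](../../../fundamentals/licensing.md)`, keeps the two articles consistent. It presumably also lets the docs build validate the target instead of depending on a `/mem/` redirect, which is worth confirming.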
diff --git a/intune/copilot/agents/change-review-agent.md b/intune/copilot/agents/change-review-agent.md
index 1bb804bfc03..f4006e07982 100644
--- a/intune/copilot/agents/change-review-agent.md
+++ b/intune/copilot/agents/change-review-agent.md
@@ -43,7 +43,7 @@ The agent analyzes these signals to assess the potential risk associated with ea
> To use Security Copilot agents in Microsoft Intune, your organization must meet specific licensing requirements.
>
> Required licenses:
-> - [Microsoft Intune Plan 1 subscription](../../fundamentals/licensing/index.md)
+> - [Microsoft Intune Plan 1 subscription](../../fundamentals/licensing.md)
> - [Microsoft Entra ID P2](/entra/fundamentals/licensing)
> - [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/tvm-prerequisites)
> - [Microsoft Security Copilot](/copilot/security/get-started-security-copilot) with sufficient security compute units (SCUs)
diff --git a/intune/copilot/agents/device-offboarding-agent.md b/intune/copilot/agents/device-offboarding-agent.md
index a50a8c4e53f..76798896456 100644
--- a/intune/copilot/agents/device-offboarding-agent.md
+++ b/intune/copilot/agents/device-offboarding-agent.md
@@ -37,7 +37,7 @@ The *Device Offboarding Agent* identifies stale or misaligned devices across Int
>
>Required licenses:
>
-> - [Microsoft Intune Plan 1 subscription](../../fundamentals/licensing/index.md)
+> - [Microsoft Intune Plan 1 subscription](../../fundamentals/licensing.md)
> - [Microsoft Security Copilot](/copilot/security/get-started-security-copilot) with sufficient security compute units (SCUs)
:::column-end:::
:::row-end:::
diff --git a/intune/copilot/agents/policy-configuration-agent.md b/intune/copilot/agents/policy-configuration-agent.md
index 5daba6f0917..4443b1e7c24 100644
--- a/intune/copilot/agents/policy-configuration-agent.md
+++ b/intune/copilot/agents/policy-configuration-agent.md
@@ -56,7 +56,7 @@ To learn how to use the agent, see [Use the Policy Configuration Agent](manage-p
:::column span="3":::
> To use Security Copilot agents in Microsoft Intune, the following licenses are required:
>
-> - [Microsoft Intune Plan 1 subscription](../../fundamentals/licensing/index.md)
+> - [Microsoft Intune Plan 1 subscription](../../fundamentals/licensing.md)
> - [Microsoft Security Copilot](/copilot/security/get-started-security-copilot) with sufficient security compute units (SCUs)
:::column-end:::
:::row-end:::
diff --git a/intune/copilot/agents/vulnerability-remediation-agent.md b/intune/copilot/agents/vulnerability-remediation-agent.md
index 6ee11f2bae0..28fed8e8560 100644
--- a/intune/copilot/agents/vulnerability-remediation-agent.md
+++ b/intune/copilot/agents/vulnerability-remediation-agent.md
@@ -68,7 +68,7 @@ For information about other Security Copilot Agents in Intune and common feature
:::column span="3":::
> To use Security Copilot agents in Microsoft Intune, the following licenses are required:
>
-> - [Microsoft Intune Plan 1 subscription](../../fundamentals/licensing/index.md)
+> - [Microsoft Intune Plan 1 subscription](../../fundamentals/licensing.md)
> - [Microsoft Security Copilot](/copilot/security/get-started-security-copilot) with sufficient security compute units (SCUs)
> - [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management) - This capability is provided by Microsoft Defender for Endpoint P2 or Defender Vulnerability Management Standalone.
diff --git a/intune/copilot/index.md b/intune/copilot/index.md
index 3e73efcbcf1..719d103d6ff 100644
--- a/intune/copilot/index.md
+++ b/intune/copilot/index.md
@@ -216,7 +216,7 @@ For more information about using Copilot with your devices, go to [Use Copilot i
You can use Copilot to help you create Kusto Query Language (KQL) queries to run when using device query in Intune.
> [!NOTE]
-> To use Device query in your tenant, you must have a license that includes Microsoft Intune Advanced Analytics. For more information, see [Intune add-ons](../fundamentals/add-ons.md#microsoft-intune-advanced-analytics).
+> To use Device query in your tenant, you must have a license that includes Advanced Analytics. For more information, see [Microsoft Intune advanced capabilities](../fundamentals/advanced-capabilities.md).
You can use this feature for an individual device or for many devices.
diff --git a/intune/developer/app-sdk/android-phase-1.md b/intune/developer/app-sdk/android-phase-1.md
index eed1563fefa..1ba64a0ed8a 100644
--- a/intune/developer/app-sdk/android-phase-1.md
+++ b/intune/developer/app-sdk/android-phase-1.md
@@ -257,7 +257,7 @@ After you've completed all the [Exit Criteria] above, continue to [Stage 2: The
[Set up Intune]:../../fundamentals/deploy-setup-step-1.md
[Create users]:../../fundamentals/tenant-administration/add-users.md
[Create groups]:../../fundamentals/tenant-administration/add-groups.md
-[Assign licenses]:../../fundamentals/licensing/assign-licenses.md
+[Assign licenses]:../../fundamentals/assign-licenses.md
[Create and assign app protection policies]:../../app-management/protection/create-policy.md
[app configuration policy]:../../app-management/configuration/overview.md
[Quickstart: Register an app in the Microsoft identity platform - Microsoft identity platform]:/azure/active-directory/active-directory-app-registration
diff --git a/intune/developer/app-sdk/ios-phase-1.md b/intune/developer/app-sdk/ios-phase-1.md
index feccd8dfa96..e2ca8e74c33 100644
--- a/intune/developer/app-sdk/ios-phase-1.md
+++ b/intune/developer/app-sdk/ios-phase-1.md
@@ -180,7 +180,7 @@ After you've completed all the [Exit Criteria] above, continue to [Stage 2: MSAL
[Set up Intune]:../../fundamentals/deploy-setup-step-1.md
[Create users]:../../fundamentals/tenant-administration/add-users.md
[Create groups]:../../fundamentals/tenant-administration/add-groups.md
-[Assign licenses]:../../fundamentals/licensing/assign-licenses.md
+[Assign licenses]:../../fundamentals/assign-licenses.md
[Create and assign app protection policies]:../../app-management/protection/create-policy.md
[app configuration policy]:../../app-management/configuration/overview.md
[Quickstart: Register an app in the Microsoft identity platform - Microsoft identity platform]:/azure/active-directory/develop/quickstart-register-app
diff --git a/intune/developer/app-sdk/quickstart-integration.md b/intune/developer/app-sdk/quickstart-integration.md
index b4483ae94c6..6804b68155b 100644
--- a/intune/developer/app-sdk/quickstart-integration.md
+++ b/intune/developer/app-sdk/quickstart-integration.md
@@ -158,7 +158,7 @@ After you finish the necessary steps to integrate your iOS or Android app with t
* If you're developing a line-of-business app that won't be shipped to the store, you're expected to have access to Microsoft Intune through your organization. You can also sign up for a one-month free trial in [Microsoft Intune](https://admin.microsoft.com/Signup/Signup.aspx?OfferId=40BE278A-DFD1-470a-9EF7-9F2596EA7FF9&dl=INTUNE_A&ali=1#0).
- * If you're testing your app on a mobile device using an end user account, ensure that you have given that account an Intune license by in the Microsoft 365 admin center website after logging in with an admin account, see [Assign Microsoft Intune license](../../fundamentals/licensing/assign-licenses.md).
+ * If you're testing your app on a mobile device using an end user account, ensure that you have given that account an Intune license by in the Microsoft 365 admin center website after logging in with an admin account, see [Assign Microsoft Intune license](../../fundamentals/assign-licenses.md).
* **Intune app protection policies**: To test your app against all the Intune app protection policies, you should know what the expected behavior is for each policy setting. See the descriptions for [iOS app protection policies](../../app-management/protection/ref-settings-ios.md) and [Android app protection policies](../../app-management/protection/ref-settings-android.md). If your app has integrated the Intune SDK, but isn't listed in the list of targetable apps, you can specify the app's bundle ID (iOS) or package name (Android) in the text box when selecting **Custom Apps**.
diff --git a/intune/developer/app-sdk/tunnel-mam-ios.md b/intune/developer/app-sdk/tunnel-mam-ios.md
index 5ab8fff3a62..5f24963c468 100644
--- a/intune/developer/app-sdk/tunnel-mam-ios.md
+++ b/intune/developer/app-sdk/tunnel-mam-ios.md
@@ -12,8 +12,6 @@ ms.collection:
# Microsoft Tunnel for MAM iOS SDK Developer Guide
-[!INCLUDE [intune-add-on-note](../../includes/intune-plan2-suite-note.md)]
-
The Microsoft Tunnel for MAM iOS SDK developer guide is a resource for developers. It helps developers integrate and configure the SDK into an iOS/iPadOS app. For an overview of the Microsoft Tunnel for MAM, see [Microsoft Tunnel for MAM for iOS/iPadOS - Intune admin guide](../../device-security/microsoft-tunnel/mam-ios.md).
This guide covers different parts of the integration process in your Xcode app project, including installing the frameworks, configuring the `info.plist` file, build settings, key sharing, and implementing the SDK's delegate methods.
diff --git a/intune/developer/includes/reports-credential-reqs.md b/intune/developer/includes/reports-credential-reqs.md
index c5d93244356..c7d045b0e85 100644
--- a/intune/developer/includes/reports-credential-reqs.md
+++ b/intune/developer/includes/reports-credential-reqs.md
@@ -15,4 +15,4 @@ Requirements for accessing the Intune Data Warehouse (including the API) are:
- User-less authentication using [application-only authentication](../../developer/data-warehouse/configure-app-only-auth.md)
> [!IMPORTANT]
-> To be assigned an Intune role and access the Intune Data Warehouse, the user must have an Intune license. For more information, see [Role-based access control (RBAC) with Microsoft Intune](../../fundamentals/role-based-access-control/overview.md) and [Microsoft Intune licensing](../../fundamentals/licensing/index.md).
+> To be assigned an Intune role and access the Intune Data Warehouse, the user must have an Intune license. For more information, see [Role-based access control (RBAC) with Microsoft Intune](../../fundamentals/role-based-access-control/overview.md) and [Microsoft Intune licensing](../../fundamentals/licensing.md).
diff --git a/intune/device-configuration/endpoint-security/deploy-edr.md b/intune/device-configuration/endpoint-security/deploy-edr.md
index d3e77514d39..a1226ed891e 100644
--- a/intune/device-configuration/endpoint-security/deploy-edr.md
+++ b/intune/device-configuration/endpoint-security/deploy-edr.md
@@ -67,8 +67,8 @@ You need licenses for Microsoft Defender:
- Microsoft Defender XDR (standalone)
For detailed licensing information, see:
-- [Microsoft Intune licensing](../../fundamentals/licensing/index.md)
-- [Microsoft Defender for Endpoint licensing](/defender-endpoint/minimum-requirements#licensing-requirements)
+- [Microsoft Intune licensing](../../fundamentals/licensing.md)
+- [Microsoft Defender for Endpoint licensing](/microsoft-365/security/defender-endpoint/minimum-requirements#licensing-requirements)
### Role-based access control
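Review bot: The second changed link swaps `/defender-endpoint/minimum-requirements` for `/microsoft-365/security/defender-endpoint/minimum-requirements`, which is unrelated to the licensing-path move in the first link. It looks like a return to an older path, since other Defender links in this commit use the short form (`/defender-vulnerability-management/...`). Unless the longer path is confirmed as canonical, keep `[Microsoft Defender for Endpoint licensing](/defender-endpoint/minimum-requirements#licensing-requirements)`. That avoids sending readers who are checking licensing prerequisites through a redirect or to a dead anchor.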
diff --git a/intune/device-configuration/endpoint-security/ref-endpoint-protection-settings-windows.md b/intune/device-configuration/endpoint-security/ref-endpoint-protection-settings-windows.md
index 1b5cf1078de..d4e7ea6848f 100644
--- a/intune/device-configuration/endpoint-security/ref-endpoint-protection-settings-windows.md
+++ b/intune/device-configuration/endpoint-security/ref-endpoint-protection-settings-windows.md
@@ -1165,7 +1165,7 @@ Block end-user access to the various areas of the Microsoft Defender Security Ce
- **Tamper Protection**
**Default**: Not configured
- Turn Tamper Protection on or off on devices. To use Tamper Protection, you must [integrate Microsoft Defender for Endpoint with Intune](../../device-security/microsoft-defender/overview.md), and have [Enterprise Mobility + Security E5 Licenses](../../fundamentals/licensing/index.md).
+ Turn Tamper Protection on or off on devices. To use Tamper Protection, you must [integrate Microsoft Defender for Endpoint with Intune](../../device-security/microsoft-defender/overview.md), and have [Enterprise Mobility + Security E5 Licenses](../../fundamentals/licensing.md).
- **Not configured** - No change is made to device settings.
- **Enabled** - Tamper Protection is turned on and restrictions are enforced on devices.
- **Disabled** - Tamper Protection is turned off and restrictions aren't enforced.
diff --git a/intune/device-configuration/settings-catalog/configure-platform-sso-macos.md b/intune/device-configuration/settings-catalog/configure-platform-sso-macos.md
index 474c076194d..a35190d0eeb 100644
--- a/intune/device-configuration/settings-catalog/configure-platform-sso-macos.md
+++ b/intune/device-configuration/settings-catalog/configure-platform-sso-macos.md
@@ -34,7 +34,7 @@ Some benefits of Platform SSO include:
- It helps minimize the number of times users need to enter their Microsoft Entra ID credentials.
- It helps reduce the number of passwords users need to remember.
- You get the benefits of Microsoft Entra join, which allows any organization user to sign into the device.
-- It's included with all [Microsoft Intune licensing plans](../../fundamentals/licensing/index.md).
+- It's included with all [Microsoft Intune licensing plans](../../fundamentals/licensing.md).
## How Platform SSO works
diff --git a/intune/device-configuration/settings-catalog/configure-universal-print.md b/intune/device-configuration/settings-catalog/configure-universal-print.md
index 8579f3cb918..b6cd8952366 100644
--- a/intune/device-configuration/settings-catalog/configure-universal-print.md
+++ b/intune/device-configuration/settings-catalog/configure-universal-print.md
@@ -34,7 +34,7 @@ This article shows you how to create a Universal Print policy in Microsoft Intun
:::column span="3":::
> To use this feature, you need the following subscriptions:
> - **Universal Print**: For more specific information, go to [License Universal Print](/universal-print/fundamentals/universal-print-license).
-> - **Microsoft Intune**: For more specific information, go to [Microsoft Intune licensing](../../fundamentals/licensing/index.md).
+> - **Microsoft Intune**: For more specific information, go to [Microsoft Intune licensing](../../fundamentals/licensing.md).
:::column-end:::
:::row-end:::
diff --git a/intune/device-configuration/settings-catalog/update-office.md b/intune/device-configuration/settings-catalog/update-office.md
index 3fd90058459..4169d66448b 100644
--- a/intune/device-configuration/settings-catalog/update-office.md
+++ b/intune/device-configuration/settings-catalog/update-office.md
@@ -28,7 +28,7 @@ This feature applies to:
[!INCLUDE [licensing](../../includes/requirements/licensing.md)]
:::column-end:::
:::column span="3":::
-> Requires Microsoft Intune and a Microsoft 365 subscription. For more information on Intune licensing, see [Microsoft Intune licensing](../../fundamentals/licensing/index.md).
+> Requires Microsoft Intune and a Microsoft 365 subscription. For more information on Intune licensing, see [Microsoft Intune licensing](../../fundamentals/licensing.md).
:::column-end:::
:::row-end:::
diff --git a/intune/device-configuration/settings-insight.md b/intune/device-configuration/settings-insight.md
index a1f39fd7fc4..666de042443 100644
--- a/intune/device-configuration/settings-insight.md
+++ b/intune/device-configuration/settings-insight.md
@@ -36,7 +36,7 @@ Settings insight is informational. You remain responsible for evaluating each se
## Prerequisites
-- **Licensing/Subscriptions**: You must have a Microsoft Intune Plan 1 license to use Settings insight. For more information, see [Licenses available for Microsoft Intune](../fundamentals/licensing/index.md).
+- **Licensing/Subscriptions**: You must have a Microsoft Intune Plan 1 license to use Settings insight. For more information, see [Licenses available for Microsoft Intune](../fundamentals/licensing.md).
- **Permissions**: Endpoint Security Administrators can create a profile using Baselines.
To learn more about this Intune built-in role, see [Role-based access control (RBAC) with Intune](../fundamentals/role-based-access-control/overview.md) and [Built-in role permissions for Intune](../fundamentals/role-based-access-control/ref-built-in-roles.md).
diff --git a/intune/device-enrollment/android/guide.md b/intune/device-enrollment/android/guide.md
index e956dc4f5e5..7a457e6b765 100644
--- a/intune/device-enrollment/android/guide.md
+++ b/intune/device-enrollment/android/guide.md
@@ -27,9 +27,6 @@ There's also a visual guide of the different enrollment options for each platfor
[](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.pdf) [Download PDF version](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.pdf) | [Download Visio version](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.vsdx)
-> [!TIP]
-> [!INCLUDE [tips-guidance-plan-deploy-guides](../includes/tips-guidance-plan-deploy-guides.md)]
-
## Before you begin
For a list of all the Intune-specific prerequisites and configurations needed to prepare your tenant for enrollment, go to [Enrollment guide: Microsoft Intune enrollment](../guide.md).
diff --git a/intune/device-enrollment/android/setup-aosp-corporate-user-associated.md b/intune/device-enrollment/android/setup-aosp-corporate-user-associated.md
index e1e40ffd1e2..5877abd12dd 100644
--- a/intune/device-enrollment/android/setup-aosp-corporate-user-associated.md
+++ b/intune/device-enrollment/android/setup-aosp-corporate-user-associated.md
@@ -44,7 +44,7 @@ This article describes how to set up Android (AOSP) device management and enroll
:::column-end:::
:::column span="3":::
-> Assign valid licenses to all specialized device users. For more information, see [Microsoft Intune licensing](../../fundamentals/licensing/index.md) and [Managing specialty devices with Microsoft Intune](../../device-management/specialty-devices.md).
+> Assign valid licenses to all specialized device users. For more information, see [Microsoft Intune licensing](../../fundamentals/licensing.md) and [Managing specialty devices with Microsoft Intune](../../device-management/specialty-devices.md).
:::column-end:::
:::row-end:::
diff --git a/intune/device-enrollment/android/setup-aosp-corporate-userless.md b/intune/device-enrollment/android/setup-aosp-corporate-userless.md
index ffa10eeb177..217acee4df6 100644
--- a/intune/device-enrollment/android/setup-aosp-corporate-userless.md
+++ b/intune/device-enrollment/android/setup-aosp-corporate-userless.md
@@ -50,7 +50,7 @@ Devices are configured in [Microsoft Entra shared device mode](/azure/active-dir
:::column-end:::
:::column span="3":::
-> Assign valid licenses to all specialized device users. For more information, see [Microsoft Intune licensing](../../fundamentals/licensing/index.md) and [Managing specialty devices with Microsoft Intune](../../device-management/specialty-devices.md).
+> Assign valid licenses to all specialized device users. For more information, see [Microsoft Intune licensing](../../fundamentals/licensing.md) and [Managing specialty devices with Microsoft Intune](../../device-management/specialty-devices.md).
:::column-end:::
:::row-end:::
diff --git a/intune/device-enrollment/apple/enable-supervised-mode.md b/intune/device-enrollment/apple/enable-supervised-mode.md
index 511213d5c65..f748c4613fb 100644
--- a/intune/device-enrollment/apple/enable-supervised-mode.md
+++ b/intune/device-enrollment/apple/enable-supervised-mode.md
@@ -30,4 +30,4 @@ Users are notified that their devices are supervised in the **Settings** app. In
## Next steps
-For other device management options, see [What is Microsoft Intune device management?](../../fundamentals/what-is-device-management.md)
+For other device management options, see [What is Microsoft Intune?](../../fundamentals/what-is-intune.md)
diff --git a/intune/device-enrollment/apple/guide-ios-ipados.md b/intune/device-enrollment/apple/guide-ios-ipados.md
index ff0eba09654..f101e14fe45 100644
--- a/intune/device-enrollment/apple/guide-ios-ipados.md
+++ b/intune/device-enrollment/apple/guide-ios-ipados.md
@@ -32,8 +32,7 @@ There's also a visual guide of the different enrollment options for each platfor
> [!TIP]
>
-> - [!INCLUDE [tips-guidance-plan-deploy-guides](../includes/tips-guidance-plan-deploy-guides.md)]
-> - For a customized experience based on your environment, you can access the [Manage and secure iOS and iPadOS devices guide](https://go.microsoft.com/fwlink/?linkid=2313884) in the [Microsoft 365 admin center](https://admin.microsoft.com).
+> For a customized experience based on your environment, you can access the [Manage and secure iOS and iPadOS devices guide](https://go.microsoft.com/fwlink/?linkid=2313884) in the [Microsoft 365 admin center](https://admin.microsoft.com).
## Before you begin
diff --git a/intune/device-enrollment/apple/guide-macos.md b/intune/device-enrollment/apple/guide-macos.md
index 064e9c87a82..21e4bf74fab 100644
--- a/intune/device-enrollment/apple/guide-macos.md
+++ b/intune/device-enrollment/apple/guide-macos.md
@@ -30,9 +30,6 @@ There's also a visual guide of the different enrollment options for each platfor
[](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.pdf) [Download PDF version](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.pdf) | [Download Visio version](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.vsdx)
-> [!TIP]
-> [!INCLUDE [tips-guidance-plan-deploy-guides](../includes/tips-guidance-plan-deploy-guides.md)]
-
## Before you begin
For all Intune-specific prerequisites and configurations needed to prepare your tenant for enrollment, go to [Enrollment guide: Microsoft Intune enrollment](../guide.md).
diff --git a/intune/device-enrollment/apple/manage-devices-tokens-apple.md b/intune/device-enrollment/apple/manage-devices-tokens-apple.md
index 6d132404701..c6588357580 100644
--- a/intune/device-enrollment/apple/manage-devices-tokens-apple.md
+++ b/intune/device-enrollment/apple/manage-devices-tokens-apple.md
@@ -112,7 +112,7 @@ If you exceed 200,000 devices per token, you might experience sync problems. Spl
## Distribute devices
-Users on devices enrolled with user affinity must have an Intune license assigned. Devices enrolled without user affinity need an Intune device license, unless an Intune-licensed user is associated with the device. For more information, see [Microsoft Intune licensing](../../fundamentals/licensing/index.md) and the [Intune planning guide](../../intune-service/fundamentals/intune-planning-guide.md).
+Users on devices enrolled with user affinity must have an Intune license assigned. Devices enrolled without user affinity need an Intune device license, unless an Intune-licensed user is associated with the device. For more information, see [Microsoft Intune licensing](../../fundamentals/licensing.md) and the [Intune planning guide](../../intune-service/fundamentals/intune-planning-guide.md).
A device that is already activated needs to be wiped before it can enroll with automated device enrollment. After you wipe it but before activating it again, you can apply the enrollment policy. For more information, see [Set up an existing iPhone, iPad, or iPod touch](https://support.apple.com/en-us/HT207516) (opens Apple support site).
diff --git a/intune/device-enrollment/apple/overview-automated-enrollment-apple.md b/intune/device-enrollment/apple/overview-automated-enrollment-apple.md
index 57eb5bfc15d..1eeeab2ed4f 100644
--- a/intune/device-enrollment/apple/overview-automated-enrollment-apple.md
+++ b/intune/device-enrollment/apple/overview-automated-enrollment-apple.md
@@ -44,7 +44,7 @@ For macOS information, see [Overview of Apple Automated Device Enrollment for ma
| Userless devices (kiosk, shared-use) | ✅ Supported on all Apple mobile platforms. |
| Microsoft Entra shared device mode | ✅ Supported on iOS/iPadOS for frontline worker scenarios. |
| Apple Shared iPad | ✅ Supported on iPadOS. |
-| BYOD or personal devices | ❌ Not supported. Use [MAM](../../intune-service/fundamentals/deployment-guide-enrollment-mamwe.md) or [user and device enrollment](setup-user-company-portal.md) instead. |
+| BYOD or personal devices | ❌ Not supported. Use [MAM](../../app-management/protection/mam-without-enrollment.md) or [user and device enrollment](setup-user-company-portal.md) instead. |
| Device enrollment manager (DEM) accounts | ❌ Not supported. |
| Devices managed by another MDM provider | ❌ Users must unenroll from their current MDM provider before enrolling in Intune. For help migrating devices, see [Apple making device migration to Microsoft Intune easy with upcoming OS 26 release](https://techcommunity.microsoft.com/blog/IntuneCustomerSuccess/apple-making-device-migration-to-microsoft-intune-easy-with-upcoming-os-26-relea/4439895) on the Microsoft Community Hub. |
@@ -85,7 +85,7 @@ You can set up automated device enrollment for devices in [shared device mode](/
Before setting up ADE in Intune, make sure you have the following in place across all platforms:
-* [Microsoft Intune Suite licensing](../../fundamentals/licensing/index.md).
+* [Microsoft Intune Suite licensing](../../fundamentals/licensing.md).
- Microsoft Intune Plan 2 is required for tvOS and visionOS device management.
- Microsoft Intune Plan 1 is the minimum requirement for iOS/iPadOS device management.
* Access to [Apple Business](https://business.apple.com/) or [Apple School Manager](https://school.apple.com/).
diff --git a/intune/device-enrollment/apple/setup-direct-macos.md b/intune/device-enrollment/apple/setup-direct-macos.md
index 2f903abf846..031972ee023 100644
--- a/intune/device-enrollment/apple/setup-direct-macos.md
+++ b/intune/device-enrollment/apple/setup-direct-macos.md
@@ -129,5 +129,5 @@ Start managing enrolled devices in the Microsoft Intune admin center.
- [Tutorial - Walkthrough the Microsoft Intune admin center](../../fundamentals/tutorial-admin-center-walkthrough.md)
- [Remote Device Actions In Microsoft Intune](../../device-management/actions/index.md)
-- [Use Intune Suite add-on capabilities](../../fundamentals/add-ons.md)
+- [Microsoft Intune advanced capabilities](../../fundamentals/advanced-capabilities.md)
diff --git a/intune/device-enrollment/guide.md b/intune/device-enrollment/guide.md
index bd24318147e..a22fcf4f431 100644
--- a/intune/device-enrollment/guide.md
+++ b/intune/device-enrollment/guide.md
@@ -35,9 +35,6 @@ Enrollment is enabled for all platforms by default, but you can restrict specifi
This article describes the supported device scenarios and enrollment prerequisites, has information about using other MDM providers, and includes links to platform-specific enrollment guidance.
-> [!TIP]
-> [!INCLUDE [tips-guidance-plan-deploy-guides](includes/tips-guidance-plan-deploy-guides.md)]
-
## Supported device scenarios
Microsoft Intune enables mobile device management for:
@@ -67,7 +64,7 @@ Microsoft Intune automatically marks devices that meet certain criteria as corpo
- Intune is set up, and ready to enroll users and devices. Be sure:
- The [MDM Authority](../fundamentals/setup-mdm-authority.md) is set to Intune, even when using [co-management](../configmgr/comanage/overview.md) with Intune + Configuration Manager.
- - [Intune licenses are assigned](../fundamentals/licensing/assign-licenses.md).
+ - [Intune licenses are assigned](../fundamentals/assign-licenses.md).
For more information, go to the [Intune setup deployment guide](../fundamentals/setup-migration.md).
diff --git a/intune/device-enrollment/includes/tips-guidance-plan-deploy-guides.md b/intune/device-enrollment/includes/tips-guidance-plan-deploy-guides.md
deleted file mode 100644
index c605dce80bf..00000000000
--- a/intune/device-enrollment/includes/tips-guidance-plan-deploy-guides.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-author: MandiOhlinger
-ms.topic: include
-ms.date: 10/26/2020
-ms.author: mandia
----
-
-
-
-This guide is a living thing. So, be sure to add or update existing tips and guidance you've found helpful.
diff --git a/intune/device-enrollment/windows/enable-automatic-mdm.md b/intune/device-enrollment/windows/enable-automatic-mdm.md
index e9700716730..2ca5c3e9151 100644
--- a/intune/device-enrollment/windows/enable-automatic-mdm.md
+++ b/intune/device-enrollment/windows/enable-automatic-mdm.md
@@ -109,7 +109,7 @@ The Microsoft Intune user help docs provide conceptual information, tutorials, a
Users on personal devices running Windows can automatically enroll by adding their work or school account on their device, or by using the Intune Company Portal app. Devices running earlier versions of Windows must enroll using the Intune Company Portal app. For more information, see [Enroll Windows devices](../../user-help/enrollment/enroll-windows.md).
-Intune also supports unlicensed admin access, which lets administrators sign in to the Intune admin center without an Intune license. Tenants created after July 2021 have this enabled by default. For more information, see [Unlicensed admins](../../fundamentals/licensing/unlicensed-admins.md).
+Intune also supports unlicensed admin access, which lets administrators sign in to the Intune admin center without an Intune license. Tenants created after July 2021 have this enabled by default. For more information, see [Unlicensed admins](../../fundamentals/licensing.md#unlicensed-admin-access).
## Best practices and troubleshooting
diff --git a/intune/device-enrollment/windows/guide.md b/intune/device-enrollment/windows/guide.md
index 0a19c666e4a..73cc5c43fb3 100644
--- a/intune/device-enrollment/windows/guide.md
+++ b/intune/device-enrollment/windows/guide.md
@@ -27,9 +27,6 @@ There's also a visual guide of the different enrollment options for each platfor
[](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.pdf) [Download PDF version](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.pdf) | [Download Visio version](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.vsdx)
-> [!TIP]
-> [!INCLUDE [tips-guidance-plan-deploy-guides](../includes/tips-guidance-plan-deploy-guides.md)]
-
## Before you begin
- For all Intune-specific prerequisites and configurations needed to prepare your tenant for enrollment, go to [Enrollment guide: Microsoft Intune enrollment](../guide.md).
diff --git a/intune/device-management/specialty-devices.md b/intune/device-management/specialty-devices.md
index e99650e8826..82694fef830 100644
--- a/intune/device-management/specialty-devices.md
+++ b/intune/device-management/specialty-devices.md
@@ -3,7 +3,7 @@ title: Manage Specialty devices with Microsoft Intune
description: This article provides information about specialty devices and how can you manage them with Microsoft Intune
author: lenewsad
ms.author: lanewsad
-ms.date: 08/01/2024
+ms.date: 05/12/2026
ms.topic: article
ms.reviewer: priyar
ms.subservice: suite
@@ -11,30 +11,46 @@ ms.collection:
- M365-identity-device-management
---
-# Managing specialty devices with Microsoft Intune
+# Specialty device management
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
+Specialty device management provides a range of management, configuration, and protection capabilities for specialized devices, such as AR/VR headsets, large smart-screen devices, and select conference room meeting devices.
-Specialty device management with Microsoft Intune provides a range of management, configuration, and protection capabilities for specialized devices, such as AR/VR headsets, large smart-screen devices, and select conference room meeting devices. To use these advanced endpoint management capabilities and remain compliant with the licensing terms of Microsoft agreements, organizations will need a new license or promotional offer in addition to their plan that includes Microsoft Intune, starting from March 1, 2023.
+## Prerequisites
-Either a Microsoft Intune Suite, Intune Plan 2 or an alternative Microsoft plan or promotion that covers device licenses is required for users of these devices. The new Intune plans are based on a per user per month subscription model and are required to cover all the users of these specialty devices.
+:::row:::
+:::column span="1":::
+[!INCLUDE [licensing](../includes/requirements/licensing.md)]
-For specialty devices such as headsets and AR/VR devices, for example **RealWear** and **HTC** devices, organizations need to purchase either the Microsoft Intune Suite or Intune Plan 2 for the users of these devices when they're considered generally available.
+:::column-end:::
+:::column span="3":::
-For **Microsoft Teams Rooms** devices including Microsoft Surface Hub, organizations need to have sufficient [Microsoft Teams Rooms Pro licenses](/microsoftteams/rooms/rooms-licensing), conference area phone [Teams Shared Device license](/microsoftteams/set-up-common-area-phones) or a Teams license plan that includes Microsoft Intune Plan 1, to cover the users of these devices.
+>[!INCLUDE [additional-licensing-plan2](../includes/licensing/additional-licensing-plan2.md)]
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [cloud](../includes/requirements/cloud.md)]
-For **Microsoft HoloLens**, subscribers of Microsoft Intune (Plan 1) aren't required to proactively add the Intune Plan 2 license. Microsoft is exploring ways to use their Microsoft 365 subscription that includes Intune to ensure licensing compliance. In the interim, there won't be any disruption to their ability to manage and protect HoloLens devices.
+:::column-end:::
+:::column span="3":::
+> Specialty device management is supported in the following cloud environments:
+> - Public cloud
+> - Sovereign cloud environments:
+> - U.S. Government Community Cloud (GCC) High
+> - U.S. Department of Defense (DoD)
+:::column-end:::
+:::row-end:::
-For specialty devices that run in Microsoft Entra shared device Mode (SDM), organizations need to have the same volume of Intune Suite or Intune Plan 2 licenses as their core Intune license (Intune Plan 1 for either Microsoft E or F plans) for those users. For example, if 10 frontline workers are sharing one device and they're all covered by Intune Plan 1 core licenses, the organization should also have 10 Intune Plan 2 licenses.
+### Licensing considerations
-## Government cloud support
+For specialty devices such as headsets and AR/VR devices, for example **Apple Vision Pro**, **RealWear**, and **HTC** devices, organizations must assign a required license to the users of these devices.
-Specialty device management is supported with the following sovereign cloud environments:
+For **Microsoft Teams Rooms** devices including Microsoft Surface Hub, organizations need to have sufficient [Microsoft Teams Rooms Pro licenses](/microsoftteams/rooms/rooms-licensing), conference area phone [Teams Shared Device license](/microsoftteams/set-up-common-area-phones) or a Teams license plan that includes Microsoft Intune Plan 1, to cover the users of these devices.
-- U.S. Government Community Cloud (GCC) High
-- U.S. Department of Defense (DoD)
+For **Microsoft HoloLens**, subscribers of Microsoft Intune (Plan 1) aren't required to add more licenses to manage HoloLens devices.
-For more information, see [Microsoft Intune for US Government GCC service description](../fundamentals/government-service.md).
+For specialty devices that run in Microsoft Entra shared device Mode (SDM), organizations need to have the same volume of required licenses as their core Intune license (Intune Plan 1 for either Microsoft E or F plans) for those users. For example, if 10 frontline workers are sharing one device and they're all covered by Intune Plan 1 core licenses, the organization should also have 10 of the required specialty device licenses to cover those users.
## Next Steps
diff --git a/intune/device-management/tools/setup-servicenow.md b/intune/device-management/tools/setup-servicenow.md
index 00080b362c6..84af7860abc 100644
--- a/intune/device-management/tools/setup-servicenow.md
+++ b/intune/device-management/tools/setup-servicenow.md
@@ -12,7 +12,7 @@ ms.collection:
---
# ServiceNow Integration with Microsoft Intune
-Remote Help, an add-on to Microsoft Intune, provides a secure cloud based remote assistance solution for Windows commercial users. The integration between Intune and ServiceNow makes it possible for helpdesk agents to use Intune to troubleshoot endpoint related issues.
+Remote Help provides a secure cloud based remote assistance solution for Windows commercial users. The integration between Intune and ServiceNow makes it possible for helpdesk agents to use Intune to troubleshoot endpoint related issues.
Support organizations need all the tools at their disposal to resolve workers' technology issues quickly and efficiently. With ServiceNow integration, helpdesk agents licensed to use Remote Help and who use ServiceNow can view incidents to see the details of the tech issue that an employee is facing. This integration allows helpdesk agents to view ServiceNow incidents directly from the Troubleshooting pane in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
@@ -28,7 +28,7 @@ The Intune ServiceNow Connector Integration focuses on creating a basic ticketin
To get started, review the following steps:
-- ServiceNow integration is now Generally Available. An active Intune Suite or Remote Help trial or add-on license is required. Go to [Remote Help trial or add-on license.](../../fundamentals/add-ons.md)
+- ServiceNow integration is now Generally Available. An active Remote Help license or trial is required. For more information, see [Microsoft Intune advanced capabilities](../../fundamentals/advanced-capabilities.md).
- You must have the Microsoft Entra Intune Admin role to make updates to the connector. To view the incidents, you must have the Microsoft Entra Intune Admin role or have an Intune Role with the Organization | Read permission. Admins that aren't assigned the Microsoft Entra role, need one of these two permissions to either modify the connector or view incidents respectively; **Update Connector** and **View Incidents**. These permissions are part of the ServiceNow permission category. For information on roles, see [Role-based administration control with Intune](../../fundamentals/role-based-access-control/overview.md)
diff --git a/intune/device-management/tools/setup-teamviewer.md b/intune/device-management/tools/setup-teamviewer.md
index da346579090..057fc55a3c8 100644
--- a/intune/device-management/tools/setup-teamviewer.md
+++ b/intune/device-management/tools/setup-teamviewer.md
@@ -47,7 +47,7 @@ Before you configure the TeamViewer connector in Intune, make sure these require
[!INCLUDE [licensing](../../includes/requirements/licensing.md)]
:::column-end:::
:::column span="3":::
-> - The administrator configuring the TeamViewer connector must have a Microsoft Intune license. You can give administrators access to Intune without them requiring an Intune license. For more information, see [Unlicensed admins](../../fundamentals/licensing/unlicensed-admins.md).
+> - The administrator configuring the TeamViewer connector must have a Microsoft Intune license. You can give administrators access to Intune without them requiring an Intune license. For more information, see [Unlicensed admins](../../fundamentals/licensing.md#unlicensed-admin-access).
> - A TeamViewer account and license is required. Visit the [TeamViewer integration docs](https://www.teamviewer.com/en/integrations/microsoft-intune/) (opens the TeamViewer website) or contact the TeamViewer sales team for more information about account setup and required licenses.
:::column-end:::
:::row-end:::
diff --git a/intune/device-management/tools/teamviewer-legacy.md b/intune/device-management/tools/teamviewer-legacy.md
index a18dc1ea96d..acd5857c97a 100644
--- a/intune/device-management/tools/teamviewer-legacy.md
+++ b/intune/device-management/tools/teamviewer-legacy.md
@@ -31,7 +31,7 @@ This feature applies to:
## Prerequisites
-- The administrator configuring the TeamViewer connector must have an Intune license. You can give administrators access to Microsoft Intune without them requiring an Intune license. For more information, see [Unlicensed admins](../../fundamentals/licensing/unlicensed-admins.md).
+- The administrator configuring the TeamViewer connector must have an Intune license. You can give administrators access to Microsoft Intune without them requiring an Intune license. For more information, see [Unlicensed admins](../../fundamentals/licensing.md#unlicensed-admin-access).
- Users must be assigned the Remote assistance connectors/Read and Remote assistance connectors/Update permissions in the Intune admin center to onboard TeamViewer. For more information, see [Role-based access control (RBAC) with Microsoft Intune](../../fundamentals/role-based-access-control/overview.md).
diff --git a/intune/device-security/endpoint-security-policies.md b/intune/device-security/endpoint-security-policies.md
index 6a1bfdc81b5..b963ee07706 100644
--- a/intune/device-security/endpoint-security-policies.md
+++ b/intune/device-security/endpoint-security-policies.md
@@ -105,8 +105,8 @@ Endpoint Privilege Management enforces least privilege access by allowing users
You deploy Endpoint Privilege Management by creating elevation rules that define which applications can run with administrative privileges and under what conditions. Elevation rules support multiple validation methods including file hashes, publisher certificates, and file paths. You can configure automatic elevation for trusted applications, user-confirmed elevation with optional authentication requirements, support-approved elevation where administrators review requests, or deny rules to block specific files. EPM includes detailed reporting for both managed elevations and unmanaged elevations, helping you identify elevation patterns, refine rules, and plan the transition of users from administrator to standard user accounts.
-> [!IMPORTANT]
-> Endpoint Privilege Management is available as an [Intune add-on](../fundamentals/add-ons.md) that requires an additional license beyond Microsoft Intune. You can license EPM as a standalone add-on or as part of the Microsoft Intune Suite. EPM policies are only available for Windows devices.
+> [!NOTE]
+> Endpoint Privilege Management is a [Microsoft Intune advanced capability](../fundamentals/advanced-capabilities.md) that requires additional licensing beyond Microsoft Intune.
For more information, see [Endpoint Privilege Management](../epm/overview.md).
diff --git a/intune/device-security/microsoft-defender/overview.md b/intune/device-security/microsoft-defender/overview.md
index 84abad8b436..053783a4701 100644
--- a/intune/device-security/microsoft-defender/overview.md
+++ b/intune/device-security/microsoft-defender/overview.md
@@ -57,7 +57,7 @@ You can add these permissions to a [custom Intune role](../../fundamentals/role-
**Subscription**: Microsoft Intune Plan 1 subscription provides access to Intune and the Microsoft Intune admin center.
-For licensing options, see [Microsoft Intune licensing](../../fundamentals/licensing/index.md).
+For licensing options, see [Microsoft Intune licensing](../../fundamentals/licensing.md).
**Supported platforms**:
diff --git a/intune/device-security/microsoft-tunnel/mam-android.md b/intune/device-security/microsoft-tunnel/mam-android.md
index 66c848c9683..48a4f677ed0 100644
--- a/intune/device-security/microsoft-tunnel/mam-android.md
+++ b/intune/device-security/microsoft-tunnel/mam-android.md
@@ -12,7 +12,7 @@ ms.collection:
# Microsoft Tunnel for Mobile Application Management for Android
-[!INCLUDE [intune-add-on-note](../../advanced-analytics/includes/intune-add-on-note.md)]
+[!INCLUDE [additional-licensing-plan2](../../includes/licensing/additional-licensing-plan2.md)]
When you add Microsoft Tunnel for Mobile Application Management (MAM) to your tenant, you can use Microsoft Tunnel VPN Gateway with unenrolled Android devices to support MAM scenarios. With support for MAM, your unenrolled devices can use Tunnel to securely connect to your organization allowing users and apps safe access to your organizational data.
diff --git a/intune/device-security/microsoft-tunnel/mam-ios.md b/intune/device-security/microsoft-tunnel/mam-ios.md
index d8c84299efa..9bb4de1414e 100644
--- a/intune/device-security/microsoft-tunnel/mam-ios.md
+++ b/intune/device-security/microsoft-tunnel/mam-ios.md
@@ -12,7 +12,7 @@ ms.collection:
# Microsoft Tunnel for Mobile Application Management for iOS/iPadOS
-[!INCLUDE [intune-add-on-note](../../advanced-analytics/includes/intune-add-on-note.md)]
+[!INCLUDE [additional-licensing-plan2](../../includes/licensing/additional-licensing-plan2.md)]
When you add Microsoft Tunnel for Mobile Application Management (MAM) to your tenant, you can use Microsoft Tunnel VPN Gateway with unenrolled iOS devices to support MAM the following scenarios:
diff --git a/intune/device-security/microsoft-tunnel/mam.md b/intune/device-security/microsoft-tunnel/mam.md
index faf776b0572..058c7cbf59a 100644
--- a/intune/device-security/microsoft-tunnel/mam.md
+++ b/intune/device-security/microsoft-tunnel/mam.md
@@ -12,27 +12,37 @@ ms.collection:
# Microsoft Tunnel for Mobile Application Management
-[!INCLUDE [intune-add-on-note](../../includes/intune-plan2-suite-note.md)]
-
When you use the Microsoft Tunnel VPN Gateway, you can extend Tunnel support by adding Tunnel for Mobile Application Management (MAM). Tunnel for MAM extends the Microsoft Tunnel VPN gateway to support devices that run Android or iOS, and that aren't enrolled with Microsoft Intune. With this solution, your users can use a single device that isn't enrolled with Intune to gain secure access to the organizations on-premises apps and resources using modern authentication, single sign-on, and Conditional Access. With Tunnel for MAM, your users can use their own device (BYOD) for both work and personal use, without having to grant the organization's IT department control over that device.
-Applies to:
-
-- Android
-- iOS/iPadOS
-
-## Platform requirements and feature overview
-
Before you begin, you must already have deployed the Microsoft Tunnel gateway. To learn more about Microsoft Tunnel gateway and how to install and configure it, see:
- [Learn about the Microsoft Tunnel VPN solution for Microsoft Intune](./overview.md)
- [Identify the prerequisites to install and use the Microsoft Tunnel VPN solution for Microsoft Intune](./prerequisites.md)
- [Install and configure Microsoft Tunnel VPN solution for Microsoft Intune](./install.md)
-Microsoft Tunnel for MAM supports the following platforms:
+## Prerequisites
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [platform](../../includes/requirements/platform.md)]
+
+:::column-end:::
+:::column span="3":::
+>- Android Enterprise
+>- iOS/iPadOS
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [licensing](../../includes/requirements/licensing.md)]
+
+:::column-end:::
+:::column span="3":::
-- Android Enterprise version 10.0 or higher
-- iOS version 14.0 or higher
+>[!INCLUDE [additional-licensing-plan2](../../includes/licensing/additional-licensing-plan2.md)]
+:::column-end:::
+:::row-end:::
The following table identifies key features for the supported platforms:
diff --git a/intune/device-security/microsoft-tunnel/overview.md b/intune/device-security/microsoft-tunnel/overview.md
index d79ea34d28e..df268e521ea 100644
--- a/intune/device-security/microsoft-tunnel/overview.md
+++ b/intune/device-security/microsoft-tunnel/overview.md
@@ -17,7 +17,7 @@ This article introduces the core Microsoft Tunnel, how it works, and its archite
If you're ready to deploy the Microsoft Tunnel, see [Prerequisites for the Microsoft Tunnel](./prerequisites.md), and then [Configure the Microsoft Tunnel](./install.md).
-After you deploy Microsoft Tunnel, you can choose to add [Microsoft Tunnel for Mobile Application Management](./mam.md) (Tunnel for MAM). Tunnel for MAM extends the Microsoft Tunnel VPN gateway to support devices that run Android or iOS, and that aren't enrolled with Microsoft Intune. Tunnel for MAM is available when you add *Microsoft Intune Plan 2* or *Microsoft Intune Suite* as an [add-on license](../../fundamentals/add-ons.md) to your Tenant.
+After you deploy Microsoft Tunnel, you can choose to add [Microsoft Tunnel for Mobile Application Management](./mam.md) (Tunnel for MAM). Tunnel for MAM extends the Microsoft Tunnel VPN gateway to support devices that run Android or iOS, and that aren't enrolled with Microsoft Intune. Tunnel for MAM is is a [Microsoft Intune advanced capability](../../fundamentals/advanced-capabilities.md) that requires additional licensing beyond Microsoft Intune.
> [!NOTE]
>
@@ -38,7 +38,7 @@ Microsoft Tunnel Gateway installs onto a container that runs on a Linux server.
- A friendly name for the VPN connection that is visible to your end users.
- The site that the VPN client connects to.
- Per-app VPN configurations that define which apps the VPN profile is used for, and if it's always-on or not. When always-on, the VPN automatically connects and is used only for the apps you define. If no apps are defined, the always-on connection provides tunnel access for all network traffic from the device.
-- For iOS devices that have Microsoft Defender configured to support per-app VPNs and *TunnelOnly* mode set to *True*, users don’t need to open or sign-in to Microsoft Defender on their device for the Tunnel to be used. Instead, with the user signed-in to the Company Portal on the device or to any other app that uses multifactor authentication that has a valid token for access, the Tunnel per-app VPN is used automatically. *TunnelOnly* mode is supported for iOS/iPadOS, and disables the Defender functionality, leaving only the Tunnel capabilities.
+- For iOS devices that have Microsoft Defender configured to support per-app VPNs and *TunnelOnly* mode set to *True*, users don't need to open or sign-in to Microsoft Defender on their device for the Tunnel to be used. Instead, with the user signed-in to the Company Portal on the device or to any other app that uses multifactor authentication that has a valid token for access, the Tunnel per-app VPN is used automatically. *TunnelOnly* mode is supported for iOS/iPadOS, and disables the Defender functionality, leaving only the Tunnel capabilities.
- Manual connections to the tunnel when a user launches the VPN and selects *Connect*.
- On-demand VPN rules that allow use of the VPN when conditions are met for specific FQDNs or IP addresses. *(iOS/iPadOS)*
- Proxy support. *(iOS/iPadOS, Android 11+)*
@@ -46,11 +46,11 @@ Microsoft Tunnel Gateway installs onto a container that runs on a Linux server.
When a device is identified as rooted, the client immediately marks the device's risk category as *High*, drops active Tunnel connections, and continues to block access until the device is determined to be compliant. The device user receives a notification about this status from the Defender client.
- This capability doesn’t replace the use of Intune compliance policies for Android to manage the settings for *Rooted devices*, *Play Integrity Verdict*, and *Require the device to be at or under the Device Threat Level*. Use of Intune compliance policies to manage keys settings for Android supports the Microsoft Zero Trust security model for Android Enterprise [personally owned](../security-configurations/android-personally-owned.md#personally-owned-work-profile-enhanced-security-level-2) and [fully managed](../security-configurations/android-fully-managed.md#fully-managed-basic-security-level-1) devices.
+ This capability doesn't replace the use of Intune compliance policies for Android to manage the settings for *Rooted devices*, *Play Integrity Verdict*, and *Require the device to be at or under the Device Threat Level*. Use of Intune compliance policies to manage keys settings for Android supports the Microsoft Zero Trust security model for Android Enterprise [personally owned](../security-configurations/android-personally-owned.md#personally-owned-work-profile-enhanced-security-level-2) and [fully managed](../security-configurations/android-fully-managed.md#fully-managed-basic-security-level-1) devices.
### Setup Overview
-Through the Microsoft Intune admin center, you’ll:
+Through the Microsoft Intune admin center, you'll:
- Download the Microsoft Tunnel installation script that you run on the Linux servers.
- Configure aspects of Microsoft Tunnel Gateway like IP addresses, DNS servers, and ports.
@@ -61,9 +61,9 @@ Through the Defender app, iOS/iPadOS and Android Enterprise devices:
- Use Microsoft Entra ID to authenticate to the tunnel.
- Use Active Directory Federation Services (AD FS) to authenticate to the tunnel.
-- Are evaluated against your Conditional Access policies. If the device isn’t compliant, then it can't access your VPN server or your on-premises network.
+- Are evaluated against your Conditional Access policies. If the device isn't compliant, then it can't access your VPN server or your on-premises network.
-You can install multiple Linux servers to support Microsoft Tunnel, and combine servers into logical groups called *Sites*. Each server can join a single Site. When you configure a Site, you’re defining a connection point for devices to use when they access the tunnel. Sites require a *Server configuration* that you define and assign to the Site. The Server configuration is applied to each server you add to that Site, simplifying the configuration of more servers.
+You can install multiple Linux servers to support Microsoft Tunnel, and combine servers into logical groups called *Sites*. Each server can join a single Site. When you configure a Site, you're defining a connection point for devices to use when they access the tunnel. Sites require a *Server configuration* that you define and assign to the Site. The Server configuration is applied to each server you add to that Site, simplifying the configuration of more servers.
To direct devices to use the tunnel, you create and deploy a VPN policy for Microsoft Tunnel. This policy is a device configuration VPN profile that uses Microsoft Tunnel for its connection type.
@@ -80,7 +80,7 @@ Site configuration includes:
- A public IP address or FQDN, which is the connection point for devices that use the tunnel. This address can be for an individual server or the IP or FQDN of a load-balancing server.
- The Server configuration that is applied to each server in the Site.
-You assign a server to a Site at the time you install the tunnel software on the Linux server. The installation uses a script that you can download from within the admin center. After starting the script, you’ll be prompted to configure its operation for your environment, which includes specifying the Site the server will join.
+You assign a server to a Site at the time you install the tunnel software on the Linux server. The installation uses a script that you can download from within the admin center. After starting the script, you'll be prompted to configure its operation for your environment, which includes specifying the Site the server will join.
To use the Microsoft Tunnel, devices must install the Microsoft Defender app. You get the applicable app from the iOS/iPadOS or Android app stores and deploy it to users.
diff --git a/intune/device-security/microsoft-tunnel/prerequisites.md b/intune/device-security/microsoft-tunnel/prerequisites.md
index c9cc1fcdc9d..81303aa4a42 100644
--- a/intune/device-security/microsoft-tunnel/prerequisites.md
+++ b/intune/device-security/microsoft-tunnel/prerequisites.md
@@ -16,10 +16,11 @@ Before you can install the Microsoft Tunnel VPN gateway for Microsoft Intune, re
At a high level, the Microsoft Tunnel requires:
- An Azure subscription.
-
- A *Microsoft Intune Plan 1* subscription.
+
> [!NOTE]
- > This prerequisite is for *Microsoft Tunnel*, and does not include [Microsoft Tunnel for Mobile Application Management](./mam.md), which is an [Intune add-on](../../fundamentals/add-ons.md) that requires a *Microsoft Intune Plan 2* subscription.
+ > This prerequisite is for *Microsoft Tunnel*, and does not include [Microsoft Tunnel for Mobile Application Management](./mam.md), which is a [Microsoft Intune advanced capability](../../fundamentals/advanced-capabilities.md) that requires that requires additional licensing beyond Microsoft Intune.
+
- To complete setup of Microsoft Tunnel, the account you'll use to register Tunnel Gateway with Microsoft Intune and your Intune tenant must be assigned the Microsoft Entra ID role of *Intune Administrator* and be assigned an Intune license.
diff --git a/intune/device-security/overview.md b/intune/device-security/overview.md
index 1be4541f058..4f5708fbb5e 100644
--- a/intune/device-security/overview.md
+++ b/intune/device-security/overview.md
@@ -179,8 +179,8 @@ Conditional Access works across managed and unmanaged devices, helping create an
- Applications are validated using file hashes, certificates, or other criteria.
- Common elevated scenarios: application installations, driver updates, Windows diagnostics.
-> [!TIP]
-> EPM is available as an [Intune add-on](../fundamentals/add-ons.md) for Windows devices and requires an additional license.
+> [!NOTE]
+> EPM is a [Microsoft Intune advanced capability](../fundamentals/advanced-capabilities.md) for Windows devices and requires additional licensing beyond Microsoft Intune.
## Next steps
diff --git a/intune/device-security/ref-zero-trust-security.md b/intune/device-security/ref-zero-trust-security.md
index 0172ea8617c..50a6d7d7ada 100644
--- a/intune/device-security/ref-zero-trust-security.md
+++ b/intune/device-security/ref-zero-trust-security.md
@@ -54,7 +54,7 @@ Ensure tenant-level governance, identity, and configuration consistency.
For license details, see:
-- [Microsoft Intune licensing](../fundamentals/licensing/index.md)
+- [Microsoft Intune licensing](../fundamentals/licensing.md)
- [Microsoft Entra licensing](/entra/fundamentals/licensing)
- [Overview of Microsoft Defender for Endpoint Plan 1](/defender-endpoint/defender-endpoint-plan-1)
@@ -83,7 +83,7 @@ Secure endpoints through device configuration and security policies.
For license details, see:
-- [Microsoft Intune licensing](../fundamentals/licensing/index.md)
+- [Microsoft Intune licensing](../fundamentals/licensing.md)
- [Overview of Microsoft Defender for Endpoint Plan 1](/defender-endpoint/defender-endpoint-plan-1)
## Secure Data
@@ -102,7 +102,7 @@ Protect data on devices and in transit, and enforce secure access to organizatio
For license details, see:
-- [Microsoft Intune licensing](../fundamentals/licensing/index.md)
+- [Microsoft Intune licensing](../fundamentals/licensing.md)
- [Microsoft Entra licensing](/entra/fundamentals/licensing)
## Related content
diff --git a/intune/device-security/security-baselines/configure-baselines.md b/intune/device-security/security-baselines/configure-baselines.md
index 5d8ce7423ab..2496b533329 100644
--- a/intune/device-security/security-baselines/configure-baselines.md
+++ b/intune/device-security/security-baselines/configure-baselines.md
@@ -49,7 +49,7 @@ Find out what you need to manage Intune security baselines.
### Licensing
-- Use of Intune to deploy security baselines requires a Microsoft Intune Plan 1 subscription. See [Microsoft Intune licensing](../../fundamentals/licensing/index.md).
+- Use of Intune to deploy security baselines requires a Microsoft Intune Plan 1 subscription. See [Microsoft Intune licensing](../../fundamentals/licensing.md).
> [!TIP]
>
diff --git a/intune/device-updates/android/manage-fota.md b/intune/device-updates/android/manage-fota.md
index 630976f3655..e27a92b1661 100644
--- a/intune/device-updates/android/manage-fota.md
+++ b/intune/device-updates/android/manage-fota.md
@@ -1,43 +1,82 @@
---
-title: Android FOTA Updates
+title: Manage Android FOTA updates with Microsoft Intune
description: Use Microsoft Intune to manage firmware updates on Android devices. A FOTA update can include software and security patches, feature updates, and other changes to the device's firmware.
-ms.date: 04/09/2025
+ms.date: 05/12/2026
ms.topic: how-to
ms.reviewer: jieyan
ms.subservice: suite
---
-# Android FOTA Updates
-You can use Microsoft Intune to manage software updates on the following Android Enterprise devices:
+# Manage Firmware Over-the-Air updates on Android
-- Fully Managed
-- Dedicated
-- Corporate-Owned Work Profile devices
+Firmware Over-the-Air (FOTA) updates let you remotely update device firmware over a wireless connection. A FOTA update can include software and security patches, feature updates, and other changes to the device's firmware. This method is more efficient, convenient, and more secure than manual updates and can be performed on a scheduled or on-demand basis.
-You have two ways to manage software updates on android:
+In the context of FOTA, a *deployment* is an update policy that includes instructions about the firmware update to be deployed to devices and other update-related settings. For example, Schedule type, and charging requirements.
+
+## Prerequisites
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [platform](../../includes/requirements/platform.md)]
+
+:::column-end:::
+:::column span="3":::
+
+> FOTA updates are supported on Android Enterprise devices enrolled in Intune. This includes the following enrollment types:
+> - Android Enterprise corporate-owned dedicated (COSU)
+> - Android Enterprise corporate-owned fully managed (COBO)
+> - Android Enterprise corporate-owned work profile (COPE)
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [licensing](../../includes/requirements/licensing.md)]
+
+:::column-end:::
+:::column span="3":::
+
+>[!INCLUDE [additional-licensing-plan2](../../includes/licensing/additional-licensing-plan2.md)]
+:::column-end:::
+:::row-end:::
+
+## Manage FOTA updates
+
+You have two ways to manage software updates:
- Use Firmware Over-the-Air (FOTA), which works for some OEMs.
> [!NOTE]
- > This feature requires a Microsoft Intune Plan 2 or Microsoft Intune Suite license. See [Intune add-ons and licensing](../../fundamentals/add-ons.md) for details.
- >
> If Zebra updated the available firmware list in the last 24 hours, then the list of firmware available might take up to 24 hours to populate.
- If FOTA isn't available you can use Device restrictions profiles, which work for all OEMs.
- 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
- 2. Navigate to **Devices** > **By platform** > **Android** > **Manage devices** > **Configuration** > **Create** > **New policy** > **Fully Managed, Dedicated, and Corporate-Owned Work Profile** > **Device restrictions**.
- 3. Device restrictions profiles offer control over how the device handles over-the-air updates and allow you to set a freeze period for these updates.
- > [!NOTE]
- > Not all device manufacturers support over-the-air updates. For more information about device restriction settings, see [Corporate-owned Android Enterprise device restrictions](../../device-configuration/templates/ref-device-restrictions-android-enterprise.md).
+### FOTA update management for specific OEMs
+
+Manufacturer-specific FOTA support might offer more controls beyond what device restrictions profiles offer.
-Firmware Over-the-Air (FOTA) updates allow remotely updating the firmware of devices using a wireless connection, rather than requiring the devices to be physically connected to a computer or network.
+Intune supports FOTA update management for supported devices from the following manufacturers:
-A FOTA update can include software and security patches, feature updates, and other changes to the device's firmware. This method is more efficient, convenient, and more secure than manual updates and can be performed on a scheduled or on-demand basis.
+- **Zebra**: For Zebra devices, see [LifeGuard Over-the-Air Integration with Microsoft Intune](setup-zebra-lifeguard.md).
+- **Samsung**: For Samsung devices, see [E-FOTA Update Management with Microsoft Intune](https://techcommunity.microsoft.com/t5/intune-customer-success/samsung-e-fota-update-management-with-microsoft-endpoint-manager/ba-p/2002552).
-In the context of FOTA, a deployment is an update policy that includes instructions about the firmware update to be deployed to devices and other update-related settings. For example, Schedule type, and charging requirements.
+### Use device restrictions profiles to manage FOTA updates
-In addition, Microsoft Intune supports FOTA update management for supported devices from the following manufacturers. Manufacturer-specific FOTA support might offer more controls beyond what Device restrictions profiles offer.
+Device restrictions profiles offer control over how the device handles over-the-air updates and allow you to set a freeze period for these updates. A freeze period is a specified time frame during which over-the-air updates are blocked from being installed on the device. This can be useful for organizations that want to prevent updates from being installed during critical business periods or when devices are in use.
-- **Zebra**: For Zebra devices, see [LifeGuard Over-the-Air Integration with Microsoft Intune](setup-zebra-lifeguard.md).
-- **Samsung**: For Samsung devices, see [E-FOTA Update Management with Microsoft Endpoint Manager](https://techcommunity.microsoft.com/t5/intune-customer-success/samsung-e-fota-update-management-with-microsoft-endpoint-manager/ba-p/2002552).
+> [!NOTE]
+> Not all device manufacturers support over-the-air updates.
+
+To manage FOTA updates using device restrictions profiles:
+
+1. In the [Microsoft Intune admin center], select [**Devices**] > **Android**.
+1. Select **Manage devices** > **Configuration** > **Create** > **New policy**
+1. Under **Platform**, select **Android Enterprise**.
+1. Under **Policy type**, select **Templates**.
+1. Under **Fully Managed, Dedicated, and Corporate-Owned Work Profile**, select **Device restrictions** > **Create**.
+1. Configure the system update settings as needed. For more information about these settings, see [Device restrictions for Android Enterprise](../../device-configuration/templates/ref-device-restrictions-android-enterprise.md).
+
+
+
+[Microsoft Intune admin center]: https://go.microsoft.com/fwlink/?linkid=2109431
+[**Devices**]: https://go.microsoft.com/fwlink/?linkid=2109431#view/Microsoft_Intune_DeviceSettings/DevicesMenu/~/overview
diff --git a/intune/device-updates/android/setup-zebra-lifeguard.md b/intune/device-updates/android/setup-zebra-lifeguard.md
index bec17b499a2..cc3f37d2ce9 100644
--- a/intune/device-updates/android/setup-zebra-lifeguard.md
+++ b/intune/device-updates/android/setup-zebra-lifeguard.md
@@ -6,10 +6,8 @@ ms.topic: how-to
ms.reviewer: jieyan
ms.subservice: suite
---
-# Zebra LifeGuard Over-the-Air Integration with Microsoft Intune
-> [!IMPORTANT]
-> This feature is now generally available.
+# Zebra LifeGuard Over-the-Air Integration with Microsoft Intune
Microsoft Intune supports/provides integration with Zebra LifeGuard Over-the-Air (LG OTA), so that you can have a single area for managing firmware updates for supported Zebra devices. Zebra LifeGuard Over-the-Air (LG OTA) is a service offered by Zebra Technologies that allows deployment of updates to their Android devices in a hands-free and automated manner.
@@ -19,52 +17,89 @@ Intune manages the creation, management, and monitoring of these deployments thr
## Prerequisites
-- Managed Google Play must be configured for your tenant. For setup instructions, see [Set up Managed Google Play](../../device-enrollment/android/connect-managed-google-play.md).
-
-- Administrators must have all the required RBAC (role-based access control) permissions:
-
- - Mobile Apps (to create and deploy app configuration profiles)
- - Android FOTA (to manage firmware OTA updates)
-
-- A Microsoft Intune Plan 2 or Microsoft Intune Suite license is required. For details, see [Intune add-ons and licensing](../../fundamentals/add-ons.md).
-
-- Access to all appropriate Zebra licenses, and entitlements to use the LG OTA service. For more information, contact Zebra support or see the [Zebra LifeGuard FAQ](https://techdocs.zebra.com/lifeguard/faq/).
-- For information about services ports and endpoints used by Zebra OTA updates, refer to [Zebra Lifeguard Over the Air FOTA Updates Ports](https://supportcommunity.zebra.com/s/article/000022419?language=en_US).
-- For more information about which Zebra devices work with the service based on the platform, see [Zebra LifeGuard device requirements](https://techdocs.zebra.com/lifeguard/update/#devicerequirements).
-
-## Government cloud support
-
-Zebra LifeGuard Over-the-Air updates are supported with the following sovereign cloud environments:
-
-- U.S. Government Community Cloud (GCC) High
-- U.S. Department of Defense (DoD)
-
-For more information, see [Microsoft Intune for US Government GCC service description](../../fundamentals/government-service.md).
-
-## Supported Devices
-
-LG OTA is supported on the following devices:
-
-- [Android Enterprise dedicated devices](../../device-enrollment/android/guide.md#android-enterprise-dedicated-devices)
-- [Android Enterprise fully managed devices](../../device-enrollment/android/guide.md#android-enterprise-fully-managed)
-
-For more specific information on supported devices, see [Zebra LifeGuard device requirements](https://techdocs.zebra.com/lifeguard/update/#devicerequirements).
-
-The following aren't supported in public preview:
-
-- Graph assignment with inclusions/exclusions
-
+:::row:::
+:::column span="1":::
+[!INCLUDE [platform](../../includes/requirements/platform.md)]
+
+:::column-end:::
+:::column span="3":::
+> FOTA updates are supported on Android Enterprise devices enrolled in Intune. This includes the following enrollment types:
+> - Android Enterprise corporate-owned dedicated (COSU)
+> - Android Enterprise corporate-owned fully managed (COBO)
+>
+> For information about which Zebra devices work with the service based on the platform, see [Zebra LifeGuard device requirements](https://techdocs.zebra.com/lifeguard/update/#devicerequirements).
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [network-connectivity](../../includes/requirements/network-connectivity.md)]
+
+:::column-end:::
+:::column span="3":::
+> For information about services ports and endpoints used by Zebra OTA updates, refer to [Zebra Lifeguard Over the Air FOTA Updates Ports](https://supportcommunity.zebra.com/s/article/000022419).
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [licensing](../../includes/requirements/licensing.md)]
+
+:::column-end:::
+:::column span="3":::
+
+>You must have access to all appropriate Zebra licenses and entitlements to use the LG OTA service. For more information, contact Zebra support or see the [Zebra LifeGuard FAQ](https://techdocs.zebra.com/lifeguard/faq/).
+>
+>[!INCLUDE [additional-licensing-plan2](../../includes/licensing/additional-licensing-plan2.md)]
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [rbac](../../includes/requirements/rbac.md)]
+
+:::column-end:::
+:::column span="3":::
+>Administrators must have all the required RBAC (role-based access control) permissions:
+> - Mobile Apps (to create and deploy app configuration profiles)
+> - Android FOTA (to manage firmware OTA updates)
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [tenant-configuration](../../includes/requirements/tenant-configuration.md)]
+
+:::column-end:::
+:::column span="3":::
+> Managed Google Play must be configured for your tenant. For setup instructions, see [Set up Managed Google Play](../../device-enrollment/android/connect-managed-google-play.md).
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [cloud](../../includes/requirements/cloud.md)]
+
+:::column-end:::
+:::column span="3":::
+> Zebra LifeGuard Over-the-Air updates are supported in the following cloud environments:
+> - Public cloud
+> - Sovereign cloud environments:
+> - U.S. Government Community Cloud (GCC) High
+> - U.S. Department of Defense (DoD)
+:::column-end:::
+:::row-end:::
## Process overview
The process for using LG OTA via Intune is as follows:
1. [Set up Zebra connector](#step-1-set-up-zebra-connector).
-2. [Enroll devices with Zebra LG OTA service](#step-2-enroll-devices-with-zebra-lg-ota-service).
- 3. [Approve and deploy required apps for your tenant](#2a-approve-and-deploy-required-apps-for-your-tenant).
- 4. [Create app configuration policy](#2b-create-app-configuration-policy).
-5. [Create and assign deployments in Intune](#step-3-create-and-assign-deployments).
-6. [View and manage deployments](#step-4-view-and-manage-deployments).
+1. [Enroll devices with Zebra LG OTA service](#step-2-enroll-devices-with-zebra-lg-ota-service).
+ - [Approve and deploy required apps for your tenant](#2a-approve-and-deploy-required-apps-for-your-tenant).
+ - [Create app configuration policy](#2b-create-app-configuration-policy).
+1. [Create and assign deployments in Intune](#step-3-create-and-assign-deployments).
+1. [View and manage deployments](#step-4-view-and-manage-deployments).
## Before you start
diff --git a/intune/device-updates/apple/index.md b/intune/device-updates/apple/index.md
index b62a4d49756..726b8cba84e 100644
--- a/intune/device-updates/apple/index.md
+++ b/intune/device-updates/apple/index.md
@@ -72,9 +72,6 @@ When designing your Apple device update strategy, align with your organization's
| **Declarative Device Management** > **Software Update Enforce Latest** | **Delay in Days**
Specify the number of days that should pass before a deadline is enforced. This delay is based on either the posting date of the new update when released by Apple, or when the policy is configured. The delay only determines the target enforcement date and not the date that the update is offered to users.|
| **Declarative Device Management** > **Software Update Enforce Latest** | **Install Time**
Specify the local device time for when updates are enforced. The Install Time setting is configured using the 24-hour clock format where midnight is `00:00` and 11:59pm is `23:59`. Ensure that you include the leading 0 on single digit hours. For example, `01:00`, `02:00`, `03:00`.|
- > [!NOTE]
- > Once an update enforcement is assigned, the update may install before the deadline if the device is idle or automatic update actions are configured to Always On.
-
1. [Assign the policy](../../device-configuration/assign-device-profile.md) to a group to target users or devices.
# [**Targeted version**](#tab/manual-updates)
@@ -92,6 +89,9 @@ When designing your Apple device update strategy, align with your organization's
---
+> [!NOTE]
+> When an update enforcement is assigned, the device ignores software update settings, including automatic update actions. The update may install before the deadline if the device is idle.
+
For more information about configuring Software Update policies and the available settings, see [Software Update](../../device-configuration/settings-catalog/ref-apple-settings.md#software-update).
## Software Update Settings
diff --git a/intune/device-updates/windows/includes/prerequisites-licensing.md b/intune/device-updates/windows/includes/prerequisites-licensing.md
index dc6f91af0f5..7f94f5f3293 100644
--- a/intune/device-updates/windows/includes/prerequisites-licensing.md
+++ b/intune/device-updates/windows/includes/prerequisites-licensing.md
@@ -12,7 +12,7 @@ ms.date: 01/08/2026
:::column-end:::
:::column span="3":::
> To use this feature, the following licenses are required:
-> - [Microsoft Intune Plan 1](../../../fundamentals/licensing/index.md)
+> - [Microsoft Intune Plan 1](../../../fundamentals/licensing.md)
> - A Windows license that includes the [Autopatch entitlement](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites#licenses-and-entitlements).
:::column-end:::
:::row-end:::
diff --git a/intune/device-updates/windows/manage-update-rings.md b/intune/device-updates/windows/manage-update-rings.md
index 17bfbf47043..9936b016ea4 100644
--- a/intune/device-updates/windows/manage-update-rings.md
+++ b/intune/device-updates/windows/manage-update-rings.md
@@ -25,7 +25,7 @@ In Microsoft Intune, update rings are configured through **update ring policies*
:::column-end:::
:::column span="3":::
-> - [Microsoft Intune Plan 1](../../fundamentals/licensing/index.md)
+> - [Microsoft Intune Plan 1](../../fundamentals/licensing.md)
:::column-end:::
:::row-end:::
diff --git a/intune/docfx.json b/intune/docfx.json
index 9a25b780a2b..a710fc247e7 100644
--- a/intune/docfx.json
+++ b/intune/docfx.json
@@ -138,7 +138,6 @@
"epm/**/*": "brenduns",
"fundamentals/certificates/**/*": "paolomatarazzo",
"fundamentals/filters/**/*": "mandiohlinger",
- "fundamentals/licensing/**/*": "paolomatarazzo",
"fundamentals/role-based-access-control/**/*": "brenduns",
"privacy/**/*": "paolomatarazzo",
"remote-help/**/*": "lenewsad",
@@ -171,7 +170,6 @@
"epm/**/*": "brenduns",
"fundamentals/certificates/**/*": "paoloma",
"fundamentals/filters/**/*": "mandia",
- "fundamentals/licensing/**/*": "paoloma",
"fundamentals/role-based-access-control/**/*": "brenduns",
"privacy/**/*": "paoloma",
"remote-help/**/*": "lanewsad",
diff --git a/intune/endpoint-analytics/index.md b/intune/endpoint-analytics/index.md
index ce40554bc3b..066eaba46c8 100644
--- a/intune/endpoint-analytics/index.md
+++ b/intune/endpoint-analytics/index.md
@@ -27,40 +27,32 @@ The service integrates with Microsoft Intune, enabling IT pros to:
Endpoint analytics organizes insights into reports that highlight performance and reliability issues across managed devices. These reports help IT teams identify trends, diagnose problems, and implement improvements to enhance the overall user experience. Endpoint analytics includes the following reports:
:::row:::
- :::column:::
-#### :::image type="icon" source="../media/icons/24/report.svg" border="false"::: Startup performance
+:::column:::
+> [!div class="nextstepaction"]
+> [Startup performance report](startup-performance.md)
> Identifies devices with slow boot times and factors that delay startup.
->
-> > [!div class="nextstepaction"]
-> > [Learn more](startup-performance.md)
:::column-end:::
:::column:::
-#### :::image type="icon" source="../media/icons/24/report.svg" border="false"::: Application reliability
+> [!div class="nextstepaction"]
+> [Application reliability report](app-reliability.md)
> Monitors app crashes and stability trends to improve user experience.
->
-> > [!div class="nextstepaction"]
-> > [Learn more](app-reliability.md)
:::column-end:::
:::row-end:::
:::row:::
:::column:::
-#### :::image type="icon" source="../media/icons/24/report.svg" border="false"::: Work from anywhere
+> [!div class="nextstepaction"]
+> [Work from anywhere report](work-from-anywhere.md)
> Evaluates device readiness for secure and efficient remote work.
->
-> > [!div class="nextstepaction"]
-> > [Learn more](work-from-anywhere.md)
:::column-end:::
:::column:::
-#### :::image type="icon" source="../media/icons/24/query.svg" border="false"::: Advanced Analytics
+> [!div class="nextstepaction"]
+> [Advanced Analytics](../advanced-analytics/index.md)
> Provides deeper insights and extended reporting capabilities (**requires additional licensing**).
->
-> > [!div class="nextstepaction"]
-> > [Learn more](../advanced-analytics/index.md)
:::column-end:::
:::row-end:::
@@ -145,7 +137,7 @@ To use endpoint analytics, ensure your environment meets the following prerequis
:::column span="3":::
::: zone pivot="intune"
-> Devices enrolled in endpoint analytics need a valid license for the use of Microsoft Intune. For more information, see [Microsoft Intune licensing](../fundamentals/licensing/index.md).
+> Devices enrolled in endpoint analytics need a valid license for the use of Microsoft Intune. For more information, see [Microsoft Intune licensing](../fundamentals/licensing.md).
::: zone-end
diff --git a/intune/endpoint-analytics/toc.yml b/intune/endpoint-analytics/toc.yml
index 93b96da801c..1bbc67936a3 100644
--- a/intune/endpoint-analytics/toc.yml
+++ b/intune/endpoint-analytics/toc.yml
@@ -1,33 +1,33 @@
items:
-- name: Endpoint analytics overview
+- name: Overview
href: index.md
displayName: endpoint analytics
- name: Configure the service
href: configure.md
- displayName: endpoint analytics
+ displayName: endpoint analytics, setup, prerequisites, enable, onboard
- name: Scores, baselines, and insights
href: scores.md
- displayName: endpoint analytics
-- name: Endpoint analytics reports
+ displayName: endpoint analytics, scores, baselines, benchmarks, insights
+- name: Reports
items:
- name: Startup performance
href: startup-performance.md
- displayName: endpoint analytics report
+ displayName: endpoint analytics report, boot time, login, sign-in, slow startup
- name: Application reliability
href: app-reliability.md
- displayName: endpoint analytics report
+ displayName: endpoint analytics report, app crashes, hangs, freezes
- name: Work from anywhere
href: work-from-anywhere.md
- displayName: endpoint analytics report
-- name: Endpoint analytics in Microsoft Adoption Score
+ displayName: endpoint analytics report, remote work, cloud identity, cloud management
+- name: Adoption Score integration
href: adoption-score.md
- displayName: endpoint analytics
+ displayName: endpoint analytics, Microsoft Adoption Score, productivity score
- name: Data collection
href: ref-data-collection.md
- displayName: endpoint analytics
+ displayName: endpoint analytics, telemetry, data, privacy
- name: Troubleshooting
href: troubleshoot.md
- displayName: endpoint analytics
+ displayName: endpoint analytics, troubleshoot, errors, issues
- name: Support options
href: support.md
- displayName: endpoint analytics
+ displayName: endpoint analytics, support, contact, help
diff --git a/intune/epm/create-elevation-rules.md b/intune/epm/create-elevation-rules.md
index 00dbdd9d1a0..e9560357477 100644
--- a/intune/epm/create-elevation-rules.md
+++ b/intune/epm/create-elevation-rules.md
@@ -13,10 +13,6 @@ ms.collection:
# Creating elevation rules with Endpoint Privilege Management
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-[!INCLUDE [intune-epm-overview](./includes/intune-epm-overview.md)]
-
Elevation rules policies allow Endpoint Privilege Management (EPM) to identify specific files and scripts and perform the associated elevation action. For elevation rules to take effect, devices must have an *elevation settings policy* targeted that enables EPM. For more information, see [EPM elevation settings](./manage-elevation-settings.md).
> [!NOTE]
diff --git a/intune/epm/deploy.md b/intune/epm/deploy.md
index 0e172502e1a..03b5e1b51be 100644
--- a/intune/epm/deploy.md
+++ b/intune/epm/deploy.md
@@ -13,10 +13,6 @@ ms.collection:
# Deploy Endpoint Privilege Management with Microsoft Intune
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-[!INCLUDE [intune-epm-overview](./includes/intune-epm-overview.md)]
-
To deploy Endpoint Privilege Management (EPM), start by enabling reporting, then use reports to create rules for elevation. This article describes some common deployment scenarios and outlines the recommended deployment phases for your organization.
- [Windows elevation settings policy](./manage-elevation-settings.md).
diff --git a/intune/epm/deployment-planning.md b/intune/epm/deployment-planning.md
index 4bb5a95fa04..cae49257372 100644
--- a/intune/epm/deployment-planning.md
+++ b/intune/epm/deployment-planning.md
@@ -13,10 +13,6 @@ ms.collection:
# Plan and Prepare for Endpoint Privilege Management Deployment
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-[!INCLUDE [intune-epm-overview](./includes/intune-epm-overview.md)]
-
This article covers the information required to plan for Endpoint Privilege Management (EPM) deployment including requirements, important concepts, security recommendations, and role based access control.
## Planning Checklist
@@ -35,51 +31,78 @@ This article covers the information required to plan for Endpoint Privilege Mana
## Prerequisites
-✅ Find out what you need for EPM
-
-### Licensing
-
-Endpoint Privilege Management requires an add-on license beyond the *Microsoft Intune Plan 1* license. You can choose between a stand-alone license that adds only EPM, or license EPM as part of the Microsoft Intune Suite. For more information, see [Use Intune Suite add-on capabilities](../fundamentals/add-ons.md).
-
-### Requirements
+:::row:::
+:::column span="1":::
+[!INCLUDE [licensing](../includes/requirements/licensing.md)]
-Endpoint Privilege Management has the following requirements:
+:::column-end:::
+:::column span="3":::
-- Microsoft Entra joined *or* Microsoft Entra hybrid joined
-- Microsoft Intune Enrollment *or* Microsoft Configuration Manager [co-managed](../configmgr/comanage/overview.md) devices (no workload requirements)
-- Supported Operating System
-- Clear line of sight (without SSL-Inspection) to the [required endpoints](../fundamentals/endpoints.md#microsoft-intune-endpoint-privilege-management)
+>[!INCLUDE [additional-licensing](../includes/licensing/additional-licensing.md)]
+:::column-end:::
+:::row-end:::
+:::row:::
+:::column span="1":::
+[!INCLUDE [platform](../includes/requirements/platform.md)]
-Endpoint Privilege Management supports the following operating systems:
+:::column-end:::
+:::column span="3":::
-- Windows 11, version 24H2
-- Windows 11, version 23H2 (22631.2506 or later) with [KB5031455](https://support.microsoft.com/topic/october-31-2023-kb5031455-os-builds-22621-2506-and-22631-2506-preview-6513c5ec-c5a2-4aaf-97f5-44c13d29e0d4)
-- Windows 11, version 22H2 (22621.2215 or later) with [KB5029351](https://support.microsoft.com/topic/august-22-2023-kb5029351-os-build-22621-2215-preview-9af25662-083a-43f5-b3a7-975fe25cc692)
-- Windows 11, version 21H2 (22000.2713 or later) with [KB5034121](https://support.microsoft.com/topic/january-9-2024-kb5034121-os-build-22000-2713-f5847e32-0b71-4151-8190-54d3e36386f0)
-- Windows 10, version 22H2 (19045.3393 or later) with [KB5030211](https://support.microsoft.com/topic/september-12-2023-kb5030211-os-builds-19044-3448-and-19045-3448-c0dee353-f025-4f03-bcc1-336f74fb992c)
-- Windows 10, version 21H2 (19044.3393 or later) with [KB5030211](https://support.microsoft.com/topic/september-12-2023-kb5030211-os-builds-19044-3448-and-19045-3448-c0dee353-f025-4f03-bcc1-336f74fb992c)
-
-Endpoint Privilege Management supports the following virtual platforms:
+>Endpoint Privilege Management supports the following operating systems:
+>
+>- Windows 11, version 24H2
+>- Windows 11, version 23H2 (22631.2506 or later) with [KB5031455](https://support.microsoft.com/topic/october-31-2023-kb5031455-os-builds-22621-2506-and-22631-2506-preview-6513c5ec-c5a2-4aaf-97f5-44c13d29e0d4)
+>- Windows 11, version 22H2 (22621.2215 or later) with [KB5029351](https://support.microsoft.com/topic/august-22-2023-kb5029351-os-build-22621-2215-preview-9af25662-083a-43f5-b3a7-975fe25cc692)
+>- Windows 11, version 21H2 (22000.2713 or later) with [KB5034121](https://support.microsoft.com/topic/january-9-2024-kb5034121-os-build-22000-2713-f5847e32-0b71-4151-8190-54d3e36386f0)
+>- Windows 10, version 22H2 (19045.3393 or later) with [KB5030211](https://support.microsoft.com/topic/september-12-2023-kb5030211-os-builds-19044-3448-and-19045-3448-c0dee353-f025-4f03-bcc1-336f74fb992c)
+>- Windows 10, version 21H2 (19044.3393 or later) with [KB5030211](https://support.microsoft.com/topic/september-12-2023-kb5030211-os-builds-19044-3448-and-19045-3448-c0dee353-f025-4f03-bcc1-336f74fb992c)
+>
+>Endpoint Privilege Management supports the following virtual platforms:
+>
+>- Azure Virtual Desktop (AVD) single-session virtual machines (VMs)
+>- Windows 365
+>
+>> [!IMPORTANT]
+>> [!INCLUDE [windows-10-support](../includes/windows-10-support.md)]
+>
+>> [!IMPORTANT]
+>>
+>> - Elevation settings policies report as 'not applicable' for devices that don't run a supported operating system version.
+>> - Endpoint Privilege Management is only compatible with 64-bit Operating System Architectures, including Arm64.
-- Azure Virtual Desktop (AVD) single-session virtual machines (VMs)
-- Windows 365
+:::column-end:::
+:::row-end:::
-> [!IMPORTANT]
-> [!INCLUDE [windows-10-support](../includes/windows-10-support.md)]
+:::row:::
+:::column span="1":::
+[!INCLUDE [device-configuration](../includes/requirements/device-configuration.md)]
+:::column-end:::
+:::column span="3":::
-> [!IMPORTANT]
+>To use Endpoint Privilege Management, devices must be:
>
-> - Elevation settings policies report as 'not applicable' for devices that don't run a supported operating system version.
-> - Endpoint Privilege Management is only compatible with 64-bit Operating System Architectures, including Arm64.
-
-### Government cloud support
-
-Endpoint Privilege Management is supported with the following sovereign cloud environments:
-
-- U.S. Government Community Cloud (GCC) High
-- U.S. Department of Defense (DoD)
+>- Microsoft Entra joined *or* Microsoft Entra hybrid joined
+>- Enrolled in Intune *or* Microsoft Configuration Manager [co-managed](../configmgr/comanage/overview.md) (no workload requirements)
+>
+>Devices must also have clear line of sight (without SSL-Inspection) to the [required endpoints](../fundamentals/endpoints.md#microsoft-intune-endpoint-privilege-management) for Endpoint Privilege Management.
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [cloud](../includes/requirements/cloud.md)]
+
+:::column-end:::
+:::column span="3":::
+> Specialty device management is supported in the following cloud environments:
+> - Public cloud
+> - Sovereign cloud environments:
+> - U.S. Government Community Cloud (GCC) High
+> - U.S. Department of Defense (DoD)
+:::column-end:::
+:::row-end:::
For more information, see [Microsoft Intune for US Government GCC service description](../fundamentals/government-service.md).
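Review bot: The new cloud row opens with `> Specialty device management is supported in the following cloud environments:`, which names a different capability than the one this article covers and looks like a leftover from another page. In the Endpoint Privilege Management planning article it should read `> Endpoint Privilege Management is supported in the following cloud environments:`, matching the wording of the platform row above it. The two sovereign-cloud bullets (GCC High, DoD) should also stay visibly nested under `Sovereign cloud environments:`. The indentation is not recoverable from this view, so confirm it in the rendered page.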
diff --git a/intune/epm/frequently-asked-questions.md b/intune/epm/frequently-asked-questions.md
index da73e2f7753..2832b940ddd 100644
--- a/intune/epm/frequently-asked-questions.md
+++ b/intune/epm/frequently-asked-questions.md
@@ -13,10 +13,6 @@ ms.collection:
# Frequently asked questions for Endpoint Privilege Management
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-[!INCLUDE [intune-epm-overview](./includes/intune-epm-overview.md)]
-
The following sections of this article discuss frequently asked questions for Endpoint Privilege Management (EPM).
## Frequently asked questions
@@ -30,7 +26,7 @@ Endpoint Privilege Management is supported with the following virtual devices:
### Why is my elevation settings policy showing error/not applicable?
-The elevation settings policy controls the enablement of EPM and the configuration of the client side components. When this policy is in error or shows not applicable, it indicates the device had an issue enabling EPM. The two most common reasons are missing the [required Windows updates](./deployment-planning.md#requirements) or failure to communicate with required [Intune Endpoints for Endpoint Privilege Management](../fundamentals/endpoints.md#microsoft-intune-endpoint-privilege-management).
+The elevation settings policy controls the enablement of EPM and the configuration of the client side components. When this policy is in error or shows not applicable, it indicates the device had an issue enabling EPM. The two most common reasons are missing the [required Windows updates](./deployment-planning.md#prerequisites) or failure to communicate with required [Intune Endpoints for Endpoint Privilege Management](../fundamentals/endpoints.md#microsoft-intune-endpoint-privilege-management).
### What happens when someone with administrative privileges uses a device that is enabled for EPM?
@@ -54,7 +50,7 @@ EPM allows standard users to perform tasks that require elevated privileges with
### Do I need additional licensing for EPM?
-Yes, Endpoint Privilege Management requires specific licensing. For more information, see [Intune add-ons](../fundamentals/add-ons.md).
+Yes, Endpoint Privilege Management requires specific licensing. For more information, see [Microsoft Intune advanced capabilities](../fundamentals/advanced-capabilities.md).
### How does EPM and Windows Defender Application Control (WDAC) differ?
diff --git a/intune/epm/includes/intune-epm-overview.md b/intune/epm/includes/intune-epm-overview.md
deleted file mode 100644
index e14e91eb462..00000000000
--- a/intune/epm/includes/intune-epm-overview.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-ms.topic: include
-ms.date: 09/03/2025
----
-
-With Microsoft Intune **Endpoint Privilege Management (EPM)** your organization's users can run as a standard user (without administrator rights) and complete tasks that require elevated privileges. For more information, see [EPM Overview](../overview.md).
-
-Applies to:
-
-- Windows
diff --git a/intune/epm/manage-elevation-settings.md b/intune/epm/manage-elevation-settings.md
index 0b008c736a2..6ceb23ef90b 100644
--- a/intune/epm/manage-elevation-settings.md
+++ b/intune/epm/manage-elevation-settings.md
@@ -13,8 +13,6 @@ ms.collection:
# Managing elevation settings with Endpoint Privilege Management
-[!INCLUDE [intune-epm-overview](./includes/intune-epm-overview.md)]
-
To configure Endpoint Privilege Management (EPM) on devices, deploy *Windows elevation settings policy* to users or devices:
- Enable or disable EPM on a device.
diff --git a/intune/epm/manage-support-approvals.md b/intune/epm/manage-support-approvals.md
index f1c054b2b54..fd58cb71df4 100644
--- a/intune/epm/manage-support-approvals.md
+++ b/intune/epm/manage-support-approvals.md
@@ -15,10 +15,6 @@ ms.collection:
# Support approved file elevations for Endpoint Privilege Management
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-[!INCLUDE [intune-epm-overview](./includes/intune-epm-overview.md)]
-
This article explains how to use the **support approved** workflow with Endpoint Privilege Management.
Support approved elevations allow you to require approval before an elevation being allowed. You can use the support approved functionality as part of an elevation rule, or as default client behavior. Requests that are submitted require Intune administrators to approve the request on a case-by-case basis.
diff --git a/intune/epm/monitor-reports.md b/intune/epm/monitor-reports.md
index 486b1b9cc0d..662a8aeba02 100644
--- a/intune/epm/monitor-reports.md
+++ b/intune/epm/monitor-reports.md
@@ -13,11 +13,6 @@ ms.collection:
# Reports for Endpoint Privilege Management
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-
-[!INCLUDE [intune-epm-overview](./includes/intune-epm-overview.md)]
-
The information available in Endpoint Privilege Management (EPM) reports depends on the *reporting scope* of a device. The reporting scope for each device is configured as part of a [Windows elevation settings policy](./manage-elevation-settings.md), and different devices can have different reporting scope configurations.
EPM reports are found within the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) at **Endpoint security** > **Endpoint Privilege Management**, and available through the Overview tab and the Reports tab. The [**Overview** tab](#overview-dashboard) is a readiness dashboard for moving admin users to standard users. The [**Reports**](#available-reports) tab presents several report tiles for different aspects of EPM, which also help power the readiness dashboard. EPM report data is retained for 30 days.
diff --git a/intune/epm/overview.md b/intune/epm/overview.md
index 5ccabd74fd0..2eaf3454a46 100644
--- a/intune/epm/overview.md
+++ b/intune/epm/overview.md
@@ -14,8 +14,6 @@ ms.collection:
# Use Endpoint Privilege Management with Microsoft Intune
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
With Microsoft Intune **Endpoint Privilege Management (EPM)** your organization's users can run as a standard user (without administrator rights) and complete tasks that require elevated privileges. Tasks that commonly require administrative privileges are application installs (like Microsoft 365 Applications), updating device drivers, and running certain Windows diagnostics.
Endpoint Privilege Management supports your [Zero Trust](/security/zero-trust/zero-trust-overview) journey by helping your organization achieve a broad user base running with least privilege, while still elevating selected tasks when necessary to remain productive. For more information, see [Zero Trust with Microsoft Intune](../fundamentals/zero-trust.md).
@@ -135,7 +133,7 @@ EPM includes reports to help you prepare for, monitor, and use the service. Repo
Endpoint Privilege Management (EPM) is administered from the [Microsoft Intune Admin Center](https://intune.microsoft.com). When organizations get started with EPM, they use the following high-level process:
- **License EPM and Plan**
- - **License EPM** - Before you can use Endpoint Privilege Management policies, you must license EPM in your tenant as an Intune add-on. For licensing information, see [Use Intune Suite add-on capabilities](../fundamentals/add-ons.md).
+ - **License EPM** - Before you can use Endpoint Privilege Management policies, you must license EPM in your tenant. For licensing information, see [Microsoft Intune advanced capabilities](../fundamentals/advanced-capabilities.md).
- **Plan for EPM** - Before you start using EPM, there are some key requirements and concepts you should consider. For more information, see [Plan for EPM](./deployment-planning.md).
- **Deploy EPM** - To deploy EPM, enable auditing, create rules, and monitor the deployment. For more information, see [Deploy EPM](./deploy.md).
diff --git a/intune/epm/ref-data-collection.md b/intune/epm/ref-data-collection.md
index 87702ebe9c2..ddf32ce2118 100644
--- a/intune/epm/ref-data-collection.md
+++ b/intune/epm/ref-data-collection.md
@@ -13,10 +13,6 @@ ms.collection:
# Data collection and privacy for Endpoint Privilege Management
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-[!INCLUDE [intune-epm-overview](./includes/intune-epm-overview.md)]
-
This article provides information about the data that EPM can collect from devices.
## Overview of data collection
diff --git a/intune/epm/troubleshoot-known-issues.md b/intune/epm/troubleshoot-known-issues.md
index 4d5c038f652..4b2e9e26ebd 100644
--- a/intune/epm/troubleshoot-known-issues.md
+++ b/intune/epm/troubleshoot-known-issues.md
@@ -15,10 +15,6 @@ ms.collection:
# Known Issues for Endpoint Privilege Management
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-[!INCLUDE [intune-epm-overview](./includes/intune-epm-overview.md)]
-
This article lists known issues with Endpoint Privilege Management.
## Windows 10 devices might not immediately receive confirmation of support approvals
diff --git a/intune/epm/tutorial-admin-to-standard-user.md b/intune/epm/tutorial-admin-to-standard-user.md
index 8e1e83412e0..9ccd1a9dfd7 100644
--- a/intune/epm/tutorial-admin-to-standard-user.md
+++ b/intune/epm/tutorial-admin-to-standard-user.md
@@ -13,10 +13,6 @@ ms.collection:
# Use Endpoint Privilege Management to transition users from administrator to standard user
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-[!INCLUDE [intune-epm-overview](./includes/intune-epm-overview.md)]
-
A common scenario for customers who want to use Endpoint Privilege Management is to reduce the number of local administrators in their environment. This scenario adheres to the Zero Trust principle of least privilege. This document steps through the steps a customer could follow to use EPM to move users from administrators to standard users with minimal disruption.
## Phase 1: Auditing
diff --git a/intune/fundamentals/account-sign-up.md b/intune/fundamentals/account-sign-up.md
index 47b65412f9c..f6c358ec9ea 100644
--- a/intune/fundamentals/account-sign-up.md
+++ b/intune/fundamentals/account-sign-up.md
@@ -53,6 +53,10 @@ After you sign up for a new subscription, you receive an email message that cont
After completing the sign-up process, you're directed to the Microsoft 365 admin center to add users and assign them licenses. If you only have cloud-based accounts using your default *onmicrosoft.com* domain name, then you can go ahead and add users and assign licenses at this point. However, if you plan to use your organization's [custom domain name](configure-custom-domain.md) or [synchronize user account information](tenant-administration/add-users.md#sync-active-directory-and-add-users-to-intune) from on-premises Active Directory, then you can close that browser window.
+### Microsoft Intune Onboarding benefit
+
+Microsoft offers an Intune Onboarding benefit for eligible services. The benefit lets you work remotely with Microsoft specialists to prepare your Intune environment for use. For more information, see [Microsoft Intune Onboarding Benefit Description](/microsoft-365/fasttrack/introduction).
+
## Sign in to Microsoft Intune
After signing up for Intune, use any device with a [supported browser](./ref-supported-platforms.md#intune-supported-web-browsers) to sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) to administer the service. Administration of Intune requires your account to have sufficient RBAC permissions within Intune for the tasks you want to manage. Initially, you might use an account that is assigned the Microsoft Entra ID built-in role of [Intune Administrator](/entra/identity/role-based-access-control/permissions-reference#intune-administrator).
@@ -73,6 +77,18 @@ Microsoft 365 Business: `https://portal.microsoft.com/adminportal`
Microsoft 365 Mobile Device Management: `https://admin.microsoft.com/adminportal/home#/MifoDevices`
+## Buy Microsoft Intune
+
+You can purchase Microsoft Intune Plan 1, Plan 2, Suite, and standalone capability licenses through any of the following:
+
+- A Microsoft partner or reseller
+- Microsoft Volume License Servicing Center (VLSC)
+- Web direct purchase in the [Microsoft 365 admin center](https://admin.microsoft.com)
+
+After purchase, the licenses appear in your tenant and the corresponding capability status updates to **Active**. Each capability has its own license-count requirements based on the users you target.
+
+For information on assigning licenses, see [Assign Microsoft Intune licenses](assign-licenses.md).
+
## Related content
- [Configure domains](./configure-custom-domain.md)
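Review bot: In the new "Buy Microsoft Intune" list, the bullet `- Microsoft Volume License Servicing Center (VLSC)` misnames the portal; it should read `- Microsoft Volume Licensing Service Center (VLSC)`. The section also does not say which role can complete a web direct purchase, whereas the add-ons article deleted in this commit named Global and Billing administrators. Unless that guidance now lives in an article not visible here, add a sentence such as `To purchase licenses, sign in as a Billing administrator (or Global administrator).` so that readers pick the narrower role.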
diff --git a/intune/fundamentals/add-ons.md b/intune/fundamentals/add-ons.md
deleted file mode 100644
index 5ba6ef0e0b7..00000000000
--- a/intune/fundamentals/add-ons.md
+++ /dev/null
@@ -1,159 +0,0 @@
----
-title: Use Intune Suite add-on capabilities
-description: Microsoft Intune Suite unifies a series of mission-critical advanced endpoint management and security capabilities. The capabilities of the suite are integrated with Microsoft 365 and Microsoft Security across endpoint platforms for both cloud and on-premises co-managed devices.
-author: MandiOhlinger
-ms.author: mandia
-ms.date: 03/05/2026
-ms.topic: how-to
-ms.reviewer: aanavath
-ms.subservice: suite
-ms.collection:
-- M365-identity-device-management
----
-
-# Use Microsoft Intune Suite add-on capabilities
-
-Microsoft Intune Suite provides mission-critical advanced endpoint management and security capabilities into Microsoft Intune. You can find add-ons to Intune in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) under **Tenant administration** > **Intune add-ons**. The **Summary** blade shows all available Intune add-ons, a short description, and the status of the add-on. Each add-on shows a status of either **Active** or **Available for trial or purchase**.
-
-Licenses for the Intune add-ons can be added for an additional cost to the licensing options that include Microsoft Intune or Microsoft Configuration Manager. For more information, see [Licenses available for Microsoft Intune](./licensing/index.md).
-
-> [!NOTE]
-> Intune add-ons are currently not supported in Sovereign clouds.
-
-## Available add-ons
-
-Some capabilities are available to buy as a standalone add-on. Other capabilities are only available with Intune Plan 2 or the Intune Suite.
-
-The following table provides a list of add-on capabilities and associated Intune Plans. For information about Microsoft Intune Plans and pricing, see [Intune Plans and pricing](https://aka.ms/IntuneSuitePricing).
-
-| Capability | Standalone add-on | Intune Plan 2 | Intune Suite |
-|:-|:-:|:-:|:-:|
-| [Endpoint Privilege Management](../epm/overview.md) | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: | | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: |
-| [Enterprise App Management](../app-management/deployment/enterprise-app-management.md) | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: | | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: |
-| [Advanced Analytics](../advanced-analytics/index.md) | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: | | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: |
-| [Remote Help](../remote-help/index.md) | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: | | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: |
-| [Microsoft Tunnel for Mobile Application Management](../device-security/microsoft-tunnel/mam.md) | | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: |
-| [Microsoft Cloud PKI](../cloud-pki/index.md) | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: | | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: |
-| [Firmware-over-the-air update](../device-updates/android/setup-zebra-lifeguard.md) | | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: |
-| [Specialized devices management](../device-management/specialty-devices.md) | | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: | :::image type="icon" source="../media/icons/16/check.svg" border="false"::: |
-
-> [!TIP]
-> For a customized experience based on your environment, you can access the [Intune Suite add-ons guide](https://go.microsoft.com/fwlink/?linkid=2314706) in the Microsoft 365 admin center.
-
-### Microsoft Intune Endpoint Privilege Management
-
-Endpoint Privilege Management supports your zero-trust journey by helping your organization achieve a broad user base running with least privilege, while allowing users to still run tasks allowed by your organization to remain productive.
-
-For more information, see [Endpoint Privilege Management](../epm/overview.md).
-
-### Microsoft Intune Enterprise App Management
-
-Enterprise App Management is an Intune Suite add-on that is available for trial and purchase. Enterprise Application Management provides an Enterprise App Catalog of Win32 applications that are easily accessible in Intune. You can add these applications to your tenant by selecting them from the Enterprise App Catalog. When you add an Enterprise App Catalog app to your Intune tenant, default installation, requirements, and detection settings are automatically provided. You can modify these settings as well. In addition, Intune hosts Enterprise App Catalog apps in Microsoft storage. For more information, see [Microsoft Intune Enterprise Application Management](../app-management/deployment/enterprise-app-management.md).
-
-### Microsoft Intune Advanced Analytics
-
-Microsoft Intune Advanced Analytics is set of analytics-driven capabilities that help IT admins understand, anticipate, and improve the end-user experience.
-
-For more information, see [Intune Advanced Analytics](../advanced-analytics/index.md).
-
-### Microsoft Intune Remote Help
-
-Remote Help is a cloud-based solution for secure help desk connections with role-based access controls. For more information, see [Remote Help](../remote-help/index.md).
-
-### Microsoft Tunnel for Mobile Application Management
-
-When you use the Microsoft Tunnel VPN Gateway, you can extend Tunnel support by adding Tunnel for Mobile Application Management (MAM). Tunnel MAM extends the Microsoft Tunnel VPN gateway to support devices that run Android or iOS, and that aren't enrolled with Microsoft Intune.
-
-For more information, see [Microsoft Tunnel for Mobile Application Management](../device-security/microsoft-tunnel/mam.md).
-
-### Microsoft Cloud PKI
-
-Microsoft Cloud PKI is a cloud-based service that simplifies and automates certificate lifecycle management for Intune-managed devices. It provides a dedicated public key infrastructure (PKI) for your organization and handles the certificate issuance, renewal, and revocation for all Intune-supported platforms.
-
-For more information, see [Overview of Microsoft Cloud PKI](../cloud-pki/index.md).
-
-### Mobile Firmware-over-the-air update
-
-Firmware over-the-air (FOTA) update allows you to remotely update the firmware of supported devices wirelessly with more control.
-
-For more information, see [Zebra LifeGuard Over-the-Air Integration with Microsoft Intune](../device-updates/android/setup-zebra-lifeguard.md)
-
-### Managing specialty devices with Microsoft Intune
-
-Specialized devices management is a set of device management, configuration, and protection capabilities for special, purpose-built devices such as AR/VR headsets, large smart-screen devices, and conference room meeting devices.
-
-For more information, see [Managing specialized devices with Microsoft Intune](../device-management/specialty-devices.md).
-
-## Using the Intune add-ons page
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) as a Global or Billing administrator.
-
-2. Navigate to **Tenant administration** > **Intune add-ons**.
-
-3. The **Your add-ons** tab shows a list of all Intune add-ons in trial or purchased for a billing account in your organization.
-
-4. The **All add-ons** tab shows you a list of all Intune add-ons that are available for trial or purchase. For more information on how to Try or buy Intune add-ons, see [Try or buy Intune add-ons](#try-or-buy-intune-add-ons).
-
-5. The **Capabilities** tab provides details about each of the Intune add-on capabilities that are available for trial or purchase. For more information, select **Learn more**.
-
-> [!NOTE]
-> If you are not a global or billing admin, the **your add-ons** tab is not visible. However, the **Capabilities** tab allows you to see what you are eligible to use.
-
-## Try or buy Intune add-ons
-
-Global and Billing administrators can choose to start free trials or purchase licenses for Intune add-ons through the [Microsoft 365 admin center](https://admin.microsoft.com). Administrators who aren't Global or Billing administrators can still see the status of their tenant's Intune add-ons trial or active licenses in the centralized Intune add-on page in the Intune admin center. However, they can't start a free trial or purchase licenses.
-
-Starting a free trial gives you a 90-day period to use the Intune add-on capability without any charge. Trials can be up to 250 users per tenant. At the end of the trial period, there's a 30-day grace period. After this point, you'll be unable to use the Intune add-on capability in Microsoft Intune for users within your tenant unless you've purchased the appropriate licenses. There's a one-time limit to start a trial for each tenant.
-
-Purchasing licenses lets you use the Intune add-on capability in your tenant for the duration in which the licenses are active on your tenant based on the option selected during the Billing process.
-
-Intune add-on capabilities are disabled in [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) unless you are in the free trial period or have purchased licenses.
-
-### How to start a trial through the Microsoft 365 admin center
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) as a Global or Billing administrator.
-
-2. Navigate to **Tenant administration** > **Intune add-ons**.
-
-3. Select **All add-ons** tab. The list of Intune add-ons that are available for trial or purchase is displayed. Identify the Intune add-ons that you require. The list of add-ons includes a short description, the subscription status of the add-on, and a link to view details.
-
- - **Subscription status** - Each add-on shows a status of either *Active* or *Available for trial or purchase*. For add-ons that say *Available for trial or purchase* in the **Subscription status** column, you can start the free trial or purchase licenses.
-
- - **Try or Buy** - Select **View details** in the **Try or Buy** column to know more about what's included and the trial and purchase information.
-
- - Select **To try or buy, go to Purchase services** link to navigate to the Microsoft 365 admin center. A new tab opens on the **Product details** page for the selected Intune add-on.
-
-4. In the Microsoft 365 Admin Center, follow the prompts to **Start free trial** and confirm your order.
-
-5. Navigate to **Tenant administration** > **Intune add-ons** and see that the Intune add-on capability you added is now **Active**.
-
-### How to purchase Intune add-ons
-
-Licenses for Intune add-ons can be purchased just as you would purchase Intune Plan 1 licenses through the following ways:
-
-- Web direct purchase in the Microsoft 365 Admin Center
-- Microsoft Volume License Servicing Center (VLSC)
-- Existing relationships with Microsoft partners/resellers
-
-After you buy licenses via any source, the licenses are available in your tenant and the status of the Intune add-ons capability will update accordingly.
-
-## How to assign licenses
-
-For information on how to assign licenses in the Microsoft Intune admin center, see [Assign Microsoft Intune licenses](./licensing/assign-licenses.md).
-
-## Monitor license use
-
-Each of the Intune add-ons have their own requirements for how many licenses need to be purchased.
-
-## Next steps
-
-Learn more about:
-
-- [Remote Help](../remote-help/index.md)
-- [Microsoft Tunnel for Mobile Application Management](../device-security/microsoft-tunnel/mam.md)
-- [Managing Mobile Firmware-over-the-air updates with Microsoft Intune](../device-updates/android/setup-zebra-lifeguard.md)
-- [Intune Advanced Analytics](../advanced-analytics/index.md)
-- [Endpoint Privilege Management](../epm/overview.md).
-- [Microsoft Tunnel for Mobile Application Management](../device-security/microsoft-tunnel/mam.md)
-- [Remote Help](../remote-help/index.md)
-- [Managing specialized devices with Microsoft Intune](../device-management/specialty-devices.md)
diff --git a/intune/fundamentals/advanced-capabilities.md b/intune/fundamentals/advanced-capabilities.md
new file mode 100644
index 00000000000..60a1ba641c1
--- /dev/null
+++ b/intune/fundamentals/advanced-capabilities.md
@@ -0,0 +1,118 @@
+---
+title: Microsoft Intune advanced capabilities
+description: Microsoft Intune advanced capabilities deliver advanced endpoint management and security. Learn what they are, which licenses include them, and how to get them.
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/20/2026
+ms.topic: overview
+ms.reviewer: aanavath
+ms.subservice: suite
+ms.collection: M365-identity-device-management
+---
+
+# Microsoft Intune advanced capabilities
+
+Intune includes capabilities that extend endpoint management and security across Microsoft 365 and Microsoft Security. This article describes each capability, shows which licenses include them, and explains how to try them.
+
+## Capabilities
+
+Intune offers the following advanced capabilities:
+
+:::row:::
+ :::column:::
+> [!div class="nextstepaction"]
+> [Firmware Over-the-Air updates](../device-updates/android/manage-fota.md)
+
+> Remotely deliver firmware updates to Android devices over the air, without user action.
+
+ :::column-end:::
+ :::column:::
+> [!div class="nextstepaction"]
+> [Specialty device management](../device-management/specialty-devices.md)
+
+> Manage AR/VR headsets, large smart-screen devices, and conference room meeting devices.
+
+ :::column-end:::
+:::row-end:::
+
+:::row:::
+ :::column:::
+
+> [!div class="nextstepaction"]
+> [Microsoft Tunnel for MAM](../device-security/microsoft-tunnel/mam.md)
+
+> Extend the Microsoft Tunnel VPN to Android and iOS devices that aren't enrolled in Intune.
+ :::column-end:::
+ :::column:::
+> [!div class="nextstepaction"]
+> [Advanced Analytics](../advanced-analytics/index.md)
+
+> Get analytics-driven insights to understand and improve the user experience across your endpoints.
+ :::column-end:::
+:::row-end:::
+
+:::row:::
+ :::column:::
+> [!div class="nextstepaction"]
+> [Remote Help](../remote-help/index.md)
+
+> Securely connect to user devices for cloud-based help-desk support with role-based access controls.
+ :::column-end:::
+ :::column:::
+> [!div class="nextstepaction"]
+> [Microsoft Cloud PKI](../cloud-pki/index.md)
+
+> Use a managed certificate authority for issuance, renewal, and revocation across Intune platforms.
+ :::column-end:::
+:::row-end:::
+
+:::row:::
+ :::column:::
+> [!div class="nextstepaction"]
+> [Endpoint Privilege Management](../epm/overview.md)
+
+> Run users with least privilege while still allowing approved tasks that require elevation.
+ :::column-end:::
+ :::column:::
+> [!div class="nextstepaction"]
+> [Enterprise Application Management](../app-management/deployment/enterprise-app-management.md)
+
+> Deploy curated Win32 apps from a Microsoft-hosted Enterprise App Catalog with built-in install settings.
+ :::column-end:::
+:::row-end:::
+
+## Intune plans and advanced capabilities
+
+Advanced capabilities are available through Microsoft Intune Plan 2, the Microsoft Intune Suite, and select Microsoft 365 bundles. For what's included in each plan, current pricing, and how to buy, see [Microsoft Intune plans and pricing](https://www.microsoft.com/security/business/microsoft-intune-pricing).
+
+For licensing concepts and admin-access requirements, see [Microsoft Intune licensing](licensing.md).
+
+## Trial subscriptions for advanced capabilities
+
+A free trial of an advanced capability lasts 90 days, with up to 250 users per tenant. Each tenant can start a trial of any given capability once. After the trial ends, you have a 30-day grace period before the capability becomes unavailable in the admin center.
+
+> [!NOTE]
+> If your organization has Microsoft 365 E3, E5, E7, or Microsoft Intune Suite, you already have access to the included capabilities and don't need a trial. Start a trial only for capabilities not included in your current licenses.
+
+To start a capability trial:
+
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) as a Global or Billing administrator.
+1. Select **Tenant administration** > **Intune add-ons**.
+1. Select the **All add-ons** tab and find the capability you want.
+1. Select **View details** in the **Try or Buy** column, then select **To try or buy, go to Microsoft 365 admin center**.
+1. In the Microsoft 365 admin center, complete the **Start free trial** flow.
+1. Return to **Tenant administration** > **Intune add-ons**. The capability now shows **Active**.
+
+> [!NOTE]
+> If you're not a Global or Billing admin, the **Your add-ons** tab isn't visible. The **Capabilities** tab still shows what your tenant is eligible for.
+
+To try Microsoft Intune itself (rather than an advanced capability), see [Sign Up for Microsoft Intune Free Trial Setup Guide](free-trial-sign-up.md).
+
+## Related content
+
+- [Microsoft Intune licensing](licensing.md)
+- [What is Microsoft Intune?](what-is-intune.md)
+- [Microsoft Intune architecture](architecture.md)
+- [Sign up or sign in to Microsoft Intune](account-sign-up.md)
+- [Sign Up for Microsoft Intune Free Trial Setup Guide](free-trial-sign-up.md)
+- [Assign Microsoft Intune licenses](assign-licenses.md)
diff --git a/intune/fundamentals/architecture.md b/intune/fundamentals/architecture.md
index 49310089348..3508a18520c 100644
--- a/intune/fundamentals/architecture.md
+++ b/intune/fundamentals/architecture.md
@@ -1,19 +1,182 @@
---
-title: High-Level Architecture for Microsoft Intune
-description: This reference architecture shows options for integrating Microsoft Intune in your Azure environment with Microsoft Entra ID.
-author: nicholasswhite
-ms.author: nwhite
-ms.date: 02/25/2025
-ms.topic: article
+title: Microsoft Intune architecture
+description: Reference architecture for a Microsoft Intune deployment, including cloud and on-premises components and Microsoft and third-party integrations.
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/12/2026
+ms.topic: concept-article
ms.reviewer: davidra
-#ms.custom:
ms.collection:
- M365-identity-device-management
- triage
---
-# High-Level Architecture for Microsoft Intune
-This reference architecture shows options for integrating Microsoft Intune in your Azure environment with Microsoft Entra ID.
-:::image type="content" source="./media/architecture/intunearchitecture_wh.png" alt-text="High-level architectural diagram for Microsoft Intune" lightbox="./media/architecture/intunearchitecture_wh.png":::
+# Microsoft Intune architecture
-
+This article describes the architecture of a Microsoft Intune deployment: the cloud and on-premises components and the Microsoft and third-party products Intune integrates with.
+
+For an introduction to what Intune does, see [What is Microsoft Intune?](what-is-intune.md). For a conceptual walkthrough of how Intune manages identities, devices, and apps, see [Microsoft Intune core concepts](core-concepts.md).
+
+:::image type="content" source="./media/architecture/intune-reference-architecture.png" alt-text="Diagram that shows Microsoft Intune in a reference architecture with Microsoft Entra, Microsoft 365, Configuration Manager, on-premises connectors, and managed endpoints." lightbox="./media/architecture/intune-reference-architecture.png" border="false":::
+
+The diagram organizes a typical Intune deployment into seven tiers:
+
+1. **Cloud control plane**: Microsoft-hosted Intune services.
+1. **Managed endpoints**: devices that Intune manages.
+1. **Endpoint family services**: Microsoft products whose primary purpose is endpoint management.
+1. **Connectors and extensions**: cloud-based external services Intune integrates with.
+1. **Peer integrations**: other Microsoft products that integrate with Intune.
+1. **Partner ecosystem**: third-party products and services that integrate with Intune.
+1. **On-premises services**: customer-operated infrastructure that integrates with the Intune cloud.
+
+Each tier is described in the following sections.
+
+## Cloud control plane
+
+:::row:::
+ :::column:::
+ The cloud control plane is the set of Microsoft-hosted services that constitute the Intune tenant. They store configurations, deliver policy, expose programmatic interfaces, and surface the admin and user experiences.
+ :::column-end:::
+ :::column:::
+ :::image type="content" source="media/architecture/cloud-control-plane.png" alt-text="Diagram of the cloud control plane." border="false" lightbox="media/architecture/cloud-control-plane-on.png":::
+ :::column-end:::
+:::row-end:::
+
+| Component | Role |
+|---|---|
+| **Microsoft Intune service** | The cloud control plane that stores configurations and orchestrates policy delivery. |
+| **[Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)** | Web console for administrators. |
+| **[Microsoft Graph API](/graph/intune-concept-overview)** | Public programming interface. Every admin center action is backed by a Graph API call. |
+| **[Microsoft Intune Company Portal app and website](../app-management/configuration/configure-company-portal.md)** | User-facing surface that enrolls devices, surfaces required apps, and shows compliance status. |
+
+## Managed endpoints
+
+:::row:::
+ :::column:::
+ Intune supports the following platforms: Android, iOS, iPadOS, Linux, macOS, tvOS, visionOS, and Windows. Specialty scenarios include kiosks, frontline devices, and rugged hardware managed through platform-specific enrollment paths.
+ :::column-end:::
+ :::column:::
+ :::image type="content" source="media/architecture/managed-endpoints.png" alt-text="Diagram of managed endpoints as they relate to the cloud control plane." border="false" lightbox="media/architecture/managed-endpoints-on.png":::
+ :::column-end:::
+:::row-end:::
+
+Devices come under management through several modes:
+
+- **Mobile device management (MDM)**: typical for organization-owned devices; Intune manages the entire device.
+- **Mobile application management (MAM)**: typical for personal (BYOD) devices; Intune manages only work apps and data.
+- **Automated enrollment** for organization-owned hardware: Windows Autopilot, Apple Automated Device Enrollment, and Android Enterprise.
+
+For the full supported-OS matrix, see [Supported operating systems and browsers for Intune](ref-supported-platforms.md).
+
+## Endpoint family services
+
+:::row:::
+ :::column:::
+ Endpoint family services are Microsoft products whose primary purpose is endpoint management. Each specializes in a specific aspect of the endpoint lifecycle.
+ :::column-end:::
+ :::column:::
+ :::image type="content" source="media/architecture/endpoint-family-services.png" alt-text="Diagram of endpoint family services as they relate to the cloud control plane." border="false" lightbox="media/architecture/endpoint-family-services-on.png":::
+ :::column-end:::
+:::row-end:::
+
+
+
+| Service | What it does | When to use |
+|---|---|---|
+| **[Windows Autopilot](/autopilot/overview)** | Cloud-based provisioning for new and existing Windows devices, with options for user-driven, self-deploying (zero-touch), pre-provisioning, and reset | Shipping devices directly from OEM to end users, or repurposing existing devices at scale |
+| **[Windows 365](/windows-365/enterprise/overview)** | Cloud-hosted Windows desktops (Cloud PCs) | Remote workers, BYOD, contractors, regulated workloads |
+| **[Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview)** | Managed update service for Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, Microsoft Teams, and device drivers and firmware | Reducing manual update administration |
+| **[Endpoint analytics](../endpoint-analytics/index.md)** | Telemetry and recommendations on device health and performance | Identifying performance issues and reducing help-desk volume |
+
+## Connectors and extensions
+
+:::row:::
+ :::column:::
+ Connectors and extensions are cloud-based external services that Intune integrates with. They have no on-premises footprint. Intune communicates with them over the internet.
+ :::column-end:::
+ :::column:::
+ :::image type="content" source="media/architecture/connectors-and-extensions.png" alt-text="Diagram of connectors and extensions as they relate to the cloud control plane." border="false" lightbox="media/architecture/connectors-and-extensions-on.png":::
+ :::column-end:::
+:::row-end:::
+
+| Connector | Role |
+|---|---|
+| **[Microsoft Cloud PKI](../cloud-pki/index.md)** | Cloud-hosted PKI that issues, renews, and revokes SCEP certificates for Intune-managed devices without requiring on-premises AD CS, NDES, or the certificate connector. Supports a fully cloud-hosted hierarchy or anchoring to your existing private root (BYOCA). |
+| **[Apple Business / VPP](../app-management/deployment/manage-vpp-apple.md)** | Token-based integration for Apple app delivery. |
+| **[Apple Push Notification service (APNs)](../device-enrollment/apple/create-mdm-push-certificate.md)** | Required for Apple device management. |
+| **[Managed Google Play](../app-management/deployment/add-managed-google-play.md)** | Android Enterprise app catalog. |
+| **[Microsoft Store](../app-management/deployment/add-microsoft-store.md)** | Built-in catalog for Windows apps. |
+
+## Peer integrations
+
+:::row:::
+ :::column:::
+ Peer integrations are Microsoft products that work alongside Intune. They have their own primary purpose; integration with Intune is one of many uses.
+ :::column-end:::
+ :::column:::
+ :::image type="content" source="media/architecture/peer-integrations.png" alt-text="Diagram of peer integrations as they relate to the cloud control plane." border="false" lightbox="media/architecture/peer-integrations-on.png":::
+ :::column-end:::
+:::row-end:::
+
+| Product | Role |
+|---|---|
+| **[Microsoft 365 apps](../app-management/deployment/add-microsoft-365-windows.md)** | Deployed to managed endpoints via Intune. |
+| **[Endpoint security in Microsoft Defender](../device-security/microsoft-defender/configure-integration.md)** | Feeds real-time device risk signals into Intune compliance evaluation and Conditional Access decisions. Also serves as a mobile threat defense (MTD) source for iOS, iPadOS and Android. |
+| **[Copilot in Intune](../copilot/index.md)** | Microsoft Security Copilot capabilities surfaced inside the Microsoft Intune admin center. |
+| **[Microsoft Purview](/purview/device-onboarding-mdm)** | Sensitivity labels and endpoint data loss prevention (DLP) policies that apply to data on Intune-managed devices. |
+
+## Partner ecosystem
+
+:::row:::
+ :::column:::
+ The partner ecosystem includes third-party products and services that integrate with Intune through documented APIs, connectors, or configuration patterns.
+ :::column-end:::
+ :::column:::
+ :::image type="content" source="media/architecture/partner-ecosystem.png" alt-text="Diagram of the partner ecosystem as it relates to the cloud control plane." border="false" lightbox="media/architecture/partner-ecosystem-on.png":::
+ :::column-end:::
+:::row-end:::
+
+| Category | Description and examples |
+|---|---|
+| **[Mobile threat defense (MTD) partners](../device-security/mobile-threat-defense/overview.md)** | Third-party services that feed device risk signals into Intune. Examples: Lookout, Zimperium, Check Point. Endpoint security in Microsoft Defender is also an MTD source: see [Peer integrations](#peer-integrations). |
+| **[Device compliance partners](../device-security/compliance/third-party-partners.md)** | Non-Intune MDMs that become the MDM authority for assigned user groups and report device compliance state into Microsoft Entra ID for Intune Conditional Access. Supported on Android, iOS, iPadOS, and macOS. Examples: Jamf Pro, Ivanti EPMM, BlackBerry UEM, Omnissa Workspace ONE, Kandji, SOTI MobiControl. |
+| **IT service management (ITSM) partners** | Incident and asset integration. Examples: [ServiceNow](../device-management/tools/setup-servicenow.md), Jira. |
+| **Remote support partners** | Remote control and assistance. Example: [TeamViewer](../device-management/tools/setup-teamviewer.md). |
+| **Device vendor portals** | Vendor-specific management for specialty hardware. Examples: [Surface Management Portal](/surface/surface-management-portal), Lenovo, Intel vPro. |
+| **Network access control (NAC) partners** | Network-tier access enforcement. Examples: Cisco ISE, Aruba ClearPass. |
+
+## On-premises services
+
+:::row:::
+ :::column:::
+ On-premises services are customer-operated infrastructure that runs on your network and integrates with the Intune cloud control plane.
+ :::column-end:::
+ :::column:::
+ :::image type="content" source="media/architecture/on-premises-services.png" alt-text="Diagram of on-premises services as they relate to the cloud control plane." border="false" lightbox="media/architecture/on-premises-services-on.png":::
+ :::column-end:::
+:::row-end:::
+
+| Component | Role |
+|---|---|
+| **[Microsoft Tunnel Gateway](../device-security/microsoft-tunnel/overview.md)** | VPN gateway for iOS, iPadOS and Android Enterprise devices and apps. Runs in a container on Linux. |
+| **[Certificate Connector for Microsoft Intune](certificates/connector/overview.md)** | Bridges Intune to your on-premises certificate services to issue SCEP and PKCS certificates, import PFX certificates for S/MIME, and revoke certificates. |
+| **[Microsoft Configuration Manager](../configmgr/core/understand/introduction.md)** | On-premises peer to Intune for Windows clients and servers. Integrates with Intune through co-management and tenant attach. See [Co-management and tenant attach](#co-management-and-tenant-attach). |
+
+### Co-management and tenant attach
+
+Microsoft Configuration Manager is the on-premises peer to Intune for Windows clients and servers. It manages desktops, Windows servers, and laptops on your network or connected over the internet via cloud management gateway. Configuration Manager and Intune integrate through:
+
+- **[Co-management](../configmgr/comanage/overview.md)**: lets Configuration Manager and Intune both manage Windows clients. You move workloads to the cloud at your own pace.
+- **[Tenant attach](../configmgr/tenant-attach/prerequisites.md)**: brings Configuration Manager-managed devices into the Intune admin center for visibility, remote actions, cloud-based reporting, endpoint security policy authoring (Antivirus, ASR), CMPivot, PowerShell scripts, application installs, and a unified device timeline.
+
+By using co-management and tenant attach, organizations that already run Configuration Manager can add Intune capabilities without rebuilding their environment.
+
+## Related content
+
+- [What is Microsoft Intune?](what-is-intune.md)
+- [Microsoft Intune core concepts](core-concepts.md)
+- [Network endpoints for Microsoft Intune](endpoints.md)
+- [Common ways to deploy Microsoft Intune](deploy-setup-step-1.md)
+- [Cloud-native endpoints](../solutions/cloud-native-endpoints/overview.md)
+- [Microsoft Intune advanced capabilities](advanced-capabilities.md)
+- [Passwordless authentication with Microsoft Intune](../solutions/passwordless.md)
\ No newline at end of file
diff --git a/intune/fundamentals/licensing/assign-licenses.md b/intune/fundamentals/assign-licenses.md
similarity index 96%
rename from intune/fundamentals/licensing/assign-licenses.md
rename to intune/fundamentals/assign-licenses.md
index e4f60df65ed..b39a18cf888 100644
--- a/intune/fundamentals/licensing/assign-licenses.md
+++ b/intune/fundamentals/assign-licenses.md
@@ -2,15 +2,17 @@
title: Assign Microsoft Intune licenses
description: Assign licenses to users so they can enroll in Intune
+author: paolomatarazzo
+ms.author: paoloma
ms.date: 01/24/2025
ms.topic: how-to
ms.collection:
- M365-identity-device-management
---
-# Assign licenses to users so they can enroll devices in Intune
+# Assign licenses to users
-Whether you manually add users or synchronize from your on-premises Active Directory, you must first assign each user license before users can enroll their devices in Intune. For a list of licenses, see [Microsoft Intune licensing](index.md).
+Whether you manually add users or synchronize from your on-premises Active Directory, you must first assign each user license before users can enroll their devices in Intune. For a list of licenses, see [Microsoft Intune licensing](licensing.md).
> [!NOTE]
> Users assigned Intune app protection policy and not enrolling their devices into Microsoft Intune will also require an Intune license to receive the policy.
@@ -21,7 +23,7 @@ You can use the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?
1. In the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?LinkId=698854), select **Users** > **Active users** > *choose an unlicensed user* > **Licenses and apps**.
-2. Choose the box for **Intune** > **Save changes**. If you want to use the Enterprise Mobility + Security E5 or other license, choose that box instead. For more information about Microsoft Intune licenses, see [Microsoft Intune licensing](index.md).
+2. Choose the box for **Intune** > **Save changes**. If you want to use the Enterprise Mobility + Security E5 or other license, choose that box instead. For more information about Microsoft Intune licenses, see [Microsoft Intune licensing](licensing.md).
The user account now has the permissions needed to use the service and enroll devices into Intune management.
@@ -102,7 +104,7 @@ To view the number of free and used licenses on a Microsoft Intune subscription,
A list of the **Account ID**, the **Active Units**, and the **Consumed Units** will appear. Note that this will also display any Microsoft Office 365 licenses on the subscription.
> [!NOTE]
-> To confirm your Microsoft Entra ID P1 or P2 and Microsoft Intune using Microsoft Intune admin center, see [Confirm your licenses](index.md#confirm-your-licenses).
+> To confirm your Microsoft Entra ID P1 or P2 and Microsoft Intune using Microsoft Intune admin center, see [Confirm your licenses](licensing.md#confirm-your-licenses).
## Use PowerShell to selectively manage EMS user licenses
@@ -156,6 +158,6 @@ Verify with:
## Related content
-- [Assign Microsoft Intune roles to groups of users for role-based access control](../role-based-access-control/assign-role.md)
-- [Set the MDM authority](../../fundamentals/setup-mdm-authority.md)
+- [Assign Microsoft Intune roles to groups of users for role-based access control](./role-based-access-control/assign-role.md)
+- [Set the MDM authority](./setup-mdm-authority.md)
diff --git a/intune/fundamentals/core-concepts.md b/intune/fundamentals/core-concepts.md
new file mode 100644
index 00000000000..121dc0aa323
--- /dev/null
+++ b/intune/fundamentals/core-concepts.md
@@ -0,0 +1,144 @@
+---
+title: Microsoft Intune core concepts
+description: Learn how Microsoft Intune works across identities, devices, and apps, and how the three pillars come together to drive access decisions.
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/14/2026
+ms.topic: concept-article
+ms.collection:
+- M365-identity-device-management
+---
+
+# Microsoft Intune core concepts
+
+Microsoft Intune is built around three pillars: the **identities** that sign in, the **devices** they sign in from, and the **apps** they use to get work done. Intune orchestrates these pillars on top of Microsoft Entra ID and feeds device and app posture back to Microsoft Entra Conditional Access, which gates access to corporate resources.
+
+For an introduction to what Intune does and why, see [What is Microsoft Intune?](what-is-intune.md). For the components, integrations, and deployment view, see [Microsoft Intune architecture](architecture.md).
+
+:::image type="content" source="./media/shared/intune-overview.png" alt-text="Diagram showing Microsoft Intune managing identities, devices, and apps, with signals from Endpoint security in Microsoft Defender. Intune is extended by advanced capabilities, automated by Copilot, and uses Microsoft Entra ID for Conditional Access to corporate resources." lightbox="./media/shared/intune-overview.png" border="false":::
+
+## The three pillars
+
+| Pillar | What Intune does | What Intune relies on |
+|---|---|---|
+| **Identities** | Targets policies to users and groups, scopes admin access through role-based access control (RBAC), and creates user affinity at enrollment. | [Microsoft Entra ID](/entra/fundamentals/whatis) for accounts, groups, authentication, and Conditional Access. |
+| **Devices** | Enrolls, configures, protects, and retires the hardware that runs your organization's work. Reports compliance state for Conditional Access. | Platform enrollment programs (Windows Autopilot, Apple Automated Device Enrollment, Android Enterprise). |
+| **Apps** | Deploys, configures, protects, and updates the apps users need, on enrolled and personal devices. | App stores and vendor catalogs (Microsoft Store, App Store, Managed Google Play, Apple Business). |
+
+The rest of this article walks through each pillar and ends with a worked example that traces a single sign-in across all three.
+
+## Identities
+
+Intune doesn't store user identities. It uses [Microsoft Entra ID](/entra/fundamentals/whatis) for accounts, groups, authentication, and Conditional Access. Within Intune, identities surface in three places.
+
+### User affinity at enrollment
+
+When a user signs into a device for the first time, the device becomes associated with that user. This association is called **user affinity**. Policies assigned to the user follow them across all of their associated devices, and the user can access their email, files, and apps from any of those devices.
+
+When no user is associated with a device, the device is **user-less**. This pattern is common for kiosks dedicated to a single task and for shared devices used by multiple people.
+
+Decide the device's intended purpose before enrollment so you can choose the right enrollment method. For platform-specific guidance, see [Device enrollment in Microsoft Intune](../device-enrollment/guide.md).
+
+### Role-based access for admins
+
+Intune uses role-based access control (RBAC) to determine what each admin can see and do in the admin center. Built-in roles such as **Application Manager** and **Policy and Profile Manager** scope permissions to specific endpoint-management tasks. Because Intune uses Microsoft Entra ID, the built-in Microsoft Entra roles (including **Intune Administrator**) are also available.
+
+Pair RBAC with **scope tags** to narrow what an admin can see, not just what they can do. For example, give a regional help desk a role that allows device wipes, but tag it so they can only see and wipe devices in their region.
+
+For details, see [Role-based access control with Microsoft Intune](role-based-access-control/overview.md) and [Use scope tags to filter policies](role-based-access-control/scope-tags.md).
+
+### Targeting policies and assignments
+
+Intune is cloud-based and targets policies directly to users or groups. There's no hierarchy of containers like organizational units. You create a policy, then **assign** it to one or more Microsoft Entra groups.
+
+You can target a policy to:
+
+- **User groups**, when the setting should follow the user across their devices. For example, an email profile or an app deployment.
+- **Device groups**, when the setting should apply regardless of who's signed in For example, a kiosk configuration or a frontline-worker policy.
+- **Built-in virtual groups** (**All users**, **All devices**) when a setting applies tenant-wide.
+
+For details, see [Add groups to organize users and devices](tenant-administration/add-groups.md) and [Assign device profiles in Microsoft Intune](../device-configuration/assign-device-profile.md).
+
+## Devices
+
+Intune manages and secures the desktops, laptops, tablets, and phones your organization relies on across Android, iOS, iPadOS, Linux, macOS, tvOS, visionOS, and Windows. For the full supported-OS matrix, see [Supported operating systems and browsers](ref-supported-platforms.md).
+
+### Device lifecycle
+
+Every managed device passes through four stages, all handled in the same admin center.
+
+- **Enroll**: Bring devices under management. Organization-owned hardware typically uses automated enrollment through Windows Autopilot, Apple Automated Device Enrollment, or Android Enterprise. Personal devices enroll through the Company Portal app.
+- **Configure**: Apply settings for Wi-Fi, VPN, certificates, email, device features, and platform-specific options. The settings catalog exposes thousands of platform settings.
+- **Protect**: Enforce compliance rules, encrypt disks, deploy security baselines, and integrate with mobile threat defense. Compliance state feeds Microsoft Entra Conditional Access.
+- **Retire**: When a device is lost, replaced, or no longer needed, remote actions let you wipe organization data, factory-reset the device, or unenroll it.
+
+### MDM and MAM
+
+Intune supports two management modes. You can use them independently or together.
+
+- **Mobile device management (MDM)** brings the entire device under Intune control: settings, apps, and data. MDM is typical for organization-owned hardware.
+- **Mobile application management (MAM)** manages only the work apps and the data inside them. The user keeps control of the rest of the device. MAM is typical for bring-your-own-device (BYOD) scenarios.
+
+You can combine the two on the same device. For example, an enrolled corporate phone (MDM) can also have app protection policies (MAM) on apps that handle especially sensitive data.
+
+For details, see [Device enrollment in Microsoft Intune](../device-enrollment/guide.md) and [App protection policies overview](../app-management/protection/overview.md).
+
+### Organization-owned and personal devices
+
+Most organizations manage two device populations: hardware they own and personal devices that employees use for work. Intune supports both with different controls.
+
+- **Organization-owned devices** should be enrolled in MDM. Don't rely on users to manage these devices themselves.
+- **Personal devices** can be MDM-enrolled when users want full access to organizational resources, or they can use only MAM policies that protect data inside Outlook, Teams, and other managed apps.
+
+### Device groups
+
+Device groups are Microsoft Entra groups that contain only devices. They're useful when a setting should apply regardless of who's signed in: kiosks, shared PCs, frontline-worker devices, or specialty hardware.
+
+Membership can be **static** or **dynamic**:
+
+- **Static groups** require manual addition and removal of devices. They're useful for small, stable sets of devices.
+- **Dynamic groups** automatically add and remove devices based on criteria you define. They're useful for large, changing fleets of devices
+
+## Apps
+
+Intune covers the full app lifecycle (deploy, configure, protect, update) across every supported platform.
+
+### App lifecycle
+
+- **Deploy** apps from public stores, vendor catalogs, your own line-of-business (LOB) packages, or built-in entries in the admin center.
+- **Configure** apps before users open them, using app configuration policies. Set the app language, add your organization's logo, block personal accounts, and more.
+- **Protect** the data inside apps using app protection policies. Require a PIN, block copy-paste to personal apps, prevent backups to personal cloud services, encrypt at-rest data, and selectively wipe organization data.
+- **Update** apps automatically as new versions become available. For Microsoft 365 apps, Microsoft Edge, and Microsoft Teams on Windows, you can hand updates to Windows Autopatch.
+
+### App protection without enrollment (MAM-WE)
+
+App protection policies don't require MDM enrollment. They work on three device populations:
+
+- **Personal devices** that aren't enrolled in any MDM (BYOD).
+- **Devices enrolled in another MDM provider**: Intune can still protect the data inside its managed apps.
+- **Intune-enrolled devices**, for apps that need an extra layer beyond MDM.
+
+For details, see [App protection policies overview](../app-management/protection/overview.md).
+
+### Apps by platform
+
+Intune supports public store apps, line-of-business (LOB) apps, web apps, and platform-specific app types across Android, iOS, iPadOS, macOS, and Windows. For the per-platform breakdown of app types and where they come from, see [Add and update apps in Microsoft Intune](../app-management/deployment/index.md).
+
+## How the pillars fit together
+
+A typical access decision touches all three pillars:
+
+1. A user signs in to a managed device and **Microsoft Entra ID** authenticates the user.
+1. The device checks in with **Intune** and reports its compliance state and inventory.
+1. Intune forwards the compliance state to Microsoft Entra ID.
+1. The user opens a corporate app. **Microsoft Entra Conditional Access** evaluates the request using the user, the device's compliance state, the app, the location, and signals from **Endpoint security in Microsoft Defender**.
+1. Conditional Access allows or blocks access. If access is allowed and the app is a managed app, **app protection policies** enforce in-app controls (PIN, copy-paste restrictions, selective wipe).
+
+Every access decision exercises all three pillars together: the user's identity, the device's compliance, and the app the user is opening.
+
+## Related content
+
+- **Identities**: [Microsoft Entra ID fundamentals](/entra/fundamentals/whatis), [Use Conditional Access with Microsoft Intune](../device-security/conditional-access-integration/overview.md), [Role-based access control with Microsoft Intune](role-based-access-control/overview.md)
+- **Devices**: [Device enrollment in Microsoft Intune](../device-enrollment/guide.md), [Use compliance policies to set rules for devices you manage](../device-security/compliance/overview.md), [Manage endpoint security in Microsoft Intune](../device-security/endpoint-security-policies.md)
+- **Apps**: [Add and update apps in Microsoft Intune](../app-management/deployment/index.md), [App configuration policies](../app-management/configuration/overview.md), [App protection policies overview](../app-management/protection/overview.md)
+- **Architecture**: [Microsoft Intune architecture](architecture.md)
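Review bot: The closing sentence of "How the pillars fit together", `Every access decision exercises all three pillars together`, claims more than the article supports, because the MAM-WE section says app protection policies also apply to devices that aren't enrolled in any MDM, and those presumably have no Intune compliance state to evaluate. Step 4 likewise reads as if Conditional Access always weighs device compliance, when that only holds if a Conditional Access policy requiring a compliant device is in place. I would soften the closing sentence to `On a managed device, a typical access decision exercises all three pillars: ...` and add `Device compliance is evaluated only when a Conditional Access policy requires it.` after step 4, so readers don't assume compliance gating is on by default. Separately, the `## Identities` heading will likely generate the anchor `#identities`, so the redirect to `core-concepts#identity` added in `.openpublishing.redirection.intune.json` may not land on that section. Two bullets are also missing a full stop: `regardless of who's signed in For example` and `large, changing fleets of devices`.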
diff --git a/intune/fundamentals/deploy-configuration-step-4.md b/intune/fundamentals/deploy-configuration-step-4.md
index c6e70f783d6..bef8cae3e2c 100644
--- a/intune/fundamentals/deploy-configuration-step-4.md
+++ b/intune/fundamentals/deploy-configuration-step-4.md
@@ -442,9 +442,9 @@ This level expands on what you configured in levels 1 and 2. It adds extra secur
Microsoft Tunnel uses Intune, Microsoft Entra ID, and Active Directory Federation Services (AD FS). For more information, see [Microsoft Tunnel for Microsoft Intune](../device-security/microsoft-tunnel/overview.md).
- - **Use Microsoft Tunnel for Mobile Application Management** (Tunnel for MAM) to extend tunnel capabilities to Android and iOS/iPad devices that are *not enrolled* with Intune. [Tunnel for MAM](../device-security/microsoft-tunnel/mam.md) is available as an Intune add-on that requires an extra license.
+ - **Use Microsoft Tunnel for Mobile Application Management** (Tunnel for MAM) to extend tunnel capabilities to Android and iOS/iPad devices that are *not enrolled* with Intune. [Tunnel for MAM](../device-security/microsoft-tunnel/mam.md) is an advanced capability that requires additional licensing beyond Microsoft Intune.
- For more information, see [Use Intune Suite add-on capabilities](./add-ons.md).
+ For more information, see [Microsoft Intune advanced capabilities](./advanced-capabilities.md).
- **Use Local Administrator Password Solution (LAPS) policy** to manage and back up the local administrator account on your devices.
@@ -470,7 +470,7 @@ This level expands on what you configured in levels 1 and 2. It adds extra secur
- Support requests by users to elevate a managed process.
- Allow for automatic elevations of files that just need to run without any user interruption.
- [Endpoint Privilege Management](../epm/overview.md) is available as an Intune add-on that requires an extra license. For more information, see [Use Intune Suite add-on capabilities](./add-ons.md).
+ [Endpoint Privilege Management](../epm/overview.md) is an advanced capability that requires additional licensing. For more information, see [Microsoft Intune advanced capabilities](./advanced-capabilities.md).
- **Use Android Common Criteria mode** on Android devices that are used by highly sensitive organizations, like government establishments.
diff --git a/intune/fundamentals/deploy-protect-apps-step-2.md b/intune/fundamentals/deploy-protect-apps-step-2.md
index 21626185dee..a893efc43d3 100644
--- a/intune/fundamentals/deploy-protect-apps-step-2.md
+++ b/intune/fundamentals/deploy-protect-apps-step-2.md
@@ -98,7 +98,7 @@ Before adding apps to Intune, consider reviewing the support app types and asses
### Add Microsoft apps
-Intune includes a number of Microsoft apps based on the Microsoft license that you use for Intune. To learn more about the different Microsoft enterprise licenses available that include Intune, see [Microsoft Intune licensing](./licensing/index.md). To compare the different Microsoft apps that are available with Microsoft 365, see the [licensing options available with Microsoft 365](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans). To see all the options for each plan (including the available Microsoft apps), download the full [Microsoft subscription comparison table](https://go.microsoft.com/fwlink/?linkid=2139145) and locate the plans that include Microsoft Intune.
+Intune includes a number of Microsoft apps based on the Microsoft license that you use for Intune. To learn more about the different Microsoft enterprise licenses available that include Intune, see [Microsoft Intune licensing](./licensing.md). To compare the different Microsoft apps that are available with Microsoft 365, see the [licensing options available with Microsoft 365](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans). To see all the options for each plan (including the available Microsoft apps), download the full [Microsoft subscription comparison table](https://go.microsoft.com/fwlink/?linkid=2139145) and locate the plans that include Microsoft Intune.
One of the available app types is Microsoft 365 apps for Windows devices. By selecting this app type in Intune, you can assign and install Microsoft 365 apps to devices you manage that run Windows. You can also assign and install apps for the Microsoft Project Online desktop client and Microsoft Visio Online Plan 2, if you own licenses for them. The available Microsoft 365 apps are displayed as a single entry in the list of apps in the Intune console within Azure.
@@ -273,7 +273,7 @@ For more information about protecting Exchange Online, go to the following topic
The following list provides the end-user requirements to use app protection policies on apps managed by Intune include the following:
- The end user must have a Microsoft Entra account. See [Add users and give administrative permission to Intune](tenant-administration/add-users.md) to learn how to create Intune users in Microsoft Entra ID.
-- The end user must have a license for Microsoft Intune assigned to their Microsoft Entra account. See [Manage Intune licenses](./licensing/assign-licenses.md) to learn how to assign Intune licenses to end users.
+- The end user must have a license for Microsoft Intune assigned to their Microsoft Entra account. See [Manage Intune licenses](./assign-licenses.md) to learn how to assign Intune licenses to end users.
- The end user must belong to a security group that is targeted by an app protection policy. The same app protection policy must target the specific app being used. App protection policies can be created and deployed in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). Security groups can currently be created in the [Microsoft 365 admin center](https://admin.microsoft.com).
- The end user must sign into the app using their Microsoft Entra account.
diff --git a/intune/fundamentals/deploy-setup-step-1.md b/intune/fundamentals/deploy-setup-step-1.md
index b3e1b53f599..c572819d98c 100644
--- a/intune/fundamentals/deploy-setup-step-1.md
+++ b/intune/fundamentals/deploy-setup-step-1.md
@@ -108,22 +108,22 @@ Intune is available with different subscriptions, including as a stand-alone ser
:::image type="icon" source="../media/icons/16/check.svg" border="false"::: **Determine your license needs**
-Microsoft Intune is available for different organization sizes and needs. It offers a simple-to-use management experience for schools and small businesses, and more advanced functionality required by enterprise customers. An admin must have a license assigned to them to administer Intune unless [unlicensed admin access](./licensing/unlicensed-admins.md) is available. Tenants created after July 2021 support unlicensed admins by default.
+Microsoft Intune is available for different organization sizes and needs. It offers a simple-to-use management experience for schools and small businesses, and more advanced functionality required by enterprise customers. An admin must have a license assigned to them to administer Intune unless [unlicensed admin access](./licensing.md#unlicensed-admin-access) is available. Tenants created after July 2021 support unlicensed admins by default.
-For guidance, see [Microsoft Intune licensing](./licensing/index.md).
+For guidance, see [Microsoft Intune licensing](./licensing.md).
:::image type="icon" source="../media/icons/16/check.svg" border="false"::: **Get started with assigning licenses to users**
Whether you add users one at a time or all at once, you must assign each user an Intune license before users can enroll their devices in Intune. The [Microsoft Intune's free trial](try-overview.md) provides 25 Intune licenses. For a list of licenses, see Licenses that include Intune.
Give users permission to use Intune. Each user or userless device requires an Intune license to access the service.
-For guidance, see [Assign licenses](./licensing/assign-licenses.md).
+For guidance, see [Assign licenses](./assign-licenses.md).
:::image type="icon" source="../media/icons/16/check.svg" border="false"::: **Unlicensed admins**
Intune supports unlicensed administrator access, which lets administrators manage Intune without an assigned Intune license. Tenants created after July 2021 have this enabled by default. Tenants created before July 2021 can enable it manually. This feature applies to any administrator, including Intune administrators, Microsoft Entra administrators, and so on.
-For guidance, see [Unlicensed admins](./licensing/unlicensed-admins.md).
+For guidance, see [Unlicensed admins](./licensing.md#unlicensed-admin-access).
## 7 - Manage roles and grant admin permissions for Intune
diff --git a/intune/fundamentals/endpoint-management.md b/intune/fundamentals/endpoint-management.md
deleted file mode 100644
index c38fa332d02..00000000000
--- a/intune/fundamentals/endpoint-management.md
+++ /dev/null
@@ -1,177 +0,0 @@
----
-title: Endpoint management services and solutions at Microsoft
-description: Microsoft Intune is a family of on-premises products and cloud services. It includes Intune, Configuration Manager, co-management, Endpoint Analytics, Windows Autopilot, and the admin center to manage cloud devices and on on-premises.
-author: MandiOhlinger
-ms.author: mandia
-ms.date: 08/20/2024
-ms.topic: overview
-ms.collection:
- - M365-identity-device-management
----
-
-# Endpoint management at Microsoft
-
-This article provides an overview of endpoint management solutions at Microsoft.
-
-:::image type="content" source="./media/endpoint-management-microsoft.png" alt-text="Endpoint management for Microsoft includes Microsoft Intune, Windows Autopilot, and Endpoint analytics. It integrates with Microsoft Entra ID, on-premises Configuration Manager, mobile threat defense partners, Security Copilot, and Microsoft 365 apps." lightbox="./media/endpoint-management-microsoft.png":::
-
-## Microsoft Intune
-
-Microsoft Intune is a family of products and services. The Intune family includes:
-
-- Microsoft Intune service
-- Configuration Manager and co-management
-- Endpoint Analytics
-- Windows Autopilot
-- Intune admin center
-
-These products and services offer a **cloud-based unified endpoint management** solution. It simplifies management across multiple operating systems, cloud, on-premises, mobile, desktop, and virtualized endpoints. It also:
-
-- Uses the Intune service for **cloud-native mobile device management (MDM) and mobile application management (MAM)**. End users and devices only need internet access; no need for on-premises infrastructure.
-- **Supports data protection on company-owned and bring your own devices** through nonintrusive mobile application management.
-- Empowers organizations to **provide data protection and endpoint compliance** that support a Zero Trust security model.
-- Brings together **device visibility, endpoint security, and data-driven insights** to increase IT efficiency. In hybrid work environments, admin tasks and end user experiences are improved.
-
-Intune integrates with other services, including Microsoft Entra, on-premises Configuration Manager, mobile threat defense (MTD) apps & services, Win32 & custom LOB apps, and more.
-
-If you're moving to the cloud or are adopting more cloud-based services, then use Intune.
-
-For more information, go to:
-
-- [What is Microsoft Intune?](./what-is-intune.md)
-- [Get started with Microsoft Intune](./get-started.md)
-
-## Configuration Manager and co-management
-
-Configuration Manager is an on-premises management solution that uses Active Directory and Group Policy Objects (GPOs). It can **manage desktops, Windows servers, and laptops** that are on your network or are internet-based. You can use Configuration Manager to manage data centers, apps, software updates, and operating systems.
-
-To benefit from everything that's happening in Microsoft Intune, connect your Configuration Manager to the cloud with co-management. Co-management combines your existing on-premises Configuration Manager investment with some of the cloud-based features in Intune, including using the web-based Microsoft Intune admin center.
-
-Co-management is a great way to get started with cloud-based device management, and to start moving some workloads to the cloud.
-
-For more information, go to:
-
-- [What is Configuration Manager?](../configmgr/core/understand/introduction.md)
-- [What is co-management?](../configmgr/comanage/overview.md)
-- [Tenant attach: Prerequisites](../configmgr/tenant-attach/prerequisites.md)
-
-## Intune Suite
-
-The Intune Suite is a collection of add-on features that are available in Intune. The suite includes features that **expand device management capabilities**, including:
-
-- Remote help for secure help desk connections
-- Microsoft Tunnel VPN for mobile application management of devices that aren't enrolled in Intune
-- Endpoint Privilege Management (EPM) so standard nonadmin users can complete tasks that require elevated privileges
-- Support for specialty devices, like AR/VR headsets, large smart-screen devices, and select conference room meeting devices
-
-The suite and its individual features are available as add-ons to your existing licenses and are also licensed individually.
-
-There's also a free trial to help you determine if these features can help your organization.
-
-For more information, go to:
-
-- [Intune Suite add-on capabilities](./add-ons.md)
-
-## Intune admin center
-
-The [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) is a **one-stop web site**. Use the admin center to add users & groups, create & manage policies, and monitor your policies using report data. If you use Configuration Manager tenant-attach or co-management, you can see your on-premises devices and run some actions on these devices.
-
-The admin center also plugs-in other key device management services, including:
-
-- [**Microsoft Entra Privileged Identity Management** to monitor access to important resources](/azure/active-directory/privileged-identity-management/pim-configure)
-- [**Microsoft Tunnel** VPN gateway solution that runs on Linux](../device-security/microsoft-tunnel/overview.md)
-- [**Mobile threat defense** partners](../device-security/mobile-threat-defense/overview.md)
-- [**Remote Help** for remote assistance](../remote-help/index.md)
-- [**TeamViewer** for remote administration](../device-management/tools/teamviewer-legacy.md)
-- [**Windows 365** for your Windows virtual machines](/windows-365/overview)
-- [**Windows Autopatch** to automate updates](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview)
-
-## Microsoft Entra ID
-
-Microsoft Entra ID, previously known as Azure Active Directory (Azure AD), is a cloud-native service that's used by Intune to **manage the identities of users, devices, and groups**. The Intune policies you create are assigned to these users, devices, and groups. When devices are enrolled in Intune, your users sign in to their devices with their Microsoft Entra accounts (`user@contoso.com`).
-
-**Microsoft Entra** has [different license plans that include more features](https://www.microsoft.com/security/business/microsoft-entra-pricing) to help protect devices, apps, and data, including dynamic groups, automatic enrollment in Intune, and Conditional Access.
-
-For more information, go to:
-
-- [Add users](./tenant-administration/add-users.md)
-- [Set up auto enrollment](../device-enrollment/windows/enable-automatic-mdm.md)
-- [Learn about Conditional Access and Intune](../device-security/conditional-access-integration/overview.md)
-
-## Windows Autopilot
-
-Windows Autopilot is a cloud-native service that **sets up and preconfigures devices**, getting them ready for use. It can also reset and repurpose existing devices. Windows Autopilot is designed to simplify the lifecycle of Windows devices from initial deployment through end of life, which benefits IT and end users.
-
-Use Windows Autopilot to preconfigure devices, automatically join devices to Microsoft Entra, automatically enroll the devices in Intune, customize the out of box experience (OOBE), and more. You can also integrate Windows Autopilot with Configuration Manager and co-management for more device configurations.
-
-If you constantly provision new devices or repurpose existing devices, then use Windows Autopilot.
-
-For more information, go to:
-
-- [Get an overview of Windows Autopilot](/autopilot/overview)
-- [Enroll Windows devices in Intune](/autopilot/enrollment-autopilot)
-
-## Microsoft Copilot in Intune
-
-[Microsoft Copilot in Intune](../copilot/index.md) is a **cloud-native service that uses AI to get information quickly**. Intune has capabilities that are powered by [Microsoft Copilot for Security](/copilot/security/microsoft-security-copilot). These capabilities access your Intune data, and can:
-
-- Help you manage your policies and settings.
-- Understand your security posture.
-- Troubleshoot device issues.
-- Create Kusto Query Language (KQL) queries.
-
-For more information, go to [Microsoft Copilot in Intune](../copilot/index.md).
-
-## Windows 365
-
-Windows 365 Cloud PCs are **virtual machines that are hosted in the cloud-native Windows 365 service**. They're accessible from anywhere and from any device that has internet access. Cloud PCs include a Windows desktop experience and are associated with a user.
-
-You enroll and manage these devices with Intune, just like any other device. On these Cloud PCs, you can use Intune to deploy apps, configure settings, install updates, and more.
-
-If you have remote workers, want to provide a secure way for your users to access corporate resources, and/or looking for a way to provide a Windows desktop experience, then Windows 365 is a great solution.
-
-For more information, go to:
-
-- [Windows 365 Cloud PC overview - Enterprise](/windows-365/enterprise/overview)
-- [Windows 365 Cloud PC overview - Business](/windows-365/business/)
-
-## Windows Autopatch
-
-Windows Autopatch is a cloud-native service that **automates patching** of Windows devices and Microsoft 365 apps, including Microsoft Teams & Microsoft Edge. To use Windows Autopatch, devices must be enrolled in Intune or managed using co-management (Intune + Configuration Manager).
-
-When you're planning your update strategy, you can use the update policies in Intune, or use Windows Autopatch. Intune gives more granular control, including when updates are installed. Windows Autopatch automatically applies updates as soon as they're available and lets admins focus on other tasks.
-
-For more information, go to:
-
-- [Windows Autopatch overview](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview)
-- [Windows Autopatch prerequisites](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites)
-- [Windows Autopatch FAQ](/windows/deployment/windows-autopatch/overview/windows-autopatch-faq)
-
-## Endpoint analytics
-
-Endpoint analytics is a cloud-native service that provides **metrics and recommendations on the health and performance** of your Windows client devices. If you use Configuration Manager, you can benefit from Endpoint Analytics insights by connecting to the cloud.
-
-You can get data on:
-
-- Startup performance
-- Device restart frequencies
-- A list of apps that affect end-user productivity
-- Recommendations on how to improve performance
-
-This information and more is shown in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-You can use Endpoint Analytics on devices that are managed with Intune or Configuration Manager connected to the cloud.
-
-For more information, go to:
-
-- [Endpoint analytics overview](../endpoint-analytics/index.md)
-- [Endpoint analytics scores, baselines, and insights](../endpoint-analytics/scores.md)
-- [Tutorial: Walkthrough the Microsoft Intune admin center](./tutorial-admin-center-walkthrough.md)
-- [Quickstart - Enroll Configuration Manager devices](../endpoint-analytics/configure.md)
-
-## Learn more
-
-- [Learn more about cloud-native endpoints](../solutions/cloud-native-endpoints/overview.md)
-- [Compare Microsoft 365 features and licensing](https://www.microsoft.com/licensing/product-licensing/microsoft-365-enterprise)
-- [Learn more about Microsoft Intune licensing](../fundamentals/licensing/index.md)
-- [Get started with Microsoft Intune](./get-started.md)
diff --git a/intune/fundamentals/free-trial-sign-up.md b/intune/fundamentals/free-trial-sign-up.md
index dbaabab7dab..eb847838527 100644
--- a/intune/fundamentals/free-trial-sign-up.md
+++ b/intune/fundamentals/free-trial-sign-up.md
@@ -18,7 +18,7 @@ Sign up for a Microsoft Intune free trial to evaluate mobile device management f
When you complete the signup process, you automatically create a new tenant. A tenant is a dedicated instance of Microsoft Entra ID that hosts your Intune subscription. After creating the tenant, you can add users and groups, and assign licenses to users.
-The free trial is an Enterprise Mobility + Security (EMS) subscription, which includes Microsoft Entra ID P1 or P2 and Microsoft Intune. After the free trial is configured, you can [confirm your free trial licenses](./licensing/index.md#confirm-your-licenses).
+The free trial is an Enterprise Mobility + Security (EMS) subscription, which includes Microsoft Entra ID P1 or P2 and Microsoft Intune. After the free trial is configured, you can [confirm your free trial licenses](./licensing.md#confirm-your-licenses).
You also get access to the following admin centers, which are used by Intune admins:
diff --git a/intune/fundamentals/get-started.md b/intune/fundamentals/get-started.md
index 8d46622dab5..5bf5aa738ce 100644
--- a/intune/fundamentals/get-started.md
+++ b/intune/fundamentals/get-started.md
@@ -37,7 +37,7 @@ This article provides an overview of the steps to start your Intune deployment.
- Determine your license needs and any other prerequisites for your Intune deployment. The following list provides some of the most common prerequisites:
- - **[Intune subscription](./licensing/index.md)**: Included with some Microsoft 365 subscriptions. You also get access to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), which is a web-based console for managing your devices, apps, and users.
+ - **[Intune subscription](./licensing.md)**: Included with some Microsoft 365 subscriptions. You also get access to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), which is a web-based console for managing your devices, apps, and users.
- **[Microsoft 365 apps](https://www.microsoft.com/licensing/product-licensing/microsoft-365-apps)**: Included with Microsoft 365 and is used for productivity apps, including Outlook and Teams.
- **[Microsoft Entra ID](https://www.microsoft.com/security/business/microsoft-entra-pricing)**: Microsoft Entra ID is used for the identity management for users, groups, and devices. It comes with your Intune subscription and possibly your Microsoft 365 subscription.
diff --git a/intune/fundamentals/government-service.md b/intune/fundamentals/government-service.md
index eb789a0e857..d39e5748917 100644
--- a/intune/fundamentals/government-service.md
+++ b/intune/fundamentals/government-service.md
@@ -75,7 +75,7 @@ The following features are available and supported in Microsoft GCC High and/or
| Platform support | ✅
You can use the same operating systems - Android, Android Open Source Project (AOSP), iOS/iPadOS, Linux, macOS, and Windows.
- **Android (AOSP)**: There are some device restrictions. For more information, go to [Supported operating systems and browsers in Intune - AOSP](ref-supported-platforms.md#android). - **Linux**: Generally available (GA) in February 2024.|
| Windows Autopilot device preparation | ✅
Some features are available now, such as user-driven deployments, and some are still [in the planning phase](#in-the-planning-phase). For more information on the recent changes to Windows Autopilot device preparation, go to [Blog: Windows deployment with the next generation of Windows Autopilot](https://techcommunity.microsoft.com/t5/microsoft-intune-blog/windows-deployment-with-the-next-generation-of-windows-autopilot/ba-p/4148169).
To get started with Windows Autopilot device preparation, go to [Windows Autopilot Device Preparation overview](/autopilot/device-preparation/overview). |
| Log Analytics | ✅
You can send Intune log data to Azure Storage, Event Hubs, or Log Analytics.
For more information on this feature, go to [Send log data to storage, event hubs, or log analytics from Intune](../governance/integrate-azure-monitor.md). |
-| Microsoft Intune Plan 2 and Microsoft Intune Suite | For more information on these plans, go to [Use Intune Suite add-on capabilities](add-ons.md).
The following Plan 2 features support the GCC High and DoD environments: - [Microsoft Tunnel for Mobile Application Management](../device-security/microsoft-tunnel/mam.md) - [Firmware-over-the-air update](../device-updates/android/manage-fota.md) - [Specialty devices management](../device-management/specialty-devices.md) The following Microsoft Intune Suite features support the GCC High and DoD environments: - [Endpoint Privilege Management](../epm/overview.md) - [Advanced Analytics](../advanced-analytics/index.md)|
+| Microsoft Intune Plan 2 and Microsoft Intune Suite | For more information on these plans, go to [Microsoft Intune advanced capabilities](advanced-capabilities.md).
The following Plan 2 features support the GCC High and DoD environments: - [Microsoft Tunnel for Mobile Application Management](../device-security/microsoft-tunnel/mam.md) - [Firmware-over-the-air update](../device-updates/android/manage-fota.md) - [Specialty devices management](../device-management/specialty-devices.md) The following Microsoft Intune Suite features support the GCC High and DoD environments: - [Endpoint Privilege Management](../epm/overview.md) - [Advanced Analytics](../advanced-analytics/index.md)|
### In the planning phase
diff --git a/intune/fundamentals/includes/mfa-console.md b/intune/fundamentals/includes/mfa-console.md
index 07cd08d878b..25a48560d46 100644
--- a/intune/fundamentals/includes/mfa-console.md
+++ b/intune/fundamentals/includes/mfa-console.md
@@ -7,13 +7,13 @@ ms.author: brenduns
> [!IMPORTANT]
>
-> On October 15, 2024, Microsoft began enforcement of the Azure sign-in requirement to use multifactor authentication (MFA). When enforced, MFA is required for all users who sign-in to Intune admin center regardless of any roles they have or don’t have. The MFA requirements also apply to services that you access through the admin center, like Windows 365 Cloud PC, and to use of the Microsoft Azure portal and Microsoft Entra admin center. MFA requirements don’t apply to end users who access applications, websites, or services hosted on Azure where those users don’t sign-in to the admin center.
+> On October 15, 2024, Microsoft began enforcement of the Azure sign-in requirement to use multifactor authentication (MFA). When enforced, MFA is required for all users who sign-in to Intune admin center regardless of any roles they have or don't have. The MFA requirements also apply to services that you access through the admin center, like Windows 365 Cloud PC, and to use of the Microsoft Azure portal and Microsoft Entra admin center. MFA requirements don't apply to end users who access applications, websites, or services hosted on Azure where those users don't sign-in to the admin center.
>
-> The requirement to sign-in using MFA applies to all Intune subscriptions, including Plan 1 subscriptions with or without add-ons, and free trial subscriptions. The prerequisites and process required to configure MFA depend on the MFA method you choose to use for your tenant. Shortly after MFA is enabled for a tenant, subsequent sign-in attempts require the user to complete setup for using the configured MFA solution.
+> The requirement to sign-in using MFA applies to all Intune subscriptions, including free trial subscriptions. The prerequisites and process required to configure MFA depend on the MFA method you choose to use for your tenant. Shortly after MFA is enabled for a tenant, subsequent sign-in attempts require the user to complete setup for using the configured MFA solution.
>
> To learn more about the MFA requirement, see [Planning for mandatory multifactor authentication for Azure and admin portals](/entra/identity/authentication/concept-mandatory-multifactor-authentication) in the Microsoft Entra documentation.
>
-> In the Microsoft Entra planning article, you’ll find guidance and resources to help you [Prepare for multifactor authentication](/entra/identity/authentication/concept-mandatory-multifactor-authentication#prepare-for-multifactor-authentication), including methods to configure MFA including but not limited to:
+> In the Microsoft Entra planning article, you'll find guidance and resources to help you [Prepare for multifactor authentication](/entra/identity/authentication/concept-mandatory-multifactor-authentication#prepare-for-multifactor-authentication), including methods to configure MFA including but not limited to:
>
> - Conditional Access policies
> - The *MFA Wizard for Microsoft Entra ID* from the Microsoft 365 admin center
diff --git a/intune/fundamentals/index.yml b/intune/fundamentals/index.yml
index 3b9eab75584..8de38abeffc 100644
--- a/intune/fundamentals/index.yml
+++ b/intune/fundamentals/index.yml
@@ -55,7 +55,7 @@ landingContent:
- linkListType: concept
links:
- text: Identity management
- url: tenant-administration/identities.md
+ url: core-concepts.md#identities
- title: Plan and deploy
linkLists:
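Review bot: The fragment in the new `url: core-concepts.md#identities` should be checked against the heading id that core-concepts.md actually generates. That file is not part of this hunk, so the anchor cannot be confirmed from here. The redirect this commit adds for tenant-administration/identities.md appears to use the singular form `#identity`, so at most one of the two can match a real heading. The other will silently drop readers at the top of the page. Align both on the real anchor, for example `url: core-concepts.md#identity` if the redirect is the correct one.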
@@ -76,20 +76,20 @@ landingContent:
- text: Set up migration
url: setup-migration.md
- - title: Licensing and add-ons
+ - title: Plans and licensing
linkLists:
- linkListType: overview
links:
- text: Microsoft Intune licensing
- url: licensing/index.md
- - text: Intune Suite add-on capabilities
- url: add-ons.md
+ url: licensing.md
+ - text: Microsoft Intune advanced capabilities
+ url: advanced-capabilities.md
- linkListType: how-to-guide
links:
- text: Assign licenses to users
- url: licensing/assign-licenses.md
- - text: Allow unlicensed admins
- url: licensing/unlicensed-admins.md
+ url: assign-licenses.md
+ - text: Unlicensed admins access
+ url: licensing.md#unlicensed-admin-access
- title: Role-based access control
linkLists:
diff --git a/intune/fundamentals/licensing.md b/intune/fundamentals/licensing.md
new file mode 100644
index 00000000000..b35f815efb6
--- /dev/null
+++ b/intune/fundamentals/licensing.md
@@ -0,0 +1,135 @@
+---
+title: Microsoft Intune Licensing Plans and Options
+description: Microsoft Intune licensing options, plans, and the capabilities included with each Intune plan and Microsoft 365 license tier.
+author: paolomatarazzo
+ms.author: paoloma
+ms.reviewer: paoloma
+ms.date: 05/13/2026
+ms.topic: overview
+ms.collection: M365-identity-device-management
+---
+
+# Microsoft Intune licensing
+
+Microsoft Intune is licensed through three plans and is included in several Microsoft 365 bundles. This article describes the plans, license requirements for users and administrators, and how to confirm your licenses.
+
+## Microsoft Intune plans
+
+Intune capabilities are organized into three plans. The Intune documentation and the Microsoft Intune admin center use these names to indicate which capabilities require which plan:
+
+- **Microsoft Intune Plan 1**: the base service.\
+ Cloud-based unified endpoint management for devices and apps.
+- **Microsoft Intune Plan 2**: additive to Plan 1.\
+ Advanced endpoint management capabilities, including Remote Help and Advanced Analytics.
+- **Microsoft Intune Suite**: additive to Plan 1.\
+ Unifies advanced endpoint management and security capabilities. Includes Plan 2.
+
+Most organizations get Intune as part of a Microsoft 365 bundle (such as Microsoft 365 E3, E5, or E7) rather than buying these plans directly. For what each bundle includes, current pricing, and how to buy, see:
+
+- [Microsoft Intune plans and pricing](https://www.microsoft.com/security/business/microsoft-intune-pricing)
+- [Licensing options available with Microsoft 365](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans)
+
+Administrators don't always need an Intune license. For more information, see [Unlicensed admin access](#unlicensed-admin-access).
+
+## License requirements
+
+An Intune license is required for any user or device that benefits directly or indirectly from the Microsoft Intune service, including access through a [Microsoft API](/legal/microsoft-apis/terms-of-use). Intune is included only with the licenses listed on the [Microsoft Intune plans and pricing](https://www.microsoft.com/security/business/microsoft-intune-pricing) page.
+
+## Microsoft Intune for Education
+
+Intune Plan 1 for Education is included in the following licenses:
+
+- Microsoft 365 Education A5
+- Microsoft 365 Education A3
+
+For licensing information about Intune for Education, see [Microsoft 365 Education](/office365/servicedescriptions/office-365-platform-service-description/microsoft-365-education).
+
+## Device-only licenses
+
+Intune offers a *device-only subscription* for managing devices that aren't affiliated with specific users, such as kiosks, dedicated devices, phone-room devices, IoT, and other single-use devices.
+
+Assign device licenses based on your estimated usage. Device licenses apply when a device is enrolled through any of the following methods:
+
+- [Windows Autopilot Self-Deploying mode](/autopilot/self-deploying)
+- [Apple Device Enrollment Program without user affinity](../device-enrollment/apple/setup-automated-ios.md)
+- [Apple School Manager without user affinity](../device-enrollment/apple/school-manager.md)
+- [Apple Configurator without user affinity](../device-enrollment/apple/setup-configurator-ios.md)
+- [Android Enterprise dedicated](../device-enrollment/android/setup-dedicated.md)
+- [Using a device enrollment manager account](../device-enrollment/setup-enrollment-manager.md)
+
+### Device-only license limitations
+
+When a device is enrolled by using a device license, the following Intune functions aren't supported:
+
+- [Intune app protection policies](../app-management/protection/overview.md)
+- [Conditional Access](../device-security/conditional-access-integration/overview.md)
+- User-based management features, such as email and calendaring
+
+## Unlicensed admin access
+
+Administrators can sign in to and manage Microsoft Intune without an assigned Intune license. This access is enabled by default for tenants created after July 2021 and applies to all administrator roles, including Intune administrators and Microsoft Entra administrators. Tenants created before July 2021 can enable this option manually.
+
+Unlicensed admin access grants sign-in and management access to the Microsoft Intune admin center. It doesn't replace license requirements for other features and services. For example, features that depend on Microsoft Entra ID P1 or P2 still require the appropriate license.
+
+Whether you need to enable this setting depends on when your tenant was created:
+
+- **Tenants created after July 2021**: Unlicensed administrator access is supported by default. No action is required.
+- **Tenants created before July 2021**: Administrators require an Intune license unless the **Allow access to unlicensed admins** setting is enabled. This setting can't be undone after it's turned on.
+
+> [!IMPORTANT]
+> - Intune supports up to 1000 unlicensed admins per security group. If more than 1000 administrators are needed for a role assignment, use multiple security groups.
+> - Members of nested security groups aren't included in unlicensed admins access. If you keep nested security groups, admins in those nested groups still require an Intune license even when the unlicensed admins access is enabled.
+> - It can take up to 48 hours for access changes to take effect.
+
+### Enable unlicensed admin access for pre-July 2021 tenants
+
+Tenants created after July 2021 already have unlicensed admin access enabled by default. The following steps apply only to tenants created before July 2021.
+
+To enable this setting, use an account assigned the [Intune Administrator](/entra/identity/role-based-access-control/permissions-reference#intune-administrator) Microsoft Entra role. Because this role is privileged, use it only when necessary.
+
+1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Tenant administration** > **Roles** > **Administrator Licensing**.
+1. Select **Allow access to unlicensed admins**.
+1. Select **Yes** to allow access to unlicensed admins.
+
+After you enable this setting, users who sign in to the Microsoft Intune admin center don't require an Intune license. Roles assigned to users define their scope of access.
+
+## Co-management with Configuration Manager
+
+Most licenses that include Microsoft Intune also grant the rights to use Microsoft Configuration Manager, as long as the subscription remains active.
+
+To enroll existing Configuration Manager-managed devices into Intune at scale without user interaction, co-management uses a Microsoft Entra feature called auto-enrollment. This scenario requires:
+
+- **Microsoft Entra ID P1 or P2** assigned to each user.
+- **Microsoft Intune Plan 1**: included automatically with Microsoft Intune. You no longer need to assign individual Intune licenses for this scenario.
+
+You still need to assign Intune licenses for other enrollment scenarios.
+
+## Confirm your licenses
+
+A Microsoft Intune license is created for you when you sign up for the Intune free trial. As part of this trial, you also get a trial Enterprise Mobility + Security (EMS) subscription, which includes both Microsoft Entra ID P1 or P2 and Microsoft Intune.
+
+> [!NOTE]
+> If you don't have an Intune license, sign up for the [Intune free trial](./free-trial-sign-up.md).
+
+To confirm your Microsoft Intune license or trial:
+
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Tenant administration** > **Tenant status**. Under the **Tenant details** tab, you can see the **MDM authority**, the **Total licensed users**, and the **Total Intune licenses**.
+1. Select **Tenant administration** > **Roles** > **My permissions**.
+1. Confirm that you're an **administrator** with **full** permissions to **all** Intune resources.
+
+To confirm your Microsoft Entra ID P1 or P2 license:
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Select **Microsoft Entra ID**.
+1. Select **Overview**. On the **Overview** pane, select the **Overview** tab if it isn't already selected.
+1. Under **Basic information**, view your license.
+
+If you don't have a license for Microsoft Entra ID P1 or P2, see [Sign up for Microsoft Entra ID P1 or P2 editions](/azure/active-directory/fundamentals/active-directory-get-started-premium).
+
+## Related content
+
+- [Assign Intune licenses to your user accounts](assign-licenses.md)
+- [Microsoft Intune advanced capabilities](./advanced-capabilities.md)
+- [Set up Microsoft Intune (training module)](/training/modules/set-up-microsoft-intune?azure-portal=true)
+- [Microsoft Licensing portal](https://www.microsoft.com/licensing/default): latest information about product editions, licensing updates, and volume licensing plans.
\ No newline at end of file
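Review bot: The "Enable unlicensed admin access for pre-July 2021 tenants" procedure no longer warns at the point of action that the change is irreversible. The deleted unlicensed-admins.md had a `[!WARNING]` callout between "Select **Allow access to unlicensed admins**" and "Select **Yes**". In the new page the only mention is the "can't be undone" sentence in the tenant-age bullet list, well above the steps. This is a one-way change to who can sign in to the admin center, so I would restore the callout under step 2: `> [!WARNING]` followed by `> You can't undo this setting after selecting **Yes**.` The old Prerequisites row with the RBAC include has also been reduced to a single sentence. Its content is not visible here, so confirm nothing it stated about required roles was meant to carry over.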
diff --git a/intune/fundamentals/licensing/index.md b/intune/fundamentals/licensing/index.md
deleted file mode 100644
index 5ee6f0b9378..00000000000
--- a/intune/fundamentals/licensing/index.md
+++ /dev/null
@@ -1,131 +0,0 @@
----
-title: Licenses available for Microsoft Intune
-description: Intune is available with these licenses
-ms.date: 05/09/2024
-ms.topic: overview
-ms.collection:
-- M365-identity-device-management
----
-
-# Microsoft Intune licensing
-
-Microsoft Intune is available for different customer needs and organization sizes, from a simple-to-use management experience for schools and small businesses, to more advanced functionality required by enterprise customers. Most licenses that include Microsoft Intune also grant the rights to use Microsoft Configuration Manager, as long as the subscription remains active. An admin must have a license assigned to them to administer Intune unless [unlicensed admin access](unlicensed-admins.md) is available. Tenants created after July 2021 support unlicensed admins by default.
-
-## Microsoft Intune
-
-The following plans are available for Microsoft Intune.
-
-> [!IMPORTANT]
-> In addition to the plans described in this topic, see the following information about plans and pricing:
-> - [Discover Microsoft Intune Plans and Pricing](https://www.microsoft.com/security/business/microsoft-intune-pricing)
-> - [Licensing options available with Microsoft 365](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans)
- - Download the full Microsoft subscription comparison table and locate the plans that include Microsoft Intune
-
-### Microsoft Intune Plan 1
-
-A cloud-based unified endpoint management solution that is included in the following licenses:
-
-- Microsoft 365 E5
-- Microsoft 365 E3
-- Enterprise Mobility + Security E5
-- Enterprise Mobility + Security E3
-- Microsoft 365 Business Premium
-- Microsoft 365 F1
-- Microsoft 365 F3
-- Microsoft 365 Government G5
-- Microsoft 365 Government G3
-- Microsoft Intune for Education
-
-> [!NOTE]
-> For additional licensing information about Intune for Education, see [Microsoft 365 Education](/office365/servicedescriptions/office-365-platform-service-description/microsoft-365-education).
-
-### Microsoft Intune Plan 2
-
-An add-on to Microsoft Intune Plan 1 that offers advanced endpoint management capabilities. Intune Plan 2 is included in Microsoft Intune Suite.
-
-For information about trial and purchasing, see [Use Intune Suite add-on capabilities](../../fundamentals/add-ons.md).
-
-### Microsoft Intune Suite
-
-An add-on to Microsoft Intune Plan 1 that unifies mission-critical advanced endpoint management and security solutions.
-
-For information about trial and purchasing, see [Use Intune Suite add-on capabilities](../../fundamentals/add-ons.md).
-
-## Microsoft Intune for Education
-
-Intune Plan 1 for Education is included in the following licenses:
-
-- Microsoft 365 Education A5
-- Microsoft 365 Education A3
-
-## Licensing for Configuration Manager-managed devices in Intune
-
-For existing Configuration Manager-managed devices to enroll into Intune for co-management at scale without user interaction, co-management uses a Microsoft Entra feature called auto-enrollment. Auto-enrollment with co-management requires licenses for both Microsoft Entra ID P1 or P2 (AADP1) and Microsoft Intune Plan 1. Starting on December 1, 2019, you no longer need to assign individual Intune licenses for this scenario. Microsoft Intune now includes the Intune licenses for co-management. The separate AADP1 licensing requirement remains the same for this scenario to work. You still need to assign Intune licenses for other enrollment scenarios.
-
-## Additional information
-
-- A Microsoft Intune user and device subscription is available as a standalone, in addition to the bundles listed above.
-- A Microsoft Intune device-only subscription is available to manage kiosks, dedicated devices, phone-room devices, IoT, and other single-use devices that don't require user-based security and management features. For more information, see [Device-only licenses](#device-only-licenses).
-- The appropriate Microsoft Intune license is required if a user or device benefits directly or indirectly from the Microsoft Intune service, including access to the Microsoft Intune service through a [Microsoft API](/legal/microsoft-apis/terms-of-use).
-- Intune isn't included in licenses not in the previous tables.
-
-## Unlicensed admins
-
-For more information about giving administrators access to the Microsoft Intune admin center without them having an Intune license, see [Unlicensed admins](unlicensed-admins.md).
-
-## Device-only licenses
-
-Microsoft Intune offers a device-only subscription service that helps organizations manage devices that aren't affiliated with specific users.
-
-You can purchase device licenses based on your estimated usage. Microsoft Intune device licenses are applicable when a device is enrolled through any of the following methods:
-
-- [Windows Autopilot Self-Deploying mode](/autopilot/self-deploying)
-- [Apple Device Enrollment Program without user affinity](../../device-enrollment/apple/setup-automated-ios.md)
-- [Apple School Manager without user affinity](../../device-enrollment/apple/school-manager.md)
-- [Apple Configurator without user affinity](../../device-enrollment/apple/setup-configurator-ios.md)
-- [Android Enterprise dedicated](../../device-enrollment/android/setup-dedicated.md)
-- [Using a device enrollment manager account](../../device-enrollment/setup-enrollment-manager.md)
-
-> [!NOTE]
-> Visit the [Microsoft Licensing](https://www.microsoft.com/licensing/default) page, or contact your account representative if you have any questions or you would like to receive the latest information about product editions, product licensing updates, volume licensing plans, and other information related to your specific use cases.
-
-### Device-only license limitations
-
-When a device is enrolled by using a device license, the following Intune functions aren't supported:
-
-- [Intune app protection policies](../../app-management/protection/overview.md)
-- [Conditional Access](../../device-security/conditional-access-integration/overview.md)
-- User-based management features, such as email and calendaring
-
-## Confirm your licenses
-
-A Microsoft Intune license is created for you when you sign up for the Intune free trial. As part of this trial, you'll also have a trial Enterprise Mobility + Security (EMS) subscription. An Enterprise Mobility + Security (EMS) subscription includes both Microsoft Entra ID P1 or P2 and Microsoft Intune.
-
-> [!NOTE]
-> If you are unable to access this portal using the step below, or if you don't have an Intune license, you can sign up now for the [Intune free trial](../../fundamentals/free-trial-sign-up.md). When setting up Intune, you can give an administrators access to the Microsoft Intune admin center [without them requiring an Intune license](./unlicensed-admins.md).
-
-To confirm your Microsoft Intune license or trial, use the following steps:
-
-1. Sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Select **Tenant administration** > **Tenant status**.
- Under the **Tenant details** tab, you will see the **MDM authority**, the **Total licenses users**, and the **Total Intune licenses**.
-3. Select **Tenant administration** > **Roles** > **My permissions**.
-4. Confirm you are an **administrator** with **full** permissions to **all** Intune resources.
-
-> [!NOTE]
-> For more in-depth information about Microsoft Intune, see the learning module: [Set up Microsoft Intune](/training/modules/set-up-microsoft-intune?azure-portal=true).
-
-To check on your Microsoft Entra ID P1 or P2 license, use the following steps:
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-2. Select **Microsoft Entra ID**.
-3. Select **Overview**. On the **Overview** pane, select the **Overview** tab if it isn't already selected.
-4. Under **Basic information**, view your license.
-
-If you don't have a license for Microsoft Entra ID P1 or P2, see [Sign up for Microsoft Entra ID P1 or P2 editions](/azure/active-directory/fundamentals/active-directory-get-started-premium).
-
-## Next steps
-
-For the latest information about product editions, product licensing updates, volume licensing plans, and other information related to your specific use cases, see the [Microsoft Licensing](https://www.microsoft.com/licensing/default) page.
-
-For information about how user and device licenses affect access to services, as well as how to assign a license to a user, see the [Assign Intune licenses to your user accounts article](assign-licenses.md).
diff --git a/intune/fundamentals/licensing/media/unlicensed-admins/unlicensed-admins-01.png b/intune/fundamentals/licensing/media/unlicensed-admins/unlicensed-admins-01.png
deleted file mode 100644
index 879dac4952f..00000000000
Binary files a/intune/fundamentals/licensing/media/unlicensed-admins/unlicensed-admins-01.png and /dev/null differ
diff --git a/intune/fundamentals/licensing/toc.yml b/intune/fundamentals/licensing/toc.yml
deleted file mode 100644
index 963e2eb3d54..00000000000
--- a/intune/fundamentals/licensing/toc.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-items:
-- name: Manage Intune licenses
- items:
- - name: Determine license needs
- href: ./index.md
- - name: Assign licenses
- href: ./assign-licenses.md
- - name: Allow access to unlicensed admins
- href: ./unlicensed-admins.md
diff --git a/intune/fundamentals/licensing/unlicensed-admins.md b/intune/fundamentals/licensing/unlicensed-admins.md
deleted file mode 100644
index d0bf3e9e113..00000000000
--- a/intune/fundamentals/licensing/unlicensed-admins.md
+++ /dev/null
@@ -1,65 +0,0 @@
----
-title: Unlicensed administrator access to Microsoft Intune
-description: Learn about unlicensed administrator access in Microsoft Intune, including default behavior for newer tenants and how to enable it for older tenants.
-ms.date: 04/29/2026
-ms.topic: how-to
-ai-usage: ai-assisted
-ms.collection:
-- M365-identity-device-management
----
-
-# Unlicensed administrator access to Microsoft Intune
-
-Administrators can sign in to and manage Microsoft Intune without an assigned Intune license. This access is enabled by default for tenants created after July 2021 and applies to all administrator roles, including Intune administrators and Microsoft Entra administrators. Tenants created before July 2021 can enable this access manually.
-
-Unlicensed admin access grants sign-in and management access to the Microsoft Intune admin center. It doesn't replace license requirements for other features and services. For example, features that depend on Microsoft Entra ID P1 or P2 still require the appropriate license.
-
-Whether you need to enable this setting depends on when your tenant was created:
-
-- **Tenants created after July 2021**: Unlicensed administrator access is supported by default. No action is required.
-- **Tenants created before July 2021**: Administrators require an Intune license unless the **Allow access to unlicensed admins** setting is enabled. This setting can't be undone after it's turned on.
-
-## Prerequisites
-
-:::row:::
-:::column span="1":::
-[!INCLUDE [rbac](../../includes/requirements/rbac.md)]
-
-:::column-end:::
-:::column span="3":::
-> To enable this setting, use an account assigned the [Intune Administrator](/entra/identity/role-based-access-control/permissions-reference#intune-administrator) :::image type="icon" source="../../media/icons/16/privileged-label.svg" border="false"::: Microsoft Entra role. Because this role is privileged, use it only when necessary.
-:::column-end:::
-:::row-end:::
-
-> [!IMPORTANT]
-> - Intune supports up to 1000 unlicensed admins per security group. If more than 1000 administrators are needed for a role assignment, you can use multiple security groups.
-- Members of nested security groups aren't included in the unlicensed admins feature. If you prefer to retain nested security groups, admins in those nested groups still require an Intune license even when unlicensed admins setting is enabled.
-- It can take up to 48 hours for access changes to take effect.
-
-
-## Enable the setting for pre-July 2021 tenants
-
-Tenants created after July 2021 already have unlicensed admin access enabled by default. The following steps apply only to tenants created before July 2021.
-
-1. In the [Microsoft Intune admin center], select **Tenant administration** > **Roles** > **Administrator Licensing**.
-1. Select **Allow access to unlicensed admins**.
-
- > [!WARNING]
- > You can't undo this setting after selecting **Yes**.
-
-1. Select **Yes** to allow access to unlicensed admins.
-
- :::image type="content" alt-text="Screenshot of administrator licensing to allow unlicensed admins." source="./media/unlicensed-admins/unlicensed-admins-01.png" :::
-
-After you enable this setting, users who sign in to the Microsoft Intune admin center don't require an Intune license. Roles assigned to users define their scope of access.
-
-## Related content
-
-- [Role-based access control (RBAC) with Microsoft Intune](../../fundamentals/role-based-access-control/overview.md)
-- [Microsoft Intune licensing](../../fundamentals/licensing/index.md)
-
-
-
-[Microsoft Intune admin center]: https://go.microsoft.com/fwlink/?linkid=2109431
-[Intune role administrator]: ../../fundamentals/role-based-access-control-reference.md
-[Custom role]: ../../fundamentals/create-custom-role.md
diff --git a/intune/fundamentals/manage-apps.md b/intune/fundamentals/manage-apps.md
deleted file mode 100644
index f9096ed1a9a..00000000000
--- a/intune/fundamentals/manage-apps.md
+++ /dev/null
@@ -1,162 +0,0 @@
----
-title: Manage and secure apps overview
-description: Get an overview of the concepts and features you should know when managing apps that access organization resources in Microsoft Intune. You can deploy apps used by your organization, including Microsoft Edge and Microsoft 365. You can also configure apps, protect apps on organizations owned and BYOD personal devices, and update apps that you deploy.
-author: MandiOhlinger
-ms.author: mandia
-ms.date: 02/19/2025
-ms.topic: article
-ms.collection:
-- M365-identity-device-management
----
-
-# Learn about managing your apps and app data in Microsoft Intune
-
-Managing and protecting apps and their data is a significant part of any endpoint management strategy and solution. In most environments, users can install public retail apps and possibly access organization data from these apps. Many organizations also have their own private apps and line-of-business apps that need to be deployed & managed. They must make sure this app data stays within the organization.
-
-App management can be challenging and Intune can help. [Microsoft Intune is a cloud-based service](what-is-intune.md) that can manage many apps types. Using Intune, admins can deploy, configure, protect, and update apps that access your organization resources.
-
-:::image type="content" source="./media/manage-apps/manage-apps-with-intune.png" alt-text="Diagram that shows app management in the Microsoft Intune admin center, including deploying apps, and using app configuration policies & app protection policies for managed apps & personal apps." lightbox="./media/manage-apps/manage-apps-with-intune.png":::
-
-Microsoft Intune can manage apps on Android, iOS/iPadOS, macOS, and Windows client devices. So, you can use Intune's app management features across your many devices.
-
-From a service perspective, Intune uses Microsoft Entra ID for identity management. To use some apps, these Microsoft Entra user identities must have licenses assigned to them. The Microsoft Intune admin center can also help you manage licensing.
-
-This article discusses concepts and features you should consider when managing and securing apps.
-
-## Deploy apps your organization uses
-
-Organizations use many different types of apps, including store apps, line-of-business (LOB) apps, web apps, and more. You can add apps to Intune and then use its app policy management to deploy these apps to your devices.
-
-The app features in the Intune admin center make it easier to deploy these different kinds of apps.
-
-### ✅ Android devices
-
-The Intune admin center automatically connects to the public Play Store and gives you the ability to search for apps. You can also sync with your Managed Google Play account to access your Android Enterprise apps, including private apps.
-
-On Android devices, you can deploy:
-
-- Public and retail apps from the public Play Store
-- Managed Google Play apps to Android Enterprise devices
-- Web links to web apps
-- Built-in apps, which are apps automatically included and available in the Intune admin center
-- Custom line-of-business apps your organization creates
-- Android Enterprise system apps, which are apps typically included on Android devices
-
-If you use [Google Mobile Services (GMS)](https://www.android.com/gms/) (opens Android's web site), you can purchase licenses to GMS, which typically happens when you purchase Android devices. GMS gives users access to the public Play Store and its public apps.
-
-If your organization doesn't use [Google Mobile Services (GMS)](https://www.android.com/gms/) (opens Android's web site), then Intune can also manage devices using the Android Open Source Project (AOSP) platform.
-
-For more specific information, go to:
-
-- [How to use Intune in environments without Google Mobile Services](../app-management/manage-without-gms.md)
-- [Add Managed Google Play apps to Android Enterprise devices](../app-management/deployment/add-managed-google-play.md)
-- [Manage private Android apps in Google Play](https://support.google.com/a/answer/2494992) (opens Google's web site)
-- [Add built-in apps](../app-management/deployment/add-built-in.md)
-
-### ✅ iOS/iPadOS devices
-
-The Intune admin center automatically connects to the public App Store and gives you the ability to search for apps. You can also sync with your Apple Business Manager or Apple School Manager account to access your volume-licensed apps. When you sync, the apps you purchase (your licensed apps) are automatically shown in the Intune admin center.
-
-On iOS/iPadOS devices, you can deploy:
-
-- Public and retail apps from the public App Store
-- Volume-licensed apps using Apple Business Manager or Apple School Manager
-- Web clips, which are shortcuts to web site links that you can add to the home screen
-- Web links to web apps
-- Built-in apps, which are apps automatically included and available in the Intune admin center
-- Custom line-of-business apps your organization creates
-
-For more specific information, go to:
-
-- [Add iOS store apps](../app-management/deployment/add-store-ios.md)
-- [Manage iOS/iPadOS and macOS apps purchased through Apple Business Manager](../app-management/deployment/manage-vpp-apple.md)
-- [Add iOS/iPadOS LOB apps](../app-management/deployment/add-lob-ios.md)
-- [Add built-in apps](../app-management/deployment/add-built-in.md)
-
-### ✅ macOS devices
-
-The Intune admin center has built-in features that include apps commonly deployed to macOS, including Microsoft Edge and Microsoft 365 apps. You can also sync with your Apple Business Manager or Apple School Manager account to access your volume-licensed apps. When you sync, the apps you purchase (your licensed apps) are automatically shown in the Intune admin center.
-
-On macOS devices, you can deploy:
-
-- Volume-licensed apps using Apple Business Manager or Apple School Manager
-- Microsoft 365 apps, which include Word, Excel, PowerPoint, Outlook, OneNote, Teams, and OneDrive
-- Microsoft Edge version 77 and newer, which is the modern chromium version
-- Microsoft Defender for Endpoint, which is a cloud service that detects malicious intent and can help remediate security threats
-- Web links to web apps
-- Custom line-of-business apps your organization creates
-- Apple disk image (DMG) apps, which is a file that includes one or more apps to deploy
-- Unmanaged PKG Files (custom packages, unsigned packages, packages without a payload)
-
-For more specific information, go to:
-
-- [Manage iOS/iPadOS and macOS apps purchased through Apple Business Manager](../app-management/deployment/manage-vpp-apple.md)
-- [Assign Microsoft 365 to macOS devices](../app-management/deployment/add-microsoft-365-macos.md)
-- [Add macOS LOB apps](../app-management/deployment/add-lob-macos.md)
-- [Add macOS PKG apps](../app-management/deployment/add-unmanaged-pkg-macos.md)
-- [Add Microsoft Store apps to Microsoft Intune](../app-management/deployment/add-microsoft-store.md)
-
-### ✅ Windows devices
-
-The Intune admin center automatically connects to the public Microsoft Store and gives you the ability to search for apps.
-
-On Windows devices, you can deploy:
-
-- Public and retail apps from the Microsoft Store
-- Microsoft 365 apps, which include Word, Excel, PowerPoint, Outlook, OneNote, Teams, and OneDrive
-- Microsoft Edge version 77 and newer, which is the modern chromium version
-- Web links to web apps
-- Custom line-of-business apps your organization creates
-- Win32 apps
-
-For more specific information, go to:
-
-- [Add Microsoft 365 apps to Windows client devices](../app-management/deployment/add-microsoft-365-windows.md)
-- [Win32 app management](../app-management/deployment/win32.md)
-- [Add Microsoft Store apps to Microsoft Intune](../app-management/deployment/add-microsoft-store.md)
-
-## Configure apps before they're installed
-
-When an Android or iOS/iPadOS app is deployed to your users and devices, your users can be prompted for configuration information. Users might not know what to enter or you might have organization settings you want configured a certain way.
-
-App configuration policies give you these features. You can create app configuration policies that automatically configure apps. Depending on your policy settings, users might not need to enter any configuration information when they open the app.
-
-For example, in an app configuration policy, you can enter the app language, add your organization's logo, block apps from using personal accounts, and more.
-
-Your app configuration policies can be deployed at any time. If you want to configure apps before users open them the first time, then include the app configuration policy when users enroll their devices. During enrollment, your app configuration policies are automatically deployed and the apps include your configuration settings.
-
-For more specific information, go to [App configuration policies in Intune](../app-management/configuration/overview.md).
-
-## Protect apps on organization owned and personal devices
-
-App protection policies are a key part to protecting data in apps that access organization data. If user-owned personal devices are accessing your organization data, then you need app protection policies. Use these policies to protect email, protect shared files, protect access to meetings, and more.
-
-You can use Intune to create, configure, and deploy app protection policies to your users and your devices, including personally owned devices and devices managed by another MDM provider. Typically, organization owned devices are managed by your organization. If there are apps on these managed devices that require extra security, then you can also use app protection policies on these devices.
-
-App protection policies also help separate personal data from organization data. For example, you can create policies that block copy-and-paste between apps, require a PIN when opening an app, block backups to personal cloud services, and more.
-
-For more specific information, go to:
-
-- [App protection policies overview and benefits](../app-management/protection/overview.md)
-- [How to create and assign app protection policies](../app-management/protection/create-policy.md)
-
-## Update apps to the latest version
-
-Apps are often updated to include bug fixes, feature improvements, security updates, and more. When apps are deployed using Intune, most apps are automatically updated when there's an app update available. So, it's recommended to use Intune to deploy apps used by your organization.
-
-You can also use Windows Autopatch for automatic patching of Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams.
-
-If users install apps themselves, including from a public app store, then these apps need updated manually. In this situation, you can use app protection policies to enforce a minimum app version, and even wipe organization data on devices that don't meet your standards.
-
-For more information, go to:
-
-- [Add and update apps](../app-management/deployment/index.md)
-- [Windows Autopatch overview](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview)
-- [Wipe corporate data from Intune-managed apps](../app-management/protection/wipe-corporate-data.md)
-- [Selectively wipe data using app protection policy conditional launch actions](../app-management/protection/configure-conditional-launch.md)
-
-## Related articles
-
-- [Learn about managing identities in Intune](tenant-administration/identities.md)
-- [Learn about managing devices in Intune](manage-devices.md)
-- [Frequently asked questions about application management and app protection](../app-management/protection/mam-faq.yml)
diff --git a/intune/fundamentals/manage-devices.md b/intune/fundamentals/manage-devices.md
deleted file mode 100644
index a965a874d4e..00000000000
--- a/intune/fundamentals/manage-devices.md
+++ /dev/null
@@ -1,137 +0,0 @@
----
-title: Manage and secure devices overview
-description: Get an overview of the concepts and features you should know when managing devices that access organization resources in Microsoft Intune. You can manage new and existing devices, including BYOD personal devices, check health compliance and view reports, configure device features, and secure devices using mobile threat solutions.
-author: MandiOhlinger
-ms.author: mandia
-ms.date: 02/20/2025
-ms.topic: article
-ms.collection:
-- M365-identity-device-management
----
-
-# Learn about managing and securing your devices in Microsoft Intune
-
-Managing devices is a significant part of any endpoint management strategy and solution. Organizations have to manage desktops, laptops, tablets, mobile phones, wearables, and more. It can be a large task, especially if you're not sure where to start.
-
-Microsoft Intune can help. [Intune is a cloud-based service](what-is-intune.md) that can control devices through policy, including security policies.
-
-The goal of any organization that's managing devices is to secure devices and the data they access.
-
-:::image type="content" source="./media/manage-devices/manage-devices-with-intune.png" alt-text="Diagram that shows organization owned and personal devices in the Microsoft Intune admin center and using compliance policies and Conditional Access for resource access." lightbox="./media/manage-devices/manage-devices-with-intune.png":::
-
-Device management involves:
-
-- Configuring features built into the device, like enabling Bluetooth and preventing automatic connections to Wi-Fi hotspots
-- Securing the devices and preventing unauthorized access to organization resources from the devices, like using mobile threat defense and encrypting hard disks
-- Creating compliance rules that maintain device integrity, like setting a minimum OS version and preventing simple passwords
-- Being responsible for organization owned devices and personally owned devices that access your organization resources
-
-From a service perspective, Intune uses Microsoft Entra ID for device storage and permissions. Using the [Microsoft Intune admin center](tutorial-admin-center-walkthrough.md), you can manage device tasks and policies in a central location designed for endpoint management.
-
-This article discusses concepts and features you should consider when managing your devices.
-
-## Manage organization owned and personal devices
-
-Many organizations allow personally owned devices to access organization resources, including email and meetings. There are different options available and these options depend on how strict your organization is.
-
-You can require personal devices be enrolled in your organization's device management services. On these personal devices, your admins can deploy policies, set rules, and configure device features. Or, you can use app protection policies that focus on protecting app data, such as Outlook, Teams, and Sharepoint. You can also use a combination of device enrollment and app protection policies.
-
-Devices owned by your organization should be enrolled in your MDM service, like Intune. When enrolled, your admins create policies and set rules that protect data. Don't rely on end users to manage these devices.
-
-For more information and guidance, go to:
-
-- [Microsoft Intune planning guide](planning-guide.md)
-- [Deployment guide: Setup or move to Microsoft Intune](setup-migration.md)
-
-## Use your existing devices and use new devices
-
-You can manage new devices and existing devices. Intune supports Android, iOS/iPadOS, Linux, macOS, and Windows devices.
-
-There are some things you should know. For example, if another MDM provider manages your existing devices, then these devices might need to be factory reset. If the devices are using an older OS version, they might not be supported.
-
-If your organization is investing in new devices, then we recommend you start with a cloud approach using Intune.
-
-For more information and guidance, go to:
-
-- [Microsoft Intune planning guide](planning-guide.md)
-- [Deployment guide: Setup or move to Microsoft Intune](setup-migration.md)
-
-For more specific information by platform, go to:
-
-- [Android platform deployment guide](platform-guide-android.md)
-- [iOS/iPadOS platform deployment guide](platform-guide-ios-ipados.md)
-- [Linux enrollment deployment guide](../device-enrollment/guide-linux.md)
-- [macOS platform deployment guide](platform-guide-macos.md)
-- [Windows enrollment deployment guide](../device-enrollment/windows/guide.md)
-
-## Check the compliance health of your devices
-
-Device compliance is a significant part of managing devices. Your organization should set password/PIN rules and check for security features on these devices. You want to know which devices don't meet your rules. This task is where compliance comes in.
-
-You can create compliance policies that block simple passwords, require a firewall, set the minimum OS version, and more. You can use these policies and built-in reporting to see noncompliant devices and see the noncompliant settings on these devices. This information gives you an idea of the overall health of the devices accessing your organization resources.
-
-Conditional Access is a feature of Microsoft Entra ID. With Conditional Access, you can enforce compliance. For example, if a device doesn't meet your compliance rules, then you can block access to organization resources, including Outlook, SharePoint, and Teams. Conditional Access helps your organization secure your data and protect your devices.
-
-For more information, go to:
-
-- [Use compliance policies to set rules for devices you manage](../device-security/compliance/overview.md)
-- [Monitor results of your device compliance policies](../device-security/compliance/monitor-policy.md)
-- [Learn about Conditional Access and Intune](../device-security/conditional-access-integration/overview.md)
-
-## Control device features and assign policies to device groups
-
-All devices have features that you can control and manage using policies. For example, you can block the built-in camera, allow Bluetooth pairing, and manage the power button.
-
-For many organizations, it's common to create device groups. Device groups are Microsoft Entra groups that only include devices. They don't include user identities.
-
-When you have device groups, you create policies that focus on the device experience or task, like running a single app or scanning bar codes. You can also create policies that include settings that you want to always be on the device, regardless of who's using the device.
-
-You can group devices by OS platform, by function, by location, and other features you prefer.
-
-Device groups can also include devices that are shared with many users or aren't associated with a specific user. These dedicated or kiosk devices are typically used by frontline workers (FLW) and can also be managed by Intune.
-
-When the groups are ready, you can assign your policies to these device groups.
-
-For more information, go to:
-
-- [FLW device management in Intune](../solutions/frontline-worker/index.md)
-- [Get started with Microsoft 365 for frontline workers](/microsoft-365/frontline/flw-overview)
-- [Windows device settings to run as a dedicated kiosk using Intune](../device-configuration/templates/configure-kiosk.md)
-- [Control access, accounts, and power features on shared PC or multi-user devices using Intune](../device-configuration/templates/configure-shared-device.md)
-
-## Secure your devices
-
-To help secure your devices, you can install antivirus, scan & react to malicious activity, and enable security features.
-
-In Intune, some common security tasks include:
-
-- **Integrate with Mobile Threat Defense** (MTD) partners to help protect organization owned devices and personally owned devices. These MTD services scan the devices and can help remediate vulnerabilities.
-
- The MTD partners support different platforms, including Android, iOS/iPadOS, macOS, and Windows.
-
- For more specific information, go to [Mobile Threat Defense integration with Intune](../device-security/mobile-threat-defense/overview.md)
-
-- **Use security baselines** on your Windows devices. Security baselines are preconfigured settings that you can deploy to your devices. These baseline settings focus on security at a granular level and can also be changed to meet any organization specific requirements.
-
- If you're not sure where to start, then look at security baselines.
-
- For more specific information, go to:
-
- - [Use security baselines to configure Windows devices in Intune](../device-security/security-baselines/overview.md)
-
-- **Manage software updates, encrypt hard disks, configure built-in firewalls**, and more using built-in policy settings. You can also use Windows Autopatch for automatic patching of Windows, including Windows quality updates and Windows feature updates.
-
- For more information, go to:
-
- - [Manage endpoint security in Microsoft Intune](../device-security/endpoint-security-policies.md)
- - [Manage device security with endpoint security policies in Microsoft Intune](../device-configuration/endpoint-security/manage-policies.md)
- - [Windows Autopatch overview](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview)
-
-- **Manage devices remotely** using the Intune admin center. You can remotely lock, restart, locate a lost device, and restore a device to its factory settings. These tasks are helpful if a device is lost or stolen, or if you're remotely troubleshooting a device.
-
- For more information, go to [Remote actions in Intune](../device-management/actions/index.md).
-
-## Related articles
-
-- [Learn about managing identities in Intune](tenant-administration/identities.md)
-- [Learn about managing apps in Intune](manage-apps.md)
diff --git a/intune/fundamentals/media/architecture/cloud-control-plane-on.png b/intune/fundamentals/media/architecture/cloud-control-plane-on.png
new file mode 100644
index 00000000000..94bd1cb61b4
Binary files /dev/null and b/intune/fundamentals/media/architecture/cloud-control-plane-on.png differ
diff --git a/intune/fundamentals/media/architecture/cloud-control-plane.png b/intune/fundamentals/media/architecture/cloud-control-plane.png
new file mode 100644
index 00000000000..6819005a640
Binary files /dev/null and b/intune/fundamentals/media/architecture/cloud-control-plane.png differ
diff --git a/intune/fundamentals/media/architecture/connectors-and-extensions-on.png b/intune/fundamentals/media/architecture/connectors-and-extensions-on.png
new file mode 100644
index 00000000000..419b386ef6a
Binary files /dev/null and b/intune/fundamentals/media/architecture/connectors-and-extensions-on.png differ
diff --git a/intune/fundamentals/media/architecture/connectors-and-extensions.png b/intune/fundamentals/media/architecture/connectors-and-extensions.png
new file mode 100644
index 00000000000..c97085c9989
Binary files /dev/null and b/intune/fundamentals/media/architecture/connectors-and-extensions.png differ
diff --git a/intune/fundamentals/media/architecture/endpoint-family-services-on.png b/intune/fundamentals/media/architecture/endpoint-family-services-on.png
new file mode 100644
index 00000000000..c89a5b0390b
Binary files /dev/null and b/intune/fundamentals/media/architecture/endpoint-family-services-on.png differ
diff --git a/intune/fundamentals/media/architecture/endpoint-family-services.png b/intune/fundamentals/media/architecture/endpoint-family-services.png
new file mode 100644
index 00000000000..62302ceaf51
Binary files /dev/null and b/intune/fundamentals/media/architecture/endpoint-family-services.png differ
diff --git a/intune/fundamentals/media/architecture/intune-reference-architecture.png b/intune/fundamentals/media/architecture/intune-reference-architecture.png
new file mode 100644
index 00000000000..a557379b1ca
Binary files /dev/null and b/intune/fundamentals/media/architecture/intune-reference-architecture.png differ
diff --git a/intune/fundamentals/media/architecture/intunearchitecture_wh.png b/intune/fundamentals/media/architecture/intunearchitecture_wh.png
deleted file mode 100644
index f75ec978d86..00000000000
Binary files a/intune/fundamentals/media/architecture/intunearchitecture_wh.png and /dev/null differ
diff --git a/intune/fundamentals/media/architecture/managed-endpoints-on.png b/intune/fundamentals/media/architecture/managed-endpoints-on.png
new file mode 100644
index 00000000000..9bddc3b6117
Binary files /dev/null and b/intune/fundamentals/media/architecture/managed-endpoints-on.png differ
diff --git a/intune/fundamentals/media/architecture/managed-endpoints.png b/intune/fundamentals/media/architecture/managed-endpoints.png
new file mode 100644
index 00000000000..91d85ac149f
Binary files /dev/null and b/intune/fundamentals/media/architecture/managed-endpoints.png differ
diff --git a/intune/fundamentals/media/architecture/on-premises-services-on.png b/intune/fundamentals/media/architecture/on-premises-services-on.png
new file mode 100644
index 00000000000..d5e032fef39
Binary files /dev/null and b/intune/fundamentals/media/architecture/on-premises-services-on.png differ
diff --git a/intune/fundamentals/media/architecture/on-premises-services.png b/intune/fundamentals/media/architecture/on-premises-services.png
new file mode 100644
index 00000000000..80a6db79da7
Binary files /dev/null and b/intune/fundamentals/media/architecture/on-premises-services.png differ
diff --git a/intune/fundamentals/media/architecture/partner-ecosystem-on.png b/intune/fundamentals/media/architecture/partner-ecosystem-on.png
new file mode 100644
index 00000000000..2ddafd1e54e
Binary files /dev/null and b/intune/fundamentals/media/architecture/partner-ecosystem-on.png differ
diff --git a/intune/fundamentals/media/architecture/partner-ecosystem.png b/intune/fundamentals/media/architecture/partner-ecosystem.png
new file mode 100644
index 00000000000..947f7a0ca6f
Binary files /dev/null and b/intune/fundamentals/media/architecture/partner-ecosystem.png differ
diff --git a/intune/fundamentals/media/architecture/peer-integrations-on.png b/intune/fundamentals/media/architecture/peer-integrations-on.png
new file mode 100644
index 00000000000..65c5d7fde3d
Binary files /dev/null and b/intune/fundamentals/media/architecture/peer-integrations-on.png differ
diff --git a/intune/fundamentals/media/architecture/peer-integrations.png b/intune/fundamentals/media/architecture/peer-integrations.png
new file mode 100644
index 00000000000..f776fbdae07
Binary files /dev/null and b/intune/fundamentals/media/architecture/peer-integrations.png differ
diff --git a/intune/fundamentals/licensing/media/assign-licenses/i4e-sds-profile-setup-setting.png b/intune/fundamentals/media/assign-licenses/i4e-sds-profile-setup-setting.png
similarity index 100%
rename from intune/fundamentals/licensing/media/assign-licenses/i4e-sds-profile-setup-setting.png
rename to intune/fundamentals/media/assign-licenses/i4e-sds-profile-setup-setting.png
diff --git a/intune/fundamentals/licensing/media/assign-licenses/i4e-set-licenses.png b/intune/fundamentals/media/assign-licenses/i4e-set-licenses.png
similarity index 100%
rename from intune/fundamentals/licensing/media/assign-licenses/i4e-set-licenses.png
rename to intune/fundamentals/media/assign-licenses/i4e-set-licenses.png
diff --git a/intune/fundamentals/licensing/media/assign-licenses/posh-addlic-verify.png b/intune/fundamentals/media/assign-licenses/posh-addlic-verify.png
similarity index 100%
rename from intune/fundamentals/licensing/media/assign-licenses/posh-addlic-verify.png
rename to intune/fundamentals/media/assign-licenses/posh-addlic-verify.png
diff --git a/intune/fundamentals/media/device-lifecycle/device-lifecycle.png b/intune/fundamentals/media/device-lifecycle/device-lifecycle.png
deleted file mode 100644
index 9efed5908b6..00000000000
Binary files a/intune/fundamentals/media/device-lifecycle/device-lifecycle.png and /dev/null differ
diff --git a/intune/fundamentals/media/endpoint-management-microsoft.png b/intune/fundamentals/media/endpoint-management-microsoft.png
deleted file mode 100644
index 852e5ca957a..00000000000
Binary files a/intune/fundamentals/media/endpoint-management-microsoft.png and /dev/null differ
diff --git a/intune/fundamentals/media/manage-apps/manage-apps-with-intune.png b/intune/fundamentals/media/manage-apps/manage-apps-with-intune.png
deleted file mode 100644
index 384601684cf..00000000000
Binary files a/intune/fundamentals/media/manage-apps/manage-apps-with-intune.png and /dev/null differ
diff --git a/intune/fundamentals/media/manage-devices/manage-devices-with-intune.png b/intune/fundamentals/media/manage-devices/manage-devices-with-intune.png
deleted file mode 100644
index 9387ce65d43..00000000000
Binary files a/intune/fundamentals/media/manage-devices/manage-devices-with-intune.png and /dev/null differ
diff --git a/intune/fundamentals/media/shared/intune-overview.png b/intune/fundamentals/media/shared/intune-overview.png
new file mode 100644
index 00000000000..2f4ea9303d8
Binary files /dev/null and b/intune/fundamentals/media/shared/intune-overview.png differ
diff --git a/intune/fundamentals/media/docs-feedback.png b/intune/fundamentals/media/use-docs/docs-feedback.png
similarity index 100%
rename from intune/fundamentals/media/docs-feedback.png
rename to intune/fundamentals/media/use-docs/docs-feedback.png
diff --git a/intune/fundamentals/media/docs-filter-toc.gif b/intune/fundamentals/media/use-docs/docs-filter-toc.gif
similarity index 100%
rename from intune/fundamentals/media/docs-filter-toc.gif
rename to intune/fundamentals/media/use-docs/docs-filter-toc.gif
diff --git a/intune/fundamentals/media/docs-github-edit.png b/intune/fundamentals/media/use-docs/docs-github-edit.png
similarity index 100%
rename from intune/fundamentals/media/docs-github-edit.png
rename to intune/fundamentals/media/use-docs/docs-github-edit.png
diff --git a/intune/fundamentals/media/docs-search-engine.png b/intune/fundamentals/media/use-docs/docs-search-engine.png
similarity index 100%
rename from intune/fundamentals/media/docs-search-engine.png
rename to intune/fundamentals/media/use-docs/docs-search-engine.png
diff --git a/intune/fundamentals/media/docs-search-field.png b/intune/fundamentals/media/use-docs/docs-search-field.png
similarity index 100%
rename from intune/fundamentals/media/docs-search-field.png
rename to intune/fundamentals/media/use-docs/docs-search-field.png
diff --git a/intune/fundamentals/media/docs-search-rss.png b/intune/fundamentals/media/use-docs/docs-search-rss.png
similarity index 100%
rename from intune/fundamentals/media/docs-search-rss.png
rename to intune/fundamentals/media/use-docs/docs-search-rss.png
diff --git a/intune/fundamentals/media/what-is-device-management/device-management-features-mdm-mam.png b/intune/fundamentals/media/what-is-device-management/device-management-features-mdm-mam.png
deleted file mode 100644
index 33d758d5765..00000000000
Binary files a/intune/fundamentals/media/what-is-device-management/device-management-features-mdm-mam.png and /dev/null differ
diff --git a/intune/fundamentals/media/what-is-intune/what-is-intune.png b/intune/fundamentals/media/what-is-intune/what-is-intune.png
deleted file mode 100644
index 7176e9c30a5..00000000000
Binary files a/intune/fundamentals/media/what-is-intune/what-is-intune.png and /dev/null differ
diff --git a/intune/fundamentals/migrate-from-other-mdm.md b/intune/fundamentals/migrate-from-other-mdm.md
index b7723a3f0ae..bc4ce55e859 100644
--- a/intune/fundamentals/migrate-from-other-mdm.md
+++ b/intune/fundamentals/migrate-from-other-mdm.md
@@ -58,7 +58,7 @@ This article helps you move your mobile device management (MDM) from Microsoft 3
Before you move from Basic Mobility and Security device management to Intune device management:
-1. Make sure you have enough [Intune licenses](./licensing/index.md) to cover all your users managed by Basic Mobility and Security. If you don't have enough licenses, group your users by priority and assign licenses in stages.
+1. Make sure you have enough [Intune licenses](./licensing.md) to cover all your users managed by Basic Mobility and Security. If you don't have enough licenses, group your users by priority and assign licenses in stages.
1. Review the existing Basic Mobility and Security policies and [remove any policies](/microsoft-365/admin/security-and-compliance/m365b-devices-basic-mobility-security-turn-off) that you no longer need. Deleting unneeded policies reduces the number of new Intune policies you create.
The following articles list and describe the Basic Mobility and Security policies:
@@ -120,7 +120,7 @@ Next, assign the Intune policies to the groups you choose. Keep the following po
- Assign licenses to **Users**. For more information, see [Assign licenses to users](/microsoft-365/admin/manage/assign-licenses-to-users).
- Assign licenses to **Groups**. For more information, see [Assign licenses to a group](/microsoft-365/admin/manage/manage-group-licenses).
- For more information on assigning licenses in Intune, see [Assign licenses to users so they can enroll devices in Intune](./licensing/assign-licenses.md).
+ For more information on assigning licenses in Intune, see [Assign licenses to users so they can enroll devices in Intune](./assign-licenses.md).
At the next [Intune device refresh cycle](../device-configuration/troubleshoot-device-profiles.md#policy-refresh-intervals), the devices automatically switch to Intune management and the new policies start affecting user devices.
diff --git a/intune/fundamentals/planning-guide.md b/intune/fundamentals/planning-guide.md
index b54530cf5c6..dd6acaa2b1b 100644
--- a/intune/fundamentals/planning-guide.md
+++ b/intune/fundamentals/planning-guide.md
@@ -1,9 +1,9 @@
---
title: Planning guide to move to Microsoft Intune
description: Plan, design, implement, adopt, and move to Microsoft Intune. Get guidance and advice to determine goals, use-case scenarios and requirements, and create rollout and communication plans, support, testing, and validation plans.
-author: MandiOhlinger
-ms.author: mandia
-ms.date: 05/19/2026
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/13/2026
ms.topic: upgrade-and-migration-article
ms.reviewer: davguy
ms.collection:
@@ -29,11 +29,6 @@ This guide:
Use this guide to plan your move or migration to Intune.
-> [!TIP]
->
-> - Want to print or save this guide as a PDF? In your web browser, use the **Print** option, **Save as PDF**.
-> - [!INCLUDE [tips-guidance-plan-deploy-guides](../device-enrollment/includes/tips-guidance-plan-deploy-guides.md)]
-
## Step 1 - Determine your objectives
Organizations use mobile device management (MDM) and mobile application management (MAM) to control organization data securely, and with minimal disruption to users. When evaluating an MDM/MAM solution, like Microsoft Intune, look at what the goal is, and what you want to achieve.
@@ -132,7 +127,7 @@ In Intune, distributed IT benefits from the following features:
- When admins create policies, you can require **[multiple admin approval](role-based-access-control/multi-admin-approval.md)** for specific policies, including policies that run scripts or deploy apps.
-- **[Endpoint Privilege Management](../epm/overview.md)** allows standard non-admin user complete tasks that require elevated privileges, like installing apps and updating device drivers. Endpoint Privilege Management is part of the [Intune Suite](add-ons.md).
+- **[Endpoint Privilege Management](../epm/overview.md)** allows standard non-admin user complete tasks that require elevated privileges, like installing apps and updating device drivers. Endpoint Privilege Management is part of the [Intune Suite](advanced-capabilities.md).
✅ **Task: Determine how you want to distribute your rules and settings**
@@ -317,14 +312,20 @@ Managing devices is a relationship with different services. Intune includes the
Copilot in Intune is licensed through Microsoft Security Copilot. For more information, go to [Get started with Microsoft Security Copilot](/copilot/security/get-started-security-copilot).
-- **[Intune Suite](add-ons.md)** provides advanced endpoint management and security features, like remote help, Microsoft Cloud PKI, Endpoint Privilege Management, and more. The Intune Suite is available as a separate license.
+- **[Intune Suite](advanced-capabilities.md)** provides advanced endpoint management and security features, like remote help, Microsoft Cloud PKI, Endpoint Privilege Management, and more.
+
+**Starting July 2026, Suite capabilities are distributed across Microsoft 365 license tiers:**
+
+- **Microsoft 365 E3** includes Plan 2, Remote Help, and Advanced Analytics.
+- **Microsoft 365 E5 and E7** include everything in E3, plus Endpoint Privilege Management, Microsoft Cloud PKI, and Enterprise Application Management.
+- For customers on other plans, Suite is available as a separate subscription.
For more information, go to:
-- [Microsoft Intune licensing](./licensing/index.md)
+- [Microsoft Intune licensing](./licensing.md)
- [Microsoft 365 for business](https://www.microsoft.com/licensing/product-licensing/microsoft-365-business)
- [Microsoft 365 enterprise licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans)
-- [Microsoft Intune Suite](add-ons.md)
+- [Microsoft Intune advanced capabilities](advanced-capabilities.md)
✅ **Task: Determine the licensed services your organization needs**
@@ -334,7 +335,7 @@ Some considerations:
- Intune
- Intune is available with different subscriptions, including as a stand-alone service. For more information, go to [Microsoft Intune licensing](./licensing/index.md).
+ Intune is available with different subscriptions, including as a stand-alone service. For more information, go to [Microsoft Intune licensing](./licensing.md).
You currently use Configuration Manager, and want to set up co-management for your devices. Intune is already included in your Configuration Manager license. If you want Intune to fully manage new devices or existing co-managed devices, then you need a separate Intune license.
diff --git a/intune/fundamentals/platform-guide-android.md b/intune/fundamentals/platform-guide-android.md
index 215d7ea5e4a..c7ac9850929 100644
--- a/intune/fundamentals/platform-guide-android.md
+++ b/intune/fundamentals/platform-guide-android.md
@@ -19,7 +19,7 @@ Intune supports the mobile device management (MDM) of Android devices to give pe
Before you begin, complete these prerequisites to enable Android device management in Intune. For more detailed information about how to set up, onboard, or move to Intune, see the [Intune setup deployment guide](setup-migration.md).
* [Add users](tenant-administration/add-users.md) and [groups](tenant-administration/add-groups.md)
-* [Assign licenses to users](./licensing/assign-licenses.md)
+* [Assign licenses to users](./assign-licenses.md)
* [Set mobile device management authority](setup-mdm-authority.md)
We recommend you use the least privileged role that's needed to complete tasks. For example, the least privileged role that can complete device enrollment tasks is the built-in **Policy and Profile Manager** Intune role.
diff --git a/intune/fundamentals/platform-guide-ios-ipados.md b/intune/fundamentals/platform-guide-ios-ipados.md
index 5ec728dda29..bcf3125217b 100644
--- a/intune/fundamentals/platform-guide-ios-ipados.md
+++ b/intune/fundamentals/platform-guide-ios-ipados.md
@@ -21,7 +21,7 @@ Intune supports mobile device management (MDM) of iPads and iPhones to give user
Before you begin, complete these prerequisites to enable iOS/iPadOS device management in Intune. For more detailed information about how to set up, onboard, or move to Intune, see the [Intune setup deployment guide](setup-migration.md).
* [Add users](tenant-administration/add-users.md) and [groups](tenant-administration/add-groups.md)
-* [Assign licenses to users](./licensing/assign-licenses.md)
+* [Assign licenses to users](./assign-licenses.md)
* [Set mobile device management authority](setup-mdm-authority.md)
* [Set up Apple MDM push (APNs) certificate](../device-enrollment/apple/create-mdm-push-certificate.md)
diff --git a/intune/fundamentals/platform-guide-linux.md b/intune/fundamentals/platform-guide-linux.md
index 2188ce280db..faf65b60054 100644
--- a/intune/fundamentals/platform-guide-linux.md
+++ b/intune/fundamentals/platform-guide-linux.md
@@ -29,7 +29,7 @@ For each section in this guide, review the associated tasks. Some tasks are requ
Complete the following prerequisites as an Intune administrator to enable your tenant's endpoint management capabilities:
* [Add users](tenant-administration/add-users.md) and [groups](tenant-administration/add-groups.md)
-* [Assign licenses to users](./licensing/assign-licenses.md)
+* [Assign licenses to users](./assign-licenses.md)
* [Set mobile device management authority](setup-mdm-authority.md)
We recommend you use the least privileged role that's needed to complete tasks. For example, the least privileged role that can complete device enrollment tasks is the built-in **Policy and Profile Manager** Intune role.
diff --git a/intune/fundamentals/platform-guide-macos.md b/intune/fundamentals/platform-guide-macos.md
index bcc1f54067b..714bcc7469f 100644
--- a/intune/fundamentals/platform-guide-macos.md
+++ b/intune/fundamentals/platform-guide-macos.md
@@ -20,7 +20,7 @@ Secure access to work email, data, and apps on macOS devices. This article guide
Complete the following prerequisites to enable macOS device management in Intune:
* [Add users](tenant-administration/add-users.md) and [groups](tenant-administration/add-groups.md)
-* [Assign licenses to users](./licensing/assign-licenses.md)
+* [Assign licenses to users](./assign-licenses.md)
* [Set mobile device management authority](setup-mdm-authority.md)
* [Set up Apple MDM push (APNs) certificate](../device-enrollment/apple/create-mdm-push-certificate.md)
diff --git a/intune/fundamentals/platform-guide-windows.md b/intune/fundamentals/platform-guide-windows.md
index daea73f9fcf..44278065743 100644
--- a/intune/fundamentals/platform-guide-windows.md
+++ b/intune/fundamentals/platform-guide-windows.md
@@ -21,7 +21,7 @@ For each section in this guide, review the associated tasks. Some tasks are requ
Complete the following prerequisites to enable your tenant's endpoint management capabilities:
* [Add users](tenant-administration/add-users.md) and [groups](tenant-administration/add-groups.md)
-* [Assign licenses to users](./licensing/assign-licenses.md)
+* [Assign licenses to users](./assign-licenses.md)
* [Set mobile device management authority](setup-mdm-authority.md)
We recommend you use the least privileged role that's needed to complete tasks. For example, the least privileged role that can complete device enrollment tasks is the built-in **Policy and Profile Manager** Intune role.
diff --git a/intune/fundamentals/protection-configuration-levels.md b/intune/fundamentals/protection-configuration-levels.md
index 616c7639412..7b7b45d377f 100644
--- a/intune/fundamentals/protection-configuration-levels.md
+++ b/intune/fundamentals/protection-configuration-levels.md
@@ -218,10 +218,7 @@ This level focuses on enterprise-level services and features, and it can require
- Expand password-less authentication to other services in your organization, including certificate-based authentication, single sign-on for apps, multifactor authentication (MFA), and the Microsoft Tunnel VPN gateway.
- Use multifactor authentication (MFA) for an extra layer of security. MFA can help protect your organization from phishing attacks.
-- Expand Microsoft Tunnel by deploying Microsoft Tunnel for Mobile Application Management (Tunnel for MAM), which extends Tunnel support to iOS/iPadOS and Android devices that aren't enrolled with Intune. Tunnel for MAM is available as an Intune add-on.
-
- For information, see [Use Intune Suite add-on capabilities](./add-ons.md).
-
+- Expand Microsoft Tunnel by deploying Microsoft Tunnel for Mobile Application Management (Tunnel for MAM), which extends Tunnel support to iOS/iPadOS and Android devices that aren't enrolled with Intune. Tunnel for MAM is an advanced capability of Intune. For more information, see [Microsoft Intune advanced capabilities](./advanced-capabilities.md).
- Use Intune policy for Local Administrator Password Solution (LAPS) on macOS and Windows devices. LAPS policies help secure the local administrator account on your managed devices.
For information, see:
@@ -231,7 +228,7 @@ This level focuses on enterprise-level services and features, and it can require
- Protect Windows devices using Endpoint Privilege Management (EPM). EPM helps you run your organization's users as standard users (without administrator rights) and enables those same users to complete tasks that require elevated privileges.
- EPM is available as an Intune add-on. For information, see [Use Intune Suite add-on capabilities](./add-ons.md).
+ EPM is an advanced capability of Intune. For information, see [Microsoft Intune advanced capabilities](./advanced-capabilities.md).
- Configure device features that apply to the Windows firmware layer. Use Android common criteria mode.
- Configure specialized devices like kiosks and shared devices.
diff --git a/intune/fundamentals/role-based-access-control/assign-role.md b/intune/fundamentals/role-based-access-control/assign-role.md
index 42509f45f12..5fb5cb0017e 100644
--- a/intune/fundamentals/role-based-access-control/assign-role.md
+++ b/intune/fundamentals/role-based-access-control/assign-role.md
@@ -63,7 +63,7 @@ Before you deploy Intune roles, be familiar with [About Intune role assignments]
> When you assign a role to a group, every member of that group receives the permissions granted by that role. Only assign roles to groups for which you know the membership, and which don't include users that shouldn't receive the administrative privileges provided by the role.
> [!NOTE]
- > If your tenant allows [unlicensed admins](../licensing/unlicensed-admins.md), Intune role assignments only apply to direct members of the assigned security group. Members of nested groups do not receive these assignments by default. However, if a user in a nested group has an Intune license, that user will receive the Intune role.
+ > If your tenant allows [unlicensed admins](../licensing.md#unlicensed-admin-access), Intune role assignments only apply to direct members of the assigned security group. Members of nested groups do not receive these assignments by default. However, if a user in a nested group has an Intune license, that user will receive the Intune role.
Select **Next**.
diff --git a/intune/fundamentals/role-based-access-control/multi-admin-approval.md b/intune/fundamentals/role-based-access-control/multi-admin-approval.md
index 1d801870892..384658a4b55 100644
--- a/intune/fundamentals/role-based-access-control/multi-admin-approval.md
+++ b/intune/fundamentals/role-based-access-control/multi-admin-approval.md
@@ -42,7 +42,7 @@ By default, the administrators who participate in the MAA workflow must have an
> [!CAUTION]
> **This setting is irreversible.** Once enabled, you can't turn it off. Make sure your organization understands this limitation before proceeding.
-Before enabling this setting, review [Unlicensed admins](../licensing/unlicensed-admins.md) for important limits and behavior details, including group membership caps and how long access changes take to take effect.
+Before enabling this setting, review [Unlicensed admins](../licensing.md#unlicensed-admin-access) for important limits and behavior details, including group membership caps and how long access changes take to take effect.
### Role 1: Access policy manager
diff --git a/intune/fundamentals/role-based-access-control/overview.md b/intune/fundamentals/role-based-access-control/overview.md
index f4f45fb2073..411df6cf9a9 100644
--- a/intune/fundamentals/role-based-access-control/overview.md
+++ b/intune/fundamentals/role-based-access-control/overview.md
@@ -28,7 +28,7 @@ To view a role in the **Intune admin center**, go to **Tenant administration** >
- **Assignments**: Select an [assignment for a role](assign-role.md) to view details about it including the groups and scopes that the assignment includes. A role can have multiple assignments, and a user can receive multiple assignments.
> [!NOTE]
-> In June 2021, Intune began supporting [unlicensed admins](../licensing/unlicensed-admins.md). User accounts created after this change can administer Intune without an assigned license. Accounts created before this change and administrator accounts in a nested security group assigned to a role still require a license to manage Intune.
+> In June 2021, Intune began supporting [unlicensed admins](../licensing.md#unlicensed-admin-access). User accounts created after this change can administer Intune without an assigned license. Accounts created before this change and administrator accounts in a nested security group assigned to a role still require a license to manage Intune.
### Built-in roles
diff --git a/intune/fundamentals/service-description.md b/intune/fundamentals/service-description.md
deleted file mode 100644
index 668969c7612..00000000000
--- a/intune/fundamentals/service-description.md
+++ /dev/null
@@ -1,94 +0,0 @@
----
-title: Microsoft Intune Service Description
-description: Microsoft Intune is a cloud-based service that helps you manage Windows, iOS/iPadOS, macOS, and Android devices.
-author: MandiOhlinger
-ms.author: mandia
-ms.date: 02/03/2026
-ms.topic: article
-ms.reviewer: mmikkelson, cacamp
-ms.collection:
-- M365-identity-device-management
-- triage
----
-
-# Microsoft Intune service description
-
-Intune is a cloud-based endpoint management service that helps you manage and secure your organization's devices, apps, and data. By using Intune, you can:
-
-* Manage the mobile devices your workforce uses to access organization data.
-* Manage the client apps your workforce uses, including Microsoft 365 apps and many third-party partner apps.
-* Protect your organization information and data by managing the way your workforce accesses and shares it.
-* Ensure devices and apps are compliant with organization security requirements.
-
-Intune integrates closely with Microsoft Entra ID for identity and access control, and native and partner services for data & endpoint protection. You can also integrate Intune with Configuration Manager to extend your management capabilities.
-
-To learn more about how you can manage devices, apps, and protect corporate data with Intune, see [Microsoft Intune securely manages identities, apps, and devices](what-is-intune.md).
-
-## 30-day free trial
-
-You can start to use Intune with a 30-day free trial. To start your free trial, [go to the Intune Sign up page](https://admin.microsoft.com/Signup/Signup.aspx?OfferId=40BE278A-DFD1-470a-9EF7-9F2596EA7FF9&dl=INTUNE_A&ali=1#0%20). If your organization has an Enterprise Agreement or equivalent volume licensing agreement, contact your Microsoft representative to set up your free trial.
-
-If your organization has a Microsoft Online Services work or school account, and you might continue with this Intune subscription in production after the trial period ends, select the **Sign in** option on that page and authenticate by using the Microsoft Entra Global Administrator account for your organization. This action ensures that your Intune trial links to your existing work or school account.
-
-> [!IMPORTANT]
-> [!INCLUDE [global-admin](../includes/global-admin.md)]
-
-## Intune Onboarding benefit
-
-Microsoft offers the Intune Onboarding benefit for eligible services in eligible plans. The Onboarding benefit lets you work remotely with Microsoft specialists to get your Intune environment ready for use. For more about this benefit, see [Microsoft Intune Onboarding Benefit Description](/microsoft-365/fasttrack/introduction).
-
-## Learn how Intune service updates affect you
-
-Because the mobile device management ecosystem changes frequently with operating system updates and mobile app releases, Microsoft regularly updates Intune. You can learn about changes in the Intune service through the following sources:
-
-* [What's new in Microsoft Intune](../whats-new/index.md) is updated monthly and can be updated weekly when, for example, apps such as the Company Portal app are updated.
-
-* The [Microsoft Intune admin center](https://intune.microsoft.com) and the [Microsoft 365 admin center](https://admin.microsoft.com/) message centers announce service change notices and service health notices, including any issues in your environment that require action.
-
- - [**Microsoft 365 admin center**](https://admin.microsoft.com) Message Center notices are shown at **Health** > **Message center**.
- - [**Microsoft Intune admin center**](https://intune.microsoft.com) notices are shown at **Tenant administration** > **Tenant status** > **Service health and message center**.
-
- A few helpful hints:
-
- * The messages are typically targeted. So, if your organization doesn't have an Intune for Education offer, you won't receive messages about Intune for Education.
-
- * Messages expire. For example, the notification that your service is updated with a link to the What's new page likely expires before the next service update notification. Otherwise, you'd have a large backlog of posts that might no longer be relevant.
-
- * Install the [Microsoft 365 Admin mobile app](/microsoft-365/admin/admin-overview/admin-mobile-app) to receive notifications on your mobile device. You can search through all the messages and forward the notification to share it with others in your organization.
-
- * Under **Edit message center preferences**, you might see an **Intune** toggle so you can look at those messages posted to an Intune subscription. If you see **Mobile Device Management for Microsoft 365**, that service is different, not Intune.
-
- * Learn more about how to work with the [Microsoft 365 Message Center](/microsoft-365/admin/manage/message-center).
-
-* The following blogs share new features, capabilities, and best practices for Microsoft Intune:
-
- * [Microsoft Intune Blog](https://aka.ms/IntuneBlog)
- * [Intune Customer Success Blog](https://aka.ms/IntuneCustomerSuccess)
-
-> [!NOTE]
-> You can monitor Intune service health in the [Microsoft 365 admin center](https://admin.microsoft.com). Choose **Service Health** in the left pane. You can also use the [Microsoft 365 Admin mobile app](/microsoft-365/admin/admin-overview/admin-mobile-app) to view service health.
-
-## Types of notices Microsoft provides about the Intune service
-
-To help you plan for service changes, Microsoft notifies you at least 7-90 days prior to the service change, depending on the impact of the change. These changes might include any of the following types of change:
-
-- Changes to the end-user experience that you might want to share with your helpdesk staff or your end users. Microsoft typically provides 7 to 30 days' notice of those changes. For something like a spelling error fix, Microsoft typically doesn't call out the change in documentation. For a change in the end-user enrollment experience that's significant enough in the UI, Microsoft posts a message to customers. So, you're notified of what's changing and have time to evaluate and update your end-user guidance before the changes roll out in production.
-
- Changes that require you to take action are called **Plan for Change** and typically provide about 30 days' notice. In the Intune and Microsoft 365 message centers, the category specifically says **Plan for Change**. If Microsoft has an exact date for when the change is in production, there's an **Act By** date. That date gives you a visual queue and an explanation mark.
-
-- For most deprecations, Microsoft prefers to provide 90 days' notice of that deprecation. For example, if Microsoft is no longer going to support a feature, the goal is to provide 90 days' notice. Deprecations get complicated when it's another company announcing the deprecation. So, Microsoft lets customers know we're removing support as soon as possible, but the Microsoft notification to customers might be under the 90-day period.
-
-- In the event of Intune service retirement, you are notified 12 months in advance.
-
-- In the rare event there's any post-incident action needed to get your service back to normal or a large change that Microsoft deems potentially disruptive based on customer feedback, Microsoft emails the service administrators using your [Microsoft 365 communication preferences](/microsoft-365/admin/manage/change-address-contact-and-more). Be sure your preferences include a valid work email address.
-
-## Language support
-
-Intune runs in the Azure portal, which supports the following languages: Chinese (Simplified), Chinese (Traditional), Czech, Dutch, English, French, German, Hungarian, Indonesian, Italian, Japanese, Korean, Polish, Portuguese (Brazil), Portuguese (Portugal), Russian, Spanish, Swedish, and Turkish.
-
-In addition to all the languages that the Azure portal supports, the Microsoft Intune admin center and the user-facing mobile experiences support Danish, Greek, Finnish, Norwegian, and Romanian.
-
-## Related content
-
-- [Service information for Microsoft Intune release updates](servicing-information.md)
-- [What is Microsoft Intune](what-is-intune.md)
diff --git a/intune/fundamentals/servicing-information.md b/intune/fundamentals/servicing-information.md
index e8316231b4e..797d1045e12 100644
--- a/intune/fundamentals/servicing-information.md
+++ b/intune/fundamentals/servicing-information.md
@@ -39,7 +39,7 @@ In the following example, the tenant has the 2311 (November 2023) service releas
## Keep current with release features
-Keeping up to date about releases and changes is an important part of your Intune deployment. Intune provides several ways to stay current about latest updates:
+Microsoft updates Intune frequently to keep up with operating system updates and mobile app releases. Keeping up to date about releases and changes is an important part of your Intune deployment. Intune provides several ways to stay current about latest updates:
- **[What's new in Intune](../whats-new/index.md)**: Learn what's new in a Microsoft Intune release. When a feature is released, some information about that feature is added to this article. It also includes an overview of the current release, any notices, information about earlier releases, and other information.
@@ -55,13 +55,30 @@ Keeping up to date about releases and changes is an important part of your Intun
2. Go to **Tenant administration** > **Tenant status** > **Service health and message center**.
3. Under **Message center**, select any message to read it.
+- **[Microsoft 365 Admin mobile app](/microsoft-365/admin/admin-overview/admin-mobile-app)**: Receive service notifications on your mobile device.
- **Social media**: Get the latest announcements on X at `@IntuneSuppTeam`.
-For more information from the Intune support team, go to the following blog posts:
+For more information from the Intune support team and the broader Intune community, see the following blogs:
+- [Microsoft Intune Blog](https://aka.ms/IntuneBlog)
+- [Intune Customer Success Blog](https://aka.ms/IntuneCustomerSuccess)
- [Staying up to date on Intune new features, service changes, and service health](https://aka.ms/MEMServiceChangeBlog)
- [Tips and tricks for managing Intune](https://aka.ms/mem-tipsandtricks-blog)
+> [!NOTE]
+> Monitor Intune service health in the [Microsoft 365 admin center](https://admin.microsoft.com) under **Service Health**.
+
+## Advance notice for service changes
+
+| Type of change | Notice |
+|---|---|
+| End-user experience changes | 7–30 days |
+| **Plan for Change** notices that require admin action | About 30 days, with an **Act By** date when applicable |
+| Deprecations | Up to 90 days where possible (less when a third party announces the change) |
+| Service retirement | 12 months |
+
+For post-incident actions, Microsoft emails service administrators using the email address in your [Microsoft 365 communication preferences](/microsoft-365/admin/manage/change-address-contact-and-more).
+
## Privacy and personal data in Intune
You should understand how Intune collects, stores, retains, processes, secures, shares, audits, and exports personal data. Microsoft Intune doesn't use any personal data collected as part of providing the service for profiling, advertising, or marketing purposes.
@@ -79,3 +96,4 @@ The following resources can help you understand privacy and personal data in Int
- [Get started with Microsoft Intune](get-started.md)
- [Planning guide to move to Microsoft Intune](planning-guide.md)
- [Staying up to date on Intune new features, service changes, and service health](https://aka.ms/Intune/ServiceChangeBlog) *- Blog*
+- [Service information for Microsoft Intune release updates](servicing-information.md)
diff --git a/intune/fundamentals/setup-mdm-authority.md b/intune/fundamentals/setup-mdm-authority.md
index c3654a11636..47721d8e7f5 100644
--- a/intune/fundamentals/setup-mdm-authority.md
+++ b/intune/fundamentals/setup-mdm-authority.md
@@ -78,7 +78,7 @@ There are three major steps to enable coexistence:
Before enabling coexistence with Basic Mobility and Security, consider the following points:
-- Make sure you have sufficient [Intune licenses](./licensing/index.md) for the users you intend to manage through Intune.
+- Make sure you have sufficient [Intune licenses](./licensing.md) for the users you intend to manage through Intune.
- Review which users are assigned Intune licenses. After you enable coexistence, any user already assigned an Intune license will have their devices switch to Intune. To avoid unexpected device switches, we recommend not assigning any Intune licenses until you've enabled coexistence.
- Create and deploy Intune policies to replace device security policies that were originally deployed through the Office 365 Security & Compliance portal. This replacement should be done for any users you expect to move from Basic Mobility and Security to Intune. If there are no Intune policies assigned to those users, enabling coexistence may cause them to lose Basic Mobility and Security settings. These settings are lost without replacement, like managed email profiles. Even when replacing device security policies with Intune policies, users may be prompted to re-authenticate their email profiles after the device is moved to Intune management.
- You can't unprovision Basic Mobility and Security after you've set it up. However, there are steps you can take to turn off the policies. For more information, see [Turn off Basic Mobility and Security](/microsoft-365/admin/basic-mobility-security/turn-off).
diff --git a/intune/fundamentals/setup-migration.md b/intune/fundamentals/setup-migration.md
index 02ec0606668..ca7aad78c1b 100644
--- a/intune/fundamentals/setup-migration.md
+++ b/intune/fundamentals/setup-migration.md
@@ -26,9 +26,7 @@ Use this guide to determine the best migration approach, and get some guidance &
> [!TIP]
>
-> - [!INCLUDE [tips-guidance-plan-deploy-guides](../device-enrollment/includes/tips-guidance-plan-deploy-guides.md)]
->
-> - As a companion to this article, the Microsoft 365 admin center also has some setup guidance. The guide customizes your experience based on your environment. To access this deployment guide, go to the [Microsoft Intune setup guide in the Microsoft 365 admin center](https://go.microsoft.com/fwlink/?linkid=2224812), and sign in with the **Global Reader** (at a minimum). For more information on these deployment guides and the roles needed, go to [Advanced deployment guides for Microsoft 365 and Office 365 products](/microsoft-365/enterprise/setup-guides-for-microsoft-365).
+> As a companion to this article, the Microsoft 365 admin center also has some setup guidance. The guide customizes your experience based on your environment. To access this deployment guide, go to the [Microsoft Intune setup guide in the Microsoft 365 admin center](https://go.microsoft.com/fwlink/?linkid=2224812), and sign in with the **Global Reader** (at a minimum). For more information on these deployment guides and the roles needed, go to [Advanced deployment guides for Microsoft 365 and Office 365 products](/microsoft-365/enterprise/setup-guides-for-microsoft-365).
## Before you begin
diff --git a/intune/fundamentals/tenant-administration/add-groups.md b/intune/fundamentals/tenant-administration/add-groups.md
index 0a38dc046a7..7cefa72f129 100644
--- a/intune/fundamentals/tenant-administration/add-groups.md
+++ b/intune/fundamentals/tenant-administration/add-groups.md
@@ -148,5 +148,5 @@ Use the following steps to delete an existing group:
## Related content
-- [Assign users licenses to Intune](../licensing/assign-licenses.md)
+- [Assign users licenses to Intune](../assign-licenses.md)
- [Assign Microsoft Intune roles to groups of users for role-based access control](../role-based-access-control/assign-role.md)
\ No newline at end of file
diff --git a/intune/fundamentals/tenant-administration/add-users.md b/intune/fundamentals/tenant-administration/add-users.md
index 849c6721a96..2f9e3de79cd 100644
--- a/intune/fundamentals/tenant-administration/add-users.md
+++ b/intune/fundamentals/tenant-administration/add-users.md
@@ -16,7 +16,7 @@ Microsoft Entra ID, part of Microsoft Entra, is the identity service for Microso
Intune also supports use of user accounts that synchronize from Active Directory to any cloud-based service that shares the tenant with Intune and your Entra tenant.
-After a user is added or synchronized to Entra and [assigned a license to Intune](../licensing/assign-licenses.md), that user can enroll devices with Intune and begin to access company resources. Intune administrators can also [assign Intune RBAC roles](../role-based-access-control/assign-role.md) and permissions to discreet groups of users to enable those users to help administer your Intune subscription.
+After a user is added or synchronized to Entra and [assigned a license to Intune](../assign-licenses.md), that user can enroll devices with Intune and begin to access company resources. Intune administrators can also [assign Intune RBAC roles](../role-based-access-control/assign-role.md) and permissions to discreet groups of users to enable those users to help administer your Intune subscription.
The remainder of this article focuses on using the Intune admin center to manage user accounts.
@@ -34,7 +34,7 @@ The following Microsoft Entra built-in RBAC role is the least privileged built-i
- [**User Administrator**](/entra/identity/role-based-access-control/permissions-reference#user-administrator) – This role provides permissions sufficient to add and edit user accounts from within the admin centers for Microsoft Intune, Microsoft Entra, and Microsoft 365.
> [!TIP]
-> The Microsoft Entra *User Administrator* role also provides sufficient permissions to assign licenses to Intune and other products to users. However, license management is a task that can only be managed when using the Microsoft 365 admin center. For more information, see [Assign Intune licenses to users](../licensing/assign-licenses.md).
+> The Microsoft Entra *User Administrator* role also provides sufficient permissions to assign licenses to Intune and other products to users. However, license management is a task that can only be managed when using the Microsoft 365 admin center. For more information, see [Assign Intune licenses to users](../assign-licenses.md).
## Add users to Intune
@@ -165,4 +165,4 @@ To delete users from Entra, your administrative account must have permissions eq
## Related content
- [Add groups to organize users and devices](../tenant-administration/add-groups.md)
-- [Assign users licenses to Intune](../licensing/assign-licenses.md)
+- [Assign users licenses to Intune](../assign-licenses.md)
diff --git a/intune/fundamentals/tenant-administration/identities.md b/intune/fundamentals/tenant-administration/identities.md
deleted file mode 100644
index fd5857760a2..00000000000
--- a/intune/fundamentals/tenant-administration/identities.md
+++ /dev/null
@@ -1,147 +0,0 @@
----
-title: Manage and secure user and group identities overview
-description: Get an overview of the concepts and features you should know when managing identities in Microsoft Intune. Use existing users and groups, control access using RBAC, establish user affinity, and secure and authenticate users.
-author: MandiOhlinger
-ms.author: mandia
-ms.date: 02/19/2025
-ms.topic: article
-ms.collection:
-- M365-identity-device-management
----
-
-# Learn about managing user and group identities in Microsoft Intune
-
-Managing and protecting user identities is a significant part of any endpoint management strategy and solution. Identity management includes the user accounts and groups that access your organization resources.
-
-:::image type="content" source="./media/identities/identities-different-user-types.png" alt-text="Diagram that shows adding users to the Microsoft Intune admin center and assigning policies to different user and device types in Microsoft Intune." lightbox="./media/identities/identities-different-user-types.png":::
-
-Admins have to manage account membership, authorize and authenticate access to resources, manage settings that affect user identities, and secure & protect the identities from malicious intent.
-
-Microsoft Intune can do all these tasks, and more. [Intune is a cloud-based service](../what-is-intune.md) that can manage user identities through policy, including security and authentication policies.
-
-From a service perspective, Intune uses Microsoft Entra ID for identity storage and permissions. Using the [Microsoft Intune admin center](../tutorial-admin-center-walkthrough.md), you can manage these tasks in a central location designed for endpoint management.
-
-This article discusses concepts and features you should consider when managing your identities.
-
-> [!IMPORTANT]
-> [!INCLUDE [windows-10-support](../../includes/windows-10-support.md)]
-
-## Use your existing users and groups
-
-A large part of managing endpoints is managing users and groups. If you have existing users and groups or will create new users and groups, Intune can help.
-
-In on-premises environments, user accounts and groups are created and managed in on-premises Active Directory. You can update these users and groups using any domain controller in the domain.
-
-It's a similar concept in Intune.
-
-The Intune admin center includes a central location to manage users and groups. The admin center is web-based and can be accessed from any device that has an internet connection. Admins just need to sign into the admin center with their Intune administrator account.
-
-An important decision is to determine how to get the user accounts and groups into Intune. Your options:
-
-- If you **currently use Microsoft 365** and have your users and groups in the Microsoft 365 admin center, then these users and groups are also available in the Intune admin center.
-
- Microsoft Entra ID and Intune use a **tenant**, which is your organization, like Contoso or Microsoft. If you have multiple tenants, sign into the Intune admin center in the same Microsoft 365 tenant as your existing users and groups. Your users and groups are automatically shown and available.
-
- For more information on what a tenant is, go to [Quickstart: Set up a tenant](/azure/active-directory/develop/quickstart-create-new-tenant).
-
-- If you **currently use on-premises Active Directory**, then you can use Microsoft Entra Connect to synchronize your on-premises AD accounts to Microsoft Entra ID. When these accounts are in Microsoft Entra ID, then they're also available in the Intune admin center.
-
- For more specific information, go to [What is Microsoft Entra Connect Sync?](/azure/active-directory/hybrid/how-to-connect-sync-whatis).
-
-- You can also **import existing users and groups** from a CSV file into the Intune admin center, or create the users and groups from scratch. When adding groups, you can add users and devices to these groups to organize them by location, department, hardware, and more.
-
- For more information on group management in Intune, go to [Add groups to organize users and devices](add-groups.md).
-
-By default, Intune automatically creates the **All users** and **All devices** groups. When your users and groups are available to Intune, then you can assign your policies to these users and groups.
-
-### Move from machine accounts
-
-When a Windows endpoint, like a Windows device, joins an on-premises Active Directory (AD) domain, a computer account is automatically created. The computer/machine account can be used to authenticate on-premises programs, services, and apps.
-
-These machine accounts are local to the on-premises environment and can't be used on devices that are joined to Microsoft Entra ID. In this situation, you need to switch to user-based authentication to authenticate to on-premises programs, services, and apps.
-
-For more information and guidance, go to [Known issues and limitations with cloud-native endpoints](../../solutions/cloud-native-endpoints/troubleshoot.md).
-
-## Roles and permissions control access
-
-For the different admin-type of tasks, Intune uses role-based access control (RBAC). The roles you assign determine the resources an admin can access in the Intune admin center, and what they can do with those resources. There are some built-in roles that focus on endpoint management, like Application Manager, and Policy and Profile Manager.
-
-Since Intune uses Microsoft Entra ID, you also have access to the built-in Microsoft Entra roles, like the Intune Service Administrator.
-
-Each role has its own create, read, update, or delete permissions as needed. You can also create custom roles if your admins need a specific permission. When you add or create your administrator-type of users and groups, you can assign these accounts to the different roles. The Intune admin center has this information in a central location and can be easily updated.
-
-For more information, go to [Role-based access control (RBAC) with Microsoft Intune](../role-based-access-control/overview.md)
-
-## Create user affinity when devices enroll
-
-When users sign into their devices the first time, the device becomes associated with that user. This feature is called **user affinity**.
-
-Any policies assigned or deployed to the user identity go with the user to all of their devices. When a user is associated with the device, they can access their email accounts, their files, their apps, and more.
-
-When you don't associate a user with a device, then the device is considered user-less. This scenario is common for kiosks devices dedicated to a specific task, and devices that are shared with multiple users.
-
-In Intune, you can create policies for both scenarios on Android, iOS/iPadOS, macOS, and Windows. When getting ready to manage these devices, be sure you know the intended purpose of the device. This information helps in the decision making process when devices are being enrolled.
-
-For more specific information, go to the enrollment guides for your platforms:
-
-- [Enrollment guide: Enroll Android devices in Microsoft Intune](../../device-enrollment/android/guide.md)
-- [Enrollment guide: Enroll iOS and iPadOS devices in Microsoft Intune](../../device-enrollment/apple/guide-ios-ipados.md)
-- [Enrollment guide: Enroll Linux desktop devices in Microsoft Intune](../../device-enrollment/guide-linux.md)
-- [Enrollment guide: Enroll macOS devices in Microsoft Intune](../../device-enrollment/apple/guide-macos.md)
-- [Enrollment guide: Enroll Windows devices in Microsoft Intune](../../device-enrollment/windows/guide.md)
-
-## Assign policies to users and groups
-
-On-premises, you work with domain accounts and local accounts, and then deploy group policies and permissions to these accounts at the local, site, domain, or OU level (LSDOU). An OU policy overwrites a domain policy, a domain policy overwrites a site policy, and so on.
-
-Intune is cloud-based. Policies created in Intune include settings that control device features, security rules, and more. These policies are assigned to your users and groups. There isn't a traditional hierarchy like LSDOU.
-
-The settings catalog in Intune includes thousands of settings to manage iOS/iPadOS, macOS, and Windows devices. If you currently use on-premises Group Policy Objects (GPOs), then using the settings catalog is a natural transition to cloud-based policies.
-
-For more information on policies in Intune, go to:
-
-- [Use the settings catalog to configure settings on Windows, iOS/iPadOS, and macOS devices](../../device-configuration/settings-catalog/index.md)
-- [Common questions and answers with device policies and profiles in Microsoft Intune](../../device-configuration/troubleshoot-device-profiles.md)
-
-## Secure your user identities
-
-Your user and group accounts access organization resources. You need to keep these identities secure and prevent malicious access to the identities. Here are some things to consider:
-
-- **Windows Hello for Business** replaces username and password sign-in and is part of a password-less strategy.
-
- Passwords are entered on a device and then transmitted over the network to the server. They can be intercepted and used by anyone and anywhere. A server breach can reveal stored credentials.
-
- With Windows Hello for Business, users sign in and authenticate with a PIN or biometric, like facial and fingerprint recognition. This information is stored locally on the device and isn't sent to external devices or servers.
-
- When Windows Hello for Business is deployed to your environment, you can use Intune to create Windows Hello for Business policies for your devices. These policies can configure PIN settings, allowing biometric authentication, use security keys, and more.
-
- For more information, go to:
-
- - [Windows Hello for Business Overview](/windows/security/identity-protection/hello-for-business/hello-overview)
- - [Manage Windows Hello for Business on devices when devices enroll with Intune](../../device-security/identity-protection/configure-tenant-wide-policy.md)
-
- To manage Windows Hello for Business, you use one of the following options:
-
- - [During device enrollment](../../device-security/identity-protection/configure-tenant-wide-policy.md): Configure tenant-wide policy that applies Windows Hello settings to devices at the time the device enrolls with Intune.
- - [Security baselines](../../device-security/security-baselines/overview.md): Some settings for Windows Hello can be managed through Intune's security baselines, like the **Microsoft Defender for Endpoint security** or **Security Baseline for Windows 10 and later** baselines.
- - [Settings catalog](../../device-configuration/settings-catalog/index.md): The settings from endpoint security account protection profiles are available in the Intune settings catalog.
-
-- **Certificate-based authentication** is also a part of a password-less strategy. You can use certificates to authenticate your users to applications and organization resources through a VPN, a Wi-Fi connection, or email profiles. With certificates, users don't need to enter usernames and passwords, and certificates can make access to these resources easier.
-
- For more information, go to [Use certificates for authentication in Microsoft Intune](../../fundamentals/certificates/overview.md).
-
-- **Multifactor authentication (MFA)** is a feature available with Microsoft Entra ID. For users to successfully authenticate, at least two different verification methods are required. When MFA is deployed to your environment, you can also require MFA when devices are enrolling into Intune.
-
- For more information, go to:
-
- - [Plan a Microsoft Entra multifactor authentication deployment](/azure/active-directory/authentication/howto-mfa-getstarted)
- - [Require multifactor authentication for Intune device enrollments](../../device-enrollment/configure-multifactor-authentication.md)
-
-- **Zero Trust** verifies all endpoints, including devices and apps. The idea is to help keep organization data in the organization, and prevent data leaks from accidental or malicious intent. It includes different feature areas, including Windows Hello for Business, using MFA, and more.
-
- For more information, see [Zero Trust with Microsoft Intune](../zero-trust.md).
-
-## Related articles
-
-- [Learn about managing devices in Intune](../manage-devices.md)
-- [Learn about managing apps in Intune](../manage-apps.md)
diff --git a/intune/fundamentals/tenant-administration/media/identities/identities-different-user-types.png b/intune/fundamentals/tenant-administration/media/identities/identities-different-user-types.png
deleted file mode 100644
index d9daf7a04b3..00000000000
Binary files a/intune/fundamentals/tenant-administration/media/identities/identities-different-user-types.png and /dev/null differ
diff --git a/intune/fundamentals/toc.yml b/intune/fundamentals/toc.yml
index dfccefad22f..00fda548088 100644
--- a/intune/fundamentals/toc.yml
+++ b/intune/fundamentals/toc.yml
@@ -5,28 +5,21 @@ items:
- name: What is Microsoft Intune
displayName: what is intune, mdm, mam, android, ios, ipados, macos, windows
href: ./what-is-intune.md
- - name: What is device management?
- href: ./what-is-device-management.md
- - name: Service description
- href: ./service-description.md
+ - name: Core concepts
+ href: ./core-concepts.md
+ displayName: identities, devices, apps, pillars, user affinity, RBAC, scope tags, MDM, MAM, MAM-WE, BYOD, app lifecycle, device groups, conditional access, zero trust
- name: Architecture
href: ./architecture.md
- displayName: architecture, diagram, components, design, svg, family, products,
- suite, on-premises, tunnel
- - name: Manage and secure identities
- displayName: what is intune, mdm, mam, android, ios, ipados, macos, windows
- href: ./tenant-administration/identities.md
- - name: Manage and secure devices
- displayName: what is intune, mdm, mam, android, ios, ipados, macos, windows
- href: ./manage-devices.md
- - name: Manage apps and protect data
- displayName: what is intune, mdm, mam, android, ios, ipados, macos, windows
- href: ./manage-apps.md
- - name: Endpoint management at Microsoft
- href: ./endpoint-management.md
- - name: Intune Suite add-ons
- href: ./add-ons.md
- displayName: intune suite, add-ons, premium
+ displayName: architecture, diagram, components, design, family, products,
+ suite, on-premises
+ - name: Intune advanced capabilities
+ href: ./advanced-capabilities.md
+ displayName: plans, intune suite, add-ons, premium, trial,
+ service description, advanced capabilities
+ - name: Microsoft Intune licensing
+ href: ./licensing.md
+ displayName: licensing, plans, pricing, EMS, education, configuration manager,
+ device-only, unlicensed admins, confirm license, language support
- name: Evaluate and try
items:
@@ -187,8 +180,8 @@ items:
href: ./tenant-administration/add-users.md
- name: Add groups
href: ./tenant-administration/add-groups.md
- - name: Manage Intune licenses
- href: ./licensing/toc.yml
+ - name: Assign licenses
+ href: ./assign-licenses.md
- name: Set the MDM authority
href: ./setup-mdm-authority.md
diff --git a/intune/fundamentals/tutorial-admin-center-walkthrough.md b/intune/fundamentals/tutorial-admin-center-walkthrough.md
index 6fab9e9deaf..dd5bbf5a483 100644
--- a/intune/fundamentals/tutorial-admin-center-walkthrough.md
+++ b/intune/fundamentals/tutorial-admin-center-walkthrough.md
@@ -31,13 +31,6 @@ Before setting up Microsoft Intune, review the following requirements:
- [Supported operating systems and browsers](ref-supported-platforms.md)
- [Network endpoints for Microsoft Intune](endpoints.md)
-## Sign up for a Microsoft Intune free trial
-
-Trying out Intune is free for 30 days. If you already have a work or school account, **sign in** with that account and add Intune to your subscription. Otherwise, you can [sign up for a free trial account](free-trial-sign-up.md) to use Intune for your organization.
-
-> [!IMPORTANT]
-> You can't combine an existing work or school account after you sign up for a new account.
-
## Tour Microsoft Intune in the Microsoft Intune admin center
Follow the steps below to better understand Intune in the Microsoft Intune admin center. Once you complete the tour, you'll have a better understanding of some of the major areas of Intune.
@@ -56,7 +49,7 @@ Follow the steps below to better understand Intune in the Microsoft Intune admin
Intune lets you manage your workforce's devices and apps, including how they access your company data. To use this mobile device management (MDM) service, the devices must first be enrolled in Intune. When a device is enrolled, it is issued an MDM certificate. This certificate is used to communicate with the Intune service.
- There are several methods to enroll your workforce's devices into Intune. Each method depends on the device's ownership (personal or corporate), device type (iOS/iPadOS, Windows, Android), and management requirements (resets, affinity, locking). However, before you can enable device enrollment, you must set up your Intune infrastructure. In particular, device enrollment requires that you [set your MDM authority](setup-mdm-authority.md). For more information about getting your Intune environment (tenant) ready, see [Set up Intune](deploy-setup-step-1.md). Once you have your Intune tenant ready, you can enroll devices. For more information about device enrollment, see [What is device enrollment?](/intune/device-enrollment/guide)
+ There are several methods to enroll your workforce's devices into Intune. Each method depends on the device's ownership (personal or corporate), platform (iOS/iPadOS, Windows, Android), and management requirements (resets, affinity, locking). However, before you can enable device enrollment, you must set up your Intune infrastructure. In particular, device enrollment requires that you [set your MDM authority](setup-mdm-authority.md). For more information about getting your Intune environment (tenant) ready, see [Set up Intune](deploy-setup-step-1.md). Once you have your Intune tenant ready, you can enroll devices. For more information about device enrollment, see [Enroll devices in Microsoft Intune](../device-enrollment/enroll-devices.md).
3. From the navigation pane, select **Devices** to display details about the enrolled devices in your Intune tenant.
@@ -230,9 +223,13 @@ The Microsoft Intune portal settings can be modified. On the **Microsoft Intune
:::image type="content" alt-text="Screenshot of the Microsoft Intune admin center - Portal settings." source="./media/tutorial-admin-center-walkthrough/tutorial-walkthrough-mem-17.png" lightbox="./media/tutorial-admin-center-walkthrough/tutorial-walkthrough-mem-17.png":::
+### Available languages
+
+The Microsoft Intune admin center and the user-facing mobile experiences are available in: Chinese (Simplified), Chinese (Traditional), Czech, Danish, Dutch, English, Finnish, French, German, Greek, Hungarian, Indonesian, Italian, Japanese, Korean, Norwegian, Polish, Portuguese (Brazil), Portuguese (Portugal), Romanian, Russian, Spanish, Swedish, and Turkish.
+
## Next steps
-To get running quickly on Microsoft Intune, step through the Intune Quickstarts by first setting up a free Intune account.
+After exploring the admin center, try the step-by-step Intune tasks to enroll a device, deploy a configuration profile, and assign an app.
> [!div class="nextstepaction"]
-> [Quickstart: Try Microsoft Intune for free](free-trial-sign-up.md)
+> [Try Intune tasks](try-overview.md)
diff --git a/intune/fundamentals/use-docs.md b/intune/fundamentals/use-docs.md
index 83b9cc056e6..a3f29570d3f 100644
--- a/intune/fundamentals/use-docs.md
+++ b/intune/fundamentals/use-docs.md
@@ -48,11 +48,11 @@ Use the following search tips to help you find the information that you need:
- **Search** in the upper right corner. To search all articles, enter terms in this field. Articles in this content library automatically include one of the following search scopes: `ConfigMgr`, `Intune`, or `Autopilot`.
- :::image type="content" source="media/docs-search-field.png" alt-text="Docs search field in header.":::
+ :::image type="content" source="media/use-docs/docs-search-field.png" alt-text="Docs search field in header.":::
- **Filter by title** above the left table of contents. To search the current table of contents, enter terms in this field. This field only matches terms that appear in the article titles for the current node. For example, **Configuration Manager Core Infrastructure** (`learn.microsoft.com/mem/configmgr/core`) or **Intune Apps** (`https://learn.microsoft.com/mem/intune/apps/`). The last item in the search results gives you the option to search for the terms in the entire content library.
- :::image type="content" source="media/docs-filter-toc.gif" alt-text="Animation of using the table of contents filter.":::
+ :::image type="content" source="media/use-docs/docs-filter-toc.gif" alt-text="Animation of using the table of contents filter.":::
Having problems finding something? [File feedback!](#about-feedback) When you file an issue about search results, provide the search engine you're using, the keywords you tried, and the target article. This feedback helps Microsoft optimize the content for better search.
@@ -79,7 +79,7 @@ With many modern web browsers, you can create a custom search engine. Use this f
>
> The Microsoft technical documentation search engine requires a locale in the address. For example, `en-us`. You can change your entry to use a different locale.
- :::image type="content" source="media/docs-search-engine.png" alt-text="Add to Microsoft Edge a custom search engine for Microsoft technical documentation.":::
+ :::image type="content" source="media/use-docs/docs-search-engine.png" alt-text="Add to Microsoft Edge a custom search engine for Microsoft technical documentation.":::
After you add this search engine, type your keyword in the browser address bar, press `Tab`, then type your search terms, and press `Enter`. It will automatically search Microsoft technical documentation for your specified terms using the defined scope.
@@ -87,7 +87,7 @@ After you add this search engine, type your keyword in the browser address bar,
Select the **Feedback** link in the upper right of any article or go to the Feedback section at the bottom.
-:::image type="content" source="media/docs-feedback.png" alt-text="Screenshot of the feedback section of a Microsoft Learn article.":::
+:::image type="content" source="media/use-docs/docs-feedback.png" alt-text="Screenshot of the feedback section of a Microsoft Learn article.":::
### Types of feedback
@@ -122,7 +122,7 @@ To receive notifications when content changes in the documentation library, use
1. At the bottom of the list of results, select the **RSS** link.
- :::image type="content" source="media/docs-search-rss.png" alt-text="Screenshot of search results and RSS link.":::
+ :::image type="content" source="media/use-docs/docs-search-rss.png" alt-text="Screenshot of search results and RSS link.":::
1. Use this feed in an RSS application to receive notifications when there's a change to any of the search results. Refer to the RSS application's documentation on how to configure and tune it.
@@ -141,7 +141,7 @@ The Microsoft Intune product family documentation library, like most Microsoft t
1. To edit the source file, select the pencil icon.
- :::image type="content" source="media/docs-github-edit.png" alt-text="Screenshot of GitHub source file header.":::
+ :::image type="content" source="media/use-docs/docs-github-edit.png" alt-text="Screenshot of GitHub source file header.":::
1. Make changes in the markdown source. For more information, see [How to use Markdown in Microsoft Learn articles](/contribute/markdown-reference).
diff --git a/intune/fundamentals/what-is-device-management.md b/intune/fundamentals/what-is-device-management.md
deleted file mode 100644
index 9d645f6ddb4..00000000000
--- a/intune/fundamentals/what-is-device-management.md
+++ /dev/null
@@ -1,90 +0,0 @@
----
-title: What is device management?
-description: Learn more about what device management means and how it can help organizations, including Microsoft 365 small & medium business, and enterprise. See a list of features and benefits, including mobile device management (MDM) and mobile application management (MAM), and learn about Microsoft Intune.
-author: MandiOhlinger
-ms.author: mandia
-ms.date: 02/26/2025
-ms.topic: overview
-ms.reviewer: davguy
-ms.collection:
-- M365-identity-device-management
----
-
-# What does device management mean for organizations?
-
-**Device management** enables organizations to administer and maintain devices, including virtual machines, physical computers, mobile devices, and IoT devices. Device management is a critical component of any organization's security strategy. It helps admins ensure that devices are secure, up-to-date, and compliant with organizational policies, with the goal of protecting the corporate network and data from unauthorized access.
-
-As organizations support remote and hybrid workforces, it's more important than ever to have a solid device management strategy. Organizations must protect and secure their resources and data on any device.
-
-:::image type="content" source="./media/what-is-device-management/device-management-features-mdm-mam.png" alt-text="Diagram that shows the features and benefits of modern device management using MDM and MAM with Microsoft Intune." lightbox="./media/what-is-device-management/device-management-features-mdm-mam.png":::
-
-This article describes the features and benefits of device management, and how it can help organizations, including Microsoft 365 small & medium business, and enterprise. It also describes the different approaches to device management, including mobile device management (MDM) and mobile application management (MAM), and how Microsoft Intune can help.
-
-## Features and benefits
-
-Device management solutions have the following features and benefits:
-
-> [!div class="checklist"]
->
-> * The toolset to manage devices, including the ability to deploy and update software, configure settings, enforce policies, and monitor with data and reports
-> * The ability to administer and manage virtual and physical devices, regardless of their physical location
-> * Maintain a network of devices running common operating systems, including Windows, macOS, iOS/iPadOS, Linux, and Android
-> * Automate policy management and deployment for apps, device features, security, and compliance
-> * Optimize device features for business use
-> * Provide a single point of management for devices, including the ability to manage devices from a central console
-> * Secure and protect data on devices, including safeguards and measures to prevent unauthorized access
-
-With device management solutions, organizations can make sure that only authorized people and devices get access to proprietary information. Similarly, device users can feel at ease accessing work data from their phone, because they know their device meets their organization's security requirements.
-
-As an organization, you might ask - **What should we use to protect our resources?**.
-
-## Microsoft Intune is a world class device management solution
-
-Many organizations, including Microsoft, use Intune to secure proprietary data that users access from their company-owned and personally-owned devices. Intune includes device and app policies, software update policies, and installation statuses (charts, tables, and reports). These resources help you secure and monitor data access.
-
-With Intune, you can manage multiple devices per person, and the different platforms that run on each device, including Android, iOS/iPadOS, Linux, macOS, and Windows. Intune separates policies and settings by device platform. So it's easy to manage and view devices of a specific platform.
-
-For more information about Intune and its benefits, go to:
-
-- [Microsoft Intune planning guide](planning-guide.md)
-- [What is Intune?](what-is-intune.md)
-- [Get started with Microsoft Intune](get-started.md)
-
-### Cloud attach your on-premises Configuration Manager
-
-Many organizations use on-premises Configuration Manager to manage devices, including desktops and servers. You can cloud-attach your on-premises Configuration Manager to Microsoft Intune. When you cloud-attach, you get the benefits of Intune and the cloud, including [Conditional Access](../configmgr/comanage/quickstart-conditional-access.md), [running remote actions](../configmgr/comanage/quickstart-remote-actions.md), [using Windows Autopilot](../configmgr/comanage/quickstart-autopilot.md), and more.
-
-For more information, go to:
-
-- [What is co-management](../configmgr/comanage/overview.md)
-- [Configuration Manager tenant attach](../configmgr/tenant-attach/device-sync-actions.md)
-
-## Choose the device management solution that's right for you
-
-There are a couple of ways to approach device management.
-
-✅ **Mobile device management (MDM)**
-
-First, you can manage different aspects of devices using the features built in to Intune. This approach is called mobile device management (MDM).
-
-Users "enroll" their devices, and use certificates to communicate with Intune. As an IT administrator, you push apps on devices, restrict devices to a specific operating system, block personal devices, and more. If a device is ever lost or stolen, you can also remove all data from the device.
-
-✅ **Mobile application management (MAM)**
-
-In the second approach, you manage apps on devices. This approach is called mobile application management (MAM).
-
-Users can use their personal devices to access organizational resources. When users open an app, such as Outlook or Teams, they can be prompted to authenticate. If a device is ever lost or stolen, you can remove all organization data from the Intune managed applications.
-
-You can also use a combination of MDM and MAM together.
-
-For more information, go to:
-
-- [What is Intune?](what-is-intune.md)
-- [Microsoft Intune planning guide](planning-guide.md)
-
-## Related articles
-
-- [Microsoft Intune planning guide](planning-guide.md)
-- [Manage user and group identities in Microsoft Intune](tenant-administration/identities.md)
-- [Manage your devices and control device features in Microsoft Intune](manage-devices.md)
-- [Manage your apps and app data in Microsoft Intune](manage-apps.md)
diff --git a/intune/fundamentals/what-is-intune.md b/intune/fundamentals/what-is-intune.md
index b6090e9f50c..3b179a0406a 100644
--- a/intune/fundamentals/what-is-intune.md
+++ b/intune/fundamentals/what-is-intune.md
@@ -1,323 +1,77 @@
---
-title: What is Microsoft Intune
-description: Microsoft Intune manages users and devices, simplifies app management and automated policy deployment, and integrates with mobile threat defense. It connects to Managed Google Play, Apple tokens and certificates, and Teamviewer for remote assistance. Can use MDM or MAM to protect data, configure devices, and simplify access to company resources.
-author: MandiOhlinger
-ms.author: mandia
-ms.date: 04/30/2025
+title: What is Microsoft Intune?
+description: Microsoft Intune is a cloud-based endpoint management service that secures and manages devices and apps. Learn what it does and how it works.
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/06/2026
ms.topic: overview
-ms.reviewer: davguy
-ms.collection:
-- essentials-overview
-- M365-identity-device-management
---
-# Microsoft Intune securely manages identities, manages apps, and manages devices
+# What is Microsoft Intune?
-As organizations support hybrid and remote workforces, they're challenged with managing the different devices that access organization resources. Employees and students need to collaborate, work from anywhere, and securely access and connect to these resources. Admins need to protect organization data, manage end user access, and support users from wherever they work.
+Microsoft Intune is a cloud-based endpoint management service that secures and manages your organization's devices and apps. Use Intune to enroll, configure, secure, and update devices, deploy and protect apps, and control which users and devices can access organization resources.
-✅ To help with these challenges and tasks, use Microsoft Intune.
+Supported platforms include Android, iOS/iPadOS, Linux, macOS, tvOS, visionOS, and Windows. The service runs entirely in the cloud, with no on-premises infrastructure required, and supports the [Zero Trust security model](zero-trust.md).
-Microsoft Intune is a **cloud-based endpoint management solution**. It manages user access to organizational resources and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints.
+## What Intune does
-:::image type="content" source="./media/what-is-intune/what-is-intune.png" alt-text="Diagram that shows features and benefits of Microsoft Intune.":::
+Intune covers the full lifecycle of a managed device and the apps that run on it: enrolling devices, configuring settings, securing endpoints, deploying and protecting apps, and keeping everything up to date. You manage all of it from the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), a web-based console. Every admin center action is backed by a [Microsoft Graph API](/graph/intune-concept-overview) call, so you can automate the same operations through a public programming interface.
-You can protect access and data on organization-owned and users personal devices. And, Intune has compliance and reporting features that support the [Zero Trust security model](zero-trust.md).
+Intune is built around three pillars: the **identities** that sign in, the **devices** they sign in from, and the **apps** they use to get work done. Identity runs on Microsoft Entra ID. Device and app posture flow back to Microsoft Entra Conditional Access, which gates access to corporate resources based on real, up-to-date signals.
-> [!VIDEO https://learn-video.azurefd.net/vod/player?id=dbd45acc-fa88-41aa-a9ac-7a751378d603]
+For a deeper walkthrough of how the pillars fit together, see [Microsoft Intune core concepts](core-concepts.md). For a guided tour of the admin center, see [Walkthrough: Microsoft Intune admin center](tutorial-admin-center-walkthrough.md).
-This article lists some features and benefits of Microsoft Intune.
+:::image type="content" source="./media/shared/intune-overview.png" alt-text="Diagram showing Microsoft Intune managing identities, devices, and apps, with signals from Endpoint security in Microsoft Defender. Intune is extended by advanced capabilities, automated by Copilot, and uses Microsoft Entra ID for Conditional Access to corporate resources." lightbox="./media/shared/intune-overview.png" border="false":::
-> [!TIP]
->
-> - To get Intune, go to [Licenses available for Microsoft Intune](./licensing/index.md) and [Intune 30-day trial](free-trial-sign-up.md).
-> - For more information on the Intune licensing plans, go to [Microsoft Intune capabilities and plans](https://www.microsoft.com/security/business/endpoint-management/microsoft-intune).
-> - For information on what it means to be cloud-native, go to [Learn more about cloud-native endpoints](../solutions/cloud-native-endpoints/overview.md).
+## How Intune is used: MDM, MAM, or both
-## Key features and benefits
+Intune supports two management modes that you can use independently or together.
-Some key features and benefits of Intune include:
+- **Mobile device management (MDM)**: Devices are enrolled, either by a user through the Company Portal or automatically through Windows Autopilot, Apple Automated Device Enrollment, or Android Enterprise. Intune then manages the whole device, including settings, security, and apps. If a device is lost or stolen, you can wipe it.
+- **Mobile application management (MAM)**: Intune manages only the work apps and the data inside them, not the rest of the device. MAM is typical for personal devices in bring-your-own-device (BYOD) scenarios, but it also runs alongside MDM on corporate-owned devices. The user keeps control of personal apps and content, while you protect the data inside Outlook, Microsoft Teams, and other managed apps. When the user leaves, you can selectively wipe organization data without touching personal content.
-✅ **Manage users and devices**
+You can combine the two. For example, an enrolled corporate phone (MDM) can also have app protection policies (MAM) on apps that handle especially sensitive data.
-With Intune, you can manage devices owned by your organization and devices owned by your end users. Microsoft Intune supports Android, Android Open Source Project (AOSP), iOS/iPadOS, Linux Ubuntu Desktop, macOS, and Windows client devices. With Intune, you can use these devices to securely access organization resources with policies you create.
+For details, see [Device enrollment in Microsoft Intune](../device-enrollment/guide.md) and [App protection policies overview](../app-management/protection/overview.md).
-For more information, go to:
+## How Intune works with Microsoft Entra
-- [Manage identities using Microsoft Intune](tenant-administration/identities.md)
-- [Manage devices using Microsoft Intune](manage-devices.md)
-- [Supported operating systems in Microsoft Intune](ref-supported-platforms.md)
+Intune doesn't store user identities or perform authentication. It relies on **Microsoft Entra ID** for three things:
-> [!NOTE]
-> If you manage on-premises Windows Server, you can use Configuration Manager.
+- **Authentication**: Users sign in to managed devices using Entra credentials, with single sign-on, multifactor authentication, or passwordless options.
+- **Users and groups**: Entra security groups are the foundation for assigning policies, profiles, and apps in Intune. You target a group of users, devices, or both, and Intune applies the configuration on check-in.
+ - Entra users and groups are also used to assign Intune [licenses](licensing.md). Each managed user or device needs an Intune license, but [administrators can manage Intune without one](licensing.md#unlicensed-admin-access).
+- **Conditional Access**: Intune sends device compliance state to Entra, and Conditional Access combines it with the user, app, location, and Defender risk signals to allow or block access to corporate resources.
-✅ **Simplify app management**
+This approach closes the Zero Trust loop: access decisions are based on real, up-to-date device posture, not on whether the device is on the corporate network.
-Intune has a built-in app experience, including app deployment, updates, and removal. You can:
+For the end-to-end access flow and how the pieces fit together, see [Microsoft Intune core concepts](core-concepts.md#how-the-pillars-fit-together). For details about Conditional Access, see [Use Conditional Access with Microsoft Intune](../device-security/conditional-access-integration/overview.md).
-- Connect to and distribute apps from your private app stores.
-- Enable Microsoft 365 apps, including Microsoft Teams.
-- Deploy Win32 and line-of-business (LOB) apps.
-- Create app protection policies that protect data within an app.
-- Manage access to apps & their data.
+## Advanced capabilities
-For more information, go to [Manage apps using Microsoft Intune](manage-apps.md).
+Beyond the core service, Intune offers advanced capabilities that add depth across endpoint security, app management, certificates, remote support, analytics, device updates, secure remote access, and specialty-device management. You can access these capabilities through Microsoft 365 plans, Microsoft Intune Suite, or as standalone subscriptions.
-✅ **Automate policy deployment**
+For details, see [Microsoft Intune advanced capabilities](advanced-capabilities.md).
-You can create policies for apps, security, device configuration, compliance, Conditional Access, and more. When the policies are ready, you can deploy these policies to your user groups and device groups. To receive these policies, the devices only need internet access.
+## Copilot in Intune
-For more information, go to [Assign policies in Microsoft Intune](../device-configuration/assign-device-profile.md).
+Copilot in Intune is an AI assistant built into the admin center, powered by Microsoft Security Copilot. Copilot can:
-✅ **Use the self-service features**
+- Summarize what an existing policy does and flag conflicts.
+- Explain what a setting controls and recommend values.
+- Surface device details and help triage problems.
+- Run specialized AI agents that triage Multi Admin Approval requests, generate policy from baselines, and prioritize vulnerability remediation.
-Employees and students can use the Company Portal app and website to reset a PIN/password, install apps, join groups, and more. You can customize the Company Portal to help reduce support calls.
+For details, see [Microsoft Copilot in Intune](../copilot/index.md).
-For more information, go to [Configure the Intune Company Portal apps, Company Portal website, and Intune app](../app-management/configuration/configure-company-portal.md).
+## Try Intune
-✅ **Integrate with mobile threat defense**
+- Sign up for a [free 30-day trial](free-trial-sign-up.md) to evaluate Intune in your environment.
+- Compare plans and pricing in [Microsoft Intune licensing](licensing.md).
+- After your trial, see [Sign up or sign in to Intune](account-sign-up.md) to set up your organization's subscription.
-Intune integrates with Microsoft Defender for Endpoint and third party partner services. With these services, the focus is on endpoint security. You can create policies that respond to threats, do real-time risk analysis, and automate remediation.
+## Related content
-For more information, go to [Mobile Threat Defense integration with Intune](../device-security/mobile-threat-defense/overview.md).
-
-✅ **Use a web-based admin center**
-
-The Intune admin center focuses on endpoint management, including data-driven reporting. Admins can sign into the admin center from any device that has internet access.
-
-For more information, go to [Walkthrough the Intune admin center](tutorial-admin-center-walkthrough.md). To sign in to the admin center, go to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-This admin center uses [Microsoft Graph](/graph/overview) REST APIs to programmatically access the Intune service. Every action in the admin center is a Microsoft Graph call. If you're not familiar with Graph, and want to learn more, go to [Graph integrates with Microsoft Intune](/graph/intune-concept-overview).
-
-✅ **Advanced endpoint management and security**
-
-The Microsoft Intune Suite offers different features, like Remote Help, Endpoint Privilege Management, Microsoft Tunnel for MAM, and more.
-
-For more information, go to [Intune Suite add-on features](add-ons.md).
-
-> [!TIP]
-> Step through a training module to learn how you can [benefit from modern endpoint management](/training/modules/benefits-microsoft-endpoint-manager?azure-portal=true) with Microsoft Intune.
-
-✅ **Use Microsoft Copilot in Intune for AI-generated analysis**
-
-Copilot in Intune is available and has capabilities that are powered by Security Copilot.
-
-Copilot can summarize existing policies, give you more setting information, including recommended values and potential conflicts. You can also get device details and troubleshoot a device.
-
-For more information, go to [Microsoft Copilot in Intune](../copilot/index.md).
-
-## Integrates with other Microsoft services and apps
-
-Microsoft Intune integrates with other Microsoft products and services that focus on endpoint management, including:
-
-- **[Configuration Manager](../configmgr/core/understand/introduction.md)** for on-premises endpoint management and Windows Server, including deploying software updates and managing data centers
-
- You can use Intune and Configuration Manager together in a co-management scenario, use tenant attach, or use both. With these options, you get the benefits of the web-based admin center and can use other cloud-based features available in Intune.
-
- For more specific information, go to:
-
- - [What is co-management](../configmgr/comanage/overview.md)
- - [Frequently asked questions about co-management](../configmgr/comanage/faq.yml)
- - [How to enable tenant attach](../configmgr/tenant-attach/device-sync-actions.md)
-
-- **[Windows Autopilot](/autopilot/overview)** for modern OS deployment and provisioning
-
- With Windows Autopilot, you can provision new devices and send these devices directly to users from an OEM or device provider. For existing devices, you can reimage these devices to use Windows Autopilot and deploy the latest Windows version.
-
- For more specific information, go to:
-
- - [Windows Autopilot overview](/autopilot/overview)
- - [Windows Autopilot deployment for existing devices](/autopilot/existing-devices)
-
-- **[Endpoint analytics](../endpoint-analytics/index.md)** for visibility and reporting on end user experiences, including device performance and reliability
-
- You can use Endpoint analytics to help identify policies or hardware issues that slow down devices. It also provides guidance that can help you proactively improve end user experiences and reduce help desk tickets.
-
- For more specific information, go to:
-
- - [Endpoint Analytics Overview](../endpoint-analytics/index.md)
- - [Enroll Intune devices into Endpoint analytics](../endpoint-analytics/configure.md)
-
-- **[Microsoft 365](/deployoffice/about-microsoft-365-apps)** for end user productivity Office apps, including Outlook, Teams, Sharepoint, OneDrive, and more
-
- Using Intune, you can deploy Microsoft 365 apps to users and devices in your organization. You can also deploy these apps when users sign in for the first time.
-
- For more specific information, go to:
-
- - [Add Microsoft 365 Apps to Windows devices with Microsoft Intune](../app-management/deployment/add-microsoft-365-windows.md)
- - [Microsoft 365 docs: Manage devices with Intune](/microsoft-365/solutions/manage-devices-with-intune-overview)
-
-- **[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint)** to help enterprises prevent, detect, investigate, and respond to threats
-
- In Intune, you can create a service-to-service connection between Intune and Microsoft Defender for Endpoint. When they're connected, you can create policies that scan files, detect threats, and report threat levels to Microsoft Defender for Endpoint. You can also create compliance policies that set an allowable level of risk. When combined with Conditional Access, you can block access to organization resources for devices that are noncompliant.
-
- For more specific information, go to:
-
- - [Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune](../device-security/microsoft-defender/overview.md)
- - [Configure Microsoft Defender for Endpoint in Intune](../device-security/microsoft-defender/configure-integration.md)
-
-- **[Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview)** for automatic patching of Windows, Microsoft 365 apps for enterprise, Microsoft Edge, and Microsoft Teams
-
- Windows Autopatch is a cloud based service. It keeps software current, gives users the latest productivity tools, minimizes on-premises infrastructure, and helps free up your IT admins to focus on other projects. Windows Autopatch uses Microsoft Intune to manage patching for Intune-enrolled devices or devices using co-management (Intune + Configuration Manager).
-
- For more specific information, go to:
-
- - [What is Windows Autopatch?](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview)
- - [Frequently Asked Questions about Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-faq)
-
-## Integrates with third party partner devices and apps
-
-The Intune admin center makes it easy to connect to different partner services, including:
-
-- **Managed Google Play for Android apps**: When you connect to your Managed Google Play account, admins can access your organization's private store for Android apps, and deploy these apps to your devices.
-
- For more information, go to [Add Managed Google Play apps to Android Enterprise devices with Intune](../app-management/deployment/add-managed-google-play.md).
-
-- **Apple tokens and certificates for enrollment and apps**: When they're added, your iOS/iPadOS and macOS devices can enroll in Intune and receive policies from Intune. Admins can access your volume purchased iOS/iPad and macOS app licenses, and deploy these apps to your devices.
-
- For more information, go to:
-
- - [Get an Apple MDM push certificate](../device-enrollment/apple/create-mdm-push-certificate.md)
- - [Automatically enroll iOS/iPadOS devices by using Apple's Automated Device Enrollment](../device-enrollment/apple/setup-automated-ios.md)
- - [Manage iOS and macOS apps purchased through Apple Business with Microsoft Intune](../app-management/deployment/manage-vpp-apple.md)
-
-- **TeamViewer for remote assist**: When you connect to your TeamViewer account, you can use TeamViewer to remotely assist devices.
-
- For more information, go to [Use TeamViewer to remotely administer Intune devices](../device-management/tools/teamviewer-legacy.md).
-
-With these services, Intune:
-
-- Gives admins simplified access to third party partner app services.
-- Can manage hundreds of third party partner apps.
-- Supports public retail store apps, line of business (LOB) apps, private apps not available in the public store, custom apps, and more.
-
-For more platform-specific requirements to enroll third party partner devices in Intune, go to:
-
-- [Deployment guide: Enroll Android devices in Microsoft Intune](../device-enrollment/android/guide.md)
-- [Deployment guide: Enroll iOS and iPadOS devices in Microsoft Intune](../device-enrollment/apple/guide-ios-ipados.md)
-- [Deployment guide: Enroll Linux devices in Microsoft Intune](../device-enrollment/guide-linux.md)
-- [Deployment guide: Enroll macOS devices in Microsoft Intune](../device-enrollment/apple/guide-macos.md)
-
-## Enroll in device management, application management, or both
-
-✅ Organization-owned devices are enrolled in Intune for **mobile device management (MDM)**. MDM is device centric, so device features are configured based on who needs them. For example, you can configure a device to allow access to Wi-Fi, but only if the signed-in user is an organization account.
-
-In Intune, you create policies that configure features & settings and provide security & protection. Your admin team fully manages the devices, including the user identities that sign in, the apps that are installed, and the data that's accessed.
-
-When devices enroll, you can deploy your policies during the enrollment process. When enrollment completes, the device is ready to use.
-
-✅ For personal devices in bring-your-own-device (BYOD) scenarios, you can use Intune for **mobile application management (MAM)**. MAM is user centric, so the app data is protected regardless of the device used to access this data. There's a focus on apps, including securely accessing apps and protecting data within the apps.
-
-With MAM, you can:
-
-- Publish mobile apps to users.
-- Configure apps and automatically update apps.
-- View data reports that focus on app inventory and app usage.
-
-✅ You can also use MDM and MAM together. If your devices are enrolled and there are apps that need extra security, then you can also use MAM app protection policies.
-
-For more information, go to:
-
-- [Device enrollment in Intune?](../device-enrollment/guide.md)
-- [App protection policies overview](../app-management/protection/overview.md)
-
-## Protect data on any device
-
-With Intune, you can **protect data on managed devices** (enrolled in Intune) and **protect data on unmanaged devices** (not enrolled in Intune). Intune can isolate organization data from personal data. The idea is to protect your company information using policies that you configure and deploy.
-
-For organization-owned devices, you want full control over the devices, especially security. When devices enroll, they receive your security rules and settings.
-
-On devices enrolled in Intune, you can:
-
-- Create and deploy policies that configure security settings, set password requirements, deploy certificates, and more.
-- Use mobile threat defense services to scan devices, detect threats, and remediate threats.
-- View data and reports that measure compliance with your security settings and rules.
-- Use Conditional Access to only allow managed and compliant devices access to organization resources, apps, and data.
-- Remove organization data if a device is lost or stolen.
-
-For personal devices, users might not want their IT admins to have full control. To support a hybrid work environment, give users options. For example, users enroll their devices if they want full access to your organization's resources. Or, if these users only want access to Outlook or Microsoft Teams, then use app protection policies that require multifactor authentication (MFA).
-
-On devices using application management, you can:
-
-- Use mobile threat defense services to protect app data. The service can scan devices, detect threats, and assess risk.
-- Prevent organization data from being copied and pasted into personal apps.
-- Use app protection policies on apps and on unmanaged devices enrolled in a third party or partner MDM.
-- Use Conditional Access to restrict the apps that can access organization email and files.
-- Remove organization data within apps.
-
-For more information, go to:
-
-- [Protect data and devices with Microsoft Intune](../device-security/overview.md)
-- [Mobile Threat Defense integration with Intune](../device-security/mobile-threat-defense/overview.md)
-
-## Simplify access
-
-Intune helps organizations support employees who can work from anywhere. There are features you can configure that allow users to connect to an organization, wherever they might be.
-
-This section includes some common features that you can configure in Intune.
-
-### Use Windows Hello for Business instead of passwords
-
-Windows Hello for Business helps protect against phishing attacks and other security threats. It also helps users sign in to their devices and apps more quickly and easily.
-
-Windows Hello for Business replaces passwords with a PIN or biometric, such as fingerprint or facial recognition. This biometric information is stored locally on the devices and is never sent to external devices or servers.
-
-For more information, go to:
-
-- [Get an overview Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-overview)
-- [Manage Windows Hello for Business on devices when they enroll in Intune](../device-security/identity-protection/configure-tenant-wide-policy.md)
-- [Manage identities using Microsoft Intune](tenant-administration/identities.md)
-
-### Create a VPN connection for remote users
-
-VPN policies give users secure remote access to your organization network.
-
-Using common VPN connection partners, including Check Point, Cisco, Microsoft Tunnel, NetMotion, Pulse Secure, and more, you can create a VPN policy with your network settings. When the policy is ready, you deploy this policy to your users and devices that need to connect to your network remotely.
-
-In the VPN policy, you can use certificates to authenticate the VPN connection. When you use certificates, your end users don't need to enter usernames and passwords.
-
-For more information, go to:
-
-- [Create VPN profiles to connect to VPN servers in Intune](../device-configuration/templates/configure-vpn.md)
-- [Use certificates for authentication in Intune](./certificates/overview.md)
-- [Learn more about Microsoft Tunnel for Intune](../device-security/microsoft-tunnel/overview.md)
-- [Use Microsoft Tunnel for MAM](../device-security/microsoft-tunnel/mam.md)
-
-### Create a Wi-Fi connection for on-premises users
-
-For users who need to connect to your organization network on-premises, you can create a Wi-Fi policy with your network settings. You can connect to a specific SSID, select an authentication method, use a proxy, and more. You can also configure the policy to automatically connect to Wi-Fi when the device is in range.
-
-In the Wi-Fi policy, you can use certificates to authenticate the Wi-Fi connection. When you use certificates, your end users don't need to enter usernames and passwords.
-
-When the policy is ready, you deploy this policy to your on-premises users and devices that need to connect to your on-premises network.
-
-For more information, go to:
-
-- [Create Wi-Fi policy to connect to Wi-Fi networks in Intune](../device-configuration/templates/configure-wifi.md)
-- [Use certificates for authentication in Microsoft Intune](./certificates/overview.md)
-
-### Enable single sign-on (SSO) to your apps and services
-
-When you enable SSO, users can automatically sign in to apps and services using their Microsoft Entra organization account, including some mobile threat defense partner apps.
-
-Specifically:
-
-- On Windows devices, SSO is automatically built in and used to sign in to apps and websites that use Microsoft Entra ID for authentication, including Microsoft 365 apps. You can also enable SSO on VPN and Wi-Fi policies.
-
-- On iOS/iPadOS and macOS devices, you can use the Microsoft Enterprise SSO plug-in to automatically sign in to apps and websites that use Microsoft Entra ID for authentication, including Microsoft 365 apps.
-
- For more information, go to [Single sign-on (SSO) overview and options for Apple devices in Microsoft Intune](../device-configuration/enterprise-sso-plugin.md).
-
-- On Android devices, you can use the Microsoft Authentication Library (MSAL) to enable SSO to Android apps.
-
- For more information, go to:
-
- - [How SSO to on-premises resources works on Microsoft Entra joined devices](/azure/active-directory/devices/azuread-join-sso)
- - [Use the Microsoft Enterprise SSO plug-in on iOS/iPadOS and macOS devices in Microsoft Intune](../device-configuration/enterprise-sso-plugin.md)
- - [Enable cross-app SSO on Android using MSAL](/azure/active-directory/develop/msal-android-single-sign-on)
-
-## Related articles
-
-- [Manage identities using Microsoft Intune](tenant-administration/identities.md)
-- [Manage devices using Microsoft Intune](manage-devices.md)
-- [Manage apps using Microsoft Intune](manage-apps.md)
-- [Troubleshoot Microsoft Intune](/troubleshoot/mem/intune/welcome-intune)
+- [Microsoft Intune core concepts](core-concepts.md)
+- [Microsoft Intune architecture](architecture.md)
+- [Microsoft Intune advanced capabilities](advanced-capabilities.md)
diff --git a/intune/fundamentals/zero-trust.md b/intune/fundamentals/zero-trust.md
index c45717582f8..34060f5d224 100644
--- a/intune/fundamentals/zero-trust.md
+++ b/intune/fundamentals/zero-trust.md
@@ -52,8 +52,6 @@ For detailed deployment guidance including prerequisites, licensing requirements
## Related articles
-- [Learn about managing identities in Intune](tenant-administration/identities.md)
-- [Learn about managing devices in Intune](manage-devices.md)
-- [Learn about managing apps in Intune](manage-apps.md)
+- [Learn about Intune core concepts](core-concepts.md)
- [Zero Trust deployment approach with Microsoft Intune](zero-trust-deployment.md)
- [Zero Trust Guidance Center](/security/zero-trust)
diff --git a/intune/includes/intune-plan2-suite-note.md b/intune/includes/intune-plan2-suite-note.md
deleted file mode 100644
index 23bda4f745d..00000000000
--- a/intune/includes/intune-plan2-suite-note.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-author: MandiOhlinger
-ms.topic: include
-ms.date: 02/06/2025
-ms.author: mandia
----
-> [!NOTE]
-> This capability is available when you add Microsoft Intune Plan 2 or Microsoft Intune Suite as an add-on license. For more information, see [Use Intune Suite add-on capabilities](../fundamentals/add-ons.md).
diff --git a/intune/includes/licensing/additional-licensing-plan2.md b/intune/includes/licensing/additional-licensing-plan2.md
new file mode 100644
index 00000000000..6ff5ec736ae
--- /dev/null
+++ b/intune/includes/licensing/additional-licensing-plan2.md
@@ -0,0 +1,8 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms-topic: include
+ms.date: 05/21/2026
+---
+
+This feature requires Microsoft Intune Plan 2 or an additional subscription. For licensing options, see [Microsoft Intune plans and pricing](https://www.microsoft.com/security/business/microsoft-intune-pricing) and [Microsoft 365 Security Enterprise Plans](https://www.microsoft.com/security/pricing/enterprise-plans).
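Review bot: The front matter of the new include `intune/includes/licensing/additional-licensing-plan2.md` spells the topic key `ms-topic: include`, while the other includes visible in this diff (the deleted `intune-plan2-suite-note.md` and `remote-help-overview.md`) use `ms.topic: include`. If the publishing tooling reads `ms.topic`, which the diff does not show, the hyphenated key would presumably be ignored and the file would carry no topic type. I would change the line to `ms.topic: include`. The same spelling appears in the next hunk, in `intune/includes/licensing/additional-licensing.md`, and should be fixed there too.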
diff --git a/intune/includes/licensing/additional-licensing.md b/intune/includes/licensing/additional-licensing.md
new file mode 100644
index 00000000000..8692cb50043
--- /dev/null
+++ b/intune/includes/licensing/additional-licensing.md
@@ -0,0 +1,8 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms-topic: include
+ms.date: 05/21/2026
+---
+
+This feature requires a subscription in addition to Microsoft Intune Plan 1 or Plan 2. For licensing options, see [Microsoft Intune plans and pricing](https://www.microsoft.com/security/business/microsoft-intune-pricing) and [Microsoft 365 Security Enterprise Plans](https://www.microsoft.com/security/pricing/enterprise-plans).
diff --git a/intune/index.yml b/intune/index.yml
index 92d85469590..4b6e3ce4d23 100644
--- a/intune/index.yml
+++ b/intune/index.yml
@@ -21,9 +21,9 @@ highlightedContent:
- title: Features in development
itemType: whats-new
url: ./whats-new/in-development.md
- - title: Microsoft Intune Suite add-ons
+ - title: Microsoft Intune advanced capabilities
itemType: overview
- url: ./fundamentals/add-ons.md
+ url: ./fundamentals/advanced-capabilities.md
productDirectory:
title: Set up, secure, and operate your device fleet
@@ -127,7 +127,7 @@ conceptualContent:
- url: https://aka.ms/Intune_GuidedDemo
itemType: get-started
text: Interactive demos for Intune
- - url: ./fundamentals/licensing/index.md
+ - url: ./fundamentals/licensing.md
itemType: get-started
text: Microsoft Intune licensing
- url: ./fundamentals/planning-guide.md
diff --git a/intune/media/icons/16/add-on.svg b/intune/media/icons/16/add-on.svg
new file mode 100644
index 00000000000..393da774aff
--- /dev/null
+++ b/intune/media/icons/16/add-on.svg
@@ -0,0 +1,3 @@
+
diff --git a/intune/media/icons/16/plus.svg b/intune/media/icons/16/plus.svg
new file mode 100644
index 00000000000..d93cde2f014
--- /dev/null
+++ b/intune/media/icons/16/plus.svg
@@ -0,0 +1,3 @@
+
diff --git a/intune/media/icons/24/devices.svg b/intune/media/icons/24/devices.svg
deleted file mode 100644
index 4bdd26bf755..00000000000
--- a/intune/media/icons/24/devices.svg
+++ /dev/null
@@ -1,22 +0,0 @@
-
diff --git a/intune/media/icons/24/query.svg b/intune/media/icons/24/query.svg
deleted file mode 100644
index 061e1dae8aa..00000000000
--- a/intune/media/icons/24/query.svg
+++ /dev/null
@@ -1,18 +0,0 @@
-
diff --git a/intune/media/icons/24/report.svg b/intune/media/icons/24/report.svg
deleted file mode 100644
index a6c559a48b6..00000000000
--- a/intune/media/icons/24/report.svg
+++ /dev/null
@@ -1,10 +0,0 @@
-
diff --git a/intune/remote-help/deploy.md b/intune/remote-help/deploy.md
index 867b1767180..3d3164b49de 100644
--- a/intune/remote-help/deploy.md
+++ b/intune/remote-help/deploy.md
@@ -12,10 +12,6 @@ ms.collection:
# Deploying Remote Help with Microsoft Intune
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-[!INCLUDE [remote-help-overview](includes/remote-help-overview.md)]
-
This article describes the steps to deploy Remote Help with Microsoft Intune.
- [⚙️Set up your tenant](#configure-remote-help-for-your-tenant)
diff --git a/intune/remote-help/includes/remote-help-overview.md b/intune/remote-help/includes/remote-help-overview.md
deleted file mode 100644
index a8243ccbd05..00000000000
--- a/intune/remote-help/includes/remote-help-overview.md
+++ /dev/null
@@ -1,7 +0,0 @@
----
-ms.service: microsoft-intune
-ms.topic: include
-ms.date: 10/01/2025
----
-
-Remote Help is a cloud-based solution for secure help desk connections with role-based access controls. With the connection, your support staff can remote connect to the user's device. For more information, see [Remote Help Overview](../index.md). To start using Remote Help features, ensure you have met the [Prerequisites](../plan.md#prerequisites).
diff --git a/intune/remote-help/index.md b/intune/remote-help/index.md
index 89c05ae84f4..a3aebd0fd61 100644
--- a/intune/remote-help/index.md
+++ b/intune/remote-help/index.md
@@ -9,11 +9,9 @@ ms.collection:
- M365-identity-device-management
---
- # Use Remote Help with Microsoft Intune
+# Use Remote Help with Microsoft Intune
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-Microsoft Intune Remote Help is a cloud-based remote support solution that allows IT support teams to connect securely to an end-user's device for real-time assistance. It's available as a standalone add-on to Microsoft Intune, or as part of the Intune Suite, enabling organizations to provide remote troubleshooting and guidance with enterprise security controls in place. Remote Help distinguishes between helpers (support personnel) and sharers (end users sharing their screen), both of whom must sign in with corporate Entra ID accounts for each session. This requirement means Remote Help only works within your organization's tenant – helpers can't assist users in another tenant or external organization.
+Microsoft Intune Remote Help is a cloud-based remote support solution that allows IT support teams to connect securely to an end-user's device for real-time assistance. It enables organizations to provide remote troubleshooting and guidance with enterprise security controls in place. Remote Help distinguishes between helpers (support personnel) and sharers (end users sharing their screen), both of whom must sign in with corporate Entra ID accounts for each session. This requirement means Remote Help only works within your organization's tenant – helpers can't assist users in another tenant or external organization.
## Remote Help capabilities
diff --git a/intune/remote-help/plan.md b/intune/remote-help/plan.md
index 1a7d860513c..9f9f2c8ab6c 100644
--- a/intune/remote-help/plan.md
+++ b/intune/remote-help/plan.md
@@ -9,11 +9,7 @@ ms.collection:
- M365-identity-device-management
---
- # Planning for Remote Help with Microsoft Intune
-
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-[!INCLUDE [remote-help-overview](includes/remote-help-overview.md)]
+# Planning for Remote Help with Microsoft Intune
In this article, users who provide help are referred to as *helpers*, and users that receive help are referred to as *sharers*, as they share their session with the helper. Both helpers and sharers sign in to your organization to use the app. It's through your Microsoft Entra ID that the proper trusts are established for the Remote Help sessions.
@@ -125,11 +121,12 @@ The following Intune built-in roles include Remote Help permissions:
Remote Help has the following requirements:
-- [Intune subscription](../fundamentals/licensing/index.md).
-- [Remote Help add on license or an Intune Suite license](../fundamentals/add-ons.md#available-add-ons) for all IT support workers (helpers) and users (sharers) that are targeted to use Remote Help and benefit from the service.
-- [Supported platforms and devices](#supported-platforms).
+- A Remote Help license for everyone targeted to use the service — both helpers (IT support workers) and sharers (users).
+- A [supported platform or device](#supported-platforms).
- Intune-enrolled devices must be registered with Microsoft Entra.
+[!INCLUDE [additional-licensing](../includes/licensing/additional-licensing.md)]
+
## Limitations
Remote Help has the following limitations:
diff --git a/intune/remote-help/start-session.md b/intune/remote-help/start-session.md
index cb120adcff4..afa6ac9a815 100644
--- a/intune/remote-help/start-session.md
+++ b/intune/remote-help/start-session.md
@@ -11,10 +11,6 @@ ms.collection:
# Using Remote Help with Microsoft Intune
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-[!INCLUDE [remote-help-overview](includes/remote-help-overview.md)]
-
The use of Remote Help depends on whether you're requesting help or providing help. In this article, we cover both scenarios.
## Get help
diff --git a/intune/remote-help/troubleshoot.md b/intune/remote-help/troubleshoot.md
index 4fb54343829..a8c31a0d8de 100644
--- a/intune/remote-help/troubleshoot.md
+++ b/intune/remote-help/troubleshoot.md
@@ -11,10 +11,6 @@ ms.collection:
# Troubleshoot and Monitor Remote Help
-[!INCLUDE [intune-add-on-note](../advanced-analytics/includes/intune-add-on-note.md)]
-
-[!INCLUDE [remote-help-overview](includes/remote-help-overview.md)]
-
## Monitoring and reports
You can monitor the use of Remote Help from within the Microsoft Intune admin center. For unenrolled devices, reporting on Remote Help sessions is limited.
diff --git a/intune/solutions/azure-virtual-desktop-multi-session.md b/intune/solutions/azure-virtual-desktop-multi-session.md
index 6189540dea0..8ab0bbd0b95 100644
--- a/intune/solutions/azure-virtual-desktop-multi-session.md
+++ b/intune/solutions/azure-virtual-desktop-multi-session.md
@@ -53,7 +53,7 @@ This feature supports Windows Enterprise multi-session VMs, which are:
- Configured with [Active Directory group policy](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy), set to use Device credentials, and set to automatically enroll devices that are Microsoft Entra hybrid joined.
- [Configuration Manager co-management](/configmgr/comanage/overview).
- Microsoft Entra joined and enrolled in Microsoft Intune by enabling [Enroll the VM with Intune](/azure/virtual-desktop/deploy-azure-ad-joined-vm#deploy-azure-ad-joined-vms) in the Azure portal.
-- Licensing: The appropriate Azure Virtual Desktop and Microsoft Intune license is required if a user or device benefits directly or indirectly from the Microsoft Intune service, including access to the Microsoft Intune service through a Microsoft API. For more information, go to [Microsoft Intune licensing](../fundamentals/licensing/index.md).
+- Licensing: The appropriate Azure Virtual Desktop and Microsoft Intune license is required if a user or device benefits directly or indirectly from the Microsoft Intune service, including access to the Microsoft Intune service through a Microsoft API. For more information, go to [Microsoft Intune licensing](../fundamentals/licensing.md).
- See [Licensing Azure Virtual Desktop](/azure/virtual-desktop/licensing) for more information about Azure Virtual Desktop licensing requirements.
## Limitations
diff --git a/intune/solutions/cloud-native-endpoints/tutorial-cloud-native-setup.md b/intune/solutions/cloud-native-endpoints/tutorial-cloud-native-setup.md
index ebaf68e3b4b..4a5dc6d2cd6 100644
--- a/intune/solutions/cloud-native-endpoints/tutorial-cloud-native-setup.md
+++ b/intune/solutions/cloud-native-endpoints/tutorial-cloud-native-setup.md
@@ -88,7 +88,7 @@ Enrollment restrictions allow you to control what types of devices can enroll in
- **Microsoft Entra Premium P1**
- **Microsoft Intune for Education**
- To assign licenses, go to [Assign Microsoft Intune licenses](../../fundamentals/licensing/assign-licenses.md).
+ To assign licenses, go to [Assign Microsoft Intune licenses](../../fundamentals/assign-licenses.md).
> [!NOTE]
> Both types of licenses are typically included with licensing bundles, like Microsoft 365 E3 (or A3) and higher. View comparisons of Microsoft 365 licensing [here](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).
diff --git a/intune/solutions/education/tutorial-school-deployment/configure-apps.md b/intune/solutions/education/tutorial-school-deployment/configure-apps.md
index dbf19510563..4df9c822e6e 100644
--- a/intune/solutions/education/tutorial-school-deployment/configure-apps.md
+++ b/intune/solutions/education/tutorial-school-deployment/configure-apps.md
@@ -32,7 +32,7 @@ Intune supports the deployment several application types including desktop apps
Enterprise App Management enables you to easily discover and deploy applications and keep them up to date from the Enterprise App Catalog. The Enterprise App Catalog is a collection of prepared Microsoft and non-Microsoft applications. These apps are Win32 apps that are [prepared as Win32 apps](../../../app-management/deployment/create-win32-package.md) and hosted by Microsoft.
> [!IMPORTANT]
-> Enterprise App Management is an Intune add-on as part of the Intune suite that is available for trial and purchase. For more information, see [Use Intune Suite add-on capabilities](../../../fundamentals/add-ons.md).
+> Enterprise App Management is part of Microsoft Intune Suite and available for trial and purchase. For more information, see [Microsoft Intune advanced capabilities](../../../fundamentals/advanced-capabilities.md).
For more information, see [Enterprise Application Management](../../../app-management/deployment/enterprise-app-management.md).
diff --git a/intune/solutions/education/tutorial-school-deployment/setup-intune.md b/intune/solutions/education/tutorial-school-deployment/setup-intune.md
index e849a34d9c3..d79aa05a8fc 100644
--- a/intune/solutions/education/tutorial-school-deployment/setup-intune.md
+++ b/intune/solutions/education/tutorial-school-deployment/setup-intune.md
@@ -262,7 +262,7 @@ When the Intune service configured, you can configure policies and applications
-[MEM-1]: ../../../fundamentals/licensing/index.md
+[MEM-1]: ../../../fundamentals/licensing.md
[MEM-2]: ../../../device-enrollment/restrictions.md
[MEM-4]: ../../../device-security/identity-protection/configure-tenant-wide-policy.md
[INT-1]: /intune-education/what-is-intune-for-education
diff --git a/intune/solutions/end-to-end-guides/macos-endpoints-get-started.md b/intune/solutions/end-to-end-guides/macos-endpoints-get-started.md
index a5f9eb418d8..dfae4c41fc4 100644
--- a/intune/solutions/end-to-end-guides/macos-endpoints-get-started.md
+++ b/intune/solutions/end-to-end-guides/macos-endpoints-get-started.md
@@ -91,7 +91,7 @@ Specifically:
- **Licensing**
- Users enrolling macOS devices require a Microsoft Intune or Microsoft Intune for Education license. To assign licenses, go to [Assign Microsoft Intune licenses](../../fundamentals/licensing/assign-licenses.md). Assign the licenses to the test accounts you created.
+ Users enrolling macOS devices require a Microsoft Intune or Microsoft Intune for Education license. To assign licenses, go to [Assign Microsoft Intune licenses](../../fundamentals/assign-licenses.md). Assign the licenses to the test accounts you created.
> [!NOTE]
> Both types of licenses are typically included with licensing bundles, like Microsoft 365 E3 (or A3) and higher. For more information, go to [Compare Microsoft 365 Enterprise Plans](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).
diff --git a/intune/solutions/frontline-worker/index.md b/intune/solutions/frontline-worker/index.md
index 250123e179c..2ff88aec0cf 100644
--- a/intune/solutions/frontline-worker/index.md
+++ b/intune/solutions/frontline-worker/index.md
@@ -79,7 +79,7 @@ Intune has built-in features that can be used for frontline worker devices, incl
These devices include augmented reality (AR) & virtual reality (VR) headsets, large smart-screen devices, and some conference room meeting devices, like Microsoft Teams Rooms devices. They can be managed using Intune policies.
> [!NOTE]
-> Some features may require additional licenses. For more information, go to [Intune Suite add-on capabilities](../../fundamentals/add-ons.md) or [Microsoft Intune licensing](../../fundamentals/licensing/index.md).
+> Some features may require additional licenses. For more information, go to [Microsoft Intune advanced capabilities](../../fundamentals/advanced-capabilities.md) or [Microsoft Intune licensing](../../fundamentals/licensing.md).
## Microsoft Entra shared device mode for FLW
diff --git a/intune/solutions/passwordless.md b/intune/solutions/passwordless.md
index 952a44d0b08..2c612405b3e 100644
--- a/intune/solutions/passwordless.md
+++ b/intune/solutions/passwordless.md
@@ -305,12 +305,12 @@ Depending on the passwordless methods you choose, your organization might need M
| Certificate-based authentication (CBA) | Microsoft Entra ID P1 (P2 for risk-based Conditional Access) |
| Authentication strength policies | Microsoft Entra ID P1 |
| Risk-based Conditional Access | Microsoft Entra ID P2 |
-| Microsoft Cloud PKI | Microsoft Intune Suite add-on or standalone Cloud PKI add-on |
+| Microsoft Cloud PKI | Microsoft Intune Suite or standalone Cloud PKI license |
| Device compliance and configuration profiles | Microsoft Intune Plan 1 |
:::image type="icon" source="../media/icons/16/learn-more.svg" border="false"::: **Learn more**
- [Microsoft Entra plans and pricing](/entra/fundamentals/licensing)
-- [Microsoft Intune licensing](../fundamentals/licensing/index.md)
+- [Microsoft Intune licensing](../fundamentals/licensing.md)
### Platform requirements
diff --git a/intune/whats-new/archive/index.md b/intune/whats-new/archive/index.md
index 8387cb99faf..c6a02a29412 100644
--- a/intune/whats-new/archive/index.md
+++ b/intune/whats-new/archive/index.md
@@ -1036,7 +1036,7 @@ Endpoint Privilege Management (EPM) elevation rules now include a new file eleva
*Deny* rules support the same configuration options as other [elevation types](../../epm/create-elevation-rules.md#creating-elevation-rules-with-endpoint-privilege-management) except for child processes, which aren't used.
-For more information about EPM, which is available as an [Intune Suite add-on-capability](../../fundamentals/add-ons.md), see [Endpoint Privilege Management overview](../../epm/overview.md).
+For more information about EPM, which is available as an [Intune Suite add-on-capability](../../fundamentals/advanced-capabilities.md), see [Endpoint Privilege Management overview](../../epm/overview.md).
### App management
@@ -1163,7 +1163,7 @@ Microsoft Intune has a new icon. The Intune icon is being updated across platfor
File elevation rules for Endpoint Privilege Management (EPM) now support [command line file arguments](../../epm/create-elevation-rules.md#use-file-arguments-for-elevation-rules). When an elevation rule is configured to define one or more file arguments, EPM allows that file to run in an elevated request only when one of the defined arguments is used. EPM blocks elevation of the file should a command line argument be used that isn't defined by the elevation rule. Use of file arguments in your file elevation rules can help you refine how and for what intent different files are successfully run in an elevated context by Endpoint Privilege Management.
-EPM is available as an [Intune Suite add-on-capability](../../fundamentals/add-ons.md).
+EPM is available as an [Intune Suite add-on-capability](../../fundamentals/advanced-capabilities.md).
### App management
@@ -1712,7 +1712,7 @@ With this capability, while reviewing the properties of a file elevation request
- The risk score for the user requesting the file elevation
- The risk score of the device from which the elevation was submitted
-EPM is available as an [Intune Suite add-on-capability](../../fundamentals/add-ons.md). To learn more about how you can currently use Copilot in Intune, see [Microsoft Copilot in Intune](../../copilot/index.md).
+EPM is available as an [Intune Suite add-on-capability](../../fundamentals/advanced-capabilities.md). To learn more about how you can currently use Copilot in Intune, see [Microsoft Copilot in Intune](../../copilot/index.md).
To learn more about Microsoft Security Copilot, see, [Microsoft Security Copilot](/copilot/security/microsoft-security-copilot).
@@ -2314,7 +2314,7 @@ The resource performance scores and insights for physical devices are aimed to h
For more information, see:
- [Resource performance report](../../advanced-analytics/resource-performance.md)
-- [Microsoft Intune Suite](../../fundamentals/add-ons.md)
+- [Microsoft Intune Suite](../../fundamentals/advanced-capabilities.md)
### App management
@@ -2603,7 +2603,7 @@ Plan 2 capabilities:
For more information, see:
-- [Use Microsoft Intune Suite add-on capabilities](../../fundamentals/add-ons.md)
+- [Use Microsoft Intune Suite add-on capabilities](../../fundamentals/advanced-capabilities.md)
- [Microsoft Intune for US Government GCC service description](../../fundamentals/government-service.md)
### Device enrollment
@@ -3494,7 +3494,7 @@ Applies to:
#### GCC customers can use Remote Help for Windows and Android devices
-The [Microsoft Intune Suite](../../fundamentals/add-ons.md) includes advanced endpoint management and security features, including Remote Help.
+The [Microsoft Intune Suite](../../fundamentals/advanced-capabilities.md) includes advanced endpoint management and security features, including Remote Help.
On Windows and enrolled Android Enterprise dedicated devices, you can use remote help on US Government GCC environments.
@@ -3530,7 +3530,7 @@ Applies to
#### New elevation type for Endpoint Privilege Management
-Endpoint Privilege Management has a new file elevation type, **support approved**. Endpoint Privilege Management is a feature component of the Microsoft Intune Suite and is also available as a standalone [Intune add-on](../../fundamentals/add-ons.md).
+Endpoint Privilege Management has a new file elevation type, **support approved**. Endpoint Privilege Management is a feature component of the Microsoft Intune Suite and is also available as a standalone [Intune add-on](../../fundamentals/advanced-capabilities.md).
A support-approved elevation gives you a third option for both the default elevation response and the elevation type for each rule. Unlike automatic or user confirmed, a support-approved elevation request requires Intune administrators to manage which files can run as elevated on a case-by-case basis.
@@ -3846,7 +3846,7 @@ For more information, see [Create a notification message template](../../device-
#### New Microsoft Cloud PKI service
-Use the Microsoft Cloud PKI service to simplify and automate certificate lifecycle management for Intune-managed devices. Microsoft Cloud PKI is a feature component of the Microsoft Intune Suite and is also available as a standalone [Intune add-on](../../fundamentals/add-ons.md). The cloud-based service provides a dedicated PKI infrastructure for your organization, and doesn't require on-premises servers, connectors, or hardware. Microsoft Cloud PKI automatically issues, renews, and revokes certificates for all OS platforms supporting the SCEP certificate device configuration profile. Issued certificates can be used for certificate-based authentication for Wi-Fi, VPN, and other services supporting certificate-based authentication. For more information, see [Overview of Microsoft Cloud PKI](../../cloud-pki/index.md).
+Use the Microsoft Cloud PKI service to simplify and automate certificate lifecycle management for Intune-managed devices. Microsoft Cloud PKI is a feature component of the Microsoft Intune Suite and is also available as a standalone [Intune add-on](../../fundamentals/advanced-capabilities.md). The cloud-based service provides a dedicated PKI infrastructure for your organization, and doesn't require on-premises servers, connectors, or hardware. Microsoft Cloud PKI automatically issues, renews, and revokes certificates for all OS platforms supporting the SCEP certificate device configuration profile. Issued certificates can be used for certificate-based authentication for Wi-Fi, VPN, and other services supporting certificate-based authentication. For more information, see [Overview of Microsoft Cloud PKI](../../cloud-pki/index.md).
Applies to:
@@ -4111,7 +4111,7 @@ Enterprise Application Management provides an Enterprise App Catalog of Win32 ap
For more information, see:
-- [Use Intune Suite add-on capabilities](../../fundamentals/add-ons.md)
+- [Use Intune Suite add-on capabilities](../../fundamentals/advanced-capabilities.md)
- [Microsoft Intune Enterprise Application Management](../../app-management/deployment/enterprise-app-management.md)
- [Add an Enterprise App Catalog app to Microsoft Intune](../../app-management/deployment/add-enterprise-catalog-app.md)
@@ -4142,7 +4142,7 @@ To use Device query and battery health report in your tenant, or any of the exis
For more information, see:
-- [Use Intune Suite add-on capabilities](../../fundamentals/add-ons.md)
+- [Use Intune Suite add-on capabilities](../../fundamentals/advanced-capabilities.md)
- [Microsoft Intune Advanced Analytics](../../advanced-analytics/index.md)
- [Battery health](../../advanced-analytics/battery-health.md)
- [Device query](../../advanced-analytics/device-query.md)
@@ -4843,7 +4843,7 @@ For more information, see [Set up web based device enrollment for iOS](../../dev
The Intune add-ons page under **Tenant administration** includes **Your add-ons**, **All add-ons**, and **Capabilities**. It provides an enhanced view into your trial or purchased licenses, the add-on capabilities you're licensed to use in your tenant, and support for new billing experiences in Microsoft admin center.
-For more information, see [Use Intune Suite add-ons capabilities](../../fundamentals/add-ons.md).
+For more information, see [Use Intune Suite add-ons capabilities](../../fundamentals/advanced-capabilities.md).
#### Remote Help for Android is now Generally available
@@ -5076,7 +5076,7 @@ This integration is now generally available for Android Enterprise Dedicated and
Previously, this feature was in public preview and free for use. With this release as generally available, this solution now requires an add-on license for its use.
-For licensing details, see [Intune add-ons](../../fundamentals/add-ons.md).
+For licensing details, see [Intune add-ons](../../fundamentals/advanced-capabilities.md).
### Device enrollment
diff --git a/intune/whats-new/index.md b/intune/whats-new/index.md
index 38a62ce1c6e..e932063beee 100644
--- a/intune/whats-new/index.md
+++ b/intune/whats-new/index.md
@@ -885,7 +885,7 @@ Device query for multiple devices now includes expanded operator support, cleare
Endpoint Privilege Management (EPM) elevation policies now support deployment to users on Azure Virtual Desktop (AVD) single-session virtual machines.
-For information about using EPM, which is available as an [Intune Suite add-on-capability](../fundamentals/add-ons.md), see [Plan and Prepare for Endpoint Privilege Management Deployment](../epm/deployment-planning.md).
+For information about using EPM, see [Plan and Prepare for Endpoint Privilege Management Deployment](../epm/deployment-planning.md).
### App management