articles/active-directory/devices/azureadjoin-plan.md
+2 -2 Lines changed: 2 additions & 2 deletions
@@ -190,7 +190,7 @@ Starting Windows 10 2004 update, users can also use remote desktop from an Azure
190
190
Currently, Azure AD joined devices don't support RADIUS authentication for connecting to Wi-Fi access points, since RADIUS relies on presence of an on-premises computer object. As an alternative, you can use certificates pushed via Intune or user credentials to authenticate to Wi-Fi.
191
191
192
192
## Understand your provisioning options
193
-
**Note**: Azure AD joined devices cannot be deployed using System Preparation Tool (Sysprep) or similar imaging tools
193
+
**Note**: Azure AD joined devices can’t be deployed using System Preparation Tool (Sysprep) or similar imaging tools
194
194
195
195
You can provision Azure AD joined devices using the following approaches:
196
196
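Review bot: the replacement on line 193 introduces a curly apostrophe ("can’t", U+2019) where the rest of these articles use a straight one (compare "don't" on the unchanged line 47 of howto-hybrid-azure-ad-join.md in this same commit); normalize to `can't` so contraction style stays consistent across the doc set. The "cannot" to "can't" change itself is fine and matches the contraction style used elsewhere in the article.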
@@ -209,7 +209,7 @@ Here’s a comparison of these three approaches
209
209
| Require device OEM support | No | Yes | No |
210
210
| Supported versions | 1511+ | 1709+ | 1703+ |
211
211
212
-
Choose your deployment approach or approaches by reviewing the table above and reviewing the following considerations for adopting either approach:
212
+
Choose your deployment approach or approaches by reviewing the previous table and reviewing the following considerations for adopting either approach:
213
213
214
214
- Are your users tech savvy to go through the setup themselves?
215
215
- Self-service can work best for these users. Consider Windows Autopilot to enhance the user experience.
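Review bot: "either approach" on line 212 contradicts the hunk header, which introduces a comparison of three approaches; suggest "for adopting each approach" or "for adopting any of these approaches". The new sentence also repeats "reviewing" ("by reviewing the previous table and reviewing the following considerations"); "by reviewing the previous table and the following considerations" reads more cleanly.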
articles/active-directory/devices/howto-hybrid-azure-ad-join.md
+2 -2 Lines changed: 2 additions & 2 deletions
@@ -44,7 +44,7 @@ Hybrid Azure AD join requires devices to have access to the following Microsoft
44
44
45
45
If your organization requires access to the internet via an outbound proxy, you can use [Web Proxy Auto-Discovery (WPAD)](/previous-versions/tn-archive/cc995261(v=technet.10)) to enable Windows 10 computers for device registration with Azure AD. To address issues configuring and managing WPAD, see [Troubleshooting Automatic Detection](/previous-versions/tn-archive/cc302643(v=technet.10)).
46
46
47
-
If you don't use WPAD, you can configure WinHTTP proxy settings on your computer beginning with Windows 10 1709. For more information, see [WinHTTP Proxy Settings deployed by GPO](/archive/blogs/netgeeks/winhttp-proxy-settings-deployed-by-gpo).
47
+
If you don't use WPAD, you can configure WinHTTP proxy settings on your computer with a Group Policy Object (GPO) beginning with Windows 10 1709. For more information, see [WinHTTP Proxy Settings deployed by GPO](/archive/blogs/netgeeks/winhttp-proxy-settings-deployed-by-gpo).
48
48
49
49
> [!NOTE]
50
50
> If you configure proxy settings on your computer by using WinHTTP settings, any computers that can't connect to the configured proxy will fail to connect to the internet.
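Review bot: the qualifier inserted on line 47 sits directly before "beginning with Windows 10 1709", so the sentence now reads as if GPO deployment itself only became available in 1709; reordering to "Beginning with Windows 10 1709, you can use a Group Policy Object (GPO) to configure WinHTTP proxy settings on your computers" removes that ambiguity and also fixes the singular "your computer" for a setting that is pushed to a whole population of machines. The NOTE on line 50 warns that computers which cannot reach the configured proxy lose internet access; since this section exists to get devices registered (line 45), it is worth saying that those devices will also fail device registration, which is the symptom an admin will actually be troubleshooting.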
@@ -119,7 +119,7 @@ With Windows 10 1803 or newer, if instantaneous hybrid Azure AD join for a feder
119
119
120
120
## Other scenarios
121
121
122
-
Organizations who may wish to test hybrid Azure AD join on a subset of their environment before a full rollout, the steps to complete a targeted deployment can be found in the article [Hybrid Azure AD join targeted deployment](hybrid-azuread-join-control.md).
122
+
Organizations can test hybrid Azure AD join on a subset of their environment before a full rollout. The steps to complete a targeted deployment can be found in the article [Hybrid Azure AD join targeted deployment](hybrid-azuread-join-control.md). Organizations should include a sample of users from varying roles and profiles in this pilot group. A targeted rollout will help identify any issues your plan may not have addressed before you enable for the entire organization.
123
123
124
124
Some organizations may not be able to use Azure AD Connect to configure AD FS, the steps to configure the claims manually can be found in the article [Configure hybrid Azure Active Directory join manually](hybrid-azuread-join-manual.md).
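Review bot: the last sentence added on line 122 is missing its object: "before you enable for the entire organization" should read "before you enable hybrid Azure AD join for the entire organization". The rewrite correctly splits the comma splice that the old line 122 had, but the unchanged line 124 ("Some organizations may not be able to use Azure AD Connect to configure AD FS, the steps to configure the claims manually can be found...") has the same construction and should be split into two sentences in the same pass.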
articles/active-directory/devices/hybrid-azuread-join-control.md
+30 -30 Lines changed: 30 additions & 30 deletions
@@ -25,9 +25,9 @@ For devices running Windows 10, the minimum supported version is Windows 10 (ver
25
25
26
26
To do a targeted deployment of hybrid Azure AD join on Windows current devices, you need to:
27
27
28
-
1. Clear the Service Connection Point (SCP) entry from Active Directory (AD) if it exists
29
-
1. Configure client-side registry setting for SCP on your domain-joined computers using a Group Policy Object (GPO)
30
-
1. If you're using Active Directory Federation Services (AD FS), you must also configure the client-side registry setting for SCP on your AD FS server using a GPO
28
+
1. Clear the Service Connection Point (SCP) entry from Active Directory (AD) if it exists.
29
+
1. Configure client-side registry setting for SCP on your domain-joined computers using a Group Policy Object (GPO).
30
+
1. If you're using Active Directory Federation Services (AD FS), you must also configure the client-side registry setting for SCP on your AD FS server using a GPO.
31
31
1. You may also need to [customize synchronization options](../hybrid/how-to-connect-post-installation.md#additional-tasks-available-in-azure-ad-connect) in Azure AD Connect to enable device synchronization.
32
32
33
33
### Clear the SCP from AD
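Review bot: step 2 on line 29 drops the article that step 3 on line 30 uses ("the client-side registry setting"); change it to "Configure the client-side registry setting for SCP..." so the two steps read the same way. Adding terminal periods to these list items is consistent with the other hunks in hybrid-azuread-join-control.md, but the hunk for hybrid-azuread-join-plan.md in this same commit removes periods from list items; pick one convention and apply it to both articles.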
@@ -36,43 +36,43 @@ Use the Active Directory Services Interfaces Editor (ADSI Edit) to modify the SC
36
36
37
37
1. Launch the **ADSI Edit** desktop application from and administrative workstation or a domain controller as an Enterprise Administrator.
38
38
1. Connect to the **Configuration Naming Context** of your domain.
39
-
1. Browse to **CN=Configuration,DC=contoso,DC=com** > **CN=Services** > **CN=Device Registration Configuration**
40
-
1. Right-click on the leaf object **CN=62a0ff2e-97b9-4513-943f-0d221bd30080** and select **Properties**
41
-
1. Select **keywords** from the **Attribute Editor** window and select **Edit**
42
-
1. Select the values of **azureADId** and **azureADName** (one at a time) and select **Remove**
43
-
1. Close **ADSI Edit**
39
+
1. Browse to **CN=Configuration,DC=contoso,DC=com** > **CN=Services** > **CN=Device Registration Configuration**.
40
+
1. Right-click on the leaf object **CN=62a0ff2e-97b9-4513-943f-0d221bd30080** and select **Properties**.
41
+
1. Select **keywords** from the **Attribute Editor** window and select **Edit**.
42
+
1. Select the values of **azureADId** and **azureADName** (one at a time) and select **Remove**.
43
+
1. Close **ADSI Edit**.
44
44
45
45
### Configure client-side registry setting for SCP
46
46
47
47
Use the following example to create a Group Policy Object (GPO) to deploy a registry setting configuring an SCP entry in the registry of your devices.
48
48
49
49
1. Open a Group Policy Management console and create a new Group Policy Object in your domain.
50
50
1. Provide your newly created GPO a name (for example, ClientSideSCP).
51
-
1. Edit the GPO and locate the following path: **Computer Configuration** > **Preferences** > **Windows Settings** > **Registry**
52
-
1. Right-click on the Registry and select **New** > **Registry Item**
53
-
1. On the **General** tab, configure the following
1. Value data: The GUID or **Tenant ID** of your Azure AD instance (This value can be found in the **Azure portal** > **Azure Active Directory** > **Properties** > **Tenant ID**)
60
-
1. Select **OK**
61
-
1. Right-click on the Registry and select **New** > **Registry Item**
62
-
1. On the **General** tab, configure the following
1. Value data: Your verified **domain name** if you're using federated environment such as AD FS. Your verified **domain name** or your onmicrosoft.com domain name for example,`contoso.onmicrosoft.com` if you're using managed environment
69
-
1. Select **OK**
70
-
1. Close the editor for the newly created GPO
71
-
1. Link the newly created GPO to the correct OU containing domain-joined computers that belong to your controlled rollout population
51
+
1. Edit the GPO and locate the following path: **Computer Configuration** > **Preferences** > **Windows Settings** > **Registry**.
52
+
1. Right-click on the Registry and select **New** > **Registry Item**.
53
+
1. On the **General** tab, configure the following.
1. Value data: The GUID or **Tenant ID** of your Azure AD instance (This value can be found in the **Azure portal** > **Azure Active Directory** > **Properties** > **Tenant ID**).
60
+
1. Select **OK**.
61
+
1. Right-click on the Registry and select **New** > **Registry Item**.
62
+
1. On the **General** tab, configure the following.
1. Value data: Your verified **domain name** if you're using federated environment such as AD FS. Your verified **domain name** or your onmicrosoft.com domain name, for example `contoso.onmicrosoft.com` if you're using managed environment.
69
+
1. Select **OK**.
70
+
1. Close the editor for the newly created GPO.
71
+
1. Link the newly created GPO to the correct OU containing domain-joined computers that belong to your controlled rollout population.
72
72
73
73
### Configure AD FS settings
74
74
75
-
If you're using AD FS, you first need to configure client-side SCP using the instructions mentioned above by linking the GPO to your AD FS servers. The SCP object defines the source of authority for device objects. It can be on-premises or Azure AD. When client-side SCP is configured for AD FS, the source for device objects is established as Azure AD.
75
+
If you're using AD FS, you first need to configure client-side SCP using the instructions mentioned earlier by linking the GPO to your AD FS servers. The SCP object defines the source of authority for device objects. It can be on-premises or Azure AD. When client-side SCP is configured for AD FS, the source for device objects is established as Azure AD.
76
76
77
77
> [!NOTE]
78
78
> If you failed to configure client-side SCP on your AD FS servers, the source for device identities would be considered as on-premises. ADFS will then start deleting device objects from on-premises directory after the stipulated period defined in the ADFS Device Registration's attribute "MaximumInactiveDays". ADFS Device Registration objects can be found using the [Get-AdfsDeviceRegistration cmdlet](/powershell/module/adfs/get-adfsdeviceregistration).
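Review bot: lines 53 and 62 now end the lead-in "On the **General** tab, configure the following." with a period, but each is immediately followed by a nested list of settings, so a colon ("configure the following:") is the conventional form and the added period leaves a dangling sentence. Line 68 also needs articles: "if you're using a federated environment such as AD FS" and "if you're using a managed environment". Two problems in the unchanged context are worth fixing while this section is being touched: line 37 has the typo "from and administrative workstation" (should be "an"), and the NOTE on line 78 writes "ADFS" three times where the rest of the article (lines 30, 73, 74) uses "AD FS"; in that same note "If you failed to configure" reads better as "If you don't configure".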
articles/active-directory/devices/hybrid-azuread-join-plan.md
+10 -11 Lines changed: 10 additions & 11 deletions
@@ -65,10 +65,10 @@ For devices running the Windows desktop operating system, supported versions are
65
65
### Windows down-level devices
66
66
67
67
- Windows 8.1
68
-
- Windows 7 support ended on January 14, 2020. For more information, see [Support for Windows 7 has ended](https://support.microsoft.com/en-us/help/4057281/windows-7-support-ended-on-january-14-2020).
68
+
- Windows 7 support ended on January 14, 2020. For more information, see [Support for Windows 7 has ended](https://support.microsoft.com/en-us/help/4057281/windows-7-support-ended-on-january-14-2020)
69
69
- Windows Server 2012 R2
70
70
- Windows Server 2012
71
-
- Windows Server 2008 R2. For support information on Windows Server 2008 and 2008 R2, see [Prepare for Windows Server 2008 end of support](https://www.microsoft.com/cloud-platform/windows-server-2008).
71
+
- Windows Server 2008 R2 for support information on Windows Server 2008 and 2008 R2, see [Prepare for Windows Server 2008 end of support](https://www.microsoft.com/cloud-platform/windows-server-2008)
72
72
73
73
As a first planning step, you should review your environment and determine whether you need to support Windows down-level devices.
74
74
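Review bot: removing the period on line 71 merges two sentences into a run-on that no longer parses: "Windows Server 2008 R2 for support information on Windows Server 2008 and 2008 R2, see ...". Keep the original two-sentence form ("- Windows Server 2008 R2. For support information on Windows Server 2008 and 2008 R2, see ...") or restructure it as "- Windows Server 2008 R2 (for support information on Windows Server 2008 and 2008 R2, see ...)". The period removed on line 68 is harmless on its own, but it is the opposite of what the hybrid-azuread-join-control.md hunks in this commit do (they add terminal periods to list items); choose one convention for list items across the doc set.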
@@ -87,16 +87,16 @@ As a first planning step, you should review your environment and determine wheth
87
87
88
88
- If you're relying on a Virtual Machine (VM) snapshot to create more VMs, make sure that snapshot isn't from a VM that is already registered with Azure AD as hybrid Azure AD joined.
89
89
90
-
- If you're using [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter) and similar technologies that clear changes to the disk at reboot, they must be applied after the device is hybrid Azure AD joined. Enabling such technologies before completion of hybrid Azure AD join will result in the device getting unjoined on every reboot
90
+
- If you're using [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter) and similar technologies that clear changes to the disk at reboot, they must be applied after the device is hybrid Azure AD joined. Enabling such technologies before completion of hybrid Azure AD join will result in the device getting unjoined on every reboot.
91
91
92
92
### Handling devices with Azure AD registered state
93
93
94
-
If your Windows 10 domain joined devices are [Azure AD registered](concept-azure-ad-register.md) to your tenant, it could lead to a dual state of hybrid Azure AD joined and Azure AD registered device. We recommend upgrading to Windows 10 1803 (with KB4489894 applied) or above to automatically address this scenario. In pre-1803 releases, you'll need to remove the Azure AD registered state manually before enabling hybrid Azure AD join. In 1803 and above releases, the following changes have been made to avoid this dual state:
94
+
If your Windows 10 domain joined devices are [Azure AD registered](concept-azure-ad-register.md) to your tenant, it could lead to a dual state of hybrid Azure AD joined and Azure AD registered device. We recommend upgrading to Windows 10 1803 (with KB4489894 applied) or newer to automatically address this scenario. In pre-1803 releases, you'll need to remove the Azure AD registered state manually before enabling hybrid Azure AD join. In 1803 and above releases, the following changes have been made to avoid this dual state:
95
95
96
96
- Any existing Azure AD registered state for a user would be automatically removed <i>after the device is hybrid Azure AD joined and the same user logs in</i>. For example, if User A had an Azure AD registered state on the device, the dual state for User A is cleaned up only when User A logs in to the device. If there are multiple users on the same device, the dual state is cleaned up individually when those users log in. After removing the Azure AD registered state, Windows 10 will unenroll the device from Intune or other MDM, if the enrollment happened as part of the Azure AD registration via auto-enrollment.
97
-
- Azure AD registered state on any local accounts on the device is not impacted by this change. Only applicable to domain accounts. Azure AD registered state on local accounts isn't removed automatically even after user logon, since the user isn't a domain user.
97
+
- Azure AD registered state on any local accounts on the device isn’t impacted by this change. Only applicable to domain accounts. Azure AD registered state on local accounts isn't removed automatically even after user logon, since the user isn't a domain user.
98
98
- You can prevent your domain joined device from being Azure AD registered by adding the following registry value to HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin: "BlockAADWorkplaceJoin"=dword:00000001.
99
-
- In Windows 10 1803, if you have Windows Hello for Business configured, the user needs to reconfigure Windows Hello for Business after the dual state cleanup. This issue has been addressed with KB4512509
99
+
- In Windows 10 1803, if you have Windows Hello for Business configured, the user needs to reconfigure Windows Hello for Business after the dual state cleanup. This issue has been addressed with KB4512509.
100
100
101
101
> [!NOTE]
102
102
> Even though Windows 10 automatically removes the Azure AD registered state locally, the device object in Azure AD is not immediately deleted if it is managed by Intune. You can validate the removal of Azure AD registered state by running dsregcmd /status and consider the device not to be Azure AD registered based on that.
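Review bot: line 97 now mixes apostrophe characters within one sentence: the new "isn’t" uses a curly U+2019 while "isn't" later on the same line uses a straight apostrophe; use the straight form throughout. Line 94 changes "or above" to "or newer" but the following sentence on the same line still says "In 1803 and above releases"; change it to "In 1803 and newer releases" so the terminology is consistent within the paragraph. On line 97, "Only applicable to domain accounts." is a sentence fragment; fold it into the preceding sentence ("...isn't impacted by this change; it applies only to domain accounts").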
@@ -139,9 +139,8 @@ A managed environment can be deployed either through [Password Hash Sync (PHS)](
139
139
These scenarios don't require you to configure a federation server for authentication.
140
140
141
141
> [!NOTE]
142
-
> [Cloud authentication using Staged rollout](../hybrid/how-to-connect-staged-rollout.md) is only supported starting Windows 10 1903 update
143
-
144
-
> [!NOTE]
142
+
> [Cloud authentication using Staged rollout](../hybrid/how-to-connect-staged-rollout.md) is only supported starting at the Windows 10 1903 update.
143
+
>
145
144
> Azure AD doesn't support smartcards or certificates in managed domains.
146
145
147
146
### Federated environment
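Review bot: "only supported starting at the Windows 10 1903 update" on line 142 is awkward; "only supported starting with the Windows 10 1903 update" (or "from Windows 10 1903 onward") is the usual phrasing. Merging the two NOTE blocks into one is fine, but the two statements are unrelated (version support for staged rollout versus smartcard and certificate support in managed domains); if they stay in one note, a two-item bullet list inside the note signals that better than the blank ">" line on line 143 does.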
@@ -167,13 +166,13 @@ Beginning with version 1.1.819.0, Azure AD Connect provides you with a wizard to
167
166
168
167
Sometimes, on-premises AD users UPNs are different from your Azure AD UPNs. In these cases, Windows 10 hybrid Azure AD join provides limited support for on-premises AD UPNs based on the [authentication method](../hybrid/choose-ad-authn.md), domain type, and Windows 10 version. There are two types of on-premises AD UPNs that can exist in your environment:
169
168
170
-
- Routable users UPN: A routable UPN has a valid verified domain, that is registered with a domain registrar. For example, if contoso.com is the primary domain in Azure AD, contoso.org is the primary domain in on-premises AD owned by Contoso and [verified in Azure AD](../fundamentals/add-custom-domain.md)
169
+
- Routable users UPN: A routable UPN has a valid verified domain, that is registered with a domain registrar. For example, if contoso.com is the primary domain in Azure AD, contoso.org is the primary domain in on-premises AD owned by Contoso and [verified in Azure AD](../fundamentals/add-custom-domain.md).
171
170
- Non-routable users UPN: A non-routable UPN doesn't have a verified domain and is applicable only within your organization's private network. For example, if contoso.com is the primary domain in Azure AD and contoso.local is the primary domain in on-premises AD but isn't a verifiable domain in the internet and only used within Contoso's network.
172
171
173
172
> [!NOTE]
174
173
> The information in this section applies only to an on-premises users UPN. It isn't applicable to an on-premises computer domain suffix (example: computer1.contoso.local).
175
174
176
-
The table below provides details on support for these on-premises AD UPNs in Windows 10 hybrid Azure AD join
175
+
The following table provides details on support for these on-premises AD UPNs in Windows 10 hybrid Azure AD join
177
176
178
177
| Type of on-premises AD UPN | Domain type | Windows 10 version | Description |
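Review bot: line 175 still ends without punctuation ("...in Windows 10 hybrid Azure AD join") even though it introduces the table on line 177; end it with a colon. The "table below" to "following table" change matches the same edit made in azureadjoin-plan.md in this commit, which is good. In the unchanged context, "Routable users UPN" and "Non-routable users UPN" on lines 169 and 170 (and "an on-premises users UPN" on line 173) need the possessive "user's UPN", and "a valid verified domain, that is registered with a domain registrar" on line 169 should drop the comma, since the clause is restrictive.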