Freshness updates.

Author: TimShererWithAquent

articles/active-directory/devices/hybrid-azuread-join-managed-domains.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: devices
 ms.topic: tutorial
-ms.date: 05/14/2019
+ms.date: 03/06/2020
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -19,17 +19,17 @@ ms.collection: M365-identity-device-management
 ---
 # Tutorial: Configure hybrid Azure Active Directory join for managed domains
 
-Like a user in your organization, a device is a core identity you want to protect. You can use a device's identity to protect your resources at any time and from any location. You can accomplish this goal by bringing device identities and managing them in Azure Active Directory (Azure AD) by using one of the following methods:
+In this tutorial, you learn how to configure hybrid Azure Active Directory (Azure AD) join for Active Directory domain-joined computers devices in a managed environment.
+
+Like a user in your organization, a device is a core identity you want to protect. You can use a device's identity to protect your resources at any time and from any location. You can accomplish this goal by bringing device identities and managing them in Azure AD by using one of the following methods:
 
 - Azure AD join
 - Hybrid Azure AD join
 - Azure AD registration
 
 Bringing your devices to Azure AD maximizes user productivity through single sign-on (SSO) across your cloud and on-premises resources. You can secure access to your cloud and on-premises resources with [Conditional Access](../active-directory-conditional-access-azure-portal.md) at the same time.
 
-In this tutorial, you learn how to configure hybrid Azure AD join for Active Directory domain-joined computers devices in a managed environment. 
-
-A managed environment can be deployed either through [password hash sync (PHS)](../hybrid/whatis-phs.md) or [pass-through authentication (PTA)](../hybrid/how-to-connect-pta.md) with [seamless single sign-on](../hybrid/how-to-connect-sso.md). These scenarios don't require you to configure a federation server for authentication.
+You can deploy a managed environment by using [password hash sync (PHS)](../hybrid/whatis-phs.md) or [pass-through authentication (PTA)](../hybrid/how-to-connect-pta.md) with [seamless single sign-on](../hybrid/how-to-connect-sso.md). These scenarios don't require you to configure a federation server for authentication.
 
 In this tutorial, you learn how to:
 
@@ -44,15 +44,15 @@ In this tutorial, you learn how to:
 This tutorial assumes that you're familiar with these articles:
 
 - [What is a device identity?](overview.md)
-- [How to plan your hybrid Azure AD join implementation](hybrid-azuread-join-plan.md)
-- [How to do controlled validation of hybrid Azure AD join](hybrid-azuread-join-control.md)
+- [How To: Plan your hybrid Azure Active Directory join implementation](hybrid-azuread-join-plan.md)
+- [Controlled validation of hybrid Azure AD join](hybrid-azuread-join-control.md)
 
 > [!NOTE]
 > Azure AD doesn't support smartcards or certificates in managed domains.
 
 To configure the scenario in this article, you need the [latest version of Azure AD Connect](https://www.microsoft.com/download/details.aspx?id=47594) (1.1.819.0 or later) installed.
 
-Verify that Azure AD Connect has synced the computer objects of the devices you want to be hybrid Azure AD joined to Azure AD. If the computer objects belong to specific organizational units (OUs), you must also configure the OUs to sync in Azure AD Connect. To learn more about how to sync computer objects by using Azure AD Connect, see [Configure filtering by using Azure AD Connect](../hybrid/how-to-connect-sync-configure-filtering.md#organizational-unitbased-filtering).
+Verify that Azure AD Connect has synced the computer objects of the devices you want to be hybrid Azure AD joined to Azure AD. If the computer objects belong to specific organizational units (OUs), you must also configure the OUs to sync in Azure AD Connect. To learn more about how to sync computer objects by using Azure AD Connect, see [Organizational unit–based filtering](../hybrid/how-to-connect-sync-configure-filtering.md#organizational-unitbased-filtering).
 
 Beginning with version 1.1.819.0, Azure AD Connect includes a wizard that you can use to configure hybrid Azure AD join. The wizard significantly simplifies the configuration process. The wizard configures the service connection points (SCPs) for device registration.
 
@@ -65,16 +65,16 @@ Hybrid Azure AD join requires devices to have access to the following Microsoft
 - `https://device.login.microsoftonline.com`
 - `https://autologon.microsoftazuread-sso.com` (If you use or plan to use seamless SSO)
 
-If your organization requires access to the internet via an outbound proxy, Microsoft recommends [implementing Web Proxy Auto-Discovery (WPAD)](https://docs.microsoft.com/previous-versions/tn-archive/cc995261(v%3dtechnet.10)) to enable Windows 10 computers for device registration with Azure AD. If you encounter issues configuring and managing WPAD, see [Troubleshoot automatic detection](https://docs.microsoft.com/previous-versions/tn-archive/cc302643(v=technet.10)). 
+If your organization requires access to the internet via an outbound proxy, we recommend [implementing Web Proxy Auto-Discovery (WPAD)](https://docs.microsoft.com/previous-versions/tn-archive/cc995261(v%3dtechnet.10)) to enable Windows 10 computers for device registration with Azure AD. To address issues configuring and managing WPAD, see [Troubleshooting Automatic Detection](https://docs.microsoft.com/previous-versions/tn-archive/cc302643(v=technet.10)).
 
-If you don't use WPAD and need to configure proxy settings on your computer, you can do so beginning with Windows 10 1709. For more information, see [Configure WinHTTP settings using a group policy object (GPO)](https://blogs.technet.microsoft.com/netgeeks/2018/06/19/winhttp-proxy-settings-deployed-by-gpo/).
+If you don't use WPAD and need to configure proxy settings on your computer, you can do so, beginning with Windows 10 1709. For more information, see [WinHTTP Proxy Settings deployed by GPO](https://blogs.technet.microsoft.com/netgeeks/2018/06/19/winhttp-proxy-settings-deployed-by-gpo/).
 
 > [!NOTE]
 > If you configure proxy settings on your computer by using WinHTTP settings, any computers that can't connect to the configured proxy will fail to connect to the internet.
 
 If your organization requires access to the internet via an authenticated outbound proxy, you must make sure that your Windows 10 computers can successfully authenticate to the outbound proxy. Because Windows 10 computers run device registration by using machine context, you must configure outbound proxy authentication by using machine context. Follow up with your outbound proxy provider on the configuration requirements.
 
-To verify if the device is able to access the above Microsoft resources under the system account, you can use [Test Device Registration Connectivity](https://gallery.technet.microsoft.com/Test-Device-Registration-3dc944c0) script.
+To verify if the device can access the above Microsoft resources under the system account, you can use [Test Device Registration Connectivity](https://gallery.technet.microsoft.com/Test-Device-Registration-3dc944c0) script.
 
 ## Configure hybrid Azure AD join
 
@@ -87,43 +87,43 @@ To configure a hybrid Azure AD join using Azure AD Connect, you need:
 
 1. Start Azure AD Connect, and then select **Configure**.
 
-   ![Welcome](./media/hybrid-azuread-join-managed-domains/11.png)
+   ![Welcome](./media/hybrid-azuread-join-managed-domains/welcome-azure-ad-connect.png)
 
-1. On the **Additional tasks** page, select **Configure device options**, and then select **Next**.
+1. In **Additional tasks**, select **Configure device options**, and then select **Next**.
 
-   ![Additional tasks](./media/hybrid-azuread-join-managed-domains/12.png)
+   ![Additional tasks](./media/hybrid-azuread-join-managed-domains/azure-ad-connect-additional-tasks.png)
 
-1. On the **Overview** page, select **Next**.
+1. In **Overview**, select **Next**.
 
-   ![Overview](./media/hybrid-azuread-join-managed-domains/13.png)
+   ![Overview](./media/hybrid-azuread-join-managed-domains/azure-ad-connect-overview.png)
 
-1. On the **Connect to Azure AD** page, enter the credentials of a global administrator for your Azure AD tenant.  
+1. In **Connect to Azure AD**, enter the credentials of a global administrator for your Azure AD tenant.  
 
-   ![Connect to Azure AD](./media/hybrid-azuread-join-managed-domains/14.png)
+   ![Connect to Azure AD](./media/hybrid-azuread-join-managed-domains/connect-to-azure-ad-username-password.png)
 
-1. On the **Device options** page, select **Configure Hybrid Azure AD join**, and then select **Next**.
+1. In **Device options**, select **Configure Hybrid Azure AD join**, and then select **Next**.
 
-   ![Device options](./media/hybrid-azuread-join-managed-domains/15.png)
+   ![Device options](./media/hybrid-azuread-join-managed-domains/azure-ad-connect-device-options.png)
 
-1. On the **SCP** page, for each forest where you want Azure AD Connect to configure the SCP, complete the following steps, and then select **Next**:
+1. In **SCP configuration**, for each forest where you want Azure AD Connect to configure the SCP, complete the following steps, and then select **Next**:
 
-   ![SCP](./media/hybrid-azuread-join-managed-domains/16.png)
-
-   1. Select the forest.
-   1. Select the authentication service.
+   1. Select the **Forest**.
+   1. Select an **Authentication Service**.
    1. Select **Add** to enter the enterprise administrator credentials.
 
-1. On the **Device operating systems** page, select the operating systems that devices in your Active Directory environment use, and then select **Next**.
+   ![SCP](./media/hybrid-azuread-join-managed-domains/azure-ad-connect-scp-configuration.png)
+
+1. In **Device operating systems**, select the operating systems that devices in your Active Directory environment use, and then select **Next**.
 
-   ![Device operating system](./media/hybrid-azuread-join-managed-domains/17.png)
+   ![Device operating system](./media/hybrid-azuread-join-managed-domains/azure-ad-connect-device-operating-systems.png)
 
-1. On the **Ready to configure** page, select **Configure**.
+1. In **Ready to configure**, select **Configure**.
 
-   ![Ready to configure](./media/hybrid-azuread-join-managed-domains/19.png)
+   ![Ready to configure](./media/hybrid-azuread-join-managed-domains/azure-ad-connect-ready-to-configure.png)
 
-1. On the **Configuration complete** page, select **Exit**.
+1. IN **Configuration complete**, select **Exit**.
 
-   ![Configuration complete](./media/hybrid-azuread-join-managed-domains/20.png)
+   ![Configuration complete](./media/hybrid-azuread-join-managed-domains/azure-ad-connect-configuration-complete.png)
 
 ## Enable Windows downlevel devices
 
@@ -134,11 +134,11 @@ If some of your domain-joined devices are Windows downlevel devices, you must:
 - Install Microsoft Workplace Join for Windows downlevel computers
 
 > [!NOTE]
-> Windows 7 support ended on January 14, 2020. For more information, [Support for Windows 7 has ended](https://support.microsoft.com/en-us/help/4057281/windows-7-support-ended-on-january-14-2020).
+> Windows 7 support ended on January 14, 2020. For more information, see [Windows 7 support ended](https://support.microsoft.com/en-us/help/4057281/windows-7-support-ended-on-january-14-2020).
 
 ### Configure the local intranet settings for device registration
 
-To successfully complete hybrid Azure AD join of your Windows downlevel devices and to avoid certificate prompts when devices authenticate to Azure AD, you can push a policy to your domain-joined devices to add the following URLs to the local intranet zone in Internet Explorer:
+To complete hybrid Azure AD join of your Windows downlevel devices and to avoid certificate prompts when devices authenticate to Azure AD, you can push a policy to your domain-joined devices to add the following URLs to the local intranet zone in Internet Explorer:
 
 - `https://device.login.microsoftonline.com`
 - `https://autologon.microsoftazuread-sso.com`
@@ -147,7 +147,7 @@ You also must enable **Allow updates to status bar via script** in the user’s
 
 ### Configure seamless SSO
 
-To successfully complete hybrid Azure AD join of your Windows downlevel devices in a managed domain that uses [PHS](../hybrid/whatis-phs.md) or [PTA](../hybrid/how-to-connect-pta.md) as your Azure AD cloud authentication method, you must also [configure seamless SSO](../hybrid/how-to-connect-sso-quick-start.md#step-2-enable-the-feature).
+To complete hybrid Azure AD join of your Windows downlevel devices in a managed domain that uses [password hash sync](../hybrid/whatis-phs.md) or [pass-through authentication](../hybrid/how-to-connect-pta.md) as your Azure AD cloud authentication method, you must also [configure seamless SSO](../hybrid/how-to-connect-sso-quick-start.md#step-2-enable-the-feature).
 
 ### Install Microsoft Workplace Join for Windows downlevel computers
 
@@ -164,8 +164,8 @@ To verify the device registration state in your Azure tenant, you can use the **
 When you use the **Get-MSolDevice** cmdlet to check the service details:
 
 - An object with the **device ID** that matches the ID on the Windows client must exist.
-- The value for **DeviceTrustType** must be **Domain Joined**. This setting is equivalent to the **Hybrid Azure AD joined** state on the **Devices** page in the Azure AD portal.
-- For devices that are used in Conditional Access, the value for **Enabled** must be **True** and **DeviceTrustLevel** must be **Managed**.
+- The value for **DeviceTrustType** is **Domain Joined**. This setting is equivalent to the **Hybrid Azure AD joined** state on the **Devices** page in the Azure AD portal.
+- For devices that are used in Conditional Access, the value for **Enabled** is **True** and **DeviceTrustLevel** is **Managed**.
 
 **To check the service details**:
 
@@ -178,9 +178,11 @@ When you use the **Get-MSolDevice** cmdlet to check the service details:
 
 If you experience issues with completing hybrid Azure AD join for domain-joined Windows devices, see:
 
-- [Troubleshoot hybrid Azure AD join for Windows current devices](troubleshoot-hybrid-join-windows-current.md)
-- [Troubleshoot hybrid Azure AD join for Windows downlevel devices](troubleshoot-hybrid-join-windows-legacy.md)
+- [Troubleshooting hybrid Azure Active Directory joined devices](troubleshoot-hybrid-join-windows-current.md)
+- [Troubleshooting hybrid Azure Active Directory joined down-level devices](troubleshoot-hybrid-join-windows-legacy.md)
 
 ## Next steps
 
-Learn how to [manage device identities by using the Azure portal](device-management-azure-portal.md).
+Advance to the next article to learn how to manage device identities by using the Azure portal.
+> [!div class="nextstepaction"]
+> [Manage device identities](device-management-azure-portal.md)