move azure intune up

windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md

@@ -23,8 +23,6 @@ ms.date: 04/16/2018
 - Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-
-
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink)
 
 You can use mobile device management (MDM) solutions to configure machines. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage machines.
@@ -40,6 +38,70 @@ For more information on enabling MDM with Microsoft Intune, see [Setup Windows D
 
 For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
 
+### Using the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher
+
+1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+
+    a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
+
+    b. Select Windows 10 as the operating system.
+
+    c. In the **Deployment method** field, select **Mobile Device Management / Microsoft Intune**.
+    
+    d. Click **Download package**, and save the .zip file.
+
+2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
+
+3. Login to the [Microsoft Azure portal](https://portal.azure.com).
+
+4. From the Intune blade, choose **Device configuration**.
+
+  ![Image of device configuration menu in Microsoft Azure](images/atp-azure-intune-device-config.png)
+
+5. Under **Manage**, choose **Profiles** and click **Create Profile**.
+
+  ![Image of policy creation in Azure](images/atp-azure-intune-create-profile.png)
+
+6. Type a name, description and choose **Windows 10 and later** as the Platform and **Custom** as the Profile type.
+
+  ![Image of naming a policy](images/atp-intune-custom.png)
+
+7. Click **Settings** > **Configure**.
+
+  ![Image of settings](images/atp-intune-configure.png)
+
+8. Under Custom OMA-URI Settings, click **Add**.
+
+  ![Image of configuration settings](images/atp-custom-oma-uri.png)
+
+9. Enter the following values, then click **OK**.
+
+  ![Image of profile creation](images/atp-oma-uri-values.png)
+
+  - **Name**: Type a name for the setting.
+  - **Description**: Type a description for the setting.
+  - **OMA-URI**: _./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding_
+  - **Value**: Copy and paste the contents of the WindowsDefenderATP.onboarding file you downloaded.
+
+10. Save the settings by clicking **OK**.
+  
+11. Click **Create**.
+
+  ![Image of the policy being created](images/atp-intune-create-policy.png)
+
+12. To deploy the Profile, click **Assignments**. 
+
+  ![Image of groups](images/atp-intune-assignments.png)
+
+13. Search for and select the Group you want to apply the Configuration Profile to, then click **Select**.
+
+  ![Image of groups](images/atp-intune-group.png)
+
+14. Click **Save** to finish deploying the Configuration Profile.
+
+  ![Image of deployment](images/atp-intune-save-deployment.png)
+
+
 ### Onboard and monitor machines using the classic Intune console
 
 1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
@@ -119,70 +181,6 @@ Configuration for onboarded machines: diagnostic data reporting frequency | ./De
 >[!TIP]
 > After onboarding the machine, you can choose to run a detection test to verify that a machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md).
 
-### Using the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher
-
-1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
-
-    a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
-
-    b. Select Windows 10 as the operating system.
-
-    c. In the **Deployment method** field, select **Mobile Device Management / Microsoft Intune**.
-    
-    d. Click **Download package**, and save the .zip file.
-
-2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
-
-3. Login to the [Microsoft Azure portal](https://portal.azure.com).
-
-4. From the Intune blade, choose **Device configuration**.
-
-  ![Image of device configuration menu in Microsoft Azure](images/atp-azure-intune-device-config.png)
-
-5. Under **Manage**, choose **Profiles** and click **Create Profile**.
-
-  ![Image of policy creation in Azure](images/atp-azure-intune-create-profile.png)
-
-6. Type a name, description and choose **Windows 10 and later** as the Platform and **Custom** as the Profile type.
-
-  ![Image of naming a policy](images/atp-intune-custom.png)
-
-7. Click **Settings** > **Configure**.
-
-  ![Image of settings](images/atp-intune-configure.png)
-
-8. Under Custom OMA-URI Settings, click **Add**.
-
-  ![Image of configuration settings](images/atp-custom-oma-uri.png)
-
-9. Enter the following values, then click **OK**.
-
-  ![Image of profile creation](images/atp-oma-uri-values.png)
-
-  - **Name**: Type a name for the setting.
-  - **Description**: Type a description for the setting.
-  - **OMA-URI**: _./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding_
-  - **Value**: Copy and paste the contents of the WindowsDefenderATP.onboarding file you downloaded.
-
-10. Save the settings by clicking **OK**.
-  
-11. Click **Create**.
-
-  ![Image of the policy being created](images/atp-intune-create-policy.png)
-
-12. To deploy the Profile, click **Assignments**. 
-
-  ![Image of groups](images/atp-intune-assignments.png)
-
-13. Search for and select the Group you want to apply the Configuration Profile to, then click **Select**.
-
-  ![Image of groups](images/atp-intune-group.png)
-
-14. Click **Save** to finish deploying the Configuration Profile.
-
-  ![Image of deployment](images/atp-intune-save-deployment.png)
-
-
 ## Offboard and monitor machines using Mobile Device Management tools
 For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.