add content - enroll SEMM topic

add images

devices/surface/enroll-and-configure-surface-devices-with-semm.md

@@ -59,7 +59,7 @@ To create a Surface UEFI configuration package, follow these steps:
 11.	Click **Next**.
 12.	To enable or disable advanced options in Surface UEFI or the display of Surface UEFI pages, on the **Choose the advanced settings for your devices** page, click the slider beside the desired setting to configure that option to **On** or **Off**. (As show in Figure 5.) In the **UEFI Front Page** section, you can use the sliders for **Security**, **Devices**, and **Boot** to control what pages are available to users who boot into Surface UEFI. (For more information about Surface UEFI settings, see [Manage Surface UEFI settings](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-uefi-settings).) Click **Build** when you have finished selecting options to generate and save the package.
 
-
+   ![Control advanced Surface UEFI settings and Surface UEFI pages](images\surface-semm-enroll-fig5.png "Control advanced Surface UEFI settings and Surface UEFI pages")
 
    *Figure 5. Control advanced Surface UEFI settings and Surface UEFI pages with SEMM*
 
@@ -68,6 +68,8 @@ To create a Surface UEFI configuration package, follow these steps:
 
 >**Note**:  Record the certificate thumbprint characters that are displayed on this page, as shown in Figure 6. You will need these characters to confirm enrollment of new Surface devices in SEMM. Click **End** to complete package creation and close Microsoft Surface UEFI Configurator.
 
+![Display of certificate thumbprint characters](images\surface-semm-enroll-fig6.png "Display of certificate thumbprint characters")
+
 *Figure 6. The last to characters of the certificate thumbprint are displayed on the Successful page*
 
 Now that you have created your Surface UEFI configuration package, you can enroll or configure Surface devices.
@@ -77,6 +79,8 @@ Now that you have created your Surface UEFI configuration package, you can enrol
 ## Enroll a Surface device in SEMM
 When the Surface UEFI configuration package is executed, the SEMM certificate and Surface UEFI configuration file are staged in the firmware storage of the Surface device. When the Surface device reboots, Surface UEFI processes these files and begins the process of applying the Surface UEFI configuration or enrolling the Surface device in SEMM, as shown in Figure 7.
 
+![SEMM process for configuration of Surface UEFI or enrollment](images\surface-semm-enroll-fig7.png "SEMM process for configuration of Surface UEFI or enrollment")
+
 *Figure 7. The SEMM process for configuration of Surface UEFI or enrollment of a Surface device*
 
 Before you begin the process of to enroll a Surface device in SEMM, ensure that you have the last two characters of the certificate thumbprint on hand. You will need these characters to confirm the device’s enrollment (see Figure 6).
@@ -90,6 +94,8 @@ To enroll a Surface device in SEMM with a Surface UEFI configuration package, fo
   * Surface UEFI will verify that the SEMM configuration file contains a SEMM certificate.
   * Surface UEFI will prompt you to enter to enter the last two characters of the certificate thumbprint to confirm enrollment of the Surface device in SEMM, as shown in Figure 8.
 
+  ![SEMM enrollment requires last two characters of certificate thumbprint](images\surface-semm-enroll-fig8.png "SEMM enrollment requires last two characters of certificate thumbprint")
+  
   *Figure 8. Enrollment in SEMM requires the last two characters of the certificate thumbprint*
 
    * Surface UEFI will store the SEMM certificate in firmware and apply the configuration settings that are specified in the Surface UEFI configuration file.
@@ -98,12 +104,18 @@ To enroll a Surface device in SEMM with a Surface UEFI configuration package, fo
 
 You can verify that a Surface device has been successfully enrolled in SEMM by looking for **Microsoft Surface Configuration Package** in **Programs and Features**, as shown in Figure 9, or in the events stored in the **Microsoft Surface UEFI Configurator** log, found under **Applications and Services Logs** in Event Viewer, as shown in Figure 10.
 
+![Verify enrollment of Surface device in SEMM in Programs and Features](images\surface-semm-enroll-fig9.png "Verify enrollment of Surface device in SEMM in Programs and Features")
+
 *Figure 9. Verify the enrollment of a Surface device in SEMM in Programs and Features*
 
+![Verify enrollment of Surface device in SEMM in Event Viewer](images\surface-semm-enroll-fig10.png "Verify enrollment of Surface device in SEMM in Event Viewer")
+
 *Figure 10. Verify the enrollment of a Surface device in SEMM in Event Viewer*
 
 You can also verify that the device is enrolled in SEMM in Surface UEFI, while the device is enrolled Surface UEFI will contain the Enterprise Management page, as shown in Figure 11.
 
+![Surface UEFI Enterprise Management page](images\surface-semm-enroll-fig11.png "Surface UEFI Enterprise Management page")
+
 *Figure 11: The Surface UEFI Enterprise Management page*
 
 
@@ -117,5 +129,6 @@ If you have secured Surface UEFI with a password, users without the password who
 
 If you have not secured Surface UEFI with a password or a user enters the password correctly, settings that are configured with SEMM will be dimmed (unavailable) and the text Some settings are managed by your organization will be displayed at the top of the page, as shown in Figure 12.
 
+![Settings managed by SEMM disabled in Surface UEFI](images\surface-semm-enroll-fig12.png "Settings managed by SEMM disabled in Surface UEFI")
 
 *Figure 12. Settings managed by SEMM will be disabled in Surface UEFI*