Matt Palko edits

This commit is contained in:
v-miegge
2021-06-23 08:27:38 -07:00
parent 1d175118dc
commit 68bd4770c1


@ -13,7 +13,7 @@ manager: dansimp
ms.collection: M365-identity-device-management ms.collection: M365-identity-device-management
ms.topic: article ms.topic: article
localizationpriority: medium localizationpriority: medium
ms.date: 06/03/2021 ms.date: 06/23/2021
ms.reviewer: ms.reviewer:
--- ---
# Azure AD Joined Cloud Only Deployment # Azure AD Joined Cloud Only Deployment
@ -25,15 +25,15 @@ When you Azure Active Directory (Azure AD) join a Windows 10 device, the system
You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below. You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below.
> [!NOTE] > [!NOTE]
> During the out-of-box experience (OOBE) flow of an Azure AD (AAD) join, you will see a provisioning PIN when you dont have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. > During the out-of-box experience (OOBE) flow of an Azure AD join, you will see a provisioning PIN when you dont have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts.
## Prerequisites ## Prerequisites
This cloud only deployment will use AAD multi-factor authentication (MFA) during the Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in AAD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business deployment enrollment process. Cloud only deployments will use Azure AD multi-factor authentication (MFA) during Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in Azure AD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business enrollment process.
The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment). The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment).
Also note that it's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This flag tells AAD that the federated IDP will perform the MFA challenge. Also note that it's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This flag tells Azure AD that the federated IDP will perform the MFA challenge.
Check and view this setting with the following MSOnline PowerShell command: Check and view this setting with the following MSOnline PowerShell command:
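Review bot: two typos survive the AAD-to-"Azure AD" rename on the lines this hunk already touches: the note still reads "when you dont have Intune" (needs "don't"), and the prerequisites paragraph still reads "guided though the MFA registration" (should be "through"); fix both here rather than in a follow-up. The "Supports MFA" paragraph is also the security-relevant point of this section and deserves its caveat next to it: with the flag set to True, Azure AD skips its own MFA challenge during Windows Hello for Business enrollment and trusts the federated IdP to have performed one, so a federation setup that advertises MFA without enforcing it lets a WHfB key be provisioned after a single factor. The sentence "If you use this Supports MFA switch with value True, you must verify that yo..." currently sits after the PowerShell command (visible in the next hunk header); consider moving it up directly after "This flag tells Azure AD that the federated IDP will perform the MFA challenge."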
@ -53,9 +53,9 @@ If you use this Supports MFA switch with value **True**, you must verify that yo
We recommend that you disable or manage Windows Hello for Business provisioning behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). We recommend that you disable or manage Windows Hello for Business provisioning behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello).
However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you aren't running Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business. However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you aren't using Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business.
## Create a Windows Hello for Business Enrollment policy ## Disable Windows Hello for Business using Intune Enrollment policy
1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center. 1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center.
2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens. 2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens.
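Review bot: the renamed heading "Disable Windows Hello for Business using Intune Enrollment policy" states the intent better, but the paragraph immediately above it ("The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM)") now promises a non-Intune method and is followed by the Intune procedure. Either move that paragraph down to introduce the registry section, or reword it to something like "The sections below cover the Intune policy first, then the registry settings for environments without Intune or with a third-party MDM." The phrase "a third-party mobile device management (MDM)" is also missing its noun ("MDM provider" or "MDM solution").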
@ -72,11 +72,11 @@ The information below can be pushed out to the devices through a third-party MDM
Because these systems are Azure AD Joined only, and not domain joined, these settings could be made in the registry on the device(s) when Intune isn't used. Because these systems are Azure AD Joined only, and not domain joined, these settings could be made in the registry on the device(s) when Intune isn't used.
Here are the registry settings an Intune policy would set. If you aren't using Intune, it's recommended to use the Intune Device Policy registry settings manually to disable Windows Hello For Business enrollment. Here are the registry settings an Intune policy would set.
Intune Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\Device\Policies** Intune Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\Device\Policies**
To find the Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant)
These registry settings are pushed from Intune for user policies for your reference. These registry settings are pushed from Intune for user policies for your reference.
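Review bot: deleting "If you aren't using Intune, it's recommended to use the Intune Device Policy registry settings manually to disable Windows Hello For Business enrollment" removes the only sentence that tells a reader without Intune which of the two key sets (the HKLM ...\<Tenant-ID>\Device\Policies key or the per-user policies listed below) to write. The paragraph above still says "these settings could be made in the registry on the device(s) when Intune isn't used", so keep a one-line pointer, e.g. "Without Intune, set the Device policy key below manually." While here, "could be made" reads as speculative; "can be set" is clearer. The "To look up your Tenant ID" rewording is fine.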
@ -91,7 +91,7 @@ For your reference, these registry settings can be applied from Local or Group P
- DWORD: **Enabled** - DWORD: **Enabled**
- Value = **0** for Disable or Value = **1** for Enable - Value = **0** for Disable or Value = **1** for Enable
If there's a conflicting Device policy and User policy, the device policy or computer policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results. If there's a conflicting Device policy and User policy, the User policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results.
## Related reference documents for Azure AD join scenarios ## Related reference documents for Azure AD join scenarios
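Review bot: the precedence sentence is inverted by this hunk, from "the device policy or computer policy would take precedence" to "the User policy would take precedence", and nothing in the commit message ("Matt Palko edits") or the surrounding text justifies the flip. This is a behavioral claim the rest of the section depends on: the earlier hunk dropped the recommendation to use the Device policy key when Intune is absent, and the Local/GPO conflict warning that follows only makes sense if the reader knows which scope wins. Classic Group Policy resolves Computer-versus-User conflicts in favor of the computer setting, so if the PassportForWork policy genuinely behaves the other way round, cite the CSP reference or the test that established it, and spell out the scopes explicitly (the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\Device\Policies key versus the user policies listed above) so a reader can verify the outcome with a registry query after applying both.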