Merge branch 'master' into MDBranchPhase2bPoliciesSet2

store-for-business/microsoft-store-for-business-overview.md

@@ -12,7 +12,7 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 10/17/2017
+ms.date: 
 ---
 
 # Microsoft Store for Business and Microsoft Store for Education overview
@@ -22,7 +22,10 @@ ms.date: 10/17/2017
 -   Windows 10
 -   Windows 10 Mobile
 
-Designed for organizations, Microsoft Store for Business and Microsoft Store for Education give IT decision makers and administrators in businesses or schools a flexible way to find, acquire, manage, and distribute free and paid apps in select markets to Windows 10 devices in volume. IT administrators can manage Microsoft Store apps and private line-of-business apps in one inventory, plus assign and re-use licenses as needed. You can choose the best distribution method for your organization: directly assign apps to individuals and teams, publish apps to private pages in Microsoft Store, or connect with management solutions for more options. 
+Designed for organizations, Microsoft Store for Business and Microsoft Store for Education give IT decision makers and administrators in businesses or schools a flexible way to find, acquire, manage, and distribute free and paid apps in select markets to Windows 10 devices in volume. IT administrators can manage Microsoft Store apps and private line-of-business apps in one inventory, plus assign and re-use licenses as needed. You can choose the best distribution method for your organization: directly assign apps to individuals and teams, publish apps to private pages in Microsoft Store, or connect with management solutions for more options.
+
+> [!IMPORTANT]
+> Customers who are in the Office 365 GCC environment or are eligible to buy with government pricing cannot use Microsoft Store for Business.
 
 ## Features
 Organizations or schools of any size can benefit from using Microsoft Store for Business or Microsoft Store for Education:

store-for-business/prerequisites-microsoft-store-for-business.md

@@ -12,7 +12,7 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 10/13/2017
+ms.date: 
 ---
 
 # Prerequisites for Microsoft Store for Business and Education
@@ -22,6 +22,9 @@ ms.date: 10/13/2017
 -   Windows 10
 -   Windows 10 Mobile
 
+> [!IMPORTANT]
+> Customers who are in the Office 365 GCC environment or are eligible to buy with government pricing cannot use Microsoft Store for Business.
+
 There are a few prerequisites for using Microsoft Store for Business or Microsoft Store for Education.
 
 ## Prerequisites

windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md

@@ -22,7 +22,7 @@ Requirements:
 - The enterprise has configured a mobile device management (MDM) service  
 - The enterprise AD must be [registered with Azure Active Directory (Azure AD)](azure-active-directory-integration-with-mdm.md)
 - The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`)
-- The minimum Windows Server version requirement is based on the Hybrid AAD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) for more information.
+- The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) for more information.
 
 > [!TIP]
 > For additional information, see the following topics:
@@ -30,7 +30,7 @@ Requirements:
 > - [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan)
 > - [Azure Active Directory integration with MDM](https://docs.microsoft.com/windows/client-management/mdm/azure-active-directory-integration-with-mdm)
 
-The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered.
+The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD–registered.
 
 > [!NOTE]
 > In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. 
@@ -106,13 +106,16 @@ Requirements:
 
 2. Under **Best match**, click **Edit group policy** to launch it.
 
-3.  In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**.
+3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**.
 
-    ![MDM policies](images/autoenrollment-mdm-policies.png)
+   ![MDM policies](images/autoenrollment-mdm-policies.png)
 
-4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** (support for Device Credential is coming) as the Selected Credential Type to use. User Credential enrolls Windows 10, version 1709 and later once an Intune licensed user logs into the device. Device Credential will enroll the device and then assign a user later, once support for this is available.
+4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the Selected Credential Type to use. 
 
-    ![MDM autoenrollment policy](images/autoenrollment-policy.png)
+   > [!NOTE]
+   > **Device Credential** Credential Type will also work, however, it is not yet supported for MDM solutions (including Intune). We don't recommend using this option until support is announced.
+
+   ![MDM autoenrollment policy](images/autoenrollment-policy.png)
 
 5. Click **Enable**, and select **User Credential** from the dropdown **Select Credential Type to Use**, then click **OK**.
 
@@ -162,7 +165,7 @@ Requirements:
 
 Requirements:
 - AD-joined PC running Windows 10, version 1709 or later
-- Enterprise has MDM service already configured (with Intune or a third party service provider)
+- Enterprise has MDM service already configured (with Intune or a third-party service provider)
 - Enterprise AD must be integrated with Azure AD.
 - Ensure that PCs belong to same computer group.
 
@@ -257,7 +260,7 @@ To collect Event Viewer logs:
     ![Outdated enrollment entries](images/auto-enrollment-outdated-enrollment-entries.png)
 
     By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016. 
-    A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display less entries as shown in the following screenshot:
+    A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot:
 
     ![Manually deleted entries](images/auto-enrollment-activation-verification-less-entries.png)
 

windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md

@@ -53,6 +53,8 @@ These are the things you'll need to complete this lab:
 
 A summary of the sections and procedures in the lab is provided below. Follow each section in the order it is presented, skipping the sections that do not apply to you. Optional procedures are provided in the appendix.
 
+> If you already have Hyper-V and a Windows 10 VM, you can skip directly to the [Capture the hardware ID](#capture-the-hardware-id) step. The VM must be running Windows 10, version 1903 or a later version.
+
 [Verify support for Hyper-V](#verify-support-for-hyper-v)
 <br>[Enable Hyper-V](#enable-hyper-v)
 <br>[Create a demo VM](#create-a-demo-vm)
@@ -70,7 +72,8 @@ A summary of the sections and procedures in the lab is provided below. Follow ea
 <br>&nbsp;&nbsp;&nbsp; [Autopilot registration using MSfB](#autopilot-registration-using-msfb)
 <br>[Create and assign a Windows Autopilot deployment profile](#create-and-assign-a-windows-autopilot-deployment-profile)
 <br>&nbsp;&nbsp;&nbsp; [Create a Windows Autopilot deployment profile using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
-<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Assign the profile](#assign-the-profile)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Create a device group](#create-a-device-group)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Create the deployment profile](#create-the-deployment-profile)
 <br>&nbsp;&nbsp;&nbsp; [Create a Windows Autopilot deployment profile using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb)
 <br>[See Windows Autopilot in action](#see-windows-autopilot-in-action)
 <br>[Remove devices from Autopilot](#remove-devices-from-autopilot)
@@ -140,7 +143,7 @@ After we have set the ISO file location and determined the name of the appropria
 You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).
 - When asked to select a platform, choose **64 bit**.
 
-After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso).
+After you download this file, the name will be extremely long (ex: 19042.508.200927-1902.20h2_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso).
 
 1. So that it is easier to type and remember, rename the file to **win10-eval.iso**.
 2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**.
@@ -163,7 +166,7 @@ For example, if the command above displays Ethernet but you wish to use Ethernet
 All VM data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the following commands.
 
 > [!IMPORTANT]
-> **VM switch**: a VM switch is how Hyper-V connects VMs to a network. <br><br>If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."<br><br>If you have never created an external VM switch before, then just run the commands below.
+> **VM switch**: a VM switch is how Hyper-V connects VMs to a network. <br><br>If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."<br><br>If you have never created an external VM switch before, then just run the commands below.<br><br>If you are not sure if you already have an External VM switch, enter **get-vmswitch** at a Windows PowerShell prompt to display a currently list of the VM switches that are provisioned in Hyper-V. If one of them is of SwitchType **External**, then you already have a VM switch configured on the server that is used to connect to the Internet. In this case, you need to skip the first command below and modify the others to use the name of your VM switch instead of the name "AutopilotExternal" (or change the name of your switch).
 
 ```powershell
 New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
@@ -218,6 +221,9 @@ PS C:\autopilot&gt;
 
 ### Install Windows 10
 
+> [!NOTE]
+> The VM will be booted to gather a hardware ID, then it will be reset. The goal in the next few steps is to get to the desktop quickly so don't worry about how it is configured at this stage. The VM only needs to be connected to the Internet.
+
 Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples:
 
    ![Windows setup example 1](images/winsetup1.png)
@@ -250,7 +256,7 @@ Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see
 
 Follow these steps to run the PS script:
 
-1. Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same regardless of whether you are using a VM or a physical device:
+1. **On the client VM**: Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same regardless of whether you are using a VM or a physical device:
 
     ```powershell
     md c:\HWID
@@ -263,18 +269,20 @@ Follow these steps to run the PS script:
 
 When you are prompted to install the NuGet package, choose **Yes**.
 
-See the sample output below.
+See the sample output below.  A 'dir' command is issued at the end to show the file that was created.
 
 <pre>
 PS C:\> md c:\HWID
 
-    Directory: C:\
+     Directory: C:\
 
-Mode                LastWriteTime         Length Name
-----                -------------         ------ ----
-d-----        3/14/2019  11:33 AM                HWID
 
-PS C:\> Set-Location c:\HWID
+Mode                 LastWriteTime         Length Name
+----                 -------------         ------ ----
+d-----        11/13/2020   3:00 PM                HWID
+
+
+PS C:\Windows\system32> Set-Location c:\HWID
 PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
 PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo -Force
 
@@ -287,13 +295,17 @@ import the NuGet provider now?
 [Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
 PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
 PS C:\HWID> Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
+Gathered details for device with serial number: 1804-7078-6805-7405-0796-0675-17
 PS C:\HWID> dir
 
+
     Directory: C:\HWID
 
-Mode                LastWriteTime         Length Name
-----                -------------         ------ ----
--a----        3/14/2019  11:33 AM           8184 AutopilotHWID.csv
+
+Mode                 LastWriteTime         Length Name
+----                 -------------         ------ ----
+-a----        11/13/2020   3:01 PM           8184 AutopilotHWID.csv
+
 
 PS C:\HWID>
 </pre>
@@ -305,7 +317,7 @@ Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory
 
 ![Serial number and hardware hash](images/hwid.png)
 
-You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal.  If you are using a physical device instead of a VM, you can copy the file to a USB stick.  If you're using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
+You will need to upload this data into Intune to register your device for Autopilot, so the next step is to transfer this file to the computer you will use to access the Azure portal.  If you are using a physical device instead of a VM, you can copy the file to a USB stick.  If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
 
 If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this.
 
@@ -317,7 +329,7 @@ If you have trouble copying and pasting the file, just view the contents in Note
 With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE.
 
 On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**.
-Select **Remove everything** and **Just remove my files**. Finally, click on **Reset**.
+Select **Remove everything** and **Just remove my files**. If you are asked **How would you like to reinstall Windows**, select Local reinstall. Finally, click on **Reset**.
 
 ![Reset this PC final prompt](images/autopilot-reset-prompt.jpg)
 
@@ -363,7 +375,7 @@ Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com
 
 For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**.
 
-![MDM user scope in the Mobility blade](images/autopilot-aad-mdm.png)
+![MDM user scope in the Mobility blade](images/ap-aad-mdm.png)
 
 ## Register your VM
 
@@ -371,24 +383,24 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
 
 ### Autopilot registration using Intune
 
-1. In Intune in the Azure portal, choose **Device enrollment** > **Windows enrollment** > **Devices** > **Import**.
+1. In the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/), choose **Devices** > **Device enrollment | Enroll devices** > **Windows enrollment** > **Windows Autopilot Deployment Program | Devices** and then on the **Windows Autopilot devices** page, choose **Import**.
 
-    ![Intune device import](images/device-import.png)
+    ![Intune device import](images/enroll1.png)
 
     > [!NOTE]
     > If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI.  You might need to provide Intune configuration privileges in a challenge window that appeared.
 
 2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer.  The file should contain the serial number and 4K HH of your VM (or device).  It's okay if other fields (Windows Product ID) are left blank.
 
-    ![HWID CSV](images/hwid-csv.png)
+    ![HWID CSV](images/enroll2.png)
 
     You should receive confirmation that the file is formatted correctly before uploading it, as shown above.
 
 3. Click **Import** and wait until the import process completes. This can take up to 15 minutes.
 
-4. Click **Sync** to sync the device you just registered. Wait a few moments before refreshing to verify your VM or device has been added. See the following example.
+4. Click **Refresh** to verify your VM or device has been added. See the following example.
 
-   ![Import HWID](images/import-vm.png)
+   ![Import HWID](images/enroll3.png)
 
 ### Autopilot registration using MSfB
 
@@ -425,17 +437,33 @@ Pick one:
 ### Create a Windows Autopilot deployment profile using Intune
 
 > [!NOTE]
-> Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first:
+> Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list.
 
-![Intune Devices](images/intune-devices.png)
+![Devices](images/enroll4.png)
 
-> The example above lists both a physical device and a VM. Your list should only include only one of these.
+#### Create a device group
 
-To create a Windows Autopilot profile, select **Device enrollment** > **Windows enrollment** > **Deployment profiles**
+The Autopilot deployment profile wizard will ask for a device group, so we must create one first.  To create a device group:
 
-![Deployment profiles](images/deployment-profiles.png)
+1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Groups** > **New group**.
+2. In the **Group** blade:
+    1. For **Group type**, choose **Security**.
+    2. Type a **Group name** and **Group description** (ex: Autopilot Lab).
+    3. Azure AD roles can be assigned to the group: **No**
+    4. For **Membership type**, choose **Assigned**.
+3. Click **Members** and add the Autopilot VM to the group. See the following example:
 
-Click on **Create profile**.
+  ![add members](images/group1.png)
+
+4. Click **Create**. 
+
+#### Create the deployment profile
+
+To create a Windows Autopilot profile, scroll back to the left hand pane and click **Devices**, then under **Enroll devices | Windows enrollment** select **Deployment Profiles**.
+
+![Deployment profiles](images/dp.png)
+
+Click on **Create profile** and then select **Windows PC**.
 
 ![Create deployment profile](images/create-profile.png)
 
@@ -444,22 +472,33 @@ On the **Create profile** blade, use the following values:
 | Setting | Value |
 |---|---|
 | Name | Autopilot Lab profile |
-| Description | blank |
+| Description | Lab |
 | Convert all targeted devices to Autopilot | No |
-| Deployment mode | User-driven |
-| Join to Azure AD as | Azure AD joined |
 
-Click on **Out-of-box experience (OOBE)** and configure the following settings:
+Click **Next** to continue with the **Out-of-box experience (OOBE)** settings:
 
 | Setting | Value |
 |---|---|
-| EULA | Hide |
+| Deployment mode | User-driven |
+| Join to Azure AD as | Azure AD joined |
+| Microsoft Sofware License Terms | Hide |
 | Privacy Settings | Hide |
 | Hide change account options | Hide |
 | User account type | Standard |
+| Allow White Glove OOBE | No |
+| Language (Region) | Operating system default |
+| Automatically configure keyboard | Yes |
 | Apply device name template | No |
 
-See the following example:
+Click **Next** to continue with the **Assignments** settings:
+
+| Setting | Value |
+|---|---|
+| Assign to | Selected groups |
+
+1. Click **Select groups to include**.
+2. Click the **Autopilot Lab** group, and then click **Select**.
+3. Click **Next** to continue and then click **Create**. See the following example:
 
 ![Deployment profile](images/profile.png)
 
@@ -467,40 +506,6 @@ Click on **OK** and then click on **Create**.
 
 > If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile).
 
-#### Assign the profile
-
-Profiles can only be assigned to Groups, so first you must create a group that contains the devices to which the profile should be applied. This guide will provide simple instructions to assign a profile, for more detailed instructions, see [Create an Autopilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an Autopilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group), as optional reading.
-
-To create a Group, open the Azure portal and select **Azure Active Directory** > **Groups** > **All groups**:
-
-![All groups](images/all-groups.png)
-
-Select New group from the Groups blade to open the new groups UI.  Select the "Security" group type, name the group, and select the "Assigned" membership type:
-
-Before clicking **Create**, expand the **Members** panel, click your device's serial number (it will then appear under **Selected members**) and then click **Select** to add that device to this group.
-
-![New group](images/new-group.png)
-
-Now click **Create** to finish creating the new group.
-
-Click on **All groups** and click **Refresh** to verify that your new group has been successfully created.
-
-With a group created containing your device, you can now go back and assign your profile to that group. Navigate back to the Intune page in the Azure portal (one way is to type **Intune** in the top banner search bar and select **Intune** from the results).
-
-From Intune, select **Device enrollment** > **Windows enrollment** > **Deployment Profiles** to open the profile blade.  Click on the name of the profile you previously created (Autopilot Lab profile) to open the details blade for that profile:
-
-![Lab profile](images/deployment-profiles2.png)
-
-Under **Manage**, click **Assignments**, and then with the **Include** tab highlighted, expand the **Select groups** blade and click **AP Lab Group 1** (the group will appear under **Selected members**).
-
-![Include group](images/include-group.png)
-
-Click **Select** and then click **Save**.
-
-![Include group save](images/include-group2.png)
-
-It's also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot).
-
 ### Create a Windows Autopilot deployment profile using MSfB
 
 If you have already created and assigned a profile via Intune by using the steps immediately above, then skip this section.
@@ -559,14 +564,17 @@ Also, make sure to wait at least 30 minutes from the time you've [configured com
 - Turn on the device
 - Verify that the appropriate OOBE screens (with appropriate Company Branding) appear.  You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip).
 
-![OOBE sign-in page](images/autopilot-oobe.jpg)
+![OOBE sign-in page](images/autopilot-oobe.png)
 
 Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device.  Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated.
 
-![Device enabled](images/enabled-device.png)
+![Device enabled](images/devices1.png)
 
 Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done.
 
+> [!TIP]
+> If you recieve a message that "Something went wrong" and it "Looks like we can't connect to the URL for your organization's MDM terms of use" then verify you have correctly [assigned licenses](https://docs.microsoft.com/mem/intune/fundamentals/licenses-assign) to the current user.
+
 Windows Autopilot will now take over to automatically join your device into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings.
 
 ## Remove devices from Autopilot
@@ -575,41 +583,27 @@ To use the device (or VM) for other purposes after completion of this lab, you w
 
 ### Delete (deregister) Autopilot device
 
-You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into your Intune Azure portal, then navigate to **Intune > Devices > All Devices**.  Select the checkbox next to the device you want to delete, then click the Delete button along the top menu.
+You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into the MEM admin center, then navigate to **Intune > Devices > All Devices**.  Select the device you want to delete, then click the Delete button along the top menu.
 
 ![Delete device step 1](images/delete-device1.png)
 
-Click **X** when challenged to complete the operation:
-
-![Delete device step 2](images/delete-device2.png)
-
 This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
 
-![Delete device step 3](images/delete-device3.png)
-
 The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores.  The former (All devices) is the list of devices currently enrolled into Intune.
 
 > [!NOTE]
 > A device will only appear in the All devices list once it has booted.  The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
 
-To remove the device from the Autopilot program, select the device and click Delete.
+To remove the device from the Autopilot program, select the device and click **Delete**. You will get a popup dialog box to confirm deletion.
 
-![Delete device step 4](images/delete-device4.png)
-
-A warning message appears reminding you to first remove the device from Intune, which we previously did.
-
-![Delete device step 5](images/delete-device5.png)
+![Delete device](images/delete-device2.png)
 
 At this point, your device has been unenrolled from Intune and also deregistered from Autopilot.  After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program:
 
-![Delete device step 6](images/delete-device6.png)
-
 Once the device no longer appears, you are free to reuse it for other purposes.
 
 If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button:
 
-![Delete device step 7](images/delete-device7.png)
-
 ## Appendix A: Verify support for Hyper-V
 
 Starting with Windows 8, the host computer's microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
@@ -741,7 +735,7 @@ You will be able to find your app in your app list:
 #### Assign the app to your Intune profile
 
 > [!NOTE]
-> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile).  If you have not done that, please return to the main part of the lab and complete those steps before returning here.
+> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#create-a-device-group).  If you have not done that, please return to the main part of the lab and complete those steps before returning here.
 
 In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade.  Then click **Assignments** from the menu:
 
@@ -810,7 +804,7 @@ Click **OK** and then click **Add**.
 #### Assign the app to your Intune profile
 
 > [!NOTE]
-> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile).  If you have not done that, please return to the main part of the lab and complete those steps before returning here.
+> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#create-a-device-group).  If you have not done that, please return to the main part of the lab and complete those steps before returning here.
 
 In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade.  Then click **Assignments** from the menu:
 

windows/security/identity-protection/hello-for-business/hello-faq.md

@@ -76,6 +76,8 @@ Communicating with Azure Active Directory uses the following URLs:
 - login.microsoftonline.com
 - login.windows.net
 - account.live.com
+- accountalt.azureedge.net
+- secure.aadcdn.microsoftonline-p.com
 
 If your environment uses Microsoft Intune, you need these additional URLs:
 - enrollment.manage.microsoft.com

windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios-privacy-information.md

@@ -1,92 +0,0 @@
----
-title: Microsoft Defender ATP for iOS - Privacy information
-ms.reviewer:
-description: Describes privacy information for Microsoft Defender ATP for iOS
-keywords: microsoft, defender, atp, ios, policy, overview
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: 
-- m365-security-compliance 
-- m365initiative-defender-endpoint 
-ms.topic: conceptual
----
-
-# Privacy information - Microsoft Defender for Endpoint for iOS
-
-> [!NOTE]
-> Defender for Endpoint for iOS uses a VPN to provide the Web Protection feature. This is not a regular VPN and is a local or self-looping VPN that does not take traffic outside the device. **Microsoft or your organization, does not see your browsing activity.**
-
-Defender for Endpoint for iOS collects information from your configured iOS devices and stores it in the same tenant where you have Defender for Endpoint. The information is collected to help keep Defender for Endpoint for iOS secure, up-to-date, performing as expected, and to support the service.
-
-For more details about data storage, see [Microsoft Defender for Endpoint data storage and privacy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy).
-
-## Required data 
-
-Required data consists of data that is necessary to make Defender for Endpoint for iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps. 
-
-Here is a list of the types of data being collected: 
-
-### Web page or Network information 
-
-- Connection information only when a malicious connection or web page is detected. 
-
-- Protocol type (such as HTTP, HTTPS, etc.) only when a malicious connection or web page is detected. 
-
-### Device and account information 
-
-- Device information such as date & time, iOS version, CPU info, and Device identifier, where Device identifier is one of the following: 
-
-    - Wi-Fi adapter MAC address 
-
-    - Randomly generated globally unique identifier (GUID) 
-
-- Tenant, Device and User information 
-
-    - Azure Active Directory (AD) Device ID and Azure User ID - Uniquely identifies the device, User respectively at Azure Active directory. 
-
-    - Azure tenant ID - GUID that identifies your organization within Azure Active Directory. 
-
-    - Microsoft Defender ATP org ID - Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. 
-
-    - User Principal Name – Email ID of the user. 
-
-### Product and service usage data 
-
-The following information is collected only for Microsoft Defender for Endpoint app installed on the device. 
-
-- App package info, including name, version, and app upgrade status. 
-
-- Actions performed in the app. 
-
-- Crash report logs generated by iOS. 
-
-- Memory usage data. 
-
-## Optional Data 
-
-Optional data includes diagnostic data and feedback data from the client. Optional diagnostic data is additional data that helps us make product improvements and provides enhanced information to help us detect, diagnose, and fix issues. This data is only for diagnostic purposes and is not required for the service itself. 
-
-Optional diagnostic data includes: 
-
-- App, CPU, and network usage for Defender for Endpoint. 
-
-- Features configured by the admin for Defender for Endpoint. 
-
-Feedback Data is collected through in-app feedback provided by the user. 
-
-- The user’s email address, if they choose to provide it.
-
-- Feedback type (smile, frown, idea) and any feedback comments submitted by the user. 
-
-For more information, see [More on Privacy](https://aka.ms/mdatpiosprivacystatement).
-
-

windows/security/threat-protection/microsoft-defender-atp/network-protection.md

@@ -52,6 +52,11 @@ Windows 10 version | Microsoft Defender Antivirus
 -|-
 Windows 10 version 1709 or later | [Microsoft Defender AV real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled
 
+After you have enabled the services, you may need to configure your network or firewall to allow the connections between the services and your endpoints.  
+
+- .smartscreen.microsoft.com
+- .smartscreen-prod.microsoft.com
+
 ## Review network protection events in the Microsoft Defender for Endpoint Security Center
 
 Microsoft Defender for Endpoint provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).