Corrections. Added images to WHFB AADJ deployment with Inune

windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md

@@ -157,7 +157,7 @@ The web server is ready to host the CRL distribution point.  Now, configure the
 10. Click **Apply** save your selections.  Click **No** when ask to restart the service.
 
 > [!NOTE]
-> Optionally, you can remove older/unused CRL distribution points and publishing locations.
+> Optionally, you can remove unused CRL distribution points and publishing locations.
 
 #### Configure the CRL publishing location
 
@@ -257,6 +257,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 3. Click **device enrollment**.
 4. Click **Windows enrollment**
 5. Under **Windows enrollment**, click **Windows Hello for Business**.
+![Create Intune Windows Hello for Business Policy](images/aadj/IntuneWHFBPolicy-00.png)
 6. Under **Priority**, click **Default**. 
 7. Under **All users and all devices**, click **Settings**.
 8. Select **Enabled** from the **Configure Windows Hello for Business** list.
@@ -266,6 +267,8 @@ Sign-in a workstation with access equivalent to a _domain user_.
 > [!IMPORTANT]
 > The default minimum PIN length for Windows Hello for Business on Windows 10 is 6.  Microsoft Intune defaults the minimum PIN length to 4, which reduces the security of the user's PIN.  If you do not have a desired PIN length, set the minimum PIN length to 6.
 
+![Intune Windows Hello for Business policy settings](images/aadj/IntuneWHFBPolicy-01.png)
+
 11. Select the appropriate configuration for the following settings.
 * **Lowercase letters in PIN**
 * **Uppercase letters in PIN**

windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md

@@ -26,7 +26,7 @@ Enterprises can use either a key or a certificate to provide single-sign on for
 
 When using a key, the on-premises environment needs an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment.  Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
 
-When using a certificate, the on-premises environment can use Windows Server 2008 R2 and later domain controllers, which removes the Windows Server 2016 domain controller requirement.  However, single-sign on using a key require additional infrastructure to issue certificate when the user enrolls for Windows Hello for Business.  Azure AD joined devices enroll certificates using Microsoft Intune or a compatible Mobile Device Management (MDM).  Microsoft Intune and Windows Hello for Business use the Network Device Enrollment Services (NDES) role and support Microsoft Intune connector.
+When using a certificate, the on-premises environment can use Windows Server 2008 R2 and later domain controllers, which removes the Windows Server 2016 domain controller requirement.  However, single-sign on using a key requires additional infrastructure to issue a certificate when the user enrolls for Windows Hello for Business.  Azure AD joined devices enroll certificates using Microsoft Intune or a compatible Mobile Device Management (MDM).  Microsoft Intune and Windows Hello for Business use the Network Device Enrollment Services (NDES) role and support Microsoft Intune connector.