config_mgmt_ga

windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md

@@ -22,8 +22,6 @@ ms.topic: article
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-[!include[Prerelease information](prerelease.md)]
-
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
 
 [Attack surface reduction (ASR) rules](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives.

windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md

@@ -22,14 +22,13 @@ ms.topic: article
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-[!include[Prerelease information](prerelease.md)]
-
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
 
 Each onboarded machine adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a machine can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks.
 
->[!NOTE]
->Before you can track and manage onboarding of machines, [enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management).
+Before you can track and manage onboarding of machines:
+- [Enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management)
+- [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions)
 
 ## Discover and track unprotected machines
 
@@ -39,8 +38,7 @@ The **Onboarding** card provides a high-level overview of your onboarding rate b
 *Card showing onboarded machines compared to the total number of Intune-managed Windows 10 machine*
 
 >[!NOTE]
->- If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to your machines.
->- You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
+>If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to your machines.
 
 ## Onboard more machines with Intune profiles
 
@@ -66,10 +64,10 @@ From the overview, create a configuration profile specifically for the deploymen
 3. After creating the profile, assign it to all your machines. You can review profiles and their deployment status anytime by accessing **Device configuration > Profiles** on Intune.
 
    ![Profile assignment screen on Intune](images/secconmgmt_onboarding_3assignprofile.png)<br>
-   *Assigning the new agent profile to all machines*
+   *Assigning the new profile to all machines*
 
 >[!TIP]
->To learn more about Intune profiles, read [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/intune/device-profile-assign).
+>To learn more about Intune profiles, read about [assigning user and device profiles](https://docs.microsoft.com/intune/device-profile-assign).
 
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
 

windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md

@@ -22,16 +22,15 @@ ms.topic: article
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-[!include[Prerelease information](prerelease.md)]
-
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
 
 Security baselines ensure that security features are configured according to guidance from both security experts and expert Windows system administrators. When deployed, the Microsoft Defender ATP security baseline sets Microsoft Defender ATP security controls to provide optimal protection.
 
 To understand security baselines and how they are assigned on Intune using configuration profiles, [read this FAQ](https://docs.microsoft.com/intune/security-baselines#q--a).
 
->[!NOTE]
->Before you can track and manage compliance to the Microsoft Defender ATP security baseline, [enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management).
+Before you can deploy and track compliance to security baselines:
+- [Enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management)
+- [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions)
 
 ## Compare the Microsoft Defender ATP and the Windows Intune security baselines
 The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure machines running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Windows Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see:
@@ -42,19 +41,7 @@ The Windows Intune security baseline provides a comprehensive set of recommended
 Both baselines are maintained so that they complement one another and have identical values for shared settings. Deploying both baselines to the same machine will not result in conflicts. Ideally, machines onboarded to Microsoft Defender ATP are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Microsoft Defender ATP security baseline layered on top to optimally configure the Microsoft Defender ATP security controls.
 
 >[!NOTE]
->- The Microsoft Defender ATP security baseline has been optimized for physical devices and is currently not recommended for use on virtual machines (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments.
->- The Microsoft Defender ATP security baseline currently doesn’t cover settings for all Microsoft Defender ATP security controls, including settings for exploit protection and Application Guard.
-
-## Get permissions to manage security baselines in Intune
-
-By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage security baseline profiles. If you haven’t been assigned either role, work with a Global Administrator or an Intune Service Administrator to [create and assign a custom role in Intune](https://docs.microsoft.com/intune/create-custom-role#to-create-a-custom-role) with:
-
-* Read permissions to the organization
-* Full permissions to security baselines
-
-![Security baseline permissions on Intune](images/secconmgmt_baseline_permissions.png)
-
-*Security baseline permissions on Intune*
+>The Microsoft Defender ATP security baseline has been optimized for physical devices and is currently not recommended for use on virtual machines (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments.
 
 ## Monitor compliance to the Microsoft Defender ATP security baseline
 
@@ -72,10 +59,8 @@ Each machine is given one of the following status types:
 
 To review specific machines, select **Configure security baseline** on the card. This takes you to Intune device management. From there, select **Device status** for the names and statuses of the machines.
 
->[!NOTE] 
->During preview, you might encounter a few known limitations:
->- You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
->- The Microsoft Defender ATP security baseline currently doesn’t cover settings for all Microsoft Defender ATP security controls, including settings for exploit protection and Application Guard.
+>[!NOTE]
+>You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
 
 ## Review and assign the Microsoft Defender ATP security baseline
 
@@ -84,7 +69,7 @@ Machine configuration management monitors baseline compliance only of Windows 10
 1. Select **Configure security baseline** on the **Security baseline** card to go to Intune device management. A similar overview of baseline compliance is displayed.
 
    >[!TIP]
-   > Alternatively, you can navigate to the Microsoft Defender ATP security baseline in the Microsoft Azure portal from **All services > Intune > Device security > Security baselines (preview) > PREVIEW: Windows Defender ATP baseline**.
+   > Alternatively, you can navigate to the Microsoft Defender ATP security baseline in the Microsoft Azure portal from **All services > Intune > Device security > Security baselines > Microsoft Defender ATP baseline**.
 
 
 2. Create a new profile.

windows/security/threat-protection/microsoft-defender-atp/configure-machines.md

@@ -45,7 +45,7 @@ In doing so, you benefit from:
 
 Machine configuration management works closely with Intune device management to establish the inventory of the machines in your organization and the baseline security configuration. You will be able to track and manage configuration issues on Intune-managed Windows 10 machines.
 
-Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read [Set up enrollment for Windows devices](https://docs.microsoft.com/intune/windows-enroll).
+Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read about [setting up enrollment for Windows devices](https://docs.microsoft.com/intune/windows-enroll).
 
 >[!NOTE]
 >To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/intune/licenses-assign).
@@ -53,13 +53,21 @@ Before you can ensure your machines are configured properly, enroll them to Intu
 >[!TIP] 
 >To optimize machine management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune).
 
-## Obtain required ppermissions
-- **Onboarding machines** — To onboard devices to Microsoft Defender ATP using Intune, you need to be able to deploy a device configuration profile and track compliance to that profile. By default, only... **DRAFT**
+## Obtain required permissions
+By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage and assign the device configuration profiles needed for onboarding machines and deploying the security baseline.
 
-- **Managing security baselines** — By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage security baseline profiles. If you haven’t been assigned either role, work with a Global Administrator or an Intune Service Administrator to [create and assign a custom role in Intune](https://docs.microsoft.com/intune/create-custom-role#to-create-a-custom-role) with:
+If you have been assigned other roles, ensure you have the necessary permissions:
 
-    - Read permissions to the organization
-    - Full permissions to security baselines
+- Full permissions to device configurations
+- Full permissions to security baselines
+- Read permissions to device compliance policies
+- Read permissions to the organization
+
+![Required permissions on intune](images/secconmgmt_intune_permissions.png)<br>
+*Device configuration permissions on Intune*
+
+>[!TIP] 
+>To learn more about assigning permissions on Intune, [read about creating custom roles](https://docs.microsoft.com/intune/create-custom-role#to-create-a-custom-role).
 
 ## In this section
 Topic | Description