Commit 0913af5

acro fixes
1 parent c80e802 commit 0913af5

13 files changed

Lines changed: 75 additions & 59 deletions

windows-365/business-enterprise-comparison.md

Lines changed: 4 additions & 4 deletions
@@ -45,7 +45,7 @@ Windows 365 is available in two editions: [Windows 365 Business](./business/inde
4545
| Purchase channels | Web direct, self-service, Cloud Solution Provider (CSP). | Web direct, Enterprise Agreements (EA), CSP. |
4646
| License assignment | Microsoft 365 Admin Center or the Azure AD portal. | Microsoft 365 Admin Center or the Azure AD portal. |
4747
| Licensing requirements | No licensing pre-requirements to buy and deploy Windows 365 Business. Other features (like device management) can be used if users are licensed for Microsoft Endpoint Management.| Each user must be licensed for Windows 10 or 11 Enterprise (when available), Microsoft Endpoint Manager, and Azure AD P1. |
48-
| Networking costs | Outbound data/month is based on the RAM of the Cloud PC:<br>- 2 GB RAM = 12 GB outbound data<br>- 4 or 8 GB RAM = 20 GB outbound data<br>- 16 GB RAM = 40 GB outbound data<br>- 32 GB RAM = 70 GB outbound data<br>Data bandwidth may be restricted when these levels are exceeded. | When providing a network, Networking goes through the customer's Azure VNet and isn't included in the license. [Azure bandwidth pricing](https://azure.microsoft.com/pricing/details/bandwidth/) applies for these network usage costs. <br>If using a Microsoft-hosted network, the same charges (as described in Windows 365 Business networking charges) apply.|
48+
| Networking costs | Outbound data/month is based on the RAM of the Cloud PC:<br>- 2-GB RAM = 12-GB outbound data<br>- 4 or 8-GB RAM = 20-GB outbound data<br>- 16-GB RAM = 40-GB outbound data<br>- 32-GB RAM = 70-GB outbound data<br>Data bandwidth may be restricted when these levels are exceeded. | When providing a network, Networking goes through the customer's Azure VNet and isn't included in the license. [Azure bandwidth pricing](https://azure.microsoft.com/pricing/details/bandwidth/) applies for these network usage costs. <br>If using a Microsoft-hosted network, the same charges (as described in Windows 365 Business networking charges) apply.|
4949
| Seat limits | Capped to 300 seats per tenant. [Commercial Licensing Terms](https://www.microsoft.com/licensing/terms/productoffering/Windows365/MOSA) | No seat cap per tenant. [Commercial Licensing Terms](https://www.microsoft.com/licensing/terms/productoffering/Windows365/MOSA) |
5050

5151
## Administrative comparisons
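Review bot: In the added line 48, "4 or 8-GB RAM" hyphenates only the second value, so the first one reads as a bare "4"; write "4-GB or 8-GB RAM" to match the other bullets in the cell. The same edit also hyphenates the amounts ("12-GB outbound data"), where the figure is a quantity rather than a size label, so "12 GB of outbound data" may read better. These figures are the thresholds at which bandwidth may be restricted, so it is worth keeping them unambiguous.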
@@ -55,8 +55,8 @@ Windows 365 is available in two editions: [Windows 365 Business](./business/inde
5555
| Provisioning | Provisioning is simplified and uses default configurations.<br>Cloud PCs are automatically provisioned with a standard image after a Cloud PC license is assigned. | Provisioning is configurable and customizable to the needs of the organization.<br>Admins select the network, configure user permissions (local admin or not), and assign the policy to an Azure AD group.<br>Cloud PCs are then provisioned by using standard gallery images or custom images (admin choice). |
5656
| Policy management | Not Supported. | Group Policy Objects (GPO) and Intune MDM are supported. |
5757
| Application deployment | Supported only if you have Intune license. | Supported. |
58-
| Windows updates | Default Windows Update for Business settings are configured for users. With an Intune license these can be edited. | Can be managed by using Microsoft Endpoint Manager. |
59-
| Device management | Device management is limited to assigning and unassigning of Cloud PC licenses in the Microsoft Admin Center. Some device management is possible in Microsoft Endpoint Manager if you have an Intune license but Cloud PCs will not be visible in the Windows 365 blade. | Microsoft Endpoint Manager admin center options, including image management, link and access on-premises resources, granular targeting of policies, resizing Cloud PCs, other user experience settings, and all the policy-based management options available to physical devices. |
58+
| Windows updates | Default Windows Update for Business settings are configured for users. With an Intune license, these settings an be edited. | Can be managed by using Microsoft Endpoint Manager. |
59+
| Device management | Device management is limited to assigning and unassigning of Cloud PC licenses in the Microsoft Admin Center. Some device management is possible in Microsoft Endpoint Manager if you have an Intune license but Cloud PCs won't be visible in the Windows 365 blade. | Microsoft Endpoint Manager admin center options, including image management, link and access on-premises resources, granular targeting of policies, resizing Cloud PCs, other user experience settings, and all the policy-based management options available to physical devices. |
6060
| Monitoring | Not supported. | Endpoint Analytics reporting and monitoring, service health, and operational health alerts. |
6161
| Troubleshooting | Not supported | Microsoft Endpoint Manager troubleshooting including the Troubleshooting blade, device management actions, and reprovisioning of Cloud PCs to their initial state. |
6262
| Partner/programmatic access | Not supported | Partners can manage Cloud PCs through Microsoft 365 Lighthouse or restful web APIs (Graph) to support Managed Service Provider tooling for up to 300 seats. |
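Review bot: The added line 58 introduces a typo, "these settings an be edited"; it should read "these settings can be edited". On the added line 59, the contraction is fine, but a comma before "but Cloud PCs won't be visible in the Windows 365 blade" would make the long sentence easier to follow.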
@@ -75,7 +75,7 @@ Windows 365 is available in two editions: [Windows 365 Business](./business/inde
7575
| Capability | Windows 365 Business | Windows 365 Enterprise |
7676
| --- | --- | --- |
7777
| Conditional Access | Conditional Access policies can be deployed only by using Azure AD with an Azure AD P1 license. | Conditional Access policies can be deployed by using the Microsoft Endpoint Manager admin center or Azure AD. |
78-
| [Per-user multi-factor authentication (MFA)](/azure/active-directory/authentication/howto-mfa-userstates) | Only MFA using [Azure AD Conditional Access](/azure/active-directory/authentication/tutorial-enable-azure-mfa) is supported. Legacy per-user MFA is not supported. | Legacy per-user MFA is supported for user connections to Hybrid Azure AD joined Cloud PCs but is not supported for user connections to Azure AD joined Cloud PCs. |
78+
| [Per-user multi-factor authentication (MFA)](/azure/active-directory/authentication/howto-mfa-userstates) | Only MFA using [Azure AD Conditional Access](/azure/active-directory/authentication/tutorial-enable-azure-mfa) is supported. Legacy per-user MFA isn't supported. | Legacy per-user MFA is supported for user connections to Hybrid Azure AD joined Cloud PCs. It's not supported for user connections to Azure AD joined Cloud PCs. |
7979
| Security baselines | Not supported. | Dedicated Security Baselines can be edited and deployed by using Microsoft Endpoint Manager. |
8080
| Microsoft Defender for Endpoint | Supported if the customer separately has the requisite E5 license. | Integration with Defender for Endpoint. If the customer has an E5 license, all Cloud PCs will respond to Defender for Endpoint policies and show up in MDE dashboards. |
8181
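Review bot: In the added line 78, the second sentence of the Enterprise cell now opens with "It's not supported", leaving the pronoun a full sentence away from "Legacy per-user MFA". This cell is where an admin learns which join type legacy per-user MFA does not cover, so repeat the subject: "Legacy per-user MFA isn't supported for user connections to Azure AD joined Cloud PCs." That wording also matches "isn't supported" in the Business cell of the same row.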

windows-365/enterprise/add-device-images.md

Lines changed: 2 additions & 2 deletions
@@ -30,11 +30,11 @@ ms.collection: M365-identity-device-management
3030

3131
# Add or delete custom device images
3232

33-
If you want to use a custom device image, you can add it into your Azure subscription and then use it for provisioning Cloud PCs. You can use standard Azure Marketplace gallery images or [create your own custom managed image](/azure/virtual-machines/windows/capture-image-resource). If you currently use a Shared Image Gallery in Microsoft Azure, you can convert one of those images into a managed imaged using the steps to [export an image version to a managed disk](/azure/virtual-machines/managed-disk-from-image-version) and then [create an image from a managed disk](/azure/virtual-machines/windows/capture-image-resource#create-an-image-from-a-snapshot-using-powershell).
33+
If you want to use a custom device image, you can add it into your Azure subscription and then use it for provisioning Cloud PCs. You can use standard Azure Marketplace gallery images or [create your own custom managed image](/azure/virtual-machines/windows/capture-image-resource). If you currently use a Shared Image Gallery in Microsoft Azure, you can convert one of those images into a managed image. To convert, use the steps to [export an image version to a managed disk](/azure/virtual-machines/managed-disk-from-image-version) and then [create an image from a managed disk](/azure/virtual-machines/windows/capture-image-resource#create-an-image-from-a-snapshot-using-powershell).
3434

3535
> [!NOTE]
3636
>
37-
> - Windows 10 images should not contain Azure Virtual Desktop client components. Additionally, you cannot import Windows 10 Multisession images into Windows 365.
37+
> - Windows 10 images should not contain Azure Virtual Desktop client components. Additionally, you can't import Windows 10 Multisession images into Windows 365.
3838
> - For information about support for Windows 11 custom device images, see [What's New for Windows 365 Enterprise](whats-new.md#support-for-windows-11).
3939
4040
## Add a custom device image
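Review bot: On the added line 37, "cannot" becomes "can't" while "should not contain" in the same bullet stays uncontracted, so the note now mixes both styles in one item; use "shouldn't contain" or leave both forms as they were. On the added line 33, "To convert, use the steps to" could say what is being converted, for example "To convert the image, use the steps to".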

windows-365/enterprise/architecture.md

Lines changed: 12 additions & 7 deletions
@@ -41,7 +41,7 @@ Each Cloud PC has a virtual network interface card (NIC) in Microsoft Azure. You
4141

4242
The NICs are attached to an Azure Virtual Network based on your [on-premises network connection (OPNC)](on-premises-network-connections.md) configuration.
4343

44-
Windows 365 is [supported in a number of Azure regions](requirements.md#supported-azure-regions-for-cloud-pc-provisioning). You can control which Azure region is used in two ways:
44+
Windows 365 is [supported in many Azure regions](requirements.md#supported-azure-regions-for-cloud-pc-provisioning). You can control which Azure region is used in two ways:
4545

4646
- By selecting the Microsoft-hosted network and an Azure region.
4747
- By selecting an Azure virtual network from your Azure subscription when [creating an OPNC](create-on-premises-network-connection.md).
@@ -62,12 +62,12 @@ By using your own Azure virtual network, Windows 365 lets you use Virtual Networ
6262
6363
## Microsoft Endpoint Manager integration
6464

65-
[Microsoft Endpoint Manager](/mem/endpoint-manager-overview) is used to manage all of your Cloud PCs. Microsoft Endpoint Manager and associated Windows components have a variety of [network endpoints that must be allowed](/mem/intune/fundamentals/intune-endpoints) through the Virtual Network. Apple and Android endpoints may be safely ignored if you don’t use Microsoft Endpoint Manager for managing those device types.
65+
[Microsoft Endpoint Manager](/mem/endpoint-manager-overview) is used to manage all of your Cloud PCs. Microsoft Endpoint Manager and associated Windows components have various [network endpoints that must be allowed](/mem/intune/fundamentals/intune-endpoints) through the Virtual Network. Apple and Android endpoints may be safely ignored if you don’t use Microsoft Endpoint Manager for managing those device types.
6666

6767
> [!TIP]
6868
> Be sure to allow access to [Windows Notification Services (WNS)](/mem/intune/fundamentals/intune-endpoints#windows-push-notification-services-wns). You might not immediately notice an impact if access is blocked. However, WNS enables Microsoft Endpoint Manager to trigger actions on Windows endpoints immediately instead of waiting for normal policy polling intervals on those devices or policy polling at startup/logon behavior. WNS [recommends](/windows/uwp/design/shell/tiles-and-notifications/firewall-allowlist-config) direct connectivity from the Windows client to WNS.
6969
70-
You’ll only need to grant access to a subset of endpoints based on your Microsoft Endpoint Manager tenant location. To find your tenant location (or Azure Scale Unit (ASU)), sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Tenant administration** > **Tenant details**. Under **Tenant location**, you’ll see something similar to "North America 0501" or "Europe 0202". The rows in the Microsoft Endpoint Manager documentation are differentiated by geographic region, as indicated by the first two letters in the names (na = North America, eu = Europe, ap = Asia Pacific). Because tenants may be relocated within a region, it’s best to allow access to an entire region rather than a specific endpoint in that region.
70+
You only need to grant access to a subset of endpoints based on your Microsoft Endpoint Manager tenant location. To find your tenant location (or Azure Scale Unit (ASU)), sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Tenant administration** > **Tenant details**. Under **Tenant location**, you’ll see something similar to "North America 0501" or "Europe 0202". The rows in the Microsoft Endpoint Manager documentation are differentiated by geographic region. Regions are indicated by the first two letters in the names (na = North America, eu = Europe, ap = Asia Pacific). Because tenants may be relocated within a region, it’s best to allow access to an entire region rather than a specific endpoint in that region.
7171

7272
For more information about Microsoft Endpoint Manager service regions and data location information, see [Data storage and processing in Intune](/mem/intune/protect/privacy-data-store-process).
7373
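Review bot: On the added line 70, splitting the sentence leaves "the first two letters in the names" without a referent, because the new sentence starts with "Regions" and no longer follows "The rows in the Microsoft Endpoint Manager documentation". Say whose names are meant, since readers use this sentence to decide which entries to allow through the virtual network. The same line still joins two instructions with a comma ("sign in to the ... admin center, choose **Tenant administration**"); "and then choose" would fix it. The line also now mixes "You only need" with "you'll see".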

@@ -104,7 +104,7 @@ For more information on how to use Azure AD Conditional Access with Windows 365,
104104

105105
### Active Directory Domain Services
106106

107-
Windows 365 Cloud PCs can be either Hybrid azure AD joined or Azure AD Joined. When using Hybrid Azure AD Join, Cloud PCs must domain join to an AD DS domain. This domain must be synchronized with Azure AD. The domain’s domain controllers may be hosted in Azure or on-premises. If hosted on-premises, connectivity must be established from Azure to the on-premises environment. The connectivity can be in the form of [Azure Express Route](/azure/architecture/reference-architectures/hybrid-networking/expressroute) or a [site-to-site VPN](/azure/architecture/reference-architectures/hybrid-networking/vpn). For more information on establish hybrid network connectivity, see [implement a secure hybrid network](/azure/architecture/reference-architectures/dmz/secure-vnet-dmz). The connectivity must allow communication from the Cloud PCs to the domain controllers required by Active Directory. For more information see, [Configure firewall for AD domain and trusts](/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts).
107+
Windows 365 Cloud PCs can be either Hybrid azure AD joined or Azure AD Joined. When using Hybrid Azure AD Join, Cloud PCs must domain join to an AD DS domain. This domain must be synchronized with Azure AD. The domain’s domain controllers may be hosted in Azure or on-premises. If hosted on-premises, connectivity must be established from Azure to the on-premises environment. The connectivity can be in the form of [Azure Express Route](/azure/architecture/reference-architectures/hybrid-networking/expressroute) or a [site-to-site VPN](/azure/architecture/reference-architectures/hybrid-networking/vpn). For more information on establish hybrid network connectivity, see [implement a secure hybrid network](/azure/architecture/reference-architectures/dmz/secure-vnet-dmz). The connectivity must allow communication from the Cloud PCs to the domain controllers required by Active Directory. For more information, see [Configure firewall for AD domain and trusts](/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts).
108108

109109
## "Hosted on behalf of" architecture
110110
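Review bot: The added line 107 moves one comma but keeps two other errors in the same paragraph: "Hybrid azure AD joined or Azure AD Joined" has inconsistent capitalization, and "For more information on establish hybrid network connectivity" should read "on establishing". Since the line is being rewritten anyway, fix both here so the paragraph on domain controller connectivity reads cleanly.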

@@ -114,7 +114,7 @@ All Cloud PC connectivity is provided by the virtual network interface card. The
114114

115115
Windows 365 manages the capacity and in-region availability in the Windows 365 subscriptions. Windows 365 determines the size and type of VM based on the [license](cloud-pc-size-recommendations.md) you [assign to the user](assign-licenses.md). Windows 365 determines the Azure region to host your Cloud PCs in based on the virtual network you select when [creating an on-prem network connection](create-on-premises-network-connection.md).
116116

117-
Windows 365 aligns with Microsoft 365 data protection policies and provisions. Customer data within Microsoft's enterprise cloud services is protected by a variety of technologies and processes:
117+
Windows 365 aligns with Microsoft 365 data protection policies and provisions. Customer data within Microsoft's enterprise cloud services is protected by various technologies and processes:
118118

119119
- Various forms of encryption.
120120
- Isolated logically from other tenants.
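Review bot: On the added line 117, replacing "a variety of" with "various" puts "protected by various technologies and processes:" directly above the unchanged bullet "Various forms of encryption.", so the word repeats on consecutive lines. Consider "several technologies and processes" in the lead-in, or rewording the first bullet.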
@@ -127,9 +127,14 @@ For more information about Windows 365 Cloud PC encryption, see [Data encryption
127127

128128
## Azure Virtual Desktop connectivity
129129

130-
Cloud PC connectivity is provided by Azure Virtual Desktop. No inbound connections direct from the Internet are made to the Cloud PC. Instead, connections are made from the Cloud PC to the Azure Virtual Desktop endpoints and from Remote Desktop clients to Azure Virtual Desktop endpoints. For more information on these ports, see [Azure Virtual Desktop required URL list](/azure/virtual-desktop/safe-url-list). To ease configuration of network security controls, use Service Tags for Azure Virtual Desktop to identity those endpoints. For more information on Azure Service Tags and their use in simplifying virtual network configuration, see [Azure service tags overview](/azure/virtual-network/service-tags-overview).
130+
Cloud PC connectivity is provided by Azure Virtual Desktop. No inbound connections direct from the Internet are made to the Cloud PC. Instead, connections are made from:
131131

132-
There is no requirement to configure your Cloud PCs to make these connections. Windows 365 seamlessly integrates Azure Virtual Desktop connectivity components into gallery or custom images.
132+
- The Cloud PC to the Azure Virtual Desktop endpoints.
133+
- The Remote Desktop clients to Azure Virtual Desktop endpoints.
134+
135+
For more information on these ports, see [Azure Virtual Desktop required URL list](/azure/virtual-desktop/safe-url-list). To ease configuration of network security controls, use Service Tags for Azure Virtual Desktop to identity those endpoints. For more information on Azure Service Tags, see [Azure service tags overview](/azure/virtual-network/service-tags-overview).
136+
137+
There's no requirement to configure your Cloud PCs to make these connections. Windows 365 seamlessly integrates Azure Virtual Desktop connectivity components into gallery or custom images.
133138

134139
For more information on the network architecture of Azure Virtual Desktop, see [Understanding Azure Virtual Desktop network connectivity](/azure/virtual-desktop/network-connectivity).
135140
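Review bot: The added line 135 carries over the typo "to identity those endpoints"; it should be "to identify those endpoints". The same line opens with "For more information on these ports", but after the restructuring nothing above it mentions ports, only endpoints, so "these endpoints" or "the required URLs" would match the linked page title. In the new list, line 132 says "the Azure Virtual Desktop endpoints" and line 133 says "Azure Virtual Desktop endpoints"; use the article consistently.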

windows-365/enterprise/automated-provisioning-steps.md

Lines changed: 2 additions & 2 deletions
@@ -40,7 +40,7 @@ There are three stages that Windows 365 automatically completes for Cloud PC pro
4040

4141
## Core provisioning
4242

43-
Core provisioning is optimized to only perform absolutely necessary steps to make sure a Cloud PC is provisioned successfully.
43+
Core provisioning is optimized to only perform necessary steps to make sure a Cloud PC is provisioned successfully.
4444

4545
1. **Allocate Azure capacity**: When provisioning first begins, Windows 365 allocates Azure capacity in the customer’s supported region of choice. Customers don’t need to manage capacity and allocation manually.
4646
2. **Create VM**: A virtual machine is created based on the Windows 365 license assigned to the user. Each Windows 365 license includes hardware capacity information. The VM is created with these specs.
@@ -74,7 +74,7 @@ After core provisioning is complete, Windows 365 optimizes the configuration to
7474
7575
Unlike core provisioning, if one or more of these optimizations fail for some reason, provisioning will still succeed. The Cloud PC will be marked as **Success with warnings** and the process will move onto the assignment stage.
7676
77-
In the case of failure, you can manually trigger a reprovisioning if you prefer to see post provisioning configuration succeed.
77+
If an optimization fails, you can manually trigger a reprovisioning if you prefer to see post provisioning configuration succeed.
7878
7979
## Assignment
8080
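Review bot: The added line 77 now has two conditions in one sentence ("If an optimization fails, you can manually trigger a reprovisioning if you prefer ..."), which is harder to read than the line it replaces. Suggest "If an optimization fails and you want the post-provisioning configuration to succeed, you can manually trigger a reprovisioning." This also hyphenates "post-provisioning", which the added line leaves as "post provisioning".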
