
Commit 9115e59

committed
adding table
2 parents bd84de4 + 920f229 commit 9115e59

11 files changed

Lines changed: 59 additions & 48 deletions

memdocs/azure-ad-joined-hybrid-azure-ad-joined.md

Lines changed: 14 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@ author: MandiOhlinger
99

1010
ms.author: mandia
1111
manager: dougeby
12-
ms.date: 05/17/2022
12+
ms.date: 05/18/2022
1313
ms.topic: conceptual
1414
ms.service: mem
1515
ms.subservice: fundamentals
@@ -34,9 +34,9 @@ ms.collection:
3434
> [!TIP]
3535
> [!INCLUDE [cloud-native-endpoints-definitions](./includes/cloud-native-endpoints-definitions.md)]
3636
37-
When moving to cloud native endpoints, you need to understand the differences between Azure AD joined and hybrid Azure AD joined devices.
37+
Many critical and valuable services, including [Conditional Access](/azure/active-directory/conditional-access/overview) and [Azure AD single sign-on](/azure/active-directory/manage-apps/what-is-single-sign-on), require endpoints to have a cloud identity. For organization owned Windows endpoints, a cloud identity is created when the device is Azure AD joined or Hybrid Azure AD joined
3838

39-
To summarize:
39+
When moving to cloud native endpoints, you need to understand the differences between Azure AD joined and hybrid Azure AD joined devices:
4040

4141
- **Azure AD joined** (AADJ): Device are joined to an Azure Active Directory (Azure AD). They're not joined to on-premises Azure AD.
4242

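Review bot: the unchanged context line 41 says AADJ devices are "not joined to on-premises Azure AD", which is a contradiction in terms (Azure AD is the cloud directory); it should read "not joined to an on-premises Active Directory domain", and "Device are joined" should be "Devices are joined". In new line 37, "organization owned" should be hyphenated ("organization-owned") and the sentence is missing its closing period after "Hybrid Azure AD joined".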
@@ -50,7 +50,7 @@ This feature applies to:
5050

5151
- Windows cloud native endpoints
5252

53-
This article describes the differences between Azure AD joined and hybrid Azure AD joined devices. For an overview of cloud native endpoints, and their benefits, go to [What are cloud native endpoints?](cloud-native-endpoints-overview.md).
53+
This article describes some of the differences between Azure AD joined and hybrid Azure AD joined devices. For an overview of cloud native endpoints, and their benefits, go to [What are cloud native endpoints?](cloud-native-endpoints-overview.md).
5454

5555
## Azure AD joined
5656

@@ -117,27 +117,22 @@ For information on how to register your existing domain joined devices to Azure
117117
- [Configure hybrid Azure AD join for managed domains](/azure/active-directory/devices/hybrid-azuread-join-managed-domains)
118118
- [Configure hybrid Azure AD join for federated domains](/azure/active-directory/devices/hybrid-azuread-join-federated-domains)
119119

120-
For new, refurbished, or refreshed Windows devices, Microsoft recommends [Azure AD joined](#azure-ad-joined) (in this article).
121-
122120
## Which option is right for your organization
123121

124-
Keep in mind that HAADJ and AADJ are not mutually exclusive, both can coexist in the same environment. However, HAADJ should not be your organization's end goal for its Windows endpoints and having both may increase the environment's complexity which may translate into additional support costs.
125-
126-
It depends, and there might not be a right or wrong answer. It depends on your environment, your hardware, and your organization goals. Consider the following scenarios:
127-
128-
- **Endpoints can't be reset or reprovisioned**
129-
130-
In this scenario, Hybrid Azure AD joined is the easiest option. Devices have a cloud identity and can use cloud services that require a cloud identity. It might have minimal impact to end users.
131-
132-
- **You have new endpoints or can reset existing endpoints**
133-
134-
In this scenario, Azure AD joined is recommended.
122+
It depends on your environment, your hardware, and your organization goals. When making this decision, you need to consider the future, the long term impact, and the organization goals.
135123

124+
Consider the following scenarios:
136125

126+
| Scenario | AADJ or HAADJ |
127+
| --- | --- |
128+
| You have new endpoints or can reset existing endpoints | ✔️ Azure AD join <br/><br/> If you have new, refurbished, or refreshed Windows devices, then Azure AD joined is recommended. AADJ should be your default option. <br/><br/> There are some known blockers and challenges outside of Microsoft's control that may prevent your organization from fully adopting AADJ. There may also be unknown blockers that are specific to your organization and its configuration or expectations. Note that these blockers may be technical or they mat arise due to other, non-technical factors.<br/><br/>❌ Hybrid Azure AD join<br/><br/> You can use HAADJ for new endpoints, but it's typically not recommended. Windows 10/11 have modern features built-in to the OS, including modern management, modern authentication, and more. When joined using HAADJ, you might not get these features, and must use Group Policy Objects (GPO) to manage these endpoints, which can be complex, cumbersome, and possibly costly. <br/><br/>If you identify a potential blocker, then determine the scope, impact, and solution. The [High level planning guide to move to cloud native endpoints](cloud-native-endpoints-planning-guide.md) may help. |
129+
| Endpoints can't be reset or reprovisioned | ❌ Azure AD join <br/><br/> Existing devices joined to an on-premises AD domain must be reset to become Azure AD joined. If they can't be reset, then AADJ isn't possible. <br/> <br/>✔️ Hybrid Azure AD join<br/> <br/>If you have existing endpoints that are joined to an on-premises AD domain, and can't be reset, then Hybrid Azure AD joined might be the easiest option for your organization. Devices get a cloud identity and can use cloud services that require a cloud identity. This option typically has minimal impact to end users. |
130+
| You have new endpoints and have existing AD joined endpoints that can't be reset | ✔️ Azure AD join <br/><br/> AADJ should be your default option for new, refurbished, or refreshed Windows devices. <br/><br/> ✔️ Hybrid Azure AD join<br/> <br/> Hybrid Azure AD joined and Azure AD joined aren't mutually exclusive, and can coexist in the same environment. <br/> <br/>Having a mixed environment does increase complexity, maintenance tasks, and support costs. But, you can use HAADJ until those endpoints can be replaced or reset. Remember, Hybrid Azure AD joined shouldn't be your organization's end goal. |
131+
| You want to be cloud-only, and remove dependency to on-premises | ✔️ Azure AD join <br/><br/> ❌ Hybrid Azure AD join<br/><br/> |
137132

138-
For newly provisioned Windows endpoints, you should strongly consider only using AADJ whenever possible. Choosing HAADJ for newly provisioned devices leads to additional envrionmental complexity and costs because of this complexity. There are some known blockers and challeneges outside of Microsoft's control that may prevent your organization from fully adopting AADJ for newly provisioned Windows endpoints. There may also be unknown blockers that are specific to your organization and its configuration or expectations. Note that these blockers may be technical in nature or they mat arise due to other, non-technical factors.
133+
Search: HAADJ vs AADJ
139134

140-
In general, AADJ should be the default choice for organizations for newly provisioned Windows endpoints and HAADJ should only be considered when an identified and impactful blocker is discovered. Because HAADJ should not be the goal for any Windows endpoints in an envrionment, simple identification of the blocker should be the beginning of an investigation and not the end. Once identified, your organization can determine the scope of the impact and paths to overcoming these blockers which may vary between organizations and will be based on the nature of the blocker.
135+
https://docs.microsoft.com/en-us/answers/questions/33891/difference-between-azure-ad-registered-azure-ad-jo.html
141136

142137
## Follow the cloud native endpoints guidance
143138

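Review bot: new lines 133 and 135 ("Search: HAADJ vs AADJ" and the bare docs.microsoft.com/en-us/answers URL) read as working notes and would render as a stray paragraph in the published article; drop them or fold the link into a proper "see also" reference. In the table at new line 128, "they mat arise" (carried over from deleted line 138) should be "they may arise". The header "AADJ or HAADJ" and the cell labels "Azure AD join" / "Hybrid Azure AD join" mix "join" with the "joined" used in the headings and body of this page; pick one form. Deleting old line 120 also removes the only statement of the AADJ recommendation from the hybrid section itself; the table carries it now, so a one-line pointer from that section to the table would keep readers who land on "Hybrid Azure AD joined" from missing it.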
memdocs/cloud-native-endpoints-on-premises.md

Lines changed: 3 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -31,11 +31,6 @@ ms.collection:
3131

3232
# Cloud native endpoints and on-premises resources
3333

34-
**TO DO:**
35-
36-
- ??Answer some outstanding questions.??
37-
- ??In the "Authentication and access to on-premises resources" section, is there an image we can add? It might help??
38-
3934
> [!TIP]
4035
> [!INCLUDE [cloud-native-endpoints-definitions](./includes/cloud-native-endpoints-definitions.md)]
4136
@@ -83,7 +78,7 @@ The following list is a common set of on-premises resources that users can acces
8378

8479
The following steps describe how an Azure AD joined endpoint authenticates and accesses (based on permissions) an on-premises resource.
8580

86-
The following steps are an overview. For more specific information, see [Primary Refresh Token (PRT) and Azure AD](/azure/active-directory/devices/concept-primary-refresh-token).
81+
The following steps are an overview. For more specific information, including detailed swimlane graphics describing the full process, see [Primary Refresh Token (PRT) and Azure AD](/azure/active-directory/devices/concept-primary-refresh-token).
8782

8883
1. When users sign in, their credentials are sent to the Cloud Authentication Provider (CloudAP) and the Web Account Manager (WAM).
8984

@@ -112,11 +107,11 @@ The following steps are an overview. For more specific information, see [Primary
112107
>
113108
> [MS-PKCA: Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol](/openspecs/windows_protocols/ms-pkca/d0cf1763-3541-4008-a75f-a577fa5e8c5b)
114109
115-
6. The DC authenticates the user. The DC returns a Kerberos Ticket-Granting Ticket (TGT) or a NTLM token based on the protocol that the on-premises resource or application supports (which Windows caches). ??Caches what specifically??
110+
6. The DC authenticates the user. The DC returns a Kerberos Ticket-Granting Ticket (TGT) or a NTLM token based on the protocol that the on-premises resource or application supports (Windows caches the returned TGT or NTLM token for future use).
116111

117112
If the attempt to get the Kerberos TGT or NTLM token for the domain fails (related DCLocator timeout can cause a delay), then Windows Credential Manager retries. Or, the user may receive an authentication pop-up requesting credentials for the on-premises resource.
118113

119-
7. All apps that use [Windows Integrated Authentication (WIA)](/aspnet/web-api/overview/security/integrated-windows-authentication) automatically get SSO when a user tries to access the apps. **This** includes standard user authentication to an on-premises AD domain using NTLM or Kerberos when accessing on-premises services or resources. ??What's meant by 'this'? Do you mean SSO??
114+
7. All apps that use [Windows Integrated Authentication (WIA)](/aspnet/web-api/overview/security/integrated-windows-authentication) automatically use SSO when a user tries to access the apps. Windows integrated authentication includes standard user authentication to an on-premises AD domain using NTLM or Kerberos when accessing on-premises services or resources.
120115

121116
For more information, see [How SSO to on-premises resources works on Azure AD joined devices](/azure/active-directory/devices/azuread-join-sso).
122117

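Review bot: "NTLM token" in new line 110 is imprecise. A domain controller issues Kerberos tickets, but NTLM is a challenge/response exchange that the DC validates over the Netlogon secure channel; nothing token-like is returned to the client, and what Windows reuses for NTLM SSO is the cached credential in LSASS, not a DC-issued object. Suggest: "The DC returns a Kerberos Ticket-Granting Ticket (TGT), or validates the NTLM response, depending on the protocol the on-premises resource supports; Windows caches the TGT for reuse." Also "a NTLM" should be "an NTLM", and the link text "Windows Integrated Authentication (WIA)" is conventionally "Integrated Windows Authentication (IWA)".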
memdocs/configmgr/core/get-started/set-up-your-lab.md

Lines changed: 10 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -26,9 +26,12 @@ Following the guidance in this topic will enable you to set up a lab for evaluat
2626

2727
- **The lab environment uses Windows Server 2012 R2**, into which we will install Configuration Manager.
2828

29-
You can download an evaluation version of Windows Server 2012 R2 from the [Evaluation Center](https://www.microsoft.com/evalcenter/evaluate-windows-server-2012).
29+
You can download an evaluation version of Windows Server.
3030

31-
Consider modifying or disabling Internet Explorer Enhanced Security Configuration in order to more easily access some of the downloads referenced throughout the course of these exercises. For more information, see [Internet Explorer: Enhanced Security Configuration](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd883248(v=ws.10)).
31+
> [!NOTE]
32+
> The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125).<!-- MAXADO-6049663, CMADO-14437681 -->
33+
34+
Consider modifying or disabling Internet Explorer Enhanced Security Configuration in order to more easily access some of the downloads referenced throughout the course of these exercises. For more information, see [Internet Explorer: Enhanced Security Configuration](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd883248(v=ws.10)).
3235

3336
- **The lab environment uses SQL Server 2012 SP2** for the site database.
3437

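Review bot: new line 29, "You can download an evaluation version of Windows Server.", no longer states where, and the NOTE below it describes only the workaround; merge them ("Download an evaluation version of Windows Server from the Evaluation Center; while the Evaluation Center is unavailable, see ...") so the step still makes sense once the note is removed. The bullet at line 27 still requires Windows Server 2012 R2; confirm the linked Tech Community thread actually provides that version, or relax the version requirement.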
@@ -333,7 +336,10 @@ Before you begin the installation, launch the [Prerequisite Checker](../servers
333336

334337
#### To download and install Configuration Manager:
335338

336-
1. Navigate to the [System Center Evaluations](https://www.microsoft.com/evalcenter/evaluate-system-center-2012-configuration-manager-and-endpoint-protection) page to download the newest evaluation version of Configuration Manager.
339+
1. Download the latest evaluation version of Configuration Manager.
340+
341+
> [!NOTE]
342+
> The Evaluation Center is currently unavailable. As a workaround you can download the current branch evaluation from [aka.ms/MECM2203CB-Eval](https://aka.ms/MECM2203CB-Eval).<!-- 14437681 -->
337343
338344
2. Decompress the download media into your predefined location.
339345

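Review bot: new line 339 says "the latest evaluation version" while the workaround at line 342 points to aka.ms/MECM2203CB-Eval, an alias named for one specific build (2203); either state which version the link provides or make sure the alias is kept pointing at the current evaluation. Because readers are now sent through a redirect alias instead of the Evaluation Center page, it is worth adding one sentence telling them to verify the downloaded media's Authenticode signature before installing, as for any installer obtained outside the usual channel.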
@@ -378,4 +384,4 @@ Each Configuration Manager site publishes its own site-specific information to t
378384

379385
3. In the **Administration** workspace, click **Active Directory Forests**.
380386

381-
4. On the **Publishing** tab of the site properties, select your connected forest, then click **Ok** to save the configuration.
387+
4. On the **Publishing** tab of the site properties, select your connected forest, then click **Ok** to save the configuration.

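Review bot: old line 381 and new line 387 render identically, so this hunk is a whitespace-only change (most likely a trailing newline); fine, but worth a mention in the commit message so reviewers do not hunt for a content difference.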
memdocs/configmgr/core/get-started/technical-preview.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -96,7 +96,8 @@ Install a baseline version for up to one year after its release. When you instal
9696

9797
- **Technical preview version 2202**
9898

99-
Download a baseline version from the [Evaluation Center](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview).
99+
> [!NOTE]
100+
> The Evaluation Center is currently unavailable. As a workaround you can download the latest technical preview branch baseline build from [aka.ms/MECM2202TP-Baseline](https://aka.ms/MECM2202TP-Baseline).<!-- 14437681 -->
100101
101102
## <a name="BKMK_TPFeedback"></a> Providing feedback
102103

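Review bot: this hunk deletes the only instruction under "Technical preview version 2202" ("Download a baseline version from the Evaluation Center") and leaves just a NOTE about a workaround, so when the note is later removed the bullet will carry no download guidance at all; the other files in this commit keep the plain sentence and add the note beneath it, and this one should do the same. The note also says "latest technical preview branch baseline build" while the alias is MECM2202TP-Baseline, a version-specific name; same concern as the 2203 alias elsewhere in this commit.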
memdocs/configmgr/core/servers/deploy/install/get-install-media.md

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -15,10 +15,13 @@ ms.localizationpriority: medium
1515

1616
*Applies to: Configuration Manager (current branch)*
1717

18-
If you have Configuration Manager volume licenses with Software Assurance, or if you have purchased licenses for Configuration Manager volume licenses, you can download baseline source media to install Configuration Manager from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
18+
If you have Configuration Manager volume licenses with Software Assurance, or if you have purchased licenses for Configuration Manager volume licenses, you can download baseline source media to install Configuration Manager from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
1919

2020
If you have a Configuration Manager license from EMS, Microsoft 365, or a Cloud Solution Provider (CSP), please see the [Product and Licensing FAQ](../../../understand/product-and-licensing-faq.yml#i-have-purchased-ems-or-microsoft-365-through-a-cloud-solution-provider--csp---do-i-have-rights-to-use-configuration-manager-).
2121

22-
If you would like to purchase volume licenses for Configuration Manager, contact your preferred Microsoft Reseller or see [How to purchase through Volume Licensing](https://www.microsoft.com/Licensing/how-to-buy/how-to-buy.aspx). You can also download media to install an evaluation edition of Configuration Manager from the [Evaluation Center](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) website.
22+
If you would like to purchase volume licenses for Configuration Manager, contact your preferred Microsoft Reseller or see [How to purchase through Volume Licensing](https://www.microsoft.com/Licensing/how-to-buy/how-to-buy.aspx). You can also download media to install an evaluation edition of Configuration Manager.
23+
24+
> [!NOTE]
25+
> The Evaluation Center is currently unavailable. As a workaround you can download the current branch evaluation from [aka.ms/MECM2203CB-Eval](https://aka.ms/MECM2203CB-Eval).<!-- 14437681 -->
2326
2427
To learn about baseline media for Configuration Manager, see [Baseline and update versions](../../manage/updates.md#bkmk_Baselines).

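Review bot: old line 18 and new line 18 render identically, so that part of the hunk is a whitespace-only change; fine. New line 22 now ends "evaluation edition of Configuration Manager." with no location and relies entirely on the NOTE below it; keep the sentence self-sufficient (name the Evaluation Center as the normal source) so removing the note later does not leave a dangling statement.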
memdocs/configmgr/core/understand/learn-more-editions.md

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -52,14 +52,19 @@ Critical security updates for Configuration Manager are made available to this b
5252

5353
### Evaluation installation of the current branch
5454

55-
The evaluation version doesn't require a Software Assurance agreement with Microsoft. [Evaluation installs](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) are always the current branch, and you can use them for 180 days.
55+
The evaluation version doesn't require a Software Assurance agreement with Microsoft. Evaluation installs are always the current branch, and you can use them for 180 days.
56+
57+
> [!NOTE]
58+
> The Evaluation Center is currently unavailable. As a workaround you can download the current branch evaluation from [aka.ms/MECM2203CB-Eval](https://aka.ms/MECM2203CB-Eval).<!-- 14437681 -->
5659
5760
You can upgrade the evaluation installation to a full installation of the current branch. You can't upgrade an evaluation installation to the long-term servicing branch.
5861

5962
### Technical preview branch
6063

61-
The [technical preview branch](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview) is also available. This branch is a limited build of Configuration Manager that lets you try out new features. You install the technical preview using different media than the licensed versions. For more information, see [Technical Preview](../get-started/technical-preview.md).
64+
The technical preview branch is also available. This branch is a limited build of Configuration Manager that lets you try out new features. You install the technical preview using different media than the licensed versions. For more information, see [Technical Preview](../get-started/technical-preview.md).
6265

66+
> [!NOTE]
67+
> The Evaluation Center is currently unavailable. As a workaround you can download the latest technical preview branch baseline build from [aka.ms/MECM2202TP-Baseline](https://aka.ms/MECM2202TP-Baseline).<!-- 14437681 -->
6368
6469
## Software Assurance agreements
6570

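Review bot: this is the fourth copy of the same "Evaluation Center is currently unavailable" note in this commit (also in set-up-your-lab.md, technical-preview.md and get-install-media.md), each carrying the same tracking comment 14437681; since the repo already uses [!INCLUDE] files (see cloud-native-endpoints-definitions.md at the top of this diff), put the note in one include so that restoring the links when the outage ends is a single edit. Also, stripping the links from "Evaluation installs" (line 55) and "technical preview branch" (line 64) removes the permanent Evaluation Center URLs entirely even though the note describes the outage as temporary; keep the links and let the note state the interim workaround.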