TOC updates

lenewsad · lenewsad · commit f668dce1bfcf · 2022-07-12T18:33:09.000-04:00
diff --git a/memdocs/intune/enrollment/device-enrollment-manager-enroll.md b/memdocs/intune/enrollment/device-enrollment-manager-enroll.md
@@ -8,7 +8,7 @@ keywords:
 author: Lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 05/10/2022
+ms.date: 07/12/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: enrollment
@@ -59,7 +59,18 @@ These Azure AD roles can manage device enrollment managers:
 * Global Administrator 
 * Intune Service Administrator role in Azure AD    
 
-They can add and delete device enrollment managers, and view all DEM users in the Microsoft Endpoint Manager admin center.  
+People assigned these roles can add and delete device enrollment managers, and view all DEM users in the Microsoft Endpoint Manager admin center.  
+
+## Add a device enrollment manager
+
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+2. Select **Devices** > **Enroll devices**.
+3. Select **Device enrollment managers**.  
+4. Select **Add**.
+3. In the **User name** field, enter the user principal name of the user you're adding.
+6. Select **Add**. The new device enrollment manager is added to the list of DEM users. 
+
+To remove someone as a device enrollment manager, select their name in the list and then choose **Delete**.  
 
 ## Limitations 
 
@@ -97,20 +108,4 @@ Only the local device appears in the Company Portal app or Company Portal websit
 ### Number of accounts  
 There's a limit of 150 DEM accounts in Microsoft Intune.  
 
-## Add a device enrollment manager
-
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Enroll devices** > **Device enrollment managers**.
-
-2. Select **Add**.
-
-3. On the **Add User** blade, enter a user principal name for the DEM user, and select **Add**. The DEM user is added to the list of DEM users.
-
-
-## Remove device enrollment manager permissions
-
-Removing a device enrollment manager doesn't affect enrolled devices.
-
-### To remove a device enrollment manager
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Enroll devices** > **Device enrollment managers**.
-2. On the **Device enrollment managers** blade, select the DEM user, and select **Delete**.  
diff --git a/memdocs/intune/enrollment/device-group-mapping.md b/memdocs/intune/enrollment/device-group-mapping.md
@@ -33,65 +33,50 @@ ms.collection: M365-identity-device-management
 
 [!INCLUDE [azure_portal](../includes/azure_portal.md)]
 
-To make managing devices easier, you can use Microsoft Intune device categories to automatically add devices to groups based on categories that you define.
+Device categories allow you to easily manage and group devices in Microsoft Intune. Assign a category, such as *sales* or *accounting*, to a device and Intune will automatically add the device to the corresponding Intune device group or Active Directory security group.   
 
-Device categories use the following workflow:
-1. Create categories that users can choose from when they enroll their device.
-2. When users of iOS/iPadOS and Android devices enroll a device, they must choose a category from the list of categories you configured. To assign a category to a Windows device, users must use the Company Portal website.
-3. You can then deploy policies and apps to these groups.
+To enable categories in your tenant, you must create a category in the Microsoft Endpoint Manager admin center and set up a dynamic group for it in Azure AD. 
 
-You can create any device categories you want. For example:
-- Point-of-sale device
-- Demonstration device
-- Sales
-- Accounting
-- Manager
+This article describes how to configure and edit device categories.   
 
-## How to configure device categories
+## Configure device categories
 
-You need to be a Global Administrator or Intune Administrator to perform these steps.
+You must be a Global Administrator or Intune Administrator to perform these steps.
 
-### Step 1: Create device categories in Intune
+### Step 1: Create device category in Intune  
 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Choose **Devices** > **Device categories** > **Create device category** to add a new category.
-3. On the **Create device category** pane, enter a **Name** for the new category, and an optional **Description**.
-4. When you are done, select **Create**. You can see the new category in the list of categories.
+2. Choose **Devices** > **Device categories**.
+3. Select **Create device category** to add a new category.
+4. Enter the name of the new category, such as `HR` and an optional description.
+5. Select **Next**.  
+6. Optionally, assign a scope tag, like `US-NC IT Team` or `JohnGlenn_ITDepartment`, to limit management of the category to specific IT groups. For more information about scope tags, see [Use RBAC and scope tags for distributed IT](../fundamentals/scope-tags.md).  
+7. Select **Next**.  
+8. Select **Create**. The new category is added to your **Device categories** list.   
 
-You'll use the device category name when you create Azure Active Directory (Azure AD) security groups in step 2.
+You'll use the device category name when you create Azure Active Directory (Azure AD) security groups in the next step.  
 
-### Step 2: Create Azure Active Directory security groups
-In this step, you'll create dynamic groups in the Azure portal, based on the device category and device category name.
+### Step 2: Create Azure Active Directory security groups 
 
-To continue, refer to [Using attributes to create advanced rules](/azure/active-directory/users-groups-roles/groups-dynamic-membership#using-attributes-to-create-rules-for-device-objects) in the Azure AD documentation.
+To enable automatic grouping, you must create a dynamic group using the attribute-based rules in Azure AD. For instructions, see [Using attributes to create advanced rules](/azure/active-directory/users-groups-roles/groups-dynamic-membership#using-attributes-to-create-rules-for-device-objects) in the Azure AD documentation. Create an advaced rule for your group using the **deviceCategory** attribute and the category name you created in step 1. For example: `device.deviceCategory -eq "HR"`   
 
-Use the information in this section to create a device group with an advanced rule, by using the **deviceCategory** attribute. For example: **device.deviceCategory -eq** "*the device category name you got from the Azure portal*".
-
-After you configure device groups, and users enroll their device, they are presented with a list of the categories you configured. After they choose a category and finish enrollment, their device is added to the Active Directory security group that corresponds with the category they chose.
-
-### View the categories of devices that you manage
-
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **All devices**.
-
-2. In the list of devices, examine the **Device category** column.
-
-If the **Device category** column isn't shown, select **Columns** > **Category** > **Apply**.
+### View categories of all devices 
+ Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Devices** > **All devices** for a list of all devices. The **Device category** column shows the category assigned to each device. 
+ 
+ If the **Device category** column isn't visible in the table, select **Columns**  and then choose **Category** > **Apply**.  
 
 ### Change the category of a device
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **All devices** > choose the device you want > **Properties**.
-2. On the next blade, you can change the **Device category** of the selected device to any of the category names you previously configured.
-
-## After you configure device groups
-
-When users of iOS/iPadOS and Android devices enroll their device, they must choose a category from the list of categories you configured. After they choose a category and finish enrollment, their device is added to the Intune device group, or the Active Directory security group that corresponds with the category they chose.
-
-Windows users should use the Company Portal website or the Company Portal app to select a category.
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+2. Select **Devices** > **All devices**.
+3. Select a device.
+4. On the device details page, select **Properties**.  
+5. Change your selection in the **Device category** field.  
 
-Regardless of platform, your users can always go to portal.manage.microsoft.com after enrolling the device. Have the user access the Company Portal website, and go to **My Devices**. The user can choose an enrolled device listed on the page, and then select a category.
+## Best practices  
+Device categories are supported on devices running Android, iOS/iPadOS, or Windows. People with Windows devices must use the Company Portal website to select their category. Regardless of platform, any device user can sign in to portal.manage.microsoft.com at anytime and go to **My devices** to select a category. 
 
-After choosing a category, the device is automatically added to the corresponding group you created. If a device is already enrolled before you configure categories, the user sees a notification about the device on the Company Portal website. This lets the user know to select a category the next time they access the Company Portal app on iOS/iPadOS or Android.
+If a device is already enrolled before you configure categories, the user will receive a notification about the device on the Company Portal website informing them to select a category the next time they access the Company Portal app on iOS/iPadOS or Android.  
 
-## Further information
-- You can edit a device category in the Azure portal, but you must manually update any Azure AD security groups that reference this category.
+You can edit a device category in the Azure portal, but you must manually update any Azure AD security groups that reference this category.  
 
-- If you delete a category, devices assigned to it display the category name **Unassigned**.
+If you delete a category, devices assigned to it display the category name **Unassigned**.  
diff --git a/memdocs/intune/enrollment/toc.yml b/memdocs/intune/enrollment/toc.yml
@@ -31,19 +31,10 @@ items:
   - name: Restrictions
     href: enrollment-restrictions-set.md
   - name: Understand Intune and Azure AD device limits
-    href: device-limit-intune-azure.md
-  - name: Apple MDM push certificate
-    href: apple-mdm-push-certificate-get.md
+    href: device-limit-intune-azure.md  
   - name: Corporate identifiers
     href: corporate-identifiers-add.md
-    displayName: COD
-  - name: Multi-factor authentication
-    href: multi-factor-authentication.md
-    displayName: mfa; multifactor        
-  - name: Device enrollment manager
-    href: device-enrollment-manager-enroll.md
-  - name: Map devices to groups
-    href: device-group-mapping.md    
+    displayName: COD     
 - name: How-to guides
   items:
   - name: Set up Windows enrollment
@@ -154,6 +145,15 @@ items:
       href: device-enrollment-direct-enroll-macos.md      
   - name: Incomplete enrollment report
     href: enrollment-report-company-portal-abandon.md
+  - name: Add device enrollment manager  
+    href: device-enrollment-manager-enroll.md  
+  - name: Configure device categories  
+    href: device-group-mapping.md   
+  - name: Get Apple MDM push certificate  
+    href: apple-mdm-push-certificate-get.md 
+  - name: Require multi-factor authentication  
+    href: multi-factor-authentication.md
+    displayName: mfa; multifactor   
   - name: Troubleshoot enrollment
     items:
     - name: Troubleshoot device enrollment
