
Commit 7776565

Grammar, style, and aesthetic changes.
1 parent 85dd20c commit 7776565

3 files changed

Lines changed: 47 additions & 48 deletions


microsoft-365/managed-desktop/get-started/register-devices-self.md

Lines changed: 1 addition & 1 deletion
@@ -18,7 +18,7 @@ audience: Admin
1818
Microsoft Managed Desktop can work with brand-new devices, or you can reuse devices you might already have. If you reuse devices, you must reimage them. You're able to register devices with Microsoft Managed Desktop in the Microsoft Endpoint Manager portal.
1919

2020
> [!NOTE]
21-
> Working with a partner to obtain devices? If so, you don't need to worry about getting the hardware hashes; they'll take care of that for you. Make sure your partner establishes a relationship with you at the [Partner Center](https://partner.microsoft.com/dashboard). Your partner can learn more at [Partner Center help](/partner-center/request-a-relationship-with-a-customer). Once this relationship established, your partner will simply register devices on your behalf – no further action required from you. If you want to see the details, or your partner has questions, see [Steps for Partners to register devices](register-devices-partner.md). Once the devices are registered, you can proceed with [checking the image](#check-the-image) and [delivering the devices](#deliver-the-device) to your users.
21+
> Working with a partner to obtain devices? If so, you don't need to worry about getting the hardware hashes; they'll take care of that for you. Make sure your partner establishes a relationship with you at the [Partner Center](https://partner.microsoft.com/dashboard). Your partner can learn more at [Partner Center help](/partner-center/request-a-relationship-with-a-customer). <br><br>Once this relationship established, your partner will simply register devices on your behalf – no further action required from you. If you want to see the details, or your partner has questions, see [Steps for Partners to register devices](register-devices-partner.md). Once the devices are registered, you can proceed with [checking the image](#check-the-image) and [delivering the devices](#deliver-the-device) to your users.
2222
2323
## Prepare to register brand-new devices
2424
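Review bot: the rewritten line at 21+ carries over a missing verb in "Once this relationship established"; suggest "Once this relationship is established". Also, inserting `<br><br>` to split the paragraph inside a `> [!NOTE]` callout relies on raw HTML being rendered within the blockquote; the conventional way to get a paragraph break in a callout is a bare `>` line followed by a second `> Once this relationship is established, ...` line, which keeps the note as plain Markdown.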

microsoft-365/managed-desktop/service-description/security.md

Lines changed: 28 additions & 33 deletions
@@ -14,57 +14,52 @@ ms.topic: article
1414

1515
<!--Security, also Onboarding doc: data handling/store, privileged account access -->
1616

17-
Microsoft Managed Desktop uses several Microsoft technologies to help secure managed devices and data. In addition, the Microsoft Managed Desktop Security Operations Center uses various [processes](security-operations.md) in conjunction with these technologies.
17+
Microsoft Managed Desktop uses several Microsoft technologies to help secure managed devices and data. In addition, the Microsoft Managed Desktop Security Operations Center uses various [processes](security-operations.md) with these technologies. Specifically:
1818

19-
Specifically:
20-
21-
- [Device security](#device-security) – security and protection on Microsoft Managed Desktop devices
22-
- [Identity and Access Management](#identity-and-access-management) – managing secure use of devices through Azure Active Directory identity services
23-
- [Network security](#network-security)VPN information and Microsoft Managed Desktop recommended solution and settings
24-
- [Information security](#information-security) – optional available services to further protect sensitive information
19+
| Process | Description |
20+
| ------ | ------ |
21+
| [Device security](#device-security)| Security and protection on Microsoft Managed Desktop devices. |
22+
| [Identity and Access Management](#identity-and-access-management) | Managing secure use of devices through Azure Active Directory identity services. |
23+
| [Network security](#network-security)| VPN information and Microsoft Managed Desktop recommended solution and settings. |
24+
| [Information security](#information-security)| Optional available services to further protect sensitive information. |
2525

2626
For information about data storage, usage, and security practices used by Microsoft Managed Desktop, see our whitepaper at [https://aka.ms/mmd-data](https://aka.ms/mmd-data).
2727

28-
2928
## Device security
3029

3130
Microsoft Managed Desktop ensures all managed devices are secured and protected, and detects threats as early as possible using the following services:
3231

33-
Service | Description
34-
--- | ---
35-
Antivirus | Microsoft Defender Antivirus is installed and configured<br>Microsoft Defender Antivirus definitions are up to date
36-
Full Volume Encryption | Windows BitLocker is the volume encryption solution for Microsoft Managed Desktop devices.<br><br>Once an organization is onboarded into the service, devices will be encrypted using Windows BitLocker with built-in Trust Platform Module (TPM) to prevent unauthorized access to local data when the device is in sleep mode, or off.
37-
Monitoring | Microsoft Defender for Endpoint is used for security threat monitoring across all Microsoft Managed Desktop devices. Defender for Endpoint allows enterprise customers to detect, investigate, and respond to advanced threats in their corporate network. For more information, see [Microsoft Defender for Endpoint.](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection)
38-
Operating system updates | Microsoft Managed Desktop devices are always secured with the latest security updates.
39-
Secure Device Configuration | Microsoft Managed Desktop implements the Microsoft Security Baseline. For more information, see [Windows security baselines.](/windows/security/threat-protection/windows-security-baselines)
40-
41-
32+
| Service | Description |
33+
| ----- | ----- |
34+
| Antivirus | Microsoft Defender Antivirus is installed and configured<br>Microsoft Defender Antivirus definitions are up to date. |
35+
| Full Volume Encryption | Windows BitLocker is the volume encryption solution for Microsoft Managed Desktop devices.<br><br>Once an organization is enrolled into the service, devices will be encrypted using Windows BitLocker with built-in Trust Platform Module (TPM) to prevent unauthorized access to local data when the device is in sleep mode, or off.
36+
| Monitoring | Microsoft Defender for Endpoint is used for security threat monitoring across all Microsoft Managed Desktop devices. Defender for Endpoint allows enterprise customers to detect, investigate, and respond to advanced threats in their corporate network. For more information, see [Microsoft Defender for Endpoint.](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) |
37+
| Operating system updates | Microsoft Managed Desktop devices are always secured with the latest security updates. |
38+
| Secure Device Configuration | Microsoft Managed Desktop implements the Microsoft Security Baseline. For more information, see [Windows security baselines.](/windows/security/threat-protection/windows-security-baselines)|
4239

4340
## Identity and access management
4441

45-
Identity and access management protects corporate assets and business-critical data. Microsoft Managed Desktop configures devices to ensure secure use with Azure Active Directory (Azure AD) managed identities. It is the customer's responsibility to maintain accurate information in their Azure AD tenant.
46-
47-
Service | Description
48-
--- | ---
49-
Biometric Authentication | Windows Hello allows users to sign in by using their face or a PIN, making passwords harder to forget or steal. Customers are responsible for implementing the necessary pre-requisites for their on-premises Active Directory for use of this service in a hybrid configuration. For more information, see [Windows Hello.](/windows-hardware/design/device-experiences/windows-hello)
50-
Standard user permission | To protect the system and make it more secure, the user will be assigned Standard User Permissions. This permission is assigned as part of the Windows Autopilot out-of-box experience.
51-
42+
Identity and access management protects corporate assets and business-critical data. Microsoft Managed Desktop configures devices to ensure secure use with Azure Active Directory (Azure AD) managed identities. It's the customer's responsibility to maintain accurate information in their Azure AD tenant.
5243

44+
| Service | Description |
45+
| ----- | ----- |
46+
| Biometric Authentication | Windows Hello allows users to sign in by using their face or a PIN, making passwords harder to forget or steal. Customers are responsible for implementing the necessary pre-requisites for their on-premises Active Directory to use this service in a hybrid configuration. For more information, see [Windows Hello.](/windows-hardware/design/device-experiences/windows-hello) |
47+
| Standard user permission | To protect the system and make it more secure, the user will be assigned Standard User Permissions. This permission is assigned as part of the Windows Autopilot out-of-box experience.
5348

5449
## Network security
5550

56-
Customers are responsible for network security.
51+
Customers are responsible for network security.
5752

58-
Service | Description
59-
--- | ---
60-
VPN | Customers own their VPN infrastructure, to ensure limited corporate resources can be exposed outside the intranet.<br><br>Minimum requirement: Microsoft Managed Desktop requires a Windows 10 compatible and supported VPN solution. If your organization needs a VPN solution, it needs to support Windows 10 and be packaged and deployable through Intune. Contact your software publisher for more information.<br><br>Recommendation:<br>- Microsoft recommends a modern VPN solution that could be easily deployed through Intune to push VPN profiles. This approach provides an always-on, seamless, reliable, and secure way to access corporate network. For more information, see [[VPN settings in Intune]](/intune/vpn-settings-configure).<br>- Thick VPN clients, or older VPN clients, are not recommended by Microsoft while using Microsoft Managed Desktop as it can impact the user environment.<br>- Microsoft recommends that the outgoing web traffic goes directly to Internet without going through the VPN to avoid any performance issues.<br>- Ideally, Microsoft recommends the use of Azure Active Directory App Proxy instead of a VPN.
53+
| Service | Description |
54+
| ----- | ----- |
55+
| VPN | Customers own their VPN infrastructure, to ensure limited corporate resources can be exposed outside the intranet.<br><br>Minimum requirement: Microsoft Managed Desktop requires a Windows 10 compatible and supported VPN solution. If your organization needs a VPN solution, it needs to support Windows 10 and be packaged and deployable through Intune. Contact your software publisher for more information.<br><br>Recommendation:<br><ul><li> Microsoft recommends a modern VPN solution that could be easily deployed through Intune to push VPN profiles. This approach provides an always-on, seamless, reliable, and secure way to access corporate network. For more information, see [VPN settings in Intune](/intune/vpn-settings-configure).</li><li>Thick VPN clients, or older VPN clients, aren't recommended by Microsoft while using Microsoft Managed Desktop as it can affect the user environment.</li><li>Microsoft recommends that the outgoing web traffic goes directly to Internet without going through the VPN to avoid any performance issues.</li><li>Ideally, Microsoft recommends the use of Azure Active Directory App Proxy instead of a VPN.</li></ul>
6156

6257

6358
## Information security
6459

65-
You can configure these optional services to help protect corporate high-value assets.
60+
You can configure these optional services to help protect corporate high-value assets.
6661

67-
Service | Description
68-
--- | ---
69-
Data recovery | Information stored in key folders on the device is backed up to OneDrive for Business. Microsoft Managed Desktop is not responsible for data that isnt synchronized with OneDrive for Business.
70-
Windows Information Protection | For companies that require high levels of information security, we recommend [Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip) and [Azure Information Protection.](https://www.microsoft.com/cloud-platform/azure-information-protection)
62+
| Service | Description |
63+
| ----- | ----- |
64+
| Data recovery | Information stored in key folders on the device is backed up to OneDrive for Business. Microsoft Managed Desktop isn't responsible for data that isn't synchronized with OneDrive for Business.
65+
| Windows Information Protection | For companies that require high levels of information security, we recommend [Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip) and [Azure Information Protection.](https://www.microsoft.com/cloud-platform/azure-information-protection)
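Review bot: the Full Volume Encryption row at 35+ keeps "Trust Platform Module (TPM)"; the component is the Trusted Platform Module, and this is the only place on the page a reader would learn the name, so it should be corrected while the row is being touched. Separately, the table conversion is inconsistent about closing pipes: the rows at 35+, 47+, 55+, 64+ and 65+ have no trailing `|`, while the other rows in the same tables do. Markdown renderers tolerate this, but it should be made uniform, for example `| Standard user permission | ... Windows Autopilot out-of-box experience. |`. Two smaller points: the link text at 36+ and 39+ includes the sentence-ending period (`[Microsoft Defender for Endpoint.]`), which should sit outside the brackets; and the VPN cell at 55+ now mixes Markdown with a raw `<ul><li>` list, which works but makes that cell the only HTML-list in the file.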

microsoft-365/managed-desktop/service-description/shared-devices.md

Lines changed: 18 additions & 14 deletions
@@ -13,22 +13,24 @@ ms.topic: article
1313

1414
# Shared devices
1515

16-
Microsoft Managed Desktop allows you to register devices in "shared device mode," similar to the shared device mode offered by [Microsoft Intune](/mem/intune/configuration/shared-user-device-settings). Devices in this mode are optimized for situations where users aren't tied down to a single desk and are frequently changing devices, typically frontline workers such as bank tellers or nursing staff. You can apply any of the Microsoft Managed Desktop [profiles](profiles.md) to devices in this mode. Devices registered in this mode have some important differences:
16+
Microsoft Managed Desktop allows you to register devices in "shared device mode," similar to the shared device mode offered by [Microsoft Intune](/mem/intune/configuration/shared-user-device-settings).
17+
18+
Devices in this mode are optimized for situations where users aren't tied down to a single desk and are frequently changing devices. For example, frontline workers such as bank tellers or nursing staff. You can apply any of the Microsoft Managed Desktop [profiles](profiles.md) to devices in this mode. Devices registered in this mode have some important differences:
1719

1820
- [Device storage](#device-storage) is optimized for shared users.
1921
- [Inactive accounts](#deletion-of-inactive-accounts) are deleted.
2022
- [Guest accounts](#guest-accounts) aren't supported by default.
2123
- [Microsoft 365 Applications](#microsoft-365-apps-for-enterprise) for enterprise licensing is optimized for shared devices.
2224

23-
Because you make the choice to use shared device mode at the point of registration into Microsoft Managed Desktop, if you want to change it out of this mode later, you'll have to de-register it and register it again.
25+
Because you make the choice to use shared device mode at the point of registration in Microsoft Managed Desktop, if you want to change out of this mode later, you must de-register it and register it again.
2426

2527
## When to use shared device mode
2628

2729
Any situation where users are frequently changing devices.
2830

29-
For example, bank tellers might be in one location managing deposits, but move to a back office to help customers with a mortgage. In each of those locations, the device runs different applications and is optimized for those tasks, though they are used by multiple people.
31+
For example, bank tellers might be in one location managing deposits, but move to a back office to help customers with a mortgage. In each of those locations, the device runs different applications and is optimized for those tasks, though they're used by multiple people.
3032

31-
Nursing staff typically move between rooms and offices as they interact with patients, so they can sign into a workstation in an office, but connect to their remote desktop and take notes, only to repeat this in a different room with a different patient.
33+
Nursing staff typically move between rooms and offices as they interact with patients. They can sign into a workstation in an office, but connect to their remote desktop and take notes, and repeat this process in a different room with a different patient.
3234

3335
## When not to use shared device mode
3436
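Review bot: splitting the sentence at 18+ leaves "For example, frontline workers such as bank tellers or nursing staff." as a fragment with no verb. Suggest keeping it attached to the preceding sentence: "... and are frequently changing devices, for example frontline workers such as bank tellers or nursing staff."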

@@ -49,11 +51,11 @@ If you're enrolling devices yourself, follow the steps in [Register new devices
4951
5052
If you're having a partner enroll devices, follow the steps in [Steps for Partners to register devices](../get-started/register-devices-partner.md), but append **-Shared** to the group tag, as shown in the following table:
5153

52-
|Device profile |Group tag (standard mode) |Group tag (shared device mode) |
53-
|---------|---------|---------|
54-
|Sensitive date | Microsoft365Managed_SensitiveData | Microsoft365Managed_SensitiveData-Shared |
55-
| Power user | Microsoft365Managed_PowerUser | Not supported |
56-
|Standard | Microsoft365Managed_Standard | Microsoft365Managed_Standard-Shared |
54+
| Device profile | Autopilot group tag (standard mode) | Group tag (shared device mode) |
55+
| ----- | ----- | ----- |
56+
| Sensitive data | Microsoft365Managed_SensitiveData | Microsoft365Managed_SensitiveData-Shared |
57+
| Power user | Microsoft365Managed_PowerUser | Not supported |
58+
| Standard | Microsoft365Managed_Standard | Microsoft365Managed_Standard-Shared |
5759

5860
## Consequences of shared device mode
5961
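Review bot: the new table header at 54+ renames the second column to "Autopilot group tag (standard mode)" but leaves the third column as "Group tag (shared device mode)", so the two tag columns now read as if they were different kinds of tag. Either use "Autopilot group tag" in both headers or in neither. The "Sensitive date" to "Sensitive data" fix at 56+ is correct.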

@@ -84,7 +86,7 @@ In shared device mode, you can have only one [device profile](profiles.md) on a
8486

8587
### Apps and policies assigned to users
8688

87-
On shared devices, you should assign any apps or policies that you are managing yourself to *device groups*, not user groups. Doing this ensures that each user has a more consistent experience. The exception is [Company Portal](#deploying-apps-with-company-portal).
89+
On shared devices, you should assign any apps or policies that you're managing yourself to *device groups*, not user groups. Assigning to device groups ensures that each user has a more consistent experience. The exception is [Company Portal](#deploying-apps-with-company-portal).
8890

8991
## Limitations of shared device mode
9092

@@ -100,25 +102,27 @@ When Universal print installs a printer for a single user on a shared device tha
100102

101103
### Primary user
102104

103-
Each Microsoft Intune device has a primary user, which gets assigned when a device is set up by Autopilot. But when devices are shared, Intune requires that the primary user be removed.
105+
Each Microsoft Intune device has a primary user, which is assigned when a device is set up by Autopilot. But when devices are shared, Intune requires that the primary user is removed.
104106

105107
> [!IMPORTANT]
106108
> While shared device mode is in public preview, be sure to remove the primary user by following these steps: sign in to the Microsoft Endpoint Manager admin center, select **Devices**>**All devices**, select a device, then select **Properties**>**Remove primary user**, and delete the user listed there.
107109
108110
### Deploying apps with Company Portal
109111

110-
Some apps probably don't need to be present on all devices, so you might prefer that users only install those apps when they need them from [Company Portal](/mem/intune/user-help/install-apps-cpapp-windows). Microsoft Managed Desktop disables Company Portal by default for devices in shared device mode. If you want Company Portal enabled, you can file a [change request](../working-with-managed-desktop/admin-support.md), but you should be aware of some limitations in this feature in this public preview:
112+
Some apps probably don't need to be present on all devices, so you might prefer that users only install those apps when they need them from [Company Portal](/mem/intune/user-help/install-apps-cpapp-windows).
113+
114+
Microsoft Managed Desktop disables Company Portal by default for devices in shared device mode. If you want the Company Portal enabled, you can file a [change request](../working-with-managed-desktop/admin-support.md). However,you should be aware of some limitations in this feature in this public preview:
111115

112116
- To make an app available to users in Company Portal, [assign a user group](/mem/intune/apps/apps-deploy) to that app in Intune and then add each user to that user group.
113-
- Devices cannot have a [primary user](#primary-user).
117+
- Devices can't have a [primary user](#primary-user).
114118
- To uninstall an app that a user installed through Company Portal, you must uninstall the app from all users on that device.
115119

116120
> [!CAUTION]
117121
> Company Portal doesn't support applications assigned to device groups as available.
118122
119123
### Redeployment of Microsoft 365 Apps for enterprise
120124

121-
During public preview, if Microsoft 365 Apps need to be redeployed, users will have to contact their local support staff to request an agent elevate and reinstall Microsoft 365 Apps for enterprise on that device.
125+
During public preview, if Microsoft 365 Apps must be redeployed, users must contact their local support staff to request an agent elevate and reinstall Microsoft 365 Apps for enterprise on that device.
122126

123127
### Microsoft Teams
124128
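Review bot: the added line at 114+ is missing the space after the comma in "However,you should be aware"; it should read "However, you should be aware". Also, at 105+ the original "requires that the primary user be removed" was the grammatically correct subjunctive after "requires that"; "is removed" reads as a statement of fact rather than a requirement, so the original wording is preferable there.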
