diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md
index eeeb654fb8..5bdba905fb 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md
@@ -40,7 +40,7 @@ Sign in using *Enterprise Administrator* equivalent credentials on a Windows Ser
Install-AdcsCertificationAuthority
```
-## Configure a PKI
+## Configure the enterprise PKI
If you don't have an existing PKI, review [Certification Authority Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)) to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11)) for instructions on how to configure your PKI using the information from your design session.
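Review bot: Renaming the heading from `## Configure a PKI` to `## Configure the enterprise PKI` changes the heading text that section anchors are normally derived from, so any link that targets the old heading by its anchor will stop resolving to this section. Search the repository for links to the old anchor and update them in the same change, or keep the original heading text if other articles depend on it.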
@@ -103,7 +103,7 @@ Sign in to a CA or management workstations with *Domain Administrator* equivalen
-Supersede existing domain controller certificates
+Supersede existing domain controller certificates
The domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers called *domain controller certificate*. Later releases of Windows Server provided a new certificate template called *domain controller authentication certificate*. These certificate templates were provided prior to the update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the *KDC Authentication* extension.
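Review bot: The removed and added lines for `Supersede existing domain controller certificates` read identically in this hunk, so the change is limited to markup or whitespace that is not visible here. Confirm the difference is intentional, and check that the title still renders as a distinct heading or section title rather than merging into the paragraph that follows it, since no blank line separates the two.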
@@ -166,7 +166,12 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
-### Configure automatic certificate enrollment for the domain controllers
+## Configure and deploy certificates to domain controllers
+
+Expand the following sections to configure the group policy for domain controllers and validate the certificate deployment.
+
+
+Configure automatic certificate enrollment for the domain controllers
Domain controllers automatically request a certificate from the *Domain controller certificate* template. However, domain controllers are unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates, create and configure a Group Policy Object (GPO) for automatic certificate enrollment, linking the Group Policy object to the *Domain Controllers* Organizational Unit (OU).
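Review bot: The new intro sentence tells the reader to "Expand the following sections", but the added title `Configure automatic certificate enrollment for the domain controllers` carries no heading or collapsible markup in the lines shown and sits directly above the paragraph with no blank line, so it would render as ordinary body text. Keep the `###` heading under the new `##` section, or make sure the collapsible section markup is actually present around the title. The sentence also promises to "validate the certificate deployment", while the subsections in this change only cover configuring and deploying the GPO; either point to the validation section by name or drop that clause.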
@@ -184,7 +189,10 @@ Domain controllers automatically request a certificate from the *Domain controll
1. Select **OK**
1. Close the **Group Policy Management Editor**
-### Deploy the domain controller auto certificate enrollment GPO
+
+
+
+Deploy the domain controller auto certificate enrollment GPO
Sign in to domain controller or management workstations with *Domain Administrator* equivalent credentials.
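Review bot: Replacing `### Deploy the domain controller auto certificate enrollment GPO` with a bare title line removes the heading and its anchor, and as shown the title is followed immediately by the "Sign in to..." paragraph, so the two would render as one paragraph. Restore a heading level or confirm the collapsible markup is in place. The three consecutive empty added lines above the title should also be reduced to one unless each carries markup that is not visible in this diff.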
@@ -193,6 +201,8 @@ Sign in to domain controller or management workstations with *Domain Administrat
1. In the **Select GPO** dialog box, select *Domain Controller Auto Certificate Enrollment* or the name of the domain controller certificate enrollment Group Policy object you previously created
1. Select **OK**
+
+
## Validate the configuration
Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase.
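Review bot: The two empty lines added after the final list step `1. Select **OK**` come right before `## Validate the configuration`; if they are meant to close a collapsible section, verify that the closing markup is present, starts at column zero, and is separated from the ordered list by a blank line so it is not absorbed into the last list item. If they are only spacing, a single blank line before the heading is enough.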