From 02b5c136961b45749854fcc6000b678164b0b862 Mon Sep 17 00:00:00 2001 
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 15 Dec 2023 18:16:19 -0500 Subject: [PATCH] updates --- .../hello-for-business/deploy/cloud.md | 2 +- .../deploy/hybrid-cert-trust-enroll.md | 10 ++++---- .../deploy/hybrid-cert-trust.md | 2 +- .../hybrid-cloud-kerberos-trust-enroll.md | 12 ++++----- .../deploy/hybrid-cloud-kerberos-trust.md | 2 +- .../deploy/hybrid-key-trust-enroll.md | 10 ++++---- .../deploy/hybrid-key-trust.md | 4 +-- .../images/adfs-device-registration.png | Bin .../{ => deploy}/images/adfs-scp.png | Bin .../images/azuread-kerberos-object.png | Bin .../images/cloud-trust-prereq-check.png | Bin .../deploy/images/group-policy.svg | 3 +++ .../images/haadj-whfb-pin-provisioning.gif | Bin .../images/hello-cloud-trust-intune-large.png | Bin .../images/hello-cloud-trust-intune.png | Bin .../images/hello-internal-web-server-cert.png | Bin .../{includes => images}/information.svg | 0 .../deploy/images/intune.svg | 24 ++++++++++++++++++ ...-intune-account-protection-cert-enable.png | Bin .../whfb-intune-account-protection-enable.png | Bin .../images/whfb-intune-disable.png | Bin .../apply-to-hybrid-cert-trust-entra.md | 2 +- .../apply-to-hybrid-key-and-cert-trust.md | 2 +- .../apply-to-on-premises-cert-trust-entra.md | 2 +- .../includes/tooltip-deployment-cloud.md | 2 +- .../includes/tooltip-deployment-hybrid.md | 2 +- .../includes/tooltip-deployment-onpremises.md | 2 +- .../deploy/includes/tooltip-join-domain.md | 2 +- .../deploy/includes/tooltip-join-entra.md | 2 +- .../deploy/includes/tooltip-join-hybrid.md | 2 +- .../deploy/includes/tooltip-trust-cert.md | 2 +- .../includes/tooltip-trust-cloud-kerberos.md | 2 +- .../deploy/includes/tooltip-trust-key.md | 2 +- .../hello-for-business/deploy/index.md | 6 ++--- .../deploy/on-premises-cert-trust-adfs.md | 6 ++--- .../hello-for-business/deploy/toc.yml | 6 ++--- .../hello-biometrics-in-enterprise.md | 2 +- .../hello-how-it-works-technology.md | 4 +-- 
.../hello-for-business/hello-how-it-works.md | 2 +- .../hello-hybrid-aadj-sso.md | 4 +-- .../hello-planning-guide.md | 2 +- .../hello-prepare-people-to-use.md | 2 +- .../passwordless-strategy.md | 2 +- 43 files changed, 78 insertions(+), 51 deletions(-) rename windows/security/identity-protection/hello-for-business/{ => deploy}/images/adfs-device-registration.png (100%) rename windows/security/identity-protection/hello-for-business/{ => deploy}/images/adfs-scp.png (100%) rename windows/security/identity-protection/hello-for-business/{ => deploy}/images/azuread-kerberos-object.png (100%) rename windows/security/identity-protection/hello-for-business/{ => deploy}/images/cloud-trust-prereq-check.png (100%) create mode 100644 windows/security/identity-protection/hello-for-business/deploy/images/group-policy.svg rename windows/security/identity-protection/hello-for-business/{ => deploy}/images/haadj-whfb-pin-provisioning.gif (100%) rename windows/security/identity-protection/hello-for-business/{ => deploy}/images/hello-cloud-trust-intune-large.png (100%) rename windows/security/identity-protection/hello-for-business/{ => deploy}/images/hello-cloud-trust-intune.png (100%) rename windows/security/identity-protection/hello-for-business/{ => deploy}/images/hello-internal-web-server-cert.png (100%) rename windows/security/identity-protection/hello-for-business/deploy/{includes => images}/information.svg (100%) create mode 100644 windows/security/identity-protection/hello-for-business/deploy/images/intune.svg rename windows/security/identity-protection/hello-for-business/{ => deploy}/images/whfb-intune-account-protection-cert-enable.png (100%) rename windows/security/identity-protection/hello-for-business/{ => deploy}/images/whfb-intune-account-protection-enable.png (100%) rename windows/security/identity-protection/hello-for-business/{ => deploy}/images/whfb-intune-disable.png (100%) 
diff --git a/windows/security/identity-protection/hello-for-business/deploy/cloud.md b/windows/security/identity-protection/hello-for-business/deploy/cloud.md index d2695cb7eb..dfbd20da90 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/cloud.md +++ b/windows/security/identity-protection/hello-for-business/deploy/cloud.md @@ -54,7 +54,7 @@ The following method explains how to disable Windows Hello for Business enrollme When disabled, users can't provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business. > [!NOTE] -> This policy is only applied during new device enrollments. For currently enrolled devices, you can [set the same settings in a device configuration policy](hello-manage-in-organization.md). +> This policy is only applied during new device enrollments. For currently enrolled devices, you can [set the same settings in a device configuration policy](../hello-manage-in-organization.md). ## Disable Windows Hello for Business enrollment without Intune diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md index 1cf3d29281..da2bb39379 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md 
@@ -19,7 +19,7 @@ ms.topic: tutorial After the prerequisites are met and the PKI and AD FS configurations are validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). -# [:::image type="icon" source="../../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo) +# [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo) > [!IMPORTANT] > The information in this section applies to Microsoft Entra hybrid joined devices only. @@ -96,7 +96,7 @@ The application of Group Policy object uses security group filtering. This solut Users (or devices) must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business. You can provide users with these settings and permissions by adding members to the *Windows Hello for Business Users* group. Users and groups who aren't members of this group won't attempt to enroll for Windows Hello for Business. -# [:::image type="icon" source="../../../images/icons/intune.svg"::: **Intune**](#tab/intune) +# [:::image type="icon" source="images/intune.svg"::: **Intune**](#tab/intune) ## Configure Windows Hello for Business using Microsoft Intune 
@@ -129,7 +129,7 @@ To check the Windows Hello for Business policy applied at enrollment time: 1. Select **Windows Hello for Business** 1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured -:::image type="content" source="../images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="../images/whfb-intune-disable.png"::: +:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="images/whfb-intune-disable.png"::: If the tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to create a policy using an *account protection* policy. @@ -152,7 +152,7 @@ To configure Windows Hello for Business using an *account protection* policy: 1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next** 1. Review the policy configuration and select **Create** -:::image type="content" source="../images/whfb-intune-account-protection-cert-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="../images/whfb-intune-account-protection-cert-enable.png"::: +:::image type="content" source="images/whfb-intune-account-protection-cert-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-cert-enable.png"::: --- 
@@ -172,7 +172,7 @@ This is the process that occurs after a user signs in, to enroll in Windows Hell 1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device 1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Microsoft Entra ID to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and see their desktop. While the user has completed provisioning, Microsoft Entra Connect synchronizes the user's key to Active Directory -:::image type="content" source="../images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business."::: +:::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business."::: > [!IMPORTANT] > The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md index 1e1abbb130..36eb5fa683 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md 
@@ -20,7 +20,7 @@ Hybrid environments are distributed systems that enable organizations to use on- This deployment guide describes how to deploy Windows Hello for Business in a hybrid certificate trust scenario. > [!IMPORTANT] -> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](../hybrid-clud-kerberos-trust.md). +> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](../hybrid-cloud-kerberos-trust.md). It's recommended that you review the [Windows Hello for Business planning guide](../hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md index 918d86d832..da843f036d 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md @@ -8,7 +8,7 @@ ms.topic: tutorial --- # Configure and provision Windows Hello for Business - cloud Kerberos trust -[!INCLUDE [hello-hybrid-key-trust](includes/hello-hybrid-cloudkerb-trust.md)] +[!INCLUDE [apply-to-hybrid-cloud-kerberos-trust](includes/apply-to-hybrid-cloud-kerberos-trust.md)] ## Deployment steps 
@@ -29,7 +29,7 @@ If you haven't deployed Microsoft Entra Kerberos, follow the instructions in the After setting up the Microsoft Entra Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). -#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune) +#### [:::image type="icon" source="images/intune.svg"::: **Intune**](#tab/intune) For devices managed by Intune, you can use Intune policies to configure Windows Hello for Business. @@ -68,7 +68,7 @@ To configure Windows Hello for Business using an account protection policy: 1. Specify a **Name** and, optionally, a **Description** > **Next**. 1. Under **Block Windows Hello for Business**, select **Disabled** and multiple policies become available. - These policies are optional to configure, but it's recommended to configure **Enable to use a Trusted Platform Module (TPM)** to **Yes**. - - For more information about these policies, see [MDM policy settings for Windows Hello for Business](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business). + - For more information about these policies, see [MDM policy settings for Windows Hello for Business](../hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business). 1. Under **Enable to certificate for on-premises resources**, select **Not configured** 1. Select **Next**. 1. Optionally, add **scope tags** and select **Next**. 
@@ -107,7 +107,7 @@ To configure the cloud Kerberos trust policy: 1. Assign the policy to a security group that contains as members the devices or users that you want to configure. -#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo) +#### [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo) Microsoft Entra hybrid joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business. 
@@ -118,7 +118,7 @@ You can configure the Enable Windows Hello for Business Group Policy setting for Cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration. > [!NOTE] -> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune][MEM-1] and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources). +> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune][MEM-1] and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources). #### Update administrative templates 
@@ -199,7 +199,7 @@ If you deployed Windows Hello for Business using the certificate trust model, an ## Frequently Asked Questions -For a list of frequently asked questions about Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business Frequently Asked Questions](hello-faq.yml#cloud-kerberos-trust). +For a list of frequently asked questions about Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business Frequently Asked Questions](../hello-faq.yml#cloud-kerberos-trust). diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md index fb61f15acf..f6e7a28d29 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md @@ -84,7 +84,7 @@ Once the prerequisites are met, deploying Windows Hello for Business with a clou > * Provision Windows Hello for Business on Windows clients > [!div class="nextstepaction"] -> [Next: configure and provision Windows Hello for Business >](hybrid-clud-kerberos-trust-enroll.md) +> [Next: configure and provision Windows Hello for Business >](hybrid-cloud-kerberos-trust-enroll.md) diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md index c36e2167e1..f334ccb78a 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md 
@@ -11,7 +11,7 @@ ms.topic: tutorial After the prerequisites are met and the PKI configuration is validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). -#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune) +#### [:::image type="icon" source="images/intune.svg"::: **Intune**](#tab/intune) ## Configure Windows Hello for Business using Microsoft Intune @@ -54,7 +54,7 @@ To configure Windows Hello for Business using an *account protection* policy: 1. Specify a **Name** and, optionally, a **Description** > **Next** 1. Under *Block Windows Hello for Business*, select **Disabled** and multiple policies become available - These policies are optional to configure, but it's recommended to configure *Enable to use a Trusted Platform Module (TPM)* to **Yes** - - For more information about these policies, see [MDM policy settings for Windows Hello for Business](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business) + - For more information about these policies, see [MDM policy settings for Windows Hello for Business](../hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business) 1. Select **Next** 1. Optionally, add *scope tags* > **Next** 1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next** 
@@ -62,7 +62,7 @@ To configure Windows Hello for Business using an *account protection* policy: :::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-enable.png"::: -#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo) +#### [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo) ## Configure Windows Hello for Business using group policies @@ -72,7 +72,7 @@ It's suggested to create a security group (for example, *Windows Hello for Busin The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory > [!NOTE] -> If you deployed Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources) +> If you deployed Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources) ### Enable Windows Hello for Business group policy setting 
@@ -101,7 +101,7 @@ Sign-in a domain controller or management workstations with *Domain Admin* equiv > [!NOTE] > Windows Hello for Business can be configured using different policies. These policies are optional to configure, but it's recommended to enable *Use a hardware security device*. > -> For more information about these policies, see [Group Policy settings for Windows Hello for Business](hello-manage-in-organization.md#group-policy-settings-for-windows-hello-for-business). +> For more information about these policies, see [Group Policy settings for Windows Hello for Business](../hello-manage-in-organization.md#group-policy-settings-for-windows-hello-for-business). ### Configure security for GPO diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md index ac811a8a9d..2b0ec7021d 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md 
@@ -19,9 +19,9 @@ Hybrid environments are distributed systems that enable organizations to use on- This deployment guide describes how to deploy Windows Hello for Business in a hybrid key trust scenario. > [!IMPORTANT] -> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. For more information, see [cloud Kerberos trust deployment](hybrid-clud-kerberos-trust.md). +> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. For more information, see [cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md). -It is recommended that you review the [Windows Hello for Business planning guide](hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. +It is recommended that you review the [Windows Hello for Business planning guide](../hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. ## Prerequisites diff --git a/windows/security/identity-protection/hello-for-business/images/adfs-device-registration.png b/windows/security/identity-protection/hello-for-business/deploy/images/adfs-device-registration.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/adfs-device-registration.png rename to windows/security/identity-protection/hello-for-business/deploy/images/adfs-device-registration.png 
diff --git a/windows/security/identity-protection/hello-for-business/images/adfs-scp.png b/windows/security/identity-protection/hello-for-business/deploy/images/adfs-scp.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/adfs-scp.png rename to windows/security/identity-protection/hello-for-business/deploy/images/adfs-scp.png diff --git a/windows/security/identity-protection/hello-for-business/images/azuread-kerberos-object.png b/windows/security/identity-protection/hello-for-business/deploy/images/azuread-kerberos-object.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/azuread-kerberos-object.png rename to windows/security/identity-protection/hello-for-business/deploy/images/azuread-kerberos-object.png diff --git a/windows/security/identity-protection/hello-for-business/images/cloud-trust-prereq-check.png b/windows/security/identity-protection/hello-for-business/deploy/images/cloud-trust-prereq-check.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/cloud-trust-prereq-check.png rename to windows/security/identity-protection/hello-for-business/deploy/images/cloud-trust-prereq-check.png diff --git a/windows/security/identity-protection/hello-for-business/deploy/images/group-policy.svg b/windows/security/identity-protection/hello-for-business/deploy/images/group-policy.svg new file mode 100644 index 0000000000..ace95add6b --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/deploy/images/group-policy.svg @@ -0,0 +1,3 @@ + + + \ No newline at end of file 
diff --git a/windows/security/identity-protection/hello-for-business/images/haadj-whfb-pin-provisioning.gif b/windows/security/identity-protection/hello-for-business/deploy/images/haadj-whfb-pin-provisioning.gif similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/haadj-whfb-pin-provisioning.gif rename to windows/security/identity-protection/hello-for-business/deploy/images/haadj-whfb-pin-provisioning.gif diff --git a/windows/security/identity-protection/hello-for-business/images/hello-cloud-trust-intune-large.png b/windows/security/identity-protection/hello-for-business/deploy/images/hello-cloud-trust-intune-large.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/hello-cloud-trust-intune-large.png rename to windows/security/identity-protection/hello-for-business/deploy/images/hello-cloud-trust-intune-large.png diff --git a/windows/security/identity-protection/hello-for-business/images/hello-cloud-trust-intune.png b/windows/security/identity-protection/hello-for-business/deploy/images/hello-cloud-trust-intune.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/hello-cloud-trust-intune.png rename to windows/security/identity-protection/hello-for-business/deploy/images/hello-cloud-trust-intune.png diff --git a/windows/security/identity-protection/hello-for-business/images/hello-internal-web-server-cert.png b/windows/security/identity-protection/hello-for-business/deploy/images/hello-internal-web-server-cert.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/hello-internal-web-server-cert.png rename to windows/security/identity-protection/hello-for-business/deploy/images/hello-internal-web-server-cert.png 
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/information.svg b/windows/security/identity-protection/hello-for-business/deploy/images/information.svg similarity index 100% rename from windows/security/identity-protection/hello-for-business/deploy/includes/information.svg rename to windows/security/identity-protection/hello-for-business/deploy/images/information.svg diff --git a/windows/security/identity-protection/hello-for-business/deploy/images/intune.svg b/windows/security/identity-protection/hello-for-business/deploy/images/intune.svg new file mode 100644 index 0000000000..6e0d938aed --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/deploy/images/intune.svg @@ -0,0 +1,24 @@ + + + + + + + + + + + + + + + + Icon-intune-329 + + + + + + + + \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-intune-account-protection-cert-enable.png b/windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-cert-enable.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/whfb-intune-account-protection-cert-enable.png rename to windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-cert-enable.png diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-intune-account-protection-enable.png b/windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-enable.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/whfb-intune-account-protection-enable.png rename to windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-enable.png 
diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-intune-disable.png b/windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-disable.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/whfb-intune-disable.png rename to windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-disable.png diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust-entra.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust-entra.md index ce40bf460b..31073eae23 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust-entra.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust-entra.md @@ -5,6 +5,6 @@ ms.topic: include [!INCLUDE [intro](intro.md)] - **Deployment type:** [!INCLUDE [tooltip-deployment-hybrid](tooltip-deployment-hybrid.md)] -- **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-cert-trust.md)] +- **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-trust-cert.md)] - **Join type:** [!INCLUDE [tooltip-join-entra](tooltip-join-entra.md)] --- \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-and-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-and-cert-trust.md index 7b367e4025..2ad97beb62 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-and-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-and-cert-trust.md 
@@ -5,6 +5,6 @@ ms.topic: include [!INCLUDE [intro](intro.md)] - **Deployment type:** [!INCLUDE [tooltip-deployment-hybrid](tooltip-deployment-hybrid.md)] -- **Trust type:** [!INCLUDE [tooltip-trust-key](tooltip-trust-key.md)],[!INCLUDE [tooltip-cert-trust](../deploy/includes/tooltip-cert-trust.md)] +- **Trust type:** [!INCLUDE [tooltip-trust-key](tooltip-trust-key.md)],[!INCLUDE [tooltip-cert-trust](../deploy/includes/tooltip-trust-cert.md)] - **Join type:** [!INCLUDE [tooltip-join-entra](tooltip-join-entra.md)] --- \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust-entra.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust-entra.md index d7a1ab9c2f..e3c6bad7b3 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust-entra.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust-entra.md @@ -5,6 +5,6 @@ ms.topic: include [!INCLUDE [intro](intro.md)] - **Deployment type:** [!INCLUDE [tooltip-deployment-onpremises](tooltip-deployment-onpremises.md)] -- **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-cert-trust.md)] +- **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-trust-cert.md)] - **Join type:** [!INCLUDE [tooltip-join-domain](tooltip-join-domain.md)] --- \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md index dc0a2c315a..b944355d1a 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md 
@@ -3,4 +3,4 @@ ms.date: 12/15/2023 ms.topic: include --- -[cloud :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-deployment "For organizations using Microsoft Entra-only identities. Device management is usually done via Intune/MDM") +[cloud :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-deployment "For organizations using Microsoft Entra-only identities. Device management is usually done via Intune/MDM") diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md index 5df4ec742e..4247fc5667 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md @@ -3,4 +3,4 @@ ms.date: 12/15/2023 ms.topic: include --- -[hybrid :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Microsoft Entra ID. Device management is usually done via Group Policy or Intune/MDM") +[hybrid :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Microsoft Entra ID. Device management is usually done via Group Policy or Intune/MDM") diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md index 12dfec5f8a..620e12c556 100644 
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md @@ -3,4 +3,4 @@ ms.date: 12/15/2023 ms.topic: include --- -[on-premises :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Microsoft Entra ID. Device management is usually done via Group Policy") +[on-premises :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Microsoft Entra ID. Device management is usually done via Group Policy") diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md index bb7302821e..ef02364191 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md @@ -3,4 +3,4 @@ ms.date: 12/15/2023 ms.topic: include --- -[domain join :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md) +[domain join :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md) diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md index 8c5916ead4..bcb2249f0a 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md 
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md @@ -3,4 +3,4 @@ ms.date: 12/15/2023 ms.topic: include --- -[Microsoft Entra join :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#azure-active-directory-join "Devices that are Microsoft Entra joined do not have any dependencies on Active Directory. Only local users accounts and Microsoft Entra users can sign in to these devices") +[Microsoft Entra join :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#azure-active-directory-join "Devices that are Microsoft Entra joined do not have any dependencies on Active Directory. Only local users accounts and Microsoft Entra users can sign in to these devices") diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md index e825d14f2d..515f955fed 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md 
@@ -3,4 +3,4 @@ ms.date: 12/15/2023 ms.topic: include --- -[Microsoft Entra hybrid join :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are Microsoft Entra hybrid joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Microsoft Entra ID will have single-sign on to both Active Directory and Microsoft Entra protected resources") +[Microsoft Entra hybrid join :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are Microsoft Entra hybrid joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Microsoft Entra ID will have single-sign on to both Active Directory and Microsoft Entra protected resources") diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md index 191890e588..f4723af8a0 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md 
@@ -3,4 +3,4 @@ ms.date: 12/15/2023 ms.topic: include --- -[certificate trust :::image type="icon" source="../../../../images/icons/information.svg" border="false":::](../../hello-how-it-works-technology.md#certificate-trust "This trust type uses a certificate to authenticate the users to Active Directory. It's required to issue certificates to the users and to the domain controllers") \ No newline at end of file +[certificate trust :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#certificate-trust "This trust type uses a certificate to authenticate the users to Active Directory. It's required to issue certificates to the users and to the domain controllers") \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md index 4f19945d64..35ebb35bef 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md 
@@ -3,4 +3,4 @@ ms.date: 12/08/2022 ms.topic: include --- -[cloud Kerberos trust :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-kerberos-trust "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that do not need certificate authentication") \ No newline at end of file +[cloud Kerberos trust :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-kerberos-trust "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that do not need certificate authentication") \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md index 2f901dc761..da9675a1b8 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md 
@@ -3,4 +3,4 @@ ms.date: 12/08/2022 ms.topic: include --- -[key trust :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#key-trust "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers") \ No newline at end of file +[key trust :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#key-trust "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers") \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/deploy/index.md b/windows/security/identity-protection/hello-for-business/deploy/index.md index 4f8b485100..1ac0f82f03 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/index.md +++ b/windows/security/identity-protection/hello-for-business/deploy/index.md 
@@ -10,7 +10,7 @@ appliesto: Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair. -This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) guide to determine the right deployment model for your organization. +This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](../hello-planning-guide.md) guide to determine the right deployment model for your organization. Once you've chosen a deployment model, the deployment guide for that model will provide you with the information needed to successfully deploy Windows Hello for Business in your environment. Read the [Windows Hello for Business Deployment Prerequisite Overview](requirements.md) for a summary of the prerequisites for each different Windows Hello for Business deployment model. 
@@ -48,11 +48,11 @@ The trust model determines how you want users to authenticate to the on-premises Following are the various deployment guides and models included in this topic: -- [Microsoft Entra hybrid joined cloud Kerberos trust Deployment](hybrid-clud-kerberos-trust.md) +- [Microsoft Entra hybrid joined cloud Kerberos trust Deployment](hybrid-cloud-kerberos-trust.md) - [Microsoft Entra hybrid joined Key Trust Deployment](hybrid-key-trust.md) - [Microsoft Entra hybrid joined Certificate Trust Deployment](hybrid-cert-trust.md) - [Microsoft Entra join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md) -- [On Premises Key Trust Deployment](hybrid-clud-kerberos-trust.md) +- [On Premises Key Trust Deployment](hybrid-cloud-kerberos-trust.md) - [On Premises Certificate Trust Deployment](on-premises-cert-trust.md) For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you'll need Microsoft Entra Connect to synchronize user accounts in the on-premises Active Directory with Microsoft Entra ID. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials aren't synchronized to Microsoft Entra ID. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](on-premises-key-trust-mfa.md) and [for certificate trust](deploy/on-premises-cert-trust-mfa.md) deployments. diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md index 53fa558172..265478462d 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md 
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md @@ -52,7 +52,7 @@ Sign-in the federation server with *domain administrator* equivalent credentials 1. Select **Next** on the **Select Certificate Enrollment Policy** page 1. On the **Request Certificates** page, select the **Internal Web Server** check box 1. Select the **⚠️ More information is required to enroll for this certificate. Click here to configure settings** link - :::image type="content" source="../images/hello-internal-web-server-cert.png" lightbox="../images/hello-internal-web-server-cert.png" alt-text="Example of Certificate Properties Subject Tab - This is what shows when you select the above link."::: + :::image type="content" source="images/hello-internal-web-server-cert.png" lightbox="images/hello-internal-web-server-cert.png" alt-text="Example of Certificate Properties Subject Tab - This is what shows when you select the above link."::: 1. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the AD FS role and then select **Add** 1. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name that you will use for your federation services (*sts.corp.contoso.com*). The name you use here MUST match the name you use when configuring the AD FS server role. Select **Add** and **OK** when finished 1. Select **Enroll** 
@@ -161,11 +161,11 @@ Sign-in to the federation server with *Enterprise Administrator* equivalent cred 1. In the details pane, select **Configure device registration** 1. In the **Configure Device Registration** dialog, Select **OK** -:::image type="content" source="../images/adfs-device-registration.png" lightbox="../images/adfs-device-registration.png" alt-text="AD FS device registration: configuration of the service connection point."::: +:::image type="content" source="images/adfs-device-registration.png" lightbox="images/adfs-device-registration.png" alt-text="AD FS device registration: configuration of the service connection point."::: Triggering device registration from AD FS, creates the service connection point (SCP) in the Active Directory configuration partition. The SCP is used to store the device registration information that Windows clients will automatically discover. -:::image type="content" source="../images/adfs-scp.png" lightbox="../images/adfs-scp.png" alt-text="AD FS device registration: service connection point object created by AD FS."::: +:::image type="content" source="images/adfs-scp.png" lightbox="images/adfs-scp.png" alt-text="AD FS device registration: service connection point object created by AD FS."::: ## Review to validate the AD FS and Active Directory configuration diff --git a/windows/security/identity-protection/hello-for-business/deploy/toc.yml b/windows/security/identity-protection/hello-for-business/deploy/toc.yml index dfeb68e1f8..87ab1eb026 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/toc.yml +++ b/windows/security/identity-protection/hello-for-business/deploy/toc.yml 
@@ -10,10 +10,10 @@ items: - name: Cloud Kerberos trust deployment items: - name: Overview - href: hybrid-clud-kerberos-trust.md + href: hybrid-cloud-kerberos-trust.md displayName: cloud Kerberos trust - name: Configure and provision Windows Hello for Business - href: hybrid-clud-kerberos-trust-enroll.md + href: hybrid-cloud-kerberos-trust-enroll.md displayName: cloud Kerberos trust - name: Key trust deployment items: @@ -54,7 +54,7 @@ items: - name: Key trust deployment items: - name: Overview - href: hybrid-clud-kerberos-trust.md + href: hybrid-cloud-kerberos-trust.md - name: Configure and validate the PKI href: on-premises-key-trust-pki.md - name: Prepare and deploy Active Directory Federation Services (AD FS) diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index 9067db991e..0a441f9e0c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -80,7 +80,7 @@ To use Iris authentication, you'll need a [HoloLens 2 device](/hololens/). All H ## Related topics -- [Windows Hello for Business](hello-identity-verification.md) +- [Windows Hello for Business](requirements.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index b848b6347e..481b9e8a63 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -106,7 +106,7 @@ In Windows 10 and Windows 11, cloud experience host is an application used while ### Related to cloud experience host -- [Windows Hello for Business](hello-identity-verification.md) +- [Windows Hello for Business](requirements.md) - [Managed Windows Hello in organization](hello-manage-in-organization.md) ### More information on cloud experience host @@ -131,7 +131,7 @@ Giving the simplicity offered by this model, cloud Kerberos trust is the recomme ### More information about cloud Kerberos trust -[Cloud Kerberos trust deployment](hybrid-clud-kerberos-trust.md) +[Cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md) ## Deployment type diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md index ee893787c7..629c651006 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md @@ -44,7 +44,7 @@ For more information read [how authentication works](hello-how-it-works-authenti ## Related topics - [Technology and Terminology](hello-how-it-works-technology.md) -- [Windows Hello for Business](hello-identity-verification.md) +- [Windows Hello for Business](requirements.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md index b9a871f8a9..4a2846f9e6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md @@ -6,7 +6,7 @@ ms.topic: how-to --- # Configure single sign-on for Microsoft Entra joined devices -[!INCLUDE [hello-hybrid-key-trust](includes/hello-hybrid-keycert-trust-aad.md)] +[!INCLUDE [apply-to-hybrid-key-and-cert-trust](deploy/includes/apply-to-hybrid-key-and-cert-trust.md)] Windows Hello for Business combined with Microsoft Entra joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Microsoft Entra joined devices may need to access these resources. With additional configurations to the hybrid deployment, you can provide single sign-on to on-premises resources for Microsoft Entra joined devices using Windows Hello for Business, using a key or a certificate. 
@@ -203,7 +203,7 @@ With the CA properly configured with a valid HTTP-based CRL distribution point, 1. Repeat this procedure on all your domain controllers > [!NOTE] -> You can configure domain controllers to automatically enroll and renew their certificates. Automatic certificate enrollment helps prevent authentication outages due to expired certificates. Refer to the [Windows Hello Deployment Guides](hello-deployment-guide.md) to learn how to deploy automatic certificate enrollment for domain controllers. +> You can configure domain controllers to automatically enroll and renew their certificates. Automatic certificate enrollment helps prevent authentication outages due to expired certificates. Refer to the [Windows Hello Deployment Guides](index.md) to learn how to deploy automatic certificate enrollment for domain controllers. > [!IMPORTANT] > If you are not using automatic certificate enrollment, create a calendar reminder to alert you two months before the certificate expiration date. Send the reminder to multiple people in the organization to ensure more than one or two people know when these certificates expire. diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 6dfedc9c3e..db7b0b3eff 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
@@ -82,7 +82,7 @@ It's fundamentally important to understand which deployment model to use for a s A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust. > [!NOTE] -> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](hybrid-clud-kerberos-trust.md). +> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](hybrid-cloud-kerberos-trust.md). The key trust type doesn't require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. 
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md index 87cd5f6ea5..094d134856 100644 --- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md +++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md @@ -44,7 +44,7 @@ If your policy allows it, people can use biometrics (fingerprint, iris, and faci ## Related topics -- [Windows Hello for Business](hello-identity-verification.md) +- [Windows Hello for Business](requirements.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index a66a69f90c..fd387134b6 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -155,7 +155,7 @@ A successful transition relies on user acceptance testing. It's impossible for y #### Deploy Windows Hello for Business to test users -Next, you'll want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the journey to becoming password-less. Use the [Windows Hello for Business planning guide](hello-planning-guide.md) to help learning which deployment is best suited for your environment. Next, use the [Windows Hello for Business deployment guides](hello-deployment-guide.md) to deploy Windows Hello for Business. +Next, you'll want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the journey to becoming password-less. Use the [Windows Hello for Business planning guide](hello-planning-guide.md) to help learning which deployment is best suited for your environment. Next, use the [Windows Hello for Business deployment guides](index.md) to deploy Windows Hello for Business. With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is that you'll only need to deploy the infrastructure once. When other targeted work personas need to start using Windows Hello for Business, add them to a group. You'll use the first work persona to validate your Windows Hello for Business deployment.
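Review bot: the new icon path `source="..images/information.svg"` in the tooltip includes under `deploy/includes/` (tooltip-deployment-cloud.md, tooltip-deployment-hybrid.md, tooltip-deployment-onpremises.md, tooltip-join-domain.md, tooltip-join-entra.md, tooltip-join-hybrid.md, tooltip-trust-cert.md, tooltip-trust-cloud-kerberos.md, tooltip-trust-key.md) is missing the slash after `..`, so it names a folder literally called `..images` inside `includes/` instead of stepping up a level. The intended target appears to be the sibling `images/` folder that on-premises-cert-trust-adfs.md now references as `images/...` from `deploy/`. Suggest `source="../images/information.svg"` in all nine files.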
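Review bot: in `deploy/includes/apply-to-hybrid-key-and-cert-trust.md` the certificate trust include keeps the `../deploy/includes/` prefix (`../deploy/includes/tooltip-trust-cert.md`), which, resolved from inside `deploy/includes/`, lands in `deploy/deploy/includes/`. The key trust include on the same line and the other two apply-to files in this patch use the bare file name, so suggest `[!INCLUDE [tooltip-cert-trust](tooltip-trust-cert.md)]` here as well. The label `tooltip-cert-trust` also no longer matches the file name `tooltip-trust-cert.md` in any of the three apply-to files; renaming it would keep the two in step.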
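Review bot: in the `@@ -48,11 +48,11 @@` hunk of `deploy/index.md`, the spelling fix leaves `[On Premises Key Trust Deployment](hybrid-cloud-kerberos-trust.md)` pointing at the hybrid cloud Kerberos trust page, so the on-premises key trust entry and the first list item share one target. Point it at the on-premises key trust overview instead. Two links in the same hunk's unchanged lines also look unresolved: `hello-hybrid-aadj-sso.md` lacks the `../` that the `@@ -10,7 +10,7 @@` hunk added for `hello-planning-guide.md`, although both files sit one level up, and `deploy/on-premises-cert-trust-mfa.md` carries a `deploy/` prefix in a file that already lives in `deploy/`.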
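Review bot: in the `@@ -54,7 +54,7 @@` hunk of `deploy/toc.yml`, the Overview entry of this key trust section gets `href: hybrid-cloud-kerberos-trust.md` while the next entry is `on-premises-key-trust-pki.md`, so the overview of what looks like the on-premises key trust section opens the cloud Kerberos trust page. The rename corrects the spelling but carries the wrong target forward; this entry should reference the key trust overview file that belongs with the `on-premises-key-trust-*` pages.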
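Review bot: the "Windows Hello for Business" entries in hello-biometrics-in-enterprise.md, hello-how-it-works-technology.md (`@@ -106,7 +106,7 @@`), hello-how-it-works.md and hello-prepare-people-to-use.md keep their link text but now target `requirements.md`, so the label no longer describes the destination. These four files sit in `hello-for-business/`, and the only other reference to `requirements.md` in this patch comes from `deploy/index.md`; if the page lives under `deploy/`, the link also needs a `deploy/` prefix. Either link to the product overview page or retitle the entry to match the requirements page, and confirm the path resolves.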
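Review bot: several corrected links are written as same-folder references from files in `hello-for-business/` while their targets are referenced elsewhere in this patch from inside `deploy/`: `hybrid-cloud-kerberos-trust.md` in hello-how-it-works-technology.md (`@@ -131,7 +131,7 @@`) and hello-planning-guide.md, and `index.md` in hello-hybrid-aadj-sso.md (`@@ -203,7 +203,7 @@`) and passwordless-strategy.md. The include added in hello-hybrid-aadj-sso.md already uses `deploy/includes/...`, so these look like they need the same prefix: `deploy/hybrid-cloud-kerberos-trust.md` and `deploy/index.md`. A link-validation build over the moved files would catch any remaining cases before merge.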