updates

windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md

@@ -221,7 +221,7 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
 
 ## Deploy the root CA certificate to Azure AD-joined devices
 
-The domain controllers have a certificate that includes the new CRL distribution point. Next, you need the enterprise root certificate so you can deploy it to Azure AD-joined devices. When you deploy the enterprise root certificates to a device, it ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Azure AD-joined devices don't trust domain controller certificates and authentication fails. Expand each step to learn more:
+The domain controllers have a certificate that includes the new CRL distribution point. Next, you need the enterprise root certificate so you can deploy it to Azure AD-joined devices. When you deploy the enterprise root certificates to a device, it ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Azure AD-joined devices don't trust domain controller certificates and authentication fails.
 
 ### Export the enterprise root certificate
 

windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md

@@ -43,8 +43,6 @@ Sign in using *Enterprise Administrator* equivalent credentials on a Windows Ser
 
 ## Configure the enterprise PKI
 
-The configuration of the enterprise PKI to support Windows Hello for Business consists of the following steps (expand each step to learn more):
-
 [!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
 
 > [!NOTE]