diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md index 3b2425c95d..19da0b2cbe 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md 
@@ -13,59 +13,24 @@ ms.topic: tutorial Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. -## Deploy an enterprise certification authority +[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)] -This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on an enterprise PKI running the Windows Server *Active Directory Certificate Services* role. - -### Lab-based PKI - -The following instructions may be used to deploy simple public key infrastructure that is suitable **for a lab environment**. - -Sign in using *Enterprise Administrator* equivalent credentials on a Windows Server where you want the certification authority (CA) installed. - ->[!NOTE] ->Never install a certification authority on a domain controller in a production environment. - -1. Open an elevated Windows PowerShell prompt -1. Use the following command to install the Active Directory Certificate Services role. - ```PowerShell - Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools - ``` -3. Use the following command to configure the CA using a basic certification authority configuration - ```PowerShell - Install-AdcsCertificationAuthority - ``` - -## Configure a PKI - -If you have an existing PKI, review [Certification Authority Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)) to properly design your infrastructure. 
Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11)) for instructions on how to configure your PKI using the information from your design session. +## Configure the enterprise PKI Expand the following sections to configure the PKI for Windows Hello for Business.
-
-Configure domain controller certificates [!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)] -
-
-
-Supersede existing domain controller certificates [!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)] -
-
-
-Configure an internal web server certificate template [!INCLUDE [web-server-certificate-template](includes/web-server-certificate-template.md)] -
-
Configure a certificate registration authority template @@ -108,68 +73,10 @@ Sign in to a CA or management workstations with *Domain Administrator* equivalen

-
-Configure a Windows Hello for Business authentication certificate template -During Windows Hello for Business provisioning, Windows clients request an authentication certificate from AD FS, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. - -Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. - -1. Open the **Certification Authority** management console -1. Right-click **Certificate Templates** and select **Manage** -1. Right-click the **Smartcard Logon** template and choose **Duplicate Template** -1. On the **Compatibility** tab: - - Clear the **Show resulting changes** check box - - Select **Windows Server 2016** from the **Certification Authority** list - - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list -1. On the **General** tab: - - Type *WHFB Authentication* in **Template display name** - - Adjust the validity and renewal period to meet your enterprise's needs - > [!NOTE] - > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. -1. On the **Cryptography** tab - - Select **Key Storage Provider** from the **Provider Category** list - - Select **RSA** from the **Algorithm name** list - - Type *2048* in the **Minimum key size** text box - - Select **SHA256** from the **Request hash** list -1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon** -1. On the **Issuance Requirements** tab, - - Select the **This number of authorized signatures** check box. Type *1* in the text box - - Select **Application policy** from the **Policy type required in signature** - - Select **Certificate Request Agent** from in the **Application policy** list - - Select the **Valid existing certificate** option -1. 
On the **Subject** tab, - - Select the **Build from this Active Directory information** button - - Select **Fully distinguished name** from the **Subject name format** list - - Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name** -1. On the **Request Handling** tab, select the **Renew with same key** check box -1. On the **Security** tab, select **Add**. Type *Window Hello for Business Users* in the **Enter the object names to select** text box and select **OK** -1. Select the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section: - - Select the **Allow** check box for the **Enroll** permission - - Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared - - Select **OK** -1. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template -1. 
Select on the **Apply** to save changes and close the console - -#### Mark the template as the Windows Hello Sign-in template - -Sign in to a CA or management workstations with *Enterprise Administrator* equivalent credentials - -Open an elevated command prompt end execute the following command - -```cmd -certutil.exe -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY -``` - ->[!NOTE] ->If you gave your Windows Hello for Business Authentication certificate template a different name, then replace *WHFBAuthentication* in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on your certification authority. - - -
+[!INCLUDE [dc-certificate-template](includes/auth-certificate-template.md)]
-
-Unpublish Superseded Certificate Templates [!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md index 30e97f6c96..a08ffcd7d9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md @@ -7,7 +7,7 @@ appliesto: - ✅ Windows Server 2016 and later ms.topic: tutorial --- -# Configure and validate the Public Key Infrastructure - hybrids certificate trust +# Configure and validate the Public Key Infrastructure - hybrid certificate trust [!INCLUDE [hello-hybrid-key-trust](./includes/hello-on-premises-cert-trust.md)] 
@@ -15,34 +15,11 @@ Windows Hello for Business must have a Public Key Infrastructure (PKI) when usin Hybrid certificate trust deployments issue users with a sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to the domain controllers. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates. -## Deploy an enterprise certification authority - -This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on an enterprise PKI running the Windows Server *Active Directory Certificate Services* role.\ -If you don't have an existing PKI, review [Certification Authority Guidance][PREV-1] to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy][PREV-2] for instructions on how to configure your PKI using the information from your design session. - -### Lab-based PKI - -The following instructions may be used to deploy simple public key infrastructure that is suitable **for a lab environment**. - -Sign in using *Enterprise Administrator* equivalent credentials on a Windows Server where you want the certification authority (CA) installed. - ->[!NOTE] ->Never install a certification authority on a domain controller in a production environment. - -1. Open an elevated Windows PowerShell prompt -1. Use the following command to install the Active Directory Certificate Services role. - ```PowerShell - Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools - ``` -3. 
Use the following command to configure the CA using a basic certification authority configuration - ```PowerShell - Install-AdcsCertificationAuthority - ``` - ``` +[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)] ## Configure the enterprise PKI -The configuration of the enterprise PKI to support Windows Hello for Business consists of the following steps (expand each step to learn more): +Expand the following sections to configure the PKI for Windows Hello for Business.
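Review bot: the `+[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]` line in this hunk (hello-hybrid-cert-trust-validate-pki.md, @@ -15,34 +15,11 @@) relies on the include defining its own `[PREV-1]`/`[PREV-2]` reference links, while this page drops its copies of those definitions in the @@ -109,6 +86,4 @@ hunk; confirm that reference-style links defined inside an include resolve after inclusion, otherwise the two guidance links render as literal brackets. Worth recording in the commit message that the removed block also contained a stray fourth fence (the lone ``` after the `Install-AdcsCertificationAuthority` block), so this move fixes a rendering bug as well as deduplicating text.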
@@ -67,7 +44,7 @@ The configuration of the enterprise PKI to support Windows Hello for Business co
-Publish the certificate template to the CA +Publish the certificate templates to the CA A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them. @@ -77,7 +54,7 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen 1. Expand the parent node from the navigation pane 1. Select **Certificate Templates** in the navigation pane 1. Right-click the **Certificate Templates** node. Select **New > Certificate Template to issue** -1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)* template you created in the previous steps > select **OK** +1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, *WHFB Enrollment Agent* and *WHFB Authentication* templates you created in the previous steps > select **OK** 1. Close the console
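Review bot: the dialog name in the changed step of hunk @@ -77,7 +54,7 @@ is off: the console shows the **Enable Certificate Templates** window (singular), not "Enable Certificates Templates". Since the step now names three templates, say how to pick them all, as the text being deleted from hello-hybrid-cert-whfb-settings-pki.md did ("Ctrl-select the ... templates"); a reader who clicks each one in turn publishes only the last.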
@@ -109,6 +86,4 @@ Before moving to the next section, ensure the following steps are complete: > [Next: configure and provision Windows Hello for Business >](hello-hybrid-cert-trust-provision.md) -[SERV-1]: /troubleshoot/windows-server/windows-security/requirements-domain-controller -[PREV-1]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11) -[PREV-2]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11) \ No newline at end of file +[SERV-1]: /troubleshoot/windows-server/windows-security/requirements-domain-controller \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 2e03da09bd..60baaa4b0e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md 
@@ -62,118 +62,6 @@ Sign-in to a certificate authority or management workstation with *Domain Admin* 10. Close the console. -### Creating Windows Hello for Business authentication certificate template - -During Windows Hello for Business provisioning, a Windows client requests an authentication certificate from the Active Directory Federation Service, which requests an authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You set the name of the certificate template when configuring it. - -Sign-in to a certificate authority or management workstation with _Domain Admin equivalent_ credentials. - -1. Open the **Certification Authority** management console. - -2. Right-click **Certificate Templates** and click **Manage**. - -3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. - -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certificate Recipient** list. - -5. On the **General** tab, type **WHFB Authentication** or your choice of template name in **Template display name**. Note the short template name for later use with CertUtil. Adjust the validity and renewal period to meet your enterprise's needs. - - > [!NOTE] - > If you use different template names, you'll need to remember and substitute these names in the relevant portions of the deployment. - -6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. - -7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. - -8. 
On the **Issuance Requirements** tab, select the **This number of authorized signatures** check box. Type **1** in the text box. - - Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. - -9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. - -10. On the **Request Handling** tab, select the **Renew with same key** check box. - -11. On the **Security** tab, click **Add**. Type **Windows Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. - -12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Read**, **Enroll**, and **AutoEnroll** permissions. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. - -13. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template. - -14. Click on the **Apply** to save changes and close the console. 
- -#### Mark the template as the Windows Hello Sign-in template - -Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials. - -1. Open an elevated command prompt. - -2. Run `certutil -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` - -If the template was changed successfully, the output of the command will contain old and new values of the template parameters. The new value must contain the **CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY** parameter. Example: - -```console -CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication - -Old Value: -msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888) -CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128) -CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0 -TEMPLATE_SERVER_VER_WINBLUE< [!NOTE] -> If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. - -## Publish Templates - -### Publish Certificate Templates to a Certificate Authority - -The certificate authority only issues certificates for certificate templates which are published by that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. 
- -#### Publish Certificate Templates to the Certificate Authority - -Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. - -1. Open the **Certification Authority** management console. - -2. Expand the parent node from the navigation pane. - -3. Click **Certificate Templates** in the navigation pane. - -4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template to issue**. - -5. In the **Enable Certificates Templates** window, Ctrl-select the **Domain Controller Authentication (Kerberos)**, **WHFB Enrollment Agent** and **WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. - -6. Close the console. - -#### Unpublish Superseded Certificate Templates - -The certificate authority only issues certificates based on published certificate templates. For defense-in-depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes any pre-published certificate templates from the role installation and any superseded certificate templates. - -The newly-created Kerberos authentication-based Domain Controller certificate template supersedes any previous domain controller certificate templates. Therefore, you should unpublish these certificate templates from all issuing certificate authorities. - -Sign-in to each certificate authority, or a management workstation with _Enterprise Admin_ equivalent credentials. - -1. Open the **Certification Authority** management console. - -2. Expand the parent node from the navigation pane. - -3. Click **Certificate Templates** in the navigation pane. - -4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window. - -5. 
Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates. - ### Section Review > [!div class="checklist"] diff --git a/windows/security/identity-protection/hello-for-business/includes/auth-certificate-template.md b/windows/security/identity-protection/hello-for-business/includes/auth-certificate-template.md new file mode 100644 index 0000000000..f7abfdf765 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/auth-certificate-template.md @@ -0,0 +1,84 @@ +--- +ms.date: 12/28/2022 +ms.topic: include +--- + +
+Configure a Windows Hello for Business authentication certificate template + +During Windows Hello for Business provisioning, Windows clients request an authentication certificate from AD FS, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. + +Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. + +1. Open the **Certification Authority** management console +1. Right-click **Certificate Templates** and select **Manage** +1. Right-click the **Smartcard Logon** template and choose **Duplicate Template** +1. On the **Compatibility** tab: + - Clear the **Show resulting changes** check box + - Select **Windows Server 2016** from the **Certification Authority** list + - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list +1. On the **General** tab: + - Type *WHFB Authentication* in **Template display name** + - Adjust the validity and renewal period to meet your enterprise's needs + > [!NOTE] + > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. +1. On the **Cryptography** tab + - Select **Key Storage Provider** from the **Provider Category** list + - Select **RSA** from the **Algorithm name** list + - Type *2048* in the **Minimum key size** text box + - Select **SHA256** from the **Request hash** list +1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon** +1. On the **Issuance Requirements** tab, + - Select the **This number of authorized signatures** check box. Type *1* in the text box + - Select **Application policy** from the **Policy type required in signature** + - Select **Certificate Request Agent** from in the **Application policy** list + - Select the **Valid existing certificate** option +1. 
On the **Subject** tab, + - Select the **Build from this Active Directory information** button + - Select **Fully distinguished name** from the **Subject name format** list + - Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name** +1. On the **Request Handling** tab, select the **Renew with same key** check box +1. On the **Security** tab, select **Add**. Type *Window Hello for Business Users* in the **Enter the object names to select** text box and select **OK** +1. Select the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section: + - Select the **Allow** check box for the **Enroll** permission + - Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared + - Select **OK** +1. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template +1. Select on the **Apply** to save changes and close the console + +#### Mark the template as the Windows Hello Sign-in template + +Sign in to a CA or management workstations with *Enterprise Administrator* equivalent credentials + +Open an elevated command prompt end execute the following command + +```cmd +certutil.exe -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY +``` + +If the template was changed successfully, the output of the command will contain old and new values of the template parameters. 
The new value must contain the **CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY** parameter. Example: + +```console +CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication + +Old Value: +msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888) +CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128) +CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0 +TEMPLATE_SERVER_VER_WINBLUE<[!NOTE] +>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace *WHFBAuthentication* in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on your certification authority. + +
\ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/includes/lab-based-pki-deploy.md b/windows/security/identity-protection/hello-for-business/includes/lab-based-pki-deploy.md new file mode 100644 index 0000000000..5cc0341b05 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/lab-based-pki-deploy.md 
@@ -0,0 +1,32 @@ +--- +ms.date: 01/03/2023 +ms.topic: include +--- + +## Deploy an enterprise certification authority + +This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on an enterprise PKI running the Windows Server *Active Directory Certificate Services* role.\ +If you don't have an existing PKI, review [Certification Authority Guidance][PREV-1] to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy][PREV-2] for instructions on how to configure your PKI using the information from your design session. + +### Lab-based PKI + +The following instructions may be used to deploy simple public key infrastructure that is suitable **for a lab environment**. + +Sign in using *Enterprise Administrator* equivalent credentials on a Windows Server where you want the certification authority (CA) installed. + +>[!NOTE] +>Never install a certification authority on a domain controller in a production environment. + +1. Open an elevated Windows PowerShell prompt +1. Use the following command to install the Active Directory Certificate Services role. + ```PowerShell + Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools + ``` +3. Use the following command to configure the CA using a basic certification authority configuration + ```PowerShell + Install-AdcsCertificationAuthority + ``` + + +[PREV-1]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11) +[PREV-2]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11) \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/includes/web-server-certificate-template.md b/windows/security/identity-protection/hello-for-business/includes/web-server-certificate-template.md index 130dc7519a..0d73bcf24a 100644 
--- a/windows/security/identity-protection/hello-for-business/includes/web-server-certificate-template.md +++ b/windows/security/identity-protection/hello-for-business/includes/web-server-certificate-template.md @@ -3,6 +3,9 @@ ms.date: 12/28/2022 ms.topic: include --- +
+Configure an internal web server certificate template + Windows clients use the https protocol when communicating with Active Directory Federation Services (AD FS). To meet this need, you must issue a server authentication certificate to all the nodes in the AD FS farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running AD FS can request the certificate. Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. @@ -32,4 +35,6 @@ Sign in to a CA or management workstations with *Domain Administrator* equivalen - Type *2048* in the **Minimum key size** text box - Select **SHA256** from the **Request hash** list - Select **OK** -1. Close the console \ No newline at end of file +1. Close the console + +
\ No newline at end of file
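Review bot: hello-cert-trust-validate-pki.md, hunk @@ -13,59 +13,24 @@: the hunk deletes the heading lines `-Configure domain controller certificates`, `-Supersede existing domain controller certificates` and `-Configure an internal web server certificate template` that wrapped the three includes, but only includes/web-server-certificate-template.md receives a replacement wrapper in this patch; includes/dc-certificate-template.md and includes/dc-certificate-supersede.md are not touched, so unless they already carry their own heading those two sections render without a title or expander. Also note for the commit message that the removed "## Configure a PKI" paragraph said "If you have an existing PKI, review ..." while the include says "If you don't have an existing PKI", so the move silently corrects the condition.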
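Review bot: hello-cert-trust-validate-pki.md, hunk @@ -108,68 +73,10 @@: the added line `+[!INCLUDE [dc-certificate-template](includes/auth-certificate-template.md)]` carries the wrong include label; it should read `[!INCLUDE [auth-certificate-template](includes/auth-certificate-template.md)]` so the label matches the file, as `[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]` does in the same file.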
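Review bot: hello-hybrid-cert-whfb-settings-pki.md, hunk @@ -62,118 +62,6 @@: 118 lines are removed and no `+` line replaces them, so this page loses the authentication certificate template procedure, the `certutil -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` step, and the publish/unpublish-templates guidance without pointing readers anywhere. Unless the page is being retired or redirected, add the `[!INCLUDE [auth-certificate-template](includes/auth-certificate-template.md)]` and `[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]` lines the other pages use, and check that the "### Section Review" checklist that still follows does not list the steps just removed.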
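Review bot: includes/auth-certificate-template.md (new file, @@ -0,0 +1,84 @@): the text is moved verbatim and brings its typos with it; fix them now that they live in one place: "Type *Window Hello for Business Users*" should be "Windows Hello for Business Users"; "Select **Certificate Request Agent** from in the **Application policy** list" should drop "in"; "Configuration Manger" should be "Configuration Manager"; "Select on the **Apply**" should be "Select **Apply**"; "Open an elevated command prompt end execute" should be "and execute"; and "On the **Cryptography** tab" needs the colon its sibling items have. One substantive difference to confirm: the **Security** tab step here grants Windows Hello for Business Users only **Enroll**, whereas the text deleted from hello-hybrid-cert-whfb-settings-pki.md in this same patch granted **Read**, **Enroll**, and **AutoEnroll**; state the intended permission set explicitly so the two deployments do not diverge by accident.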
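Review bot: includes/lab-based-pki-deploy.md (new file, @@ -0,0 +1,32 @@): the numbered list mixes `1.`, `1.`, `3.`; use `1.` throughout as the other lists in these pages do. `Add-WindowsFeature` is the legacy alias of `Install-WindowsFeature`; prefer the current name in newly created text. `Install-AdcsCertificationAuthority` with no parameters leaves the CA type to the cmdlet's defaults; since the surrounding paragraph requires an enterprise PKI, pass `-CAType EnterpriseRootCA` so a lab built from this snippet yields an enterprise CA that registers in Active Directory rather than a standalone one. Minor: "deploy simple public key infrastructure" should be "deploy a simple public key infrastructure".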
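Review bot: includes/web-server-certificate-template.md, hunk @@ -32,4 +35,6 @@: the new version still ends with "\ No newline at end of file" after the closing wrapper; add a trailing newline so the next change to this file does not show the `1. Close the console` line as modified again. The @@ -3,6 +3,9 @@ hunk moving the "Configure an internal web server certificate template" heading into the include is the right direction; apply the same treatment to includes/dc-certificate-template.md and includes/dc-certificate-supersede.md, whose headings the hello-cert-trust-validate-pki.md hunk removes without a counterpart here.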