Update Windows Hello for Business deployment documentation

Paolo Matarazzo
2023-12-27 12:05:30 -05:00
parent d8c909fe8a
commit 099fddf482
4 changed files with 69 additions and 38 deletions

View File

@ -8,6 +8,8 @@ ms.topic: how-to
[!INCLUDE [apply-to-cloud](includes/apply-to-cloud.md)] [!INCLUDE [apply-to-cloud](includes/apply-to-cloud.md)]
[!INCLUDE [requirements](includes/requirements.md)]
## Introduction ## Introduction
When you Microsoft Entra join a device, the system attempts to automatically enroll you in Windows Hello for Business, by default. If you want to use Windows Hello for Business in a cloud-only environment, there's no additional configuration needed. When you Microsoft Entra join a device, the system attempts to automatically enroll you in Windows Hello for Business, by default. If you want to use Windows Hello for Business in a cloud-only environment, there's no additional configuration needed.
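Review bot: confirm that `includes/requirements.md` exists next to `includes/apply-to-cloud.md` before merging; the include path is relative to this file, nothing in the visible diff creates that file, and the same commit removes the inline Prerequisites checklist further down this page, so a broken include would leave the cloud-only guide with no requirements section at all.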
@ -17,29 +19,4 @@ If you want to disable the automatic Windows Hello for Business enrollment promp
> [!NOTE] > [!NOTE]
> During the out-of-box experience (OOBE) flow of a Microsoft Entra join, you are guided to enroll in Windows Hello for Business when you don't have Intune. You can cancel the PIN screen and configure this cancellation with registry keys to prevent future prompts. > During the out-of-box experience (OOBE) flow of a Microsoft Entra join, you are guided to enroll in Windows Hello for Business when you don't have Intune. You can cancel the PIN screen and configure this cancellation with registry keys to prevent future prompts.
## Prerequisites
> [!div class="checklist"]
> The following prerequisites must be met for a cloud-only deployment:
>
> - Authentication to Microsoft Entra ID
> - Microsoft Entra multifactor authentication
> - Microsoft Entra ID P1 or P2 subscription - optional, needed for automatic MDM enrollment when the device joins Microsoft Entra ID
Cloud-only deployments use Microsoft Entra multifactor authentication (MFA) during Windows Hello for Business enrollment, and there's no additional MFA configuration needed. If you aren't already registered in MFA, you'll be guided through the MFA registration as part of the Windows Hello for Business enrollment process. Cloud-only deployments use Microsoft Entra multifactor authentication (MFA) during Windows Hello for Business enrollment, and there's no additional MFA configuration needed. If you aren't already registered in MFA, you'll be guided through the MFA registration as part of the Windows Hello for Business enrollment process.
It's possible for federated domains to configure the *FederatedIdpMfaBehavior* flag. The flag instructs Microsoft Entra ID to accept, enforce, or reject the MFA challenge from the federated IdP. For more information, see [federatedIdpMfaBehavior values](/graph/api/resources/internaldomainfederation#federatedidpmfabehavior-values). To check this setting, use the following PowerShell command:
```powershell
Connect-MgGraph
$DomainId = "<your federated domain name>"
Get-MgDomainFederationConfiguration -DomainId $DomainId |fl
```
To reject the MFA claim from the federated IdP, use the following command. This change impacts all MFA scenarios for the federated domain.
```powershell
Update-MgDomainFederationConfiguration -DomainId $DomainId -FederatedIdpMfaBehavior rejectMfaByFederatedIdp
```
If you configure the flag with a value of either `acceptIfMfaDoneByFederatedIdp` (default) or `enforceMfaByFederatedIdp`, you must verify that your federated IDP is correctly configured and working with the MFA adapter and provider used by your IdP.
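Review bot: one removed checklist item is specific to this page and does not reappear in any visible addition: `Microsoft Entra ID P1 or P2 subscription - optional, needed for automatic MDM enrollment when the device joins Microsoft Entra ID`. The `FederatedIdpMfaBehavior` paragraph and its two PowerShell blocks are moved to the planning guide in this commit, but the P1/P2 note is not; verify it is covered by `includes/requirements.md`, otherwise restore it here so the cloud-only prerequisites are not silently weakened.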

View File

@ -21,7 +21,7 @@ Once the prerequisites are met, deploying Windows Hello for Business consists of
> - Configure Windows Hello for Business settings > - Configure Windows Hello for Business settings
> - Provision Windows Hello for Business on Windows clients > - Provision Windows Hello for Business on Windows clients
### Deploy Microsoft Entra Kerberos ## Deploy Microsoft Entra Kerberos
If you've already deployed on-premises SSO for passwordless security key sign-in, then you've already deployed Microsoft Entra Kerberos in your hybrid environment. You don't need to redeploy or change your existing Microsoft Entra Kerberos deployment to support Windows Hello for Business and you can skip this section. If you've already deployed on-premises SSO for passwordless security key sign-in, then you've already deployed Microsoft Entra Kerberos in your hybrid environment. You don't need to redeploy or change your existing Microsoft Entra Kerberos deployment to support Windows Hello for Business and you can skip this section.
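Review bot: promoting `### Deploy Microsoft Entra Kerberos` to `##` changes the outline, so any `####` subsections under it must move to `###` in the same commit or the hierarchy skips a level; only the top-level headings are visible in these hunks, so check the intermediate headings (the Intune and GPO configuration subsections referenced in the next hunk) as well. Existing deep links should keep working because the anchor slug is derived from the heading text, not its level.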
@ -48,7 +48,7 @@ For more information about how Microsoft Entra Kerberos works with Windows Hello
When implementing the cloud Kerberos trust deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1]. When implementing the cloud Kerberos trust deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1].
### Configure Windows Hello for Business policy ## Configure Windows Hello for Business policy
After setting up the Microsoft Entra Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). After setting up the Microsoft Entra Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
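Review bot: the context line under the promoted heading reads "Windows Hello for business cloud Kerberos trust" with a lowercase "business"; since this hunk already touches the section, fix the product name here to "Windows Hello for Business cloud Kerberos trust".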
@ -224,7 +224,7 @@ If you deployed Windows Hello for Business using the certificate trust model, an
For a list of frequently asked questions about Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business Frequently Asked Questions](../hello-faq.yml#cloud-kerberos-trust). For a list of frequently asked questions about Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business Frequently Asked Questions](../hello-faq.yml#cloud-kerberos-trust).
### Unsupported scenarios ## Unsupported scenarios
The following scenarios aren't supported using Windows Hello for Business cloud Kerberos trust: The following scenarios aren't supported using Windows Hello for Business cloud Kerberos trust:

View File

@ -14,8 +14,11 @@ ms.topic: tutorial
[!INCLUDE [requirements](includes/requirements.md)] [!INCLUDE [requirements](includes/requirements.md)]
### Directories and directory synchronization :::row:::
:::column span="1":::
Directories and directory synchronization
:::column-end:::
:::column span="3":::
Hybrid Windows Hello for Business needs two directories: Hybrid Windows Hello for Business needs two directories:
- An on-premises Active Directory - An on-premises Active Directory
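Review bot: replacing the `### Directories and directory synchronization` heading with a `:::row:::`/`:::column:::` label removes the section from the page's heading outline and drops its generated anchor (`#directories-and-directory-synchronization`), so the "In this article" navigation and any inbound deep links to that anchor break. Before merging, search the repo for links to the old anchors of every heading this file converts, and consider keeping a heading or an explicit anchor above each row.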
@ -29,25 +32,48 @@ During the Window Hello for Business provisioning process, users register the pu
> [!IMPORTANT] > [!IMPORTANT]
> Windows Hello for Business is tied between a user and a device. Both the user and device object must be synchronized between Microsoft Entra ID and Active Directory. > Windows Hello for Business is tied between a user and a device. Both the user and device object must be synchronized between Microsoft Entra ID and Active Directory.
:::column-end:::
### Authentication to Microsoft Entra ID :::row-end:::
:::row:::
:::column span="1":::
Authentication to Microsoft Entra ID
:::column-end:::
:::column span="3":::
Authentication to Microsoft Entra ID can be configured with or without federation: Authentication to Microsoft Entra ID can be configured with or without federation:
- [Password hash synchronization][AZ-6] or [Microsoft Entra pass-through authentication][AZ-7] is required for non-federated environments - [Password hash synchronization][AZ-6] or [Microsoft Entra pass-through authentication][AZ-7] is required for non-federated environments
- Active Directory Federation Services (AD FS) or a third-party federation service is required for federated environments - Active Directory Federation Services (AD FS) or a third-party federation service is required for federated environments
:::column-end:::
### Device registration :::row-end:::
:::row:::
:::column span="1":::
Device registration
:::column-end:::
:::column span="3":::
The Windows devices must be registered in Microsoft Entra ID. Devices can be registered in Microsoft Entra ID using either *Microsoft Entra join* or *Microsoft Entra hybrid join*.\ The Windows devices must be registered in Microsoft Entra ID. Devices can be registered in Microsoft Entra ID using either *Microsoft Entra join* or *Microsoft Entra hybrid join*.\
For *Microsoft Entra hybrid joined* devices, review the guidance on the [Plan your Microsoft Entra hybrid join implementation][AZ-8] page. For *Microsoft Entra hybrid joined* devices, review the guidance on the [Plan your Microsoft Entra hybrid join implementation][AZ-8] page.
:::column-end:::
### Public Key Infrastructure :::row-end:::
:::row:::
:::column span="1":::
Public Key Infrastructure
:::column-end:::
:::column span="3":::
An enterprise PKI is required as *trust anchor* for authentication. Domain controllers require a certificate for Windows clients to trust them. An enterprise PKI is required as *trust anchor* for authentication. Domain controllers require a certificate for Windows clients to trust them.
:::column-end:::
### Multifactor authentication :::row-end:::
:::row:::
:::column span="1":::
Multifactor authentication
:::column-end:::
:::column span="3":::
The Windows Hello for Business provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but requires a second factor of authentication.\ The Windows Hello for Business provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but requires a second factor of authentication.\
Hybrid deployments can use: Hybrid deployments can use:
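Review bot: style point on the label column: the text in each `span="1"` column ("Authentication to Microsoft Entra ID", "Device registration", "Public Key Infrastructure", "Multifactor authentication") is plain text, whereas the `###` headings it replaces rendered in bold; wrap each label in `**...**` so the two-column layout still reads as label/description. Also confirm that the trailing `\` hard line breaks carried into the "Device registration" and "Multifactor authentication" cells render as line breaks inside the row layout rather than as literal backslashes.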
@ -56,10 +82,18 @@ Hybrid deployments can use:
For more information how to configure Microsoft Entra multifactor authentication, see [Configure Microsoft Entra multifactor authentication settings][AZ-3].\ For more information how to configure Microsoft Entra multifactor authentication, see [Configure Microsoft Entra multifactor authentication settings][AZ-3].\
For more information how to configure AD FS to provide multifactor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1]. For more information how to configure AD FS to provide multifactor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1].
:::column-end:::
:::row-end:::
### Device management :::row:::
:::column span="1":::
Device management
:::column-end:::
:::column span="3":::
To configure Windows Hello for Business, devices can be configured through a mobile device management (MDM) solution like Intune, or via group policy. To configure Windows Hello for Business, devices can be configured through a mobile device management (MDM) solution like Intune, or via group policy.
:::column-end:::
:::row-end:::
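Review bot: the "Device management" cell is tautological: "To configure Windows Hello for Business, devices can be configured through a mobile device management (MDM) solution like Intune, or via group policy." Suggest "Windows Hello for Business settings can be applied through a mobile device management (MDM) solution like Microsoft Intune, or via group policy." The two context lines above it also drop "about" ("For more information how to configure..."); since the hunk already rewraps this block, fix them to "For more information about how to configure...".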
## Next steps ## Next steps

View File

@ -138,6 +138,24 @@ The goal of Windows Hello for Business is to move organizations away from passwo
| :black_square_button:|Hybrid| :black_square_button:Microsoft Entra MFA <br> :black_square_button: Third-party MFA via Microsoft Entra ID custom controls or federation| | :black_square_button:|Hybrid| :black_square_button:Microsoft Entra MFA <br> :black_square_button: Third-party MFA via Microsoft Entra ID custom controls or federation|
| :black_square_button:|On-premises | AD FS MFA adapter | | :black_square_button:|On-premises | AD FS MFA adapter |
#### MFA and federated authentication
It's possible for federated domains to configure the *FederatedIdpMfaBehavior* flag. The flag instructs Microsoft Entra ID to accept, enforce, or reject the MFA challenge from the federated IdP. For more information, see [federatedIdpMfaBehavior values](/graph/api/resources/internaldomainfederation#federatedidpmfabehavior-values). To check this setting, use the following PowerShell command:
```powershell
Connect-MgGraph
$DomainId = "<your federated domain name>"
Get-MgDomainFederationConfiguration -DomainId $DomainId |fl
```
To reject the MFA claim from the federated IdP, use the following command. This change impacts all MFA scenarios for the federated domain:
```powershell
Update-MgDomainFederationConfiguration -DomainId $DomainId -FederatedIdpMfaBehavior rejectMfaByFederatedIdp
```
If you configure the flag with a value of either `acceptIfMfaDoneByFederatedIdp` (default) or `enforceMfaByFederatedIdp`, you must verify that your federated IDP is correctly configured and working with the MFA adapter and provider used by your IdP.
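Review bot: the moved PowerShell is copied verbatim and keeps a few rough edges worth fixing now that it lives in the planning guide. `Connect-MgGraph` is called without `-Scopes`, so a session established with lower permissions fails on `Get-MgDomainFederationConfiguration` and `Update-MgDomainFederationConfiguration`; request the permission explicitly, for example `Connect-MgGraph -Scopes "Domain.ReadWrite.All"` (`Domain.Read.All` is enough for the read-only check). The second block reuses `$DomainId` from the first, so either restate the assignment or say that both blocks run in the same session. `|fl` should be spelled out as `| Format-List`, and "federated IDP" in the closing sentence should be "federated IdP" to match the rest of the paragraph.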
### Device configuration ### Device configuration
Windows Hello for Business provides organizations with a rich set of granular policy settings with which they can use to configure their devices. There are two main options to configure Windows Hello for Business: configuration service provider (CSP) and group policy (GPO). Windows Hello for Business provides organizations with a rich set of granular policy settings with which they can use to configure their devices. There are two main options to configure Windows Hello for Business: configuration service provider (CSP) and group policy (GPO).
@ -181,7 +199,7 @@ Here are some considerations regarding licensing requirements for cloud services
| :black_square_button: |Hybrid| :black_square_button: **Cloud Kerberos trust**: not required <br> :black_square_button: **Key trust**: not required <br> :black_square_button: **Certificate trust**: Microsoft Entra ID P1| | :black_square_button: |Hybrid| :black_square_button: **Cloud Kerberos trust**: not required <br> :black_square_button: **Key trust**: not required <br> :black_square_button: **Certificate trust**: Microsoft Entra ID P1|
| :black_square_button: |On-premises | Azure MFA | | :black_square_button: |On-premises | Azure MFA |
### Windows and Windows Server requirements ### Windows requirements
All supported Windows 10 and Windows 11 versions can be used with Windows Hello for Business. However, cloud Kerberos trust requires minimum versions: All supported Windows 10 and Windows 11 versions can be used with Windows Hello for Business. However, cloud Kerberos trust requires minimum versions:
@ -191,6 +209,8 @@ All supported Windows 10 and Windows 11 versions can be used with Windows Hello
| :black_square_button:|Hybrid| :black_square_button: **Cloud Kerberos trust**: Windows 10 21H2, with [KB5010415][KB-1] and later; Windows 11 21H2, with [KB5010414][KB-2] and later <br> :black_square_button: **Key trust**: All supported versions <br> :black_square_button: **Certificate trust**: All supported versions| | :black_square_button:|Hybrid| :black_square_button: **Cloud Kerberos trust**: Windows 10 21H2, with [KB5010415][KB-1] and later; Windows 11 21H2, with [KB5010414][KB-2] and later <br> :black_square_button: **Key trust**: All supported versions <br> :black_square_button: **Certificate trust**: All supported versions|
| :black_square_button:|On-premises | All supported versions | | :black_square_button:|On-premises | All supported versions |
### Windows and Windows Server requirements
All supported Windows Server versions can be used with Windows Hello for Business as Domain Controller. However, cloud Kerberos trust requires minimum versions: All supported Windows Server versions can be used with Windows Hello for Business as Domain Controller. However, cloud Kerberos trust requires minimum versions:
| :ballot_box_with_check:| Deployment model | Domain Controller OS version | | :ballot_box_with_check:| Deployment model | Domain Controller OS version |
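Review bot: the heading added above the domain controller table reads `### Windows and Windows Server requirements`, but the table it introduces covers only Windows Server versions used as domain controllers ("All supported Windows Server versions can be used with Windows Hello for Business as Domain Controller"), and the previous hunk just renamed the client section to `### Windows requirements`. Name this one `### Windows Server requirements` so the two headings are parallel and the old combined title is not reintroduced. Also "as Domain Controller" should read "as a domain controller".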