updates

windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md

@@ -240,7 +240,7 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
 
 ## Deploy the root CA certificate to Azure AD-joined devices
 
-The domain controllers have a certificate that include the new CRL distribution point. Next, you need the enterprise root certificate so you can deploy it to Azure AD-joined devices. When you deploy the enterprise root certificates to a device, it ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Azure AD-joined devices don't trust domain controller certificates and authentication fails. Expand each step to learn more:
+The domain controllers have a certificate that includes the new CRL distribution point. Next, you need the enterprise root certificate so you can deploy it to Azure AD-joined devices. When you deploy the enterprise root certificates to a device, it ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Azure AD-joined devices don't trust domain controller certificates and authentication fails. Expand each step to learn more:
 
 <br>
 <details>

windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md

@@ -82,7 +82,7 @@ The best way to deploy the Windows Hello for Business GPO is to use security gro
 
 ### Deploy the Windows Hello for Business Group Policy object
 
-The application of Group Policy object uses security group filtering. This solution allows to link the GPO to the domain, ensuring the GPO is scoped to all users. The security group filtering ensures that only the members of the *Windows Hello for Business Users* global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
+The application of Group Policy object uses security group filtering. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all users. The security group filtering ensures that only the members of the *Windows Hello for Business Users* global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
 
 1. Start the **Group Policy Management Console** (gpmc.msc)
 1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO**
@@ -108,7 +108,7 @@ There are different ways to enable and configure Windows Hello for Business in I
 - Using a policy applied at the tenant level. The tenant policy:
   - Is only applied at enrollment time, and any changes to its configuration won't apply to devices already enrolled in Intune
   - It applies to *all devices* getting enrolled in Intune. For this reason, the policy is usually disabled and Windows Hello for Business is enabled using a policy targeted to a security group
-- A device configuration policy that is applied *after* device enrollment. Any changes to the policy will be applied to the devices during regular policy refresh intervals. There are different policy types to chose from:
+- A device configuration policy that is applied *after* device enrollment. Any changes to the policy will be applied to the devices during regular policy refresh intervals. Chose from the following policy types:
   - [Settings catalog][MEM-1]
   - [Security baselines][MEM-2]
   - [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4]

windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md

@@ -24,7 +24,7 @@ There are different ways to enable and configure Windows Hello for Business in I
 - Using a policy applied at the tenant level. The tenant policy:
   - Is only applied at enrollment time, and any changes to its configuration won't apply to devices already enrolled in Intune
   - It applies to *all devices* getting enrolled in Intune. For this reason, the policy is usually disabled and Windows Hello for Business is enabled using a policy targeted to a security group
-- A device configuration policy that is applied *after* device enrollment. Any changes to the policy will be applied to the devices during regular policy refresh intervals. There are different policy types to chose from:
+- A device configuration policy that is applied *after* device enrollment. Any changes to the policy will be applied to the devices during regular policy refresh intervals. There are different policy types to choose from:
   - [Settings catalog][MEM-1]
   - [Security baselines][MEM-2]
   - [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4]
@@ -118,7 +118,7 @@ The best way to deploy the Windows Hello for Business GPO is to use security gro
 
 ### Deploy the Windows Hello for Business Group Policy object
 
-The application of Group Policy object uses security group filtering. This solution allows to link the GPO to the domain, ensuring the GPO is scoped to all users. The security group filtering ensures that only the members of the *Windows Hello for Business Users* global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
+The application of Group Policy object uses security group filtering. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all users. The security group filtering ensures that only the members of the *Windows Hello for Business Users* global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
 
 1. Start the **Group Policy Management Console** (gpmc.msc)
 1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO**
@@ -137,7 +137,7 @@ The Windows Hello for Business provisioning process begins immediately after the
 You can determine the status of the prerequisite checks by viewing the **User Device Registration** admin log under **Applications and Services Logs > Microsoft > Windows**.\
 This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4].
 
-:::image type="content" source="images/Event358.png" alt-text="Details about event ID 358 showing that the device is ready to enroll in in Windows Hello for Business." border="false" lightbox="images/Event358.png":::
+:::image type="content" source="images/Event358.png" alt-text="Details about event ID 358 showing that the device is ready to enroll in Windows Hello for Business." border="false" lightbox="images/Event358.png":::
 
 ### PIN Setup
 

windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md

@@ -1,6 +1,6 @@
 ---
-title: Configure and validate the Public Key Infrastructure in a hybrid key trust model
+title: Configure and validate the Public Key Infrastructure in an hybrid key trust model
-description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a hybrid key trust model.
+description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in an hybrid key trust model.
 ms.date: 01/03/2023
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>

windows/security/identity-protection/vpn/vpn-authentication.md

@@ -88,7 +88,7 @@ See [EAP configuration](/windows/client-management/mdm/eap-configuration) for EA
 
 The following image shows the field for EAP XML in a Microsoft Intune VPN profile. The EAP XML field only appears when you select a built-in connection type (automatic, IKEv2, L2TP, PPTP).
 
-![EAP XML configuration in Intune profile.](images/vpn-eap-xml.png)
+:::image type="content" source="images/vpn-eap-xml.png" alt-text="EAP XML configuration in Intune profile.":::
 
 ## Related topics