This commit is contained in:
Paolo Matarazzo 2023-01-04 10:11:00 -05:00
parent 4a1451b58a
commit 244b0cc5e6
9 changed files with 17 additions and 17 deletions

View File

@ -41,9 +41,9 @@ Sign in to a CA or management workstations with *Domain Administrator* equivalen
1. On the **Security** tab, select **Add**. Target an Active Directory security group that contains the users that you want to enroll in Windows Hello for Business. For example, if you have a group called *Window Hello for Business Users*, type it in the **Enter the object names to select** text box and select **OK**
1. Select the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section:
- Select the **Allow** check box for the **Enroll** permission
- Excluding the group above (e.g. *Window Hello for Business Users*), clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared
- Excluding the group above (for example, *Window Hello for Business Users*), clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes aren't already cleared
- Select **OK**
1. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template
1. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they'll be superseded by this template for the users that have Enroll permission for this template
1. Select on the **Apply** to save changes and close the console
#### Mark the template as the Windows Hello Sign-in template
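Review bot: the misspelled group name *Window Hello for Business Users* (missing the "s" in Windows) survives in the rewritten line `- Excluding the group above (for example, *Window Hello for Business Users*), ...` and in the preceding "For example, if you have a group called *Window Hello for Business Users*" context line, while the next step correctly refers to **Windows Hello for Business Users**; since this hunk already touches that line, align the name. The same applies to "Configuration Manger" in the rewritten superseded-templates step, which should read "Configuration Manager", and the trailing context line `1. Select on the **Apply** to save changes` should read `1. Select **Apply** to save changes`.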

View File

@ -9,7 +9,7 @@ Expand the following sections to configure the group policy for domain controlle
<details>
<summary><b>Configure automatic certificate enrollment for the domain controllers</b></summary>
Domain controllers automatically request a certificate from the *Domain controller certificate* template. However, domain controllers are unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates, create and configure a Group Policy Object (GPO) for automatic certificate enrollment, linking the Group Policy object to the *Domain Controllers* Organizational Unit (OU).
Domain controllers automatically request a certificate from the *Domain controller certificate* template. However, domain controllers are unaware of newer certificate templates or superseded configurations on certificate templates. For domain controllers to automatically enroll and renew of certificates, configure a GPO for automatic certificate enrollment, and link it to the *Domain Controllers* OU.
1. Open the **Group Policy Management Console** (gpmc.msc)
1. Expand the domain and select the **Group Policy Object** node in the navigation pane
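Review bot: the rewritten sentence introduces a grammatical slip: "For domain controllers to automatically enroll and renew of certificates" should be "For domain controllers to automatically enroll and renew certificates". The rest of the rewrite (GPO, OU abbreviations) reads fine because both terms are spelled out in the surrounding files.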

View File

@ -6,7 +6,7 @@ ms.topic: include
<details>
<summary><b>Supersede existing domain controller certificates</b></summary>
The domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers called *domain controller certificate*. Later releases of Windows Server provided a new certificate template called *domain controller authentication certificate*. These certificate templates were provided prior to the update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the *KDC Authentication* extension.
The domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers called *domain controller certificate*. Later releases of Windows Server provided a new certificate template called *domain controller authentication certificate*. These certificate templates were provided prior to the update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the *KDC Authentication* extension.
The *Kerberos Authentication* certificate template is the most current certificate template designated for domain controllers, and should be the one you deploy to all your domain controllers.\
The *autoenrollment* feature allows you to replace the domain controller certificates. Use the following configuration to replace older domain controller certificates with new ones, using the *Kerberos Authentication* certificate template.
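Review bot: the removed and added lines beginning "The domain controllers may have an existing domain controller certificate" render identically here, so this appears to be a whitespace-only change (for example a trailing space); confirm that is intentional, or drop the hunk so the diff only contains substantive edits. If the line is being touched anyway, "The Active Directory Certificate Services provides" reads better as "Active Directory Certificate Services provides".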
@ -23,7 +23,8 @@ Sign in to a CA or management workstations with *Enterprise Administrator* equiv
1. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab
1. Select **OK** and close the **Certificate Templates** console
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates isn't active until the certificate template is published to one or more certificate authorities.
The certificate template is configured to supersede all the certificate templates provided in the *superseded templates* list.\
However, the certificate template and the superseding of certificate templates isn't active until the template is published to one or more certificate authorities.
> [!NOTE]
> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail.
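Review bot: the new second line has a subject-verb agreement problem: "the certificate template and the superseding of certificate templates isn't active" has a compound subject and should read "aren't active". Splitting the paragraph with a trailing backslash matches the hard-line-break convention used a few lines above, so that part is consistent. The trailing NOTE context ("If you are using a third-party CA", "does not chain") still uses the uncontracted forms this commit is replacing elsewhere; consider updating it in the same pass.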

View File

@ -6,9 +6,9 @@ ms.topic: include
<details>
<summary><b>Configure domain controller certificates</b></summary>
Clients must trust the domain controllers, and the best way to do it is to ensure each domain controller has a *Kerberos Authentication* certificate. Installing a certificate on the domain controllers enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. The certificates provide clients a root of trust external to the domain, namely the *enterprise certification authority*.
Clients must trust the domain controllers, and the best way to enable the trust is to ensure that each domain controller has a *Kerberos Authentication* certificate. Installing a certificate on the domain controllers enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. The certificates provide clients a root of trust external to the domain, namely the *enterprise certification authority*.
Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise CA is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates don't include the *KDC Authentication* object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the *Kerberos Authentication* certificate template.
Domain controllers automatically request a *domain controller certificate* (if published) when they discover an enterprise CA is added to Active Directory. The certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates don't include the *KDC Authentication* object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the *Kerberos Authentication* certificate template.
By default, the Active Directory CA provides and publishes the *Kerberos Authentication* certificate template. The cryptography configuration included in the template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the *Kerberos Authentication* certificate template as a *baseline* to create an updated domain controller certificate template.
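Review bot: dropping "However," from the second sentence loses the contrast the paragraph depends on: domain controllers do auto-request the *domain controller certificate*, but certificates from the *Domain Controller* and *Domain Controller Authentication* templates lack the *KDC Authentication* OID, which is why the closing "Therefore, domain controllers need to request a certificate based on the *Kerberos Authentication* certificate template" follows. Suggest keeping the connective, for example "However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates don't include ...".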

View File

@ -3,9 +3,9 @@ ms.date: 12/28/2022
ms.topic: include
---
Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase.
Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful deployment is to validate phases of work prior to moving to the next phase.
You want to confirm your domain controllers enroll the correct certificates and not any unnecessary (superseded) certificate templates. You need to check each domain controller that autoenrollment for the computer occurred.
Confirm your domain controllers enroll the correct certificates and not any superseded certificate templates. Check that each domain controller completed the certificate autoenrollment.
### Use the event logs
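Review bot: the rewritten line "Confirm your domain controllers enroll the correct certificates and not any superseded certificate templates" mixes certificates and templates; domain controllers enroll certificates, not templates. Suggest "and no certificates based on superseded certificate templates". The second sentence, "Check that each domain controller completed the certificate autoenrollment", is a clear improvement over the original.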

View File

@ -27,7 +27,7 @@ Sign in to a CA or management workstations with *Domain Administrator* equivalen
1. On the **General** tab:
- Type *WHFB Enrollment Agent* in **Template display name**
- Adjust the validity and renewal period to meet your enterprise's needs
1. On the **Subject** tab, select the **Supply in the request** button if it is not already selected
1. On the **Subject** tab, select the **Supply in the request** button if it isn't already selected
> [!NOTE]
> Group Managed Service Accounts (GMSA) do not support the *Build from this Active Directory information* option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with *Supply in the request* to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
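Review bot: the contraction change on the **Supply in the request** step is fine, but the NOTE in the trailing context still reads "Group Managed Service Accounts (GMSA) do not support ... and will result in the AD FS server failing"; since the commit's stated convention is contractions, consider "don't support" and "results in the AD FS server failing" for consistency while this include is open.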
@ -42,7 +42,7 @@ Sign in to a CA or management workstations with *Domain Administrator* equivalen
1. Type *adfssvc* in the **Enter the object names to select** text box and select **OK**
1. Select the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section:
- In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission
- Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared
- Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list
- Select **OK**
1. Close the console
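Review bot: removing "if the check boxes are not already cleared" is fine because clearing an already-clear check box is harmless, but the surrounding context duplicates a phrase: the parent step ends with "In the **Permissions for adfssvc** section:" and the first sub-bullet begins with "In the **Permissions for adfssvc** section, select the **Allow** check box"; drop it from the sub-bullet so it reads "- Select the **Allow** check box for the **Enroll** permission", matching the Windows Hello for Business Users template steps elsewhere in this commit.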
@ -74,7 +74,7 @@ Sign in to a CA or management workstations with *Domain Administrator* equivalen
1. Type *adfssvc* in the **Enter the object names to select** text box and select **OK**
1. Select the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section:
- In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission
- Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared
- Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list
- Select **OK**
1. Close the console
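Review bot: this hunk repeats the earlier one verbatim, including the duplicated "In the **Permissions for adfssvc** section" in the parent step and first sub-bullet; apply the same cleanup here ("- Select the **Allow** check box for the **Enroll** permission"). If the two template-permission procedures are meant to be identical, consider factoring them into a shared include so future wording changes don't need to be made twice.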

View File

@ -3,5 +3,4 @@ ms.date: 12/08/2022
ms.topic: include
---
[on-premises :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Azure AD. Device management is usually done via Group Policy")
[on-premises :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Azure AD. Device management is usually done via Group Policy")
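Review bot: the hunk header (`-3,5 +3,4`) shows one line removed, but the rendered removed and added lines are identical, so the change is presumably a trailing blank line or whitespace at the end of the include; confirm that is the intent. Also note the tooltip text "For organizations using Active Directory identities, not synchronized to Azure AD" reads better as "that are not synchronized to Azure AD", though that is outside the scope of this whitespace change.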

View File

@ -6,7 +6,7 @@ ms.topic: include
<details>
<summary><b>Unpublish Superseded Certificate Templates</b></summary>
The certification authority only issues certificates based on published certificate templates. For security, it's a good practice to unpublish certificate templates that the CA isn't configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates.
The certification authority only issues certificates based on published certificate templates. For security, it's a good practice to unpublish certificate templates that the CA isn't configured to issue, including the pre-published templates from the role installation and any superseded templates.
The newly created *domain controller authentication* certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities.
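Review bot: the trailing context line calls the newly created template *domain controller authentication*, but elsewhere in this same commit *domain controller authentication certificate* is the name of one of the older templates being superseded, and the new template is described as based on *Kerberos Authentication*; rename the reference here so readers don't unpublish the wrong template. The rewrite of the first paragraph ("including the pre-published templates from the role installation and any superseded templates") is clearer than the original.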

View File

@ -6,7 +6,7 @@ ms.topic: include
<details>
<summary><b>Configure an internal web server certificate template</b></summary>
Windows clients use the https protocol when communicating with Active Directory Federation Services (AD FS). To meet this need, you must issue a server authentication certificate to all the nodes in the AD FS farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running AD FS can request the certificate.
Windows clients communicate with AD FS via HTTPS. To meet this need, a *server authentication* certificate must be issued to all the nodes in the AD FS farm. On-premises deployments can use a *server authentication* certificate issued by the enterprise PKI. A *server authentication* certificate template must be configured, so the AD FS nodes can request a certificate.
Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.
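Review bot: the rewrite drops the one expansion of the acronym in this include ("Active Directory Federation Services (AD FS)"), so "Windows clients communicate with AD FS via HTTPS" now assumes the reader already knows the term; keep the expansion on first use unless a parent topic always introduces it. Minor: the comma in "A *server authentication* certificate template must be configured, so the AD FS nodes can request a certificate" should be removed, since "so" here means "so that".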
@ -36,5 +36,5 @@ Sign in to a CA or management workstations with *Domain Administrator* equivalen
- Select **SHA256** from the **Request hash** list
- Select **OK**
1. Close the console
</details>
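Review bot: no changed line is rendered for this hunk (`-36,5 +36,5`), only the SHA256, **OK**, close-console and `</details>` context, so the edit is probably whitespace; confirm it is intentional, and if the **Request hash** line is being touched, make sure the `</details>` still closes the `<details>` opened at the top of this include.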