diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md
index ce9a382eea..091e90e2ed 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md
@@ -87,7 +87,9 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
 1. Close the console
 
 </details>
-<br>
+
+> [!IMPORTANT]
+> If you plan to deploy Azure AD joined devices, and require single sign-on (SSO) when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](hello-hybrid-aadj-sso.md).
 
 ## Configure and deploy certificates to domain controllers
 
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/dsregcmd.png b/windows/security/identity-protection/hello-for-business/images/aadj/dsregcmd.png
deleted file mode 100644
index bb4b46478a..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/dsregcmd.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-deployment.md b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-deployment.md
index 7eaedf722c..0601e2412a 100644
--- a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-deployment.md
+++ b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-deployment.md
@@ -27,7 +27,6 @@ Domain controllers automatically request a certificate from the *Domain controll
 1. Close the **Group Policy Management Editor**
 
 </details>
-<br>
 
 <details>
 <summary><b>Deploy the domain controller auto certificate enrollment GPO</b></summary>
@@ -39,5 +38,4 @@ Sign in to domain controller or management workstations with *Domain Administrat
 1. In the **Select GPO** dialog box, select *Domain Controller Auto Certificate Enrollment* or the name of the domain controller certificate enrollment Group Policy object you previously created
 1. Select **OK**
 
-</details>
-<br>
+</details>
\ No newline at end of file