diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
index 4d0a170a65..0639e1edaf 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
@@ -14,26 +14,10 @@ ms.topic: tutorial
[!INCLUDE [requirements](includes/requirements.md)]
-### Directories and directory synchronization
-
-Hybrid Windows Hello for Business needs two directories:
-
-- An on-premises Active Directory
-- A Microsoft Entra tenant with a Microsoft Entra ID P1 or P2 subscription
-
-The two directories must be synchronized with [Microsoft Entra Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Microsoft Entra ID.
-A *Microsoft Entra ID P1 or P2* subscription is required for the device write-back synchronization feature.
-
-> [!NOTE]
-> Windows Hello for Business hybrid certificate trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Microsoft Entra ID.
-
-> [!IMPORTANT]
-> Windows Hello for Business is tied between a user and a device. Both the user and device object must be synchronized between Microsoft Entra ID and Active Directory.
-
### Federated authentication to Microsoft Entra ID
Windows Hello for Business hybrid certificate trust doesn't support Microsoft Entra ID *Pass-through Authentication* (PTA) or *password hash sync* (PHS).\
-Windows Hello for Business hybrid certificate trust requires Active Directory to be federated with Microsoft Entra ID using AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices.
+Windows Hello for Business hybrid certificate trust requires Active Directory to be federated with Microsoft Entra ID using AD FS. You must also configure the AD FS farm to support Azure registered devices.
If you're new to AD FS and federation services:
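Review bot: Deleting the "Directories and directory synchronization" section drops two certificate-trust-specific requirements that nothing else in this patch re-adds: the line `A *Microsoft Entra ID P1 or P2* subscription is required for the device write-back synchronization feature.` and the note that hybrid certificate trust is not supported when the users' on-premises UPN suffix can't be added as a verified domain. The text relocated to index.md carries over the user/device sync note but not these two, so the cert trust page silently loses a licensing prerequisite and a support boundary. Either keep them on this page or add them to the new "Authentication to Microsoft Entra ID" section in index.md. Minor: the rewritten sentence still says "Azure registered devices" where the rest of the page uses "Microsoft Entra registered".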
@@ -68,21 +52,6 @@ The enterprise PKI and a certificate registration authority (CRA) are required t
During Windows Hello for Business provisioning, users receive a sign-in certificate through the CRA.
-### Multifactor authentication
-
-The Windows Hello for Business provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but requires a second factor of authentication.\
-Hybrid deployments can use:
-
-- [Microsoft Entra multifactor authentication][AZ-2]
-- A multifactor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS
-
-For more information how to configure Microsoft Entra multifactor authentication, see [Configure Microsoft Entra multifactor authentication settings][AZ-3].\
-For more information how to configure AD FS to provide multifactor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1].
-
-### Device management
-
-To configure Windows Hello for Business, devices can be configured through a mobile device management (MDM) solution like Intune, or via group policy.
-
## Next steps
> [!div class="checklist"]
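Review bot: The link definitions `[AZ-2]`, `[AZ-3]` and `[SER-1]` referenced by the removed MFA section look orphaned in hybrid-cert-trust.md now, but unlike hybrid-key-trust.md this file's reference block isn't touched by the patch; confirm they have no other use and remove them, or the docs linter will flag unused references. Also, the "Device management" paragraph (Intune or group policy) isn't re-added anywhere in this patch, so verify index.md already covers how devices receive the Windows Hello for Business policy before dropping it here.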
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
index 8d0e8758d5..487d376dd3 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
@@ -13,48 +13,6 @@ ms.topic: tutorial
> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. For more information, see [cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md).
[!INCLUDE [requirements](includes/requirements.md)]
-[!INCLUDE [requirement-directory-sync](includes/requirement-directory-sync.md)]
-[!INCLUDE [requirement-auth-to-entra-id](includes/requirement-auth-to-entra-id.md)]
-[!INCLUDE [requirement-device-registration](includes/requirement-device-registration.md)]
-
-
-:::row-end:::
-
-:::row:::
- :::column span="1":::
-Public Key Infrastructure
- :::column-end:::
- :::column span="3":::
-An enterprise PKI is required as *trust anchor* for authentication. Domain controllers require a certificate for Windows clients to trust them.
- :::column-end:::
-
-:::row-end:::
-
-:::row:::
- :::column span="1":::
-Multifactor authentication
- :::column-end:::
- :::column span="3":::
-The Windows Hello for Business provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but requires a second factor of authentication.\
-Hybrid deployments can use:
-
-- [Microsoft Entra multifactor authentication][AZ-2]
-- A multifactor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS
-
-For more information how to configure Microsoft Entra multifactor authentication, see [Configure Microsoft Entra multifactor authentication settings][AZ-3].\
-For more information how to configure AD FS to provide multifactor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1].
- :::column-end:::
-:::row-end:::
-
-:::row:::
- :::column span="1":::
-Device management
- :::column-end:::
- :::column span="3":::
-To configure Windows Hello for Business, devices can be configured through a mobile device management (MDM) solution like Intune, or via group policy.
- :::column-end:::
-
-:::row-end:::
## Next steps
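Review bot: The removed "Public Key Infrastructure" row (`An enterprise PKI is required as *trust anchor* for authentication. Domain controllers require a certificate for Windows clients to trust them.`) is not relocated to index.md by any hunk in this patch, yet the domain controller certificate is a hard prerequisite for key trust and the one that most commonly breaks deployments. Keep that row here or confirm the remaining `requirements.md` include already states it. The stray `-:::row-end:::` removal near the top of the hunk is correct: it closed a `:::row:::` that was opened inside the deleted `requirement-device-registration.md` include, so deleting both together is the right fix for the unbalanced markup.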
@@ -72,8 +30,6 @@ To configure Windows Hello for Business, devices can be configured through a mob
[AZ-2]: /azure/multi-factor-authentication/multi-factor-authentication
-[AZ-3]: /azure/multi-factor-authentication/multi-factor-authentication-whats-next
+
[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
[AZ-5]: /azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler
-
-[SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa
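Review bot: `[AZ-2]` (`/azure/multi-factor-authentication/multi-factor-authentication`) is kept, but its only visible use was the `[Microsoft Entra multifactor authentication][AZ-2]` bullet removed in the previous hunk; remove it alongside `[AZ-3]` and `[SER-1]` unless it is referenced elsewhere in the file. The added `+` line is an empty line between `[AZ-2]` and `[AZ-4]`, which leaves a gap in an otherwise contiguous reference block; drop it.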
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/requirement-auth-to-entra-id.md b/windows/security/identity-protection/hello-for-business/deploy/includes/requirement-auth-to-entra-id.md
deleted file mode 100644
index 0403e8f5d0..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/requirement-auth-to-entra-id.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-:::row:::
- :::column span="1":::
- :ballot_box_with_check: Authentication to Microsoft Entra ID
- :::column-end:::
- :::column span="3":::
- Authentication to Microsoft Entra ID can be configured with or without federation:
- - [Password hash synchronization][AZ-6] or [Microsoft Entra pass-through authentication][AZ-7] is required for non-federated environments
- - Active Directory Federation Services (AD FS) or a third-party federation service is required for federated environments
- :::column-end:::
-:::row-end:::
-
-[AZ-6]: /azure/active-directory/hybrid/whatis-phs
-[AZ-7]: /azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication
\ No newline at end of file
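Review bot: Deleting this include is safe only if hybrid-key-trust.md was its sole consumer; the patch removes the `[!INCLUDE [requirement-auth-to-entra-id]...]` line from that file only. The cloud Kerberos trust page referenced at the top of hybrid-key-trust.md (`hybrid-cloud-kerberos-trust.md`) is the obvious candidate to still pull it in, so grep the deploy folder for `requirement-auth-to-entra-id` before merging, otherwise that page fails to build. Same check applies to the two other deleted includes below.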
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/requirement-device-registration.md b/windows/security/identity-protection/hello-for-business/deploy/includes/requirement-device-registration.md
deleted file mode 100644
index 5c3fabbbfb..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/requirement-device-registration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-:::row:::
- :::column span="1":::
- :ballot_box_with_check: Device registration
- :::column-end:::
- :::column span="3":::
-The Windows devices must be registered in Microsoft Entra ID. Devices can be registered in Microsoft Entra ID using either *Microsoft Entra join* or *Microsoft Entra hybrid join*.\
-For *Microsoft Entra hybrid joined* devices, review the guidance on the [Plan your Microsoft Entra hybrid join implementation][AZ-8] page.
- :::column-end:::
-
-[AZ-8]: /azure/active-directory/devices/hybrid-azuread-join-plan
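Review bot: This include opened `:::row:::` and a column but never emitted `:::row-end:::`; the closing marker lived in hybrid-key-trust.md, which is why that file had a stray `-:::row-end:::` in its hunk. Deleting the file resolves the split markup. Note that the deleted text says devices are registered "using either *Microsoft Entra join* or *Microsoft Entra hybrid join*", while the index.md table this content moves next to also lists "Microsoft Entra registered" for hybrid; only the hybrid-join planning link is carried over, so the narrower statement is dropped rather than reconciled. Confirm that is intended.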
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/requirement-directory-sync.md b/windows/security/identity-protection/hello-for-business/deploy/includes/requirement-directory-sync.md
deleted file mode 100644
index 740228e93f..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/requirement-directory-sync.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-:::row:::
- :::column span="1":::
- :ballot_box_with_check: Directories and directory synchronization
- :::column-end:::
- :::column span="3":::
-Hybrid Windows Hello for Business needs two directories:
-
-- An on-premises Active Directory
-- A Microsoft Entra tenant
-
-The two directories must be synchronized with [Microsoft Entra Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Microsoft Entra ID.\
-During the Window Hello for Business provisioning process, users register the public portion of their Windows Hello for Business credential with Microsoft Entra ID. *Microsoft Entra Connect Sync* synchronizes the Windows Hello for Business public key to Active Directory.
-
-> [!NOTE]
-> Windows Hello for Business hybrid key trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Microsoft Entra ID.
-
-> [!IMPORTANT]
-> Windows Hello for Business is tied between a user and a device. Both the user and device object must be synchronized between Microsoft Entra ID and Active Directory.
- :::column-end:::
-
-:::row-end:::
-
-[AZ-1]: /azure/active-directory/hybrid/how-to-connect-sync-whatis
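Review bot: The `[!NOTE]` that hybrid key trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Microsoft Entra ID is not carried into the new index.md directory sync bullet (only the public-key sync sentence and the `[!IMPORTANT]` user/device note are), so this support boundary disappears from the documentation set. Re-add it to the index.md "Directory synchronization" bullet or to the key trust page. Also, `[AZ-1]` was defined inside this include; make sure hybrid-key-trust.md no longer references it after the include is removed.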
diff --git a/windows/security/identity-protection/hello-for-business/deploy/index.md b/windows/security/identity-protection/hello-for-business/deploy/index.md
index 4948f1b6d9..768910086f 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/index.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/index.md
@@ -83,6 +83,16 @@ The goal of Windows Hello for Business cloud Kerberos trust is to provide a simp
>
> For more information about how Microsoft Entra Kerberos enables access to on-premises resources, see [enabling passwordless security key sign-in to on-premises resources][ENTRA-1].
+### Authentication to Microsoft Entra ID
+
+In cloud-only and hybrid deployments, all users and devices must authenticate to Microsoft Entra ID.
+
+Authentication to Microsoft Entra ID can be configured with or without federation:
+
+- For key trust, [Password hash synchronization][ENTRA-6] or [Microsoft Entra pass-through authentication][ENTRA-7] is required for non-federated environments
+- Certificate trust doesn't support Microsoft Entra ID *Pass-through Authentication* (PTA) or *password hash sync* (PHS). Windows Hello for Business hybrid certificate trust requires Active Directory to be federated with Microsoft Entra ID using AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices
+- Active Directory Federation Services (AD FS) or a third-party federation service is required for federated environments
+
### Device registration
All devices included in the Windows Hello for Business deployment must go through a process called *device registration*. Device registration enables devices to authenticate to identity providers:
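Review bot: The three new bullets contradict each other for certificate trust: the second says certificate trust "requires Active Directory to be federated with Microsoft Entra ID using AD FS", while the third says "Active Directory Federation Services (AD FS) or a third-party federation service is required for federated environments" with no model qualifier, which reads as allowing third-party federation for cert trust. Scope the third bullet (for example, "For key trust, AD FS or a third-party federation service ...") and merge the PTA/PHS sentence into it so each deployment model has one bullet. The second bullet also duplicates, nearly verbatim, the "Federated authentication to Microsoft Entra ID" text still kept in hybrid-cert-trust.md; pick one home for it. Minor: "Azure registered devices" should follow the page's "Microsoft Entra registered" naming.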
@@ -96,6 +106,8 @@ All devices included in the Windows Hello for Business deployment must go throug
| :black_square_button:|Hybrid| Microsoft Entra hybrid joined
Microsoft Entra joined
Microsoft Entra registered |
| :black_square_button:|On-premises | AD FS |
+For *Microsoft Entra hybrid joined* devices, review the guidance on the [Plan your Microsoft Entra hybrid join implementation][ENTRA-5] page.
+
### Key registration
The built-in Windows Hello for Business provisioning experience creates a device-bound asymmetric key pair as the user's credentials. The private key is protected by the device's security modules. The credential is a *user key*, not a *device key*. The provisioning experience registers the user's public key with the identity provider:
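Review bot: The added `For *Microsoft Entra hybrid joined* devices, review the guidance ...` line directly follows the last table row (`| :black_square_button:|On-premises | AD FS |`) with no blank line, so GitHub-flavored Markdown parses it as an additional single-cell table row rather than a paragraph. Insert a blank line between the table and the new sentence.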
@@ -113,13 +125,15 @@ The built-in Windows Hello for Business provisioning experience creates a device
Hybrid and on-premises deployments use directory synchronization, however, each for a different purpose:
-- Hybrid deployments use Microsoft Entra Connect to synchronize Active Directory identities (users and devices) or credentials (in key trust model) between itself and Microsoft Entra ID. This synchronization enables SSO to Microsoft Entra ID and its federated components
+- Hybrid deployments use [Microsoft Entra Connect Sync][ENTRA-3] to synchronize Active Directory identities (users and devices) or credentials between itself and Microsoft Entra ID. During the Window Hello for Business provisioning process, users register the public portion of their Windows Hello for Business credential with Microsoft Entra ID. Microsoft Entra Connect Sync synchronizes the Windows Hello for Business public key to Active Directory. This synchronization enables SSO to Microsoft Entra ID and its federated components.
+ > [!IMPORTANT]
+ > Windows Hello for Business is tied between a user and a device. Both the user and device object must be synchronized between Microsoft Entra ID and Active Directory.
- On-premises deployments use directory synchronization to import users from Active Directory to the Azure MFA server, which sends data to the MFA cloud service to perform the verification
| :ballot_box_with_check:| Deployment model | Directory sync options |
|-|-|-|-|
| :black_square_button:| Cloud-only | n/a |
-| :black_square_button:|Hybrid| Microsoft Entra Connect|
+| :black_square_button:|Hybrid| Microsoft Entra Connect Sync|
| :black_square_button:|On-premises | Azure MFA server |
### Multifactor authentication
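Review bot: The rewritten hybrid bullet drops the `(in key trust model)` qualifier that the original line attached to credential synchronization, so the new text now claims unconditionally that "Microsoft Entra Connect Sync synchronizes the Windows Hello for Business public key to Active Directory"; keep the key trust scope, since the page also covers cloud Kerberos trust and certificate trust, which don't depend on that write-back. Fix the typo "Window Hello for Business" (also present in the deleted include it was copied from) while the line is being touched. The bullet is also a five-sentence run-on; split the sync mechanism from the provisioning flow. Pre-existing but adjacent: the table separator `|-|-|-|-|` declares four columns for a three-column header.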
@@ -127,7 +141,7 @@ Hybrid and on-premises deployments use directory synchronization, however, each
The goal of Windows Hello for Business is to move organizations away from passwords by providing them with a *strong credential* that enables easy two-factor authentication. The built-in provisioning experience accepts the user's weak credentials (username and password) as the first factor authentication. However, the user must provide a second factor of authentication before Windows provisions a strong credential:
- For cloud-only and hybrid deployments, ther are different choices for multifactor authentication, including [Microsoft Entra MFA][ENTRA-1]
-- On-premises deployments must use a multifactor option that can integrate as an AD FS multifactor adapter. Organizations can choose from third-party options that offer an AD FS MFA adapter. For more infomration, see [Microsoft and third-party additional authentication methods][SERV-1]
+- On-premises deployments must use a multifactor option that can integrate as an AD FS multifactor adapter. Organizations can choose from third-party options that offer an AD FS MFA adapter. For more infomration, see [Microsoft and third-party additional authentication methods][SER-2]
> [!IMPORTANT]
> As of July 1, 2019, Microsoft doesn't offer MFA Server for new deployments. New deployments that require multifactor authentication should use cloud-based Microsoft Entra multifactor authentication. Existing deployment where the MFA Server was activated prior to July 1, 2019 can download the latest version, future updates, and generate activation credentials. See [Getting started with the Azure Multi-Factor Authentication Server][ENTRA-2] for more details.
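Review bot: The `+` line only renames `[SERV-1]` to `[SER-2]` but re-emits the typo "infomration"; since the line is being rewritten anyway, fix it to "information". The context line above it has "ther are different choices" ("there"), which is worth fixing in the same hunk.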
@@ -138,6 +152,11 @@ The goal of Windows Hello for Business is to move organizations away from passwo
| :black_square_button:|Hybrid| :black_square_button:Microsoft Entra MFA
:black_square_button: Third-party MFA via Microsoft Entra ID custom controls or federation|
| :black_square_button:|On-premises | AD FS MFA adapter |
+For more information how to configure Microsoft Entra multifactor authentication, see [Configure Microsoft Entra multifactor authentication settings][ENTRA-4].\
+For more information how to configure AD FS to provide multifactor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1].
+
+
+
#### MFA and federated authentication
It's possible for federated domains to configure the *FederatedIdpMfaBehavior* flag. The flag instructs Microsoft Entra ID to accept, enforce, or reject the MFA challenge from the federated IdP. For more information, see [federatedIdpMfaBehavior values](/graph/api/resources/internaldomainfederation#federatedidpmfabehavior-values). To check this setting, use the following PowerShell command:
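Review bot: Same table problem as the device registration hunk: `For more information how to configure Microsoft Entra multifactor authentication ...` is added immediately after the `| :black_square_button:|On-premises | AD FS MFA adapter |` row with no blank line, so it renders as a table row. Add a blank line before it, and trim the three consecutive blank lines added before `#### MFA and federated authentication` to one. The phrasing "For more information how to configure" should read "For more information about how to configure" (twice).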
@@ -266,10 +285,15 @@ People can go to **Settings** > **Accounts** > **Work or school**, select the wo
[ENTRA-1]: /entra/identity/authentication/concept-mfa-howitworks
-[ENTRA-2]: /entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises
-
-[SERV-1]: /windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods
[ENTRA-2]: /entra/identity/authentication/howto-mfaserver-deploy
+[ENTRA-3]: /entra/identity/hybrid/connect/how-to-connect-sync-whatis
+[ENTRA-4]: /entra/identity/authentication/howto-mfa-mfasettings
+[ENTRA-5]: /entra/identity/devices/hybrid-join-plan
+[ENTRA-6]: /entra/identity/hybrid/connect/whatis-phs
+[ENTRA-7]: /entra/identity/hybrid/connect/how-to-connect-pta
+
+[SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa
+[SER-2]: /windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods
[KB-1]: https://support.microsoft.com/topic/5010415
[KB-2]: https://support.microsoft.com/topic/5010414
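Review bot: Removing the duplicate `[ENTRA-2]` definition is right, but the URL being discarded (`/entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises`) is the target the `[enabling passwordless security key sign-in to on-premises resources][ENTRA-1]` link in the cloud Kerberos trust note actually wants; `[ENTRA-1]` resolves to `concept-mfa-howitworks`. Rather than dropping it, give it a fresh key (for example `[ENTRA-8]`) and repoint that link, otherwise the note keeps sending readers to the MFA overview. The `[SERV-1]` to `[SER-2]` rename is pure churn with the same URL; fine if the `SER-` prefix is the convention, but it is what forced the otherwise no-op change in the MFA hunk.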