From 49064c416e12cac976e9695b3284559d4bef3d8f Mon Sep 17 00:00:00 2001
From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com>
Date: Mon, 27 May 2019 18:44:04 -0500
Subject: [PATCH] Update hello-hybrid-key-trust-prereqs.md

---
 .../hello-for-business/hello-hybrid-key-trust-prereqs.md        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index 9b3432c015..49d1951638 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -63,7 +63,7 @@ The minimum required enterprise certificate authority that can be used with Wind
 * The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL.
 * Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name).
 * The certificate Key Usage section must contain Digital Signature and Key Encipherment.
-* Optionally, the certificate Basic Constraints section should contain:
+* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].
 * The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1).
 * The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name.  
 * The certificate template must have an extension that has the BMP data value "DomainController".