Refactor cloud.md and hybrid-cloud-kerberos-trust.md files

windows/security/identity-protection/hello-for-business/deploy/cloud.md

@@ -10,10 +10,10 @@ ms.topic: how-to
 
 [!INCLUDE [requirements](includes/requirements.md)]
 
-:ballot_box_with_check: Authentication to Microsoft Entra ID
+1. Authentication to Microsoft Entra ID
-  :ballot_box_with_check: Multifactor authentication
+  1. Multifactor authentication
-:ballot_box_with_check: Device configuration
+1. Device configuration
-:ballot_box_with_check: Licensing for cloud services
+1. Licensing for cloud services
 
 ## Introduction
 

windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md

@@ -11,19 +11,19 @@ ms.topic: tutorial
 
 [!INCLUDE [requirements](includes/requirements.md)]
 
-:ballot_box_with_check: Deployment options
+1. Deployment options
-  :ballot_box_with_check: Deploment models
+  1. Deploment models
-  :ballot_box_with_check: Trust types
+  1. Trust types
-:ballot_box_with_check: Authentication
+1. Authentication
-  :ballot_box_with_check: Device registration
+  1. Device registration
-  :ballot_box_with_check: Key registration
+  1. Key registration
-  :ballot_box_with_check: Directory synchronization
+  1. Directory synchronization
-  :ballot_box_with_check: Multifactor authentication
+  1. Multifactor authentication
-:ballot_box_with_check: Device configuration
+1. Device configuration
-:ballot_box_with_check: Public Key Infrastructure
+1. Public Key Infrastructure
-:ballot_box_with_check: Licensing for cloud services
+1. Licensing for cloud services
-:ballot_box_with_check: Windows requirements
+1. Windows requirements
-:ballot_box_with_check: Windows Server requirements
+1. Windows Server requirements
 
 ## Deployment steps
 

windows/security/identity-protection/hello-for-business/deploy/index.md

@@ -24,21 +24,22 @@ This guide removes the appearance of complexity by helping you make decisions on
 
 Read this document and record your decisions. When finished, you should have all the necessary information to determine requirements and the next steps for your Windows Hello for Business deployment.
 
-There are 7 major categories to consider when planning a Windows Hello for Business deployment:
+There are 8 major categories to consider when planning a Windows Hello for Business deployment:
 
-:ballot_box_with_check: Deployment options
+- Deployment options
-  :ballot_box_with_check: Deploment models
+  - Deploment models
-  :ballot_box_with_check: Trust types
+  - Trust types
-:ballot_box_with_check: Authentication
+- Authentication
-  :ballot_box_with_check: Device registration
+  - Device registration
-  :ballot_box_with_check: Key registration
+  - Key registration
-  :ballot_box_with_check: Directory synchronization
+  - Directory synchronization
-  :ballot_box_with_check: Multifactor authentication
+  - Multifactor authentication
-:ballot_box_with_check: Device configuration
+- Device configuration
-:ballot_box_with_check: Public Key Infrastructure
+- Public Key Infrastructure
-:ballot_box_with_check: Licensing for cloud services
+- Licensing for cloud services
-:ballot_box_with_check: Windows requirements
+- Windows requirements
-:ballot_box_with_check: Windows Server requirements
+- Windows Server requirements
+- Prepare users to use Windows Hello
 
 ## Deployment Options
 
@@ -180,7 +181,7 @@ Update-MgDomainFederationConfiguration -DomainId $DomainId -FederatedIdpMfaBehav
 
 If you configure the flag with a value of either `acceptIfMfaDoneByFederatedIdp` (default) or `enforceMfaByFederatedIdp`, you must verify that your federated IDP is correctly configured and working with the MFA adapter and provider used by your IdP.
 
-### Device configuration
+## Device configuration
 
 Windows Hello for Business provides organizations with a rich set of granular policy settings with which they can use to configure their devices. There are two main options to configure Windows Hello for Business: configuration service provider (CSP) and group policy (GPO).
 
@@ -193,7 +194,7 @@ Windows Hello for Business provides organizations with a rich set of granular po
 | :black_square_button:|Hybrid| CSP (MDM) or Active Directory GPOs |
 | :black_square_button:|On-premises | Active Directory GPOs |
 
-### Public Key Infrastructure (PKI)
+## Public Key Infrastructure (PKI)
 
 While cloud Kerberos trust is the only hybrid deployment option that doesn't require the deployment of any certificates, the other hybrid and on-premises models depend on an enterprise PKI as a trust anchor for authentication:
 
@@ -207,7 +208,7 @@ While cloud Kerberos trust is the only hybrid deployment option that doesn't req
 | :black_square_button:|Hybrid| :black_square_button: **Cloud Kerberos trust**: not required <br> :black_square_button: **Key trust**: required <br> :black_square_button: **Certificate trust**: required|
 | :black_square_button:|On-premises | required |
 
-### Licensing for cloud services
+## Licensing for cloud services
 
 Here are some considerations regarding licensing requirements for cloud services:
 
@@ -223,7 +224,7 @@ Here are some considerations regarding licensing requirements for cloud services
 | :black_square_button: |Hybrid| :black_square_button: **Cloud Kerberos trust**: not required <br> :black_square_button: **Key trust**: not required <br> :black_square_button: **Certificate trust**: Microsoft Entra ID P1|
 | :black_square_button: |On-premises | Azure MFA, if used as MFA solution |
 
-### Windows requirements
+## Windows requirements
 
 All supported Windows 10 and Windows 11 versions can be used with Windows Hello for Business. However, cloud Kerberos trust requires minimum versions:
 
@@ -233,7 +234,7 @@ All supported Windows 10 and Windows 11 versions can be used with Windows Hello
 | :black_square_button:|Hybrid| :black_square_button: **Cloud Kerberos trust**: Windows 10 21H2, with [KB5010415][KB-1] and later; Windows 11 21H2, with [KB5010414][KB-2] and later  <br> :black_square_button: **Key trust**: All supported versions <br> :black_square_button: **Certificate trust**: All supported versions|
 | :black_square_button:|On-premises | All supported versions |
 
-### Windows Server requirements
+## Windows Server requirements
 
 All supported Windows Server versions can be used with Windows Hello for Business as Domain Controller. However, cloud Kerberos trust requires minimum versions:
 
@@ -243,6 +244,25 @@ All supported Windows Server versions can be used with Windows Hello for Busines
 | :black_square_button:|Hybrid| :black_square_button: **Cloud Kerberos trust**: Windows Server 2016, [KB3534307][KB-3]; Windows Server 2019, [KB4534321][KB-4], Windows Server 2022  <br> :black_square_button: **Key trust**: All supported versions <br> :black_square_button: **Certificate trust**: All supported versions|
 | :black_square_button:|On-premises | All supported versions |
 
+## Prepare users to use Windows Hello
+
+When you enable Windows Hello for Business in your organization, make sure to prepare the users by explaining how to enroll and use Windows Hello.
+
+Ensure you have a strategy in place to ensure the users have an MFA option that is easy to use during enrollment.
+
+Depending on the hardware, users might be prompted to register their fingerprint or face.
+
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7]
+
+After enrollment in Windows Hello, users should use their gesture (such as a PIN or fingerprint) for access to their devices and corporate resources.
+
+> [!NOTE]
+> The gesture is only valid on the enrolled device.
+
+Although the organization might require users to change their Active Directory or Microsoft Entra account password at regular intervals, changes to their passwords have no effect on Hello.
+
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=44c16430-756f-490a-9fc1-80e2724fef8d]
+
 ## Next steps
 
 Now that you've read about the different deployment options and requirements, you can choose the implementation that best suits your organization.
@@ -258,17 +278,6 @@ Now that you've read about the different deployment options and requirements, yo
 > - [(on-premises | certificate trust)](on-premises-cert-trust.md)
 
 <!--
-## Prepare users to use Windows Hello
-
-When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to enroll and use Windows Hello.
-
-> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7]
-
-After enrollment in Hello, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device.
-
-Although the organization may require users to change their Active Directory or Microsoft Entra account password at regular intervals, changes to their passwords have no effect on Hello.
-
-> [!VIDEO https://learn-video.azurefd.net/vod/player?id=44c16430-756f-490a-9fc1-80e2724fef8d]
 
 ## On devices owned by the organization