From 5c201c955e83cba073dc554fdbeaf3a98a488e27 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Fri, 15 Dec 2023 15:56:54 -0500
Subject: [PATCH] Restructure of deployment guides

---
 .../cloud.md}                                 |  4 +--
 .../deploy/hybrid-cert-trust-pki.md           | 16 ++++-----
 .../deploy/hybrid-cert-trust.md               |  2 +-
 .../hybrid-cloud-kerberos-trust-enroll.md}    |  2 +-
 .../hybrid-cloud-kerberos-trust.md}           |  4 +--
 .../hybrid-key-trust-enroll.md}               |  2 +-
 .../hybrid-key-trust-pki.md}                  |  4 +--
 .../hybrid-key-trust.md}                      |  6 ++--
 .../deploy/includes/apply-to-cloud.md         |  9 +++++
 .../apply-to-hybrid-cert-trust-entra.md       |  6 ++--
 .../includes/apply-to-hybrid-cert-trust.md    |  8 ++---
 .../apply-to-hybrid-cloud-kerberos-trust.md   | 10 ++++++
 .../apply-to-hybrid-key-and-cert-trust.md     | 10 ++++++
 .../includes/apply-to-hybrid-key-trust.md     | 10 ++++++
 .../apply-to-on-premises-cert-trust-entra.md  |  6 ++--
 .../apply-to-on-premises-key-trust.md         | 10 ++++++
 .../includes/auth-certificate-template.md     |  0
 .../includes/dc-certificate-deployment.md     |  0
 .../includes/dc-certificate-supersede.md      |  0
 .../includes/dc-certificate-template.md       |  0
 .../includes/dc-certificate-validate.md       |  0
 .../enrollment-agent-certificate-template.md  |  0
 .../deploy/includes/information.svg           |  3 ++
 .../includes/intro.md}                        |  0
 .../includes/lab-based-pki-deploy.md          |  0
 .../includes/tooltip-deployment-cloud.md      |  6 ++++
 .../includes/tooltip-deployment-hybrid.md     |  6 ++++
 .../includes/tooltip-deployment-onpremises.md |  6 ++++
 .../deploy/includes/tooltip-join-domain.md    |  6 ++++
 .../deploy/includes/tooltip-join-entra.md     |  6 ++++
 .../deploy/includes/tooltip-join-hybrid.md    |  6 ++++
 ...ip-cert-trust.md => tooltip-trust-cert.md} |  0
 .../includes/tooltip-trust-cloud-kerberos.md  |  6 ++++
 .../deploy/includes/tooltip-trust-key.md      |  6 ++++
 .../unpublish-superseded-templates.md         |  0
 .../web-server-certificate-template.md        | 12 +++----
 .../index.md}                                 | 16 ++++-----
 .../deploy/on-premises-cert-trust-pki.md      | 18 +++++-----
 .../on-premises-key-trust-adfs.md}            |  4 +--
 .../on-premises-key-trust-enroll.md}          |  2 +-
 .../on-premises-key-trust-mfa.md}             |  4 +--
 .../on-premises-key-trust-pki.md}             |  4 +--
 .../deploy/on-premises-key-trust.md           | 35 +++++++++++++++++++
 .../requirements.md}                          |  0
 .../hello-for-business/deploy/toc.yml         | 28 +++++++--------
 .../hello-deployment-key-trust.md             | 17 ---------
 .../hello-how-it-works-technology.md          |  2 +-
 .../hello-hybrid-aadj-sso.md                  |  2 +-
 .../hello-key-trust-validate-ad-prereq.md     | 35 -------------------
 .../hello-planning-guide.md                   |  2 +-
 .../includes/hello-cloud.md                   |  9 -----
 .../includes/hello-deployment-cloud.md        |  6 ----
 .../includes/hello-deployment-hybrid.md       |  6 ----
 .../includes/hello-deployment-onpremises.md   |  6 ----
 .../includes/hello-hybrid-cloudkerb-trust.md  | 10 ------
 .../includes/hello-hybrid-key-trust.md        | 10 ------
 .../hello-hybrid-keycert-trust-aad.md         | 10 ------
 .../includes/hello-join-aad.md                |  6 ----
 .../includes/hello-join-domain.md             |  6 ----
 .../includes/hello-join-hybrid.md             |  6 ----
 .../includes/hello-on-premises-key-trust.md   | 10 ------
 .../includes/hello-trust-cloud-kerberos.md    |  6 ----
 .../includes/hello-trust-key.md               |  6 ----
 .../hello-for-business/toc.yml                |  2 ++
 64 files changed, 213 insertions(+), 227 deletions(-)
 rename windows/security/identity-protection/hello-for-business/{hello-aad-join-cloud-only-deploy.md => deploy/cloud.md} (97%)
 rename windows/security/identity-protection/hello-for-business/{hello-hybrid-cloud-kerberos-trust-provision.md => deploy/hybrid-cloud-kerberos-trust-enroll.md} (99%)
 rename windows/security/identity-protection/hello-for-business/{hello-hybrid-cloud-kerberos-trust.md => deploy/hybrid-cloud-kerberos-trust.md} (98%)
 rename windows/security/identity-protection/hello-for-business/{hello-hybrid-key-trust-provision.md => deploy/hybrid-key-trust-enroll.md} (99%)
 rename windows/security/identity-protection/hello-for-business/{hello-hybrid-key-trust-validate-pki.md => deploy/hybrid-key-trust-pki.md} (98%)
 rename windows/security/identity-protection/hello-for-business/{hello-hybrid-key-trust.md => deploy/hybrid-key-trust.md} (96%)
 create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-cloud.md
 create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cloud-kerberos-trust.md
 create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-and-cert-trust.md
 create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-trust.md
 create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-key-trust.md
 rename windows/security/identity-protection/hello-for-business/{ => deploy}/includes/auth-certificate-template.md (100%)
 rename windows/security/identity-protection/hello-for-business/{ => deploy}/includes/dc-certificate-deployment.md (100%)
 rename windows/security/identity-protection/hello-for-business/{ => deploy}/includes/dc-certificate-supersede.md (100%)
 rename windows/security/identity-protection/hello-for-business/{ => deploy}/includes/dc-certificate-template.md (100%)
 rename windows/security/identity-protection/hello-for-business/{ => deploy}/includes/dc-certificate-validate.md (100%)
 rename windows/security/identity-protection/hello-for-business/{ => deploy}/includes/enrollment-agent-certificate-template.md (100%)
 create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/information.svg
 rename windows/security/identity-protection/hello-for-business/{includes/hello-intro.md => deploy/includes/intro.md} (100%)
 rename windows/security/identity-protection/hello-for-business/{ => deploy}/includes/lab-based-pki-deploy.md (100%)
 create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md
 create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md
 create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md
 create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md
 create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md
 create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md
 rename windows/security/identity-protection/hello-for-business/deploy/includes/{tooltip-cert-trust.md => tooltip-trust-cert.md} (100%)
 create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
 create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
 rename windows/security/identity-protection/hello-for-business/{ => deploy}/includes/unpublish-superseded-templates.md (100%)
 rename windows/security/identity-protection/hello-for-business/{ => deploy}/includes/web-server-certificate-template.md (79%)
 rename windows/security/identity-protection/hello-for-business/{hello-deployment-guide.md => deploy/index.md} (89%)
 rename windows/security/identity-protection/hello-for-business/{hello-key-trust-adfs.md => deploy/on-premises-key-trust-adfs.md} (99%)
 rename windows/security/identity-protection/hello-for-business/{hello-key-trust-policy-settings.md => deploy/on-premises-key-trust-enroll.md} (99%)
 rename windows/security/identity-protection/hello-for-business/{hello-key-trust-validate-deploy-mfa.md => deploy/on-premises-key-trust-mfa.md} (93%)
 rename windows/security/identity-protection/hello-for-business/{hello-key-trust-validate-pki.md => deploy/on-premises-key-trust-pki.md} (95%)
 create mode 100644 windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
 rename windows/security/identity-protection/hello-for-business/{hello-identity-verification.md => deploy/requirements.md} (100%)
 delete mode 100644 windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
 delete mode 100644 windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
 delete mode 100644 windows/security/identity-protection/hello-for-business/includes/hello-cloud.md
 delete mode 100644 windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md
 delete mode 100644 windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md
 delete mode 100644 windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md
 delete mode 100644 windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cloudkerb-trust.md
 delete mode 100644 windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust.md
 delete mode 100644 windows/security/identity-protection/hello-for-business/includes/hello-hybrid-keycert-trust-aad.md
 delete mode 100644 windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md
 delete mode 100644 windows/security/identity-protection/hello-for-business/includes/hello-join-domain.md
 delete mode 100644 windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md
 delete mode 100644 windows/security/identity-protection/hello-for-business/includes/hello-on-premises-key-trust.md
 delete mode 100644 windows/security/identity-protection/hello-for-business/includes/hello-trust-cloud-kerberos.md
 delete mode 100644 windows/security/identity-protection/hello-for-business/includes/hello-trust-key.md

diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/deploy/cloud.md
similarity index 97%
rename from windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
rename to windows/security/identity-protection/hello-for-business/deploy/cloud.md
index 58eac4892c..d2695cb7eb 100644
--- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/cloud.md
@@ -6,7 +6,7 @@ ms.topic: how-to
 ---
 # Cloud-only deployment
 
-[!INCLUDE [hello-hybrid-key-trust](./includes/hello-cloud.md)]
+[!INCLUDE [apply-to-cloud](includes/apply-to-cloud.md)]
 
 ## Introduction
 
@@ -21,7 +21,7 @@ You may wish to disable the automatic Windows Hello for Business enrollment prom
 
 Cloud only deployments will use Microsoft Entra multifactor authentication (MFA) during Windows Hello for Business enrollment, and there's no additional MFA configuration needed. If you aren't already registered in MFA, you'll be guided through the MFA registration as part of the Windows Hello for Business enrollment process.
 
-The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#azure-ad-cloud-only-deployment).
+The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](requirements.md#azure-ad-cloud-only-deployment).
 
 It's possible for federated domains to configure the *FederatedIdpMfaBehavior* flag. The flag instructs Microsoft Entra ID to accept, enforce, or reject the MFA challenge from the federated IdP. For more information, see [federatedIdpMfaBehavior values](/graph/api/resources/internaldomainfederation#federatedidpmfabehavior-values). To check this setting, use the following PowerShell command:
 
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
index 38b871bba1..b20e3a55c4 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
@@ -18,11 +18,11 @@ Windows Hello for Business must have a Public Key Infrastructure (PKI) when usin
 
 Hybrid certificate trust deployments issue users a sign-in certificate, enabling them to authenticate to Active Directory using Windows Hello for Business credentials. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates.
 
-[!INCLUDE [lab-based-pki-deploy](../includes/lab-based-pki-deploy.md)]
+[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]
 
 ## Configure the enterprise PKI
 
-[!INCLUDE [dc-certificate-template](../includes/dc-certificate-template.md)]
+[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
 
 > [!NOTE]
 > Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for Microsoft Entra hybrid joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Microsoft Entra joined devices.
@@ -33,13 +33,13 @@ Hybrid certificate trust deployments issue users a sign-in certificate, enabling
 > - Install the root CA certificate in the device's trusted root certificate store. See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune
 > - Publish your certificate revocation list to a location that is available to Microsoft Entra joined devices, such as a web-based URL
 
-[!INCLUDE [dc-certificate-template-supersede](../includes/dc-certificate-supersede.md)]
+[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
 
-[!INCLUDE [enrollment-agent-certificate-template](../includes/enrollment-agent-certificate-template.md)]
+[!INCLUDE [enrollment-agent-certificate-template](includes/enrollment-agent-certificate-template.md)]
 
-[!INCLUDE [auth-certificate-template](../includes/auth-certificate-template.md)]
+[!INCLUDE [auth-certificate-template](includes/auth-certificate-template.md)]
 
-[!INCLUDE [unpublish-superseded-templates](../includes/unpublish-superseded-templates.md)]
+[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
 
 ### Publish the certificate templates to the CA
 
@@ -59,11 +59,11 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
 
 ## Configure and deploy certificates to domain controllers
 
-[!INCLUDE [dc-certificate-deployment](../includes/dc-certificate-deployment.md)]
+[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]
 
 ## Validate the configuration
 
-[!INCLUDE [dc-certificate-validate](../includes/dc-certificate-validate.md)]
+[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
 
 ## Section review and next steps
 
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
index 44cb5bf3a4..1e1abbb130 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
@@ -20,7 +20,7 @@ Hybrid environments are distributed systems that enable organizations to use on-
 This deployment guide describes how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
 
 > [!IMPORTANT]
-> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](../hello-hybrid-cloud-kerberos-trust.md).
+> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](../hybrid-clud-kerberos-trust.md).
 
 It's recommended that you review the [Windows Hello for Business planning guide](../hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md
similarity index 99%
rename from windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
rename to windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md
index 7b4394d51f..918d86d832 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md
@@ -8,7 +8,7 @@ ms.topic: tutorial
 ---
 # Configure and provision Windows Hello for Business - cloud Kerberos trust
 
-[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-cloudkerb-trust.md)]
+[!INCLUDE [hello-hybrid-key-trust](includes/hello-hybrid-cloudkerb-trust.md)]
 
 ## Deployment steps
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
similarity index 98%
rename from windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
rename to windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
index 464e918a1e..fb61f15acf 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
@@ -8,7 +8,7 @@ ms.topic: tutorial
 ---
 # Cloud Kerberos trust deployment
 
-[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-cloudkerb-trust.md)]
+[!INCLUDE [apply-to-hybrid-cloud-kerberos-trust](includes/apply-to-hybrid-cloud-kerberos-trust.md)]
 
 Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in a *cloud Kerberos trust* scenario.
 
@@ -84,7 +84,7 @@ Once the prerequisites are met, deploying Windows Hello for Business with a clou
 > * Provision Windows Hello for Business on Windows clients
 
 > [!div class="nextstepaction"]
-> [Next: configure and provision Windows Hello for Business >](hello-hybrid-cloud-kerberos-trust-provision.md)
+> [Next: configure and provision Windows Hello for Business >](hybrid-clud-kerberos-trust-enroll.md)
 
 <!--Links-->
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
similarity index 99%
rename from windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md
rename to windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
index dc8d3d3a24..c36e2167e1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
@@ -7,7 +7,7 @@ ms.topic: tutorial
 
 # Configure and enroll in Windows Hello for Business - hybrid key trust
 
-[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-key-trust.md)]
+[!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)]
 
 After the prerequisites are met and the PKI configuration is validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md
similarity index 98%
rename from windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md
rename to windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md
index f39545b8e8..299039ae2e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
 ---
 # Configure and validate the Public Key Infrastructure - hybrid key trust
 
-[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-key-trust.md)]
+[!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)]
 
 Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* model. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
 
@@ -97,7 +97,7 @@ Before moving to the next section, ensure the following steps are complete:
 > - Validate the domain controllers configuration
 
 > [!div class="nextstepaction"]
-> [Next: configure and provision Windows Hello for Business >](hello-hybrid-key-trust-provision.md)
+> [Next: configure and provision Windows Hello for Business >](hybrid-key-trust-enroll.md)
 
 <!--links-->
 [SERV-1]: /troubleshoot/windows-server/windows-security/requirements-domain-controller
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
similarity index 96%
rename from windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
rename to windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
index a0a36f2cc0..ac811a8a9d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
@@ -12,14 +12,14 @@ ms.topic: how-to
 ---
 # Hybrid key trust deployment
 
-[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-key-trust.md)]
+[!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)]
 
 Hybrid environments are distributed systems that enable organizations to use on-premises and Microsoft Entra protected resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources.
 
 This deployment guide describes how to deploy Windows Hello for Business in a hybrid key trust scenario.
 
 > [!IMPORTANT]
-> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. For more information, see [cloud Kerberos trust deployment](hello-hybrid-cloud-kerberos-trust.md).
+> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. For more information, see [cloud Kerberos trust deployment](hybrid-clud-kerberos-trust.md).
 
 It is recommended that you review the [Windows Hello for Business planning guide](hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.
 
@@ -94,7 +94,7 @@ Once the prerequisites are met, deploying Windows Hello for Business with a hybr
 > * Configure single sign-on (SSO) for Microsoft Entra joined devices
 
 > [!div class="nextstepaction"]
-> [Next: configure and validate the Public Key Infrastructure >](hello-hybrid-key-trust-validate-pki.md)
+> [Next: configure and validate the Public Key Infrastructure >](hybrid-key-trust-pki.md)
 
 <!--links-->
 [AZ-1]: /azure/active-directory/hybrid/how-to-connect-sync-whatis
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-cloud.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-cloud.md
new file mode 100644
index 0000000000..69c159b0a2
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-cloud.md
@@ -0,0 +1,9 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[!INCLUDE [intro](intro.md)]
+- **Deployment type:** [!INCLUDE [tooltip-deployment-cloud](tooltip-deployment-cloud.md)]
+- **Join type:** [!INCLUDE [tootip-join-entra](tooltip-join-entra.md)]
+---
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust-entra.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust-entra.md
index 97bfdbe297..ce40bf460b 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust-entra.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust-entra.md
@@ -3,8 +3,8 @@ ms.date: 12/15/2023
 ms.topic: include
 ---
 
-[!INCLUDE [hello-intro](../../includes/hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](../../includes/hello-deployment-hybrid.md)]
+[!INCLUDE [intro](intro.md)]
+- **Deployment type:** [!INCLUDE [tooltip-deployment-hybrid](tooltip-deployment-hybrid.md)]
 - **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-cert-trust.md)]
-- **Join type:** [!INCLUDE [hello-join-aadj](../../includes/hello-join-aad.md)]
+- **Join type:** [!INCLUDE [tooltip-join-entra](tooltip-join-entra.md)]
 ---
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust.md
index 0b5a246fbe..4f8eb7e613 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust.md
@@ -3,8 +3,8 @@ ms.date: 12/15/2023
 ms.topic: include
 ---
 
-[!INCLUDE [hello-intro](../../includes/hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](../../includes/hello-deployment-hybrid.md)]
-- **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-cert-trust.md)]
-- **Join type:** [!INCLUDE [hello-join-aadj](../../includes/hello-join-aad.md)], [!INCLUDE [hello-join-hybrid](../../includes/hello-join-hybrid.md)]
+[!INCLUDE [intro](intro.md)]
+- **Deployment type:** [!INCLUDE [tooltip-deployment-hybrid](tooltip-deployment-hybrid.md)]
+- **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-trust-cert.md)]
+- **Join type:** [!INCLUDE [tooltip-join-entra](tooltip-join-entra.md)], [!INCLUDE [tooltip-join-hybrid](tooltip-join-hybrid.md)]
 ---
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cloud-kerberos-trust.md
new file mode 100644
index 0000000000..9fd4c16a63
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cloud-kerberos-trust.md
@@ -0,0 +1,10 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[!INCLUDE [intro](intro.md)]
+- **Deployment type:** [!INCLUDE [tooltip-deployment-hybrid](tooltip-deployment-hybrid.md)]
+- **Trust type:** [!INCLUDE [tooltip-trust-cloud-kerberos](tooltip-trust-cloud-kerberos.md)]
+- **Join type:** [!INCLUDE [tooltip-join-entra](tooltip-join-entra.md)], [!INCLUDE [tooltip-join-hybrid](tooltip-join-hybrid.md)]
+---
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-and-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-and-cert-trust.md
new file mode 100644
index 0000000000..7b367e4025
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-and-cert-trust.md
@@ -0,0 +1,10 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[!INCLUDE [intro](intro.md)]
+- **Deployment type:** [!INCLUDE [tooltip-deployment-hybrid](tooltip-deployment-hybrid.md)]
+- **Trust type:** [!INCLUDE [tooltip-trust-key](tooltip-trust-key.md)],[!INCLUDE [tooltip-cert-trust](../deploy/includes/tooltip-cert-trust.md)]
+- **Join type:** [!INCLUDE [tooltip-join-entra](tooltip-join-entra.md)]
+---
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-trust.md
new file mode 100644
index 0000000000..a74e9ead78
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-trust.md
@@ -0,0 +1,10 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[!INCLUDE [intro](intro.md)]
+- **Deployment type:** [!INCLUDE [tooltip-deployment-hybrid](tooltip-deployment-hybrid.md)]
+- **Trust type:** [!INCLUDE [tooltip-trust-key](tooltip-trust-key.md)]
+- **Join type:** [!INCLUDE [tooltip-join-entra](tooltip-join-entra.md)], [!INCLUDE [tooltip-join-hybrid](tooltip-join-hybrid.md)]
+---
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust-entra.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust-entra.md
index 5f64fba40f..d7a1ab9c2f 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust-entra.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust-entra.md
@@ -3,8 +3,8 @@ ms.date: 12/15/2023
 ms.topic: include
 ---
 
-[!INCLUDE [hello-intro](../../includes/hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-onpremises](../../includes/hello-deployment-onpremises.md)]
+[!INCLUDE [intro](intro.md)]
+- **Deployment type:** [!INCLUDE [tooltip-deployment-onpremises](tooltip-deployment-onpremises.md)]
 - **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-cert-trust.md)]
-- **Join type:** [!INCLUDE [hello-join-domain](../../includes/hello-join-domain.md)]
+- **Join type:** [!INCLUDE [tooltip-join-domain](tooltip-join-domain.md)]
 ---
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-key-trust.md
new file mode 100644
index 0000000000..1966807ca5
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-key-trust.md
@@ -0,0 +1,10 @@
+---
+ms.date: 12/08/2022
+ms.topic: include
+---
+
+[!INCLUDE [intro](intro.md)]
+- **Deployment type:** [!INCLUDE [tooltip-deployment-onpremises](tooltip-deployment-onpremises.md)]
+- **Trust type:** [!INCLUDE [tooltip-trust-key](tooltip-trust-key.md)]
+- **Join type:** [!INCLUDE [tooltip-join-domain](tooltip-join-domain.md)]
+---
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/includes/auth-certificate-template.md b/windows/security/identity-protection/hello-for-business/deploy/includes/auth-certificate-template.md
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/includes/auth-certificate-template.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/auth-certificate-template.md
diff --git a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-deployment.md b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-deployment.md
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/includes/dc-certificate-deployment.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-deployment.md
diff --git a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-supersede.md b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-supersede.md
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/includes/dc-certificate-supersede.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-supersede.md
diff --git a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-template.md b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-template.md
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/includes/dc-certificate-template.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-template.md
diff --git a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-validate.md b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-validate.md
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/includes/dc-certificate-validate.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-validate.md
diff --git a/windows/security/identity-protection/hello-for-business/includes/enrollment-agent-certificate-template.md b/windows/security/identity-protection/hello-for-business/deploy/includes/enrollment-agent-certificate-template.md
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/includes/enrollment-agent-certificate-template.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/enrollment-agent-certificate-template.md
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/information.svg b/windows/security/identity-protection/hello-for-business/deploy/includes/information.svg
new file mode 100644
index 0000000000..bc692eabb9
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/information.svg
@@ -0,0 +1,3 @@
+<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
+  <path d="M8 7C8.27614 7 8.5 7.22386 8.5 7.5V10.5C8.5 10.7761 8.27614 11 8 11C7.72386 11 7.5 10.7761 7.5 10.5V7.5C7.5 7.22386 7.72386 7 8 7ZM8.00001 6.24907C8.41369 6.24907 8.74905 5.91371 8.74905 5.50003C8.74905 5.08635 8.41369 4.751 8.00001 4.751C7.58633 4.751 7.25098 5.08635 7.25098 5.50003C7.25098 5.91371 7.58633 6.24907 8.00001 6.24907ZM2 8C2 4.68629 4.68629 2 8 2C11.3137 2 14 4.68629 14 8C14 11.3137 11.3137 14 8 14C4.68629 14 2 11.3137 2 8ZM8 3C5.23858 3 3 5.23858 3 8C3 10.7614 5.23858 13 8 13C10.7614 13 13 10.7614 13 8C13 5.23858 10.7614 3 8 3Z" fill="#0078D4" />
+</svg>
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-intro.md b/windows/security/identity-protection/hello-for-business/deploy/includes/intro.md
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/includes/hello-intro.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/intro.md
diff --git a/windows/security/identity-protection/hello-for-business/includes/lab-based-pki-deploy.md b/windows/security/identity-protection/hello-for-business/deploy/includes/lab-based-pki-deploy.md
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/includes/lab-based-pki-deploy.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/lab-based-pki-deploy.md
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md
new file mode 100644
index 0000000000..dc0a2c315a
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md
@@ -0,0 +1,6 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[cloud :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-deployment "For organizations using Microsoft Entra-only identities. Device management is usually done via Intune/MDM")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md
new file mode 100644
index 0000000000..5df4ec742e
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md
@@ -0,0 +1,6 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[hybrid :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Microsoft Entra ID. Device management is usually done via Group Policy or Intune/MDM")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md
new file mode 100644
index 0000000000..12dfec5f8a
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md
@@ -0,0 +1,6 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[on-premises :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Microsoft Entra ID. Device management is usually done via Group Policy")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md
new file mode 100644
index 0000000000..bb7302821e
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md
@@ -0,0 +1,6 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[domain join :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md
new file mode 100644
index 0000000000..8c5916ead4
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md
@@ -0,0 +1,6 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[Microsoft Entra join :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#azure-active-directory-join "Devices that are Microsoft Entra joined do not have any dependencies on Active Directory. Only local users accounts and Microsoft Entra users can sign in to these devices")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md
new file mode 100644
index 0000000000..e825d14f2d
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md
@@ -0,0 +1,6 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[Microsoft Entra hybrid join :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are Microsoft Entra hybrid joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Microsoft Entra ID will have single-sign on to both Active Directory and Microsoft Entra protected resources")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-cert-trust.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
new file mode 100644
index 0000000000..4f19945d64
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
@@ -0,0 +1,6 @@
+---
+ms.date: 12/08/2022
+ms.topic: include
+---
+
+[cloud Kerberos trust :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-kerberos-trust "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that do not need certificate authentication")
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
new file mode 100644
index 0000000000..2f901dc761
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
@@ -0,0 +1,6 @@
+---
+ms.date: 12/08/2022
+ms.topic: include
+---
+
+[key trust :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#key-trust "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers")
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/includes/unpublish-superseded-templates.md b/windows/security/identity-protection/hello-for-business/deploy/includes/unpublish-superseded-templates.md
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/includes/unpublish-superseded-templates.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/unpublish-superseded-templates.md
diff --git a/windows/security/identity-protection/hello-for-business/includes/web-server-certificate-template.md b/windows/security/identity-protection/hello-for-business/deploy/includes/web-server-certificate-template.md
similarity index 79%
rename from windows/security/identity-protection/hello-for-business/includes/web-server-certificate-template.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/web-server-certificate-template.md
index 8ba241a5c8..1bde4860fe 100644
--- a/windows/security/identity-protection/hello-for-business/includes/web-server-certificate-template.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/web-server-certificate-template.md
@@ -15,13 +15,13 @@ Sign in to a CA or management workstations with *Domain Administrator* equivalen
 1. Use the following table to configure the template:
 
     | Tab Name | Configurations |
-    | --- | --- |
-    | *Compatibility* | <ul><li>Clear the **Show resulting changes** check box</li><li>Select **Windows Server 2016** from the *Certification Authority list*</li><li>Select **Windows 10 / Windows Server 2016** from the *Certification Recipient list*</li></ul>|
-    | *General* | <ul><li>Specify a **Template display name**, for example *Internal Web Server*</li><li>Set the validity period to the desired value</li><li>Take note of the template name for later, which should be the same as the Template display name minus spaces</li></ul>|
+    |--|--|
+    | *Compatibility* | <ul><li>Clear the **Show resulting changes** check box</li><li>Select **Windows Server 2016** from the *Certification Authority list*</li><li>Select **Windows 10 / Windows Server 2016** from the *Certification Recipient list*</li></ul> |
+    | *General* | <ul><li>Specify a **Template display name**, for example *Internal Web Server*</li><li>Set the validity period to the desired value</li><li>Take note of the template name for later, which should be the same as the Template display name minus spaces</li></ul> |
     | *Request Handling* | Select **Allow private key to be exported** |
-    | *Subject Name* | Select **Supply in the request**|
-    |*Security*|Add **Domain Computers** with **Enroll** access|
-    |*Cryptography*|<ul><li>Set the *Provider Category* to **Key Storage Provider**</li><li>Set the *Algorithm name* to **RSA**</li><li>Set the *minimum key size* to **2048**</li><li>Set the *Request hash* to **SHA256**</li>|
+    | *Subject Name* | Select **Supply in the request** |
+    | *Security* | Add **Domain Computers** with **Enroll** access |
+    | *Cryptography* | <ul><li>Set the *Provider Category* to **Key Storage Provider**</li><li>Set the *Algorithm name* to **RSA**</li><li>Set the *minimum key size* to **2048**</li><li>Set the *Request hash* to **SHA256**</li> |
 
 1. Select **OK** to finalize your changes and create the new template
 1. Close the console
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/deploy/index.md
similarity index 89%
rename from windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
rename to windows/security/identity-protection/hello-for-business/deploy/index.md
index 97658da366..4f8b485100 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/index.md
@@ -12,7 +12,7 @@ Windows Hello for Business is the springboard to a world without passwords. It r
 
 This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) guide to determine the right deployment model for your organization.
 
-Once you've chosen a deployment model, the deployment guide for that model will provide you with the information needed to successfully deploy Windows Hello for Business in your environment. Read the [Windows Hello for Business Deployment Prerequisite Overview](hello-identity-verification.md) for a summary of the prerequisites for each different Windows Hello for Business deployment model.
+Once you've chosen a deployment model, the deployment guide for that model will provide you with the information needed to successfully deploy Windows Hello for Business in your environment. Read the [Windows Hello for Business Deployment Prerequisite Overview](requirements.md) for a summary of the prerequisites for each different Windows Hello for Business deployment model.
 
 ## Requirements
 
@@ -44,18 +44,18 @@ The trust model determines how you want users to authenticate to the on-premises
 - The certificate trust model also supports enterprises, which aren't ready to deploy Windows Server 2016 Domain Controllers.
 
 > [!NOTE]
-> RDP does not support authentication with Windows Hello for Business Key Trust or cloud Kerberos trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business Key Trust and cloud Kerberos trust can be used with [Remote Credential Guard](../remote-credential-guard.md).
+> RDP does not support authentication with Windows Hello for Business Key Trust or cloud Kerberos trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business Key Trust and cloud Kerberos trust can be used with [Remote Credential Guard](../../remote-credential-guard.md).
 
 Following are the various deployment guides and models included in this topic:
 
-- [Microsoft Entra hybrid joined cloud Kerberos trust Deployment](hello-hybrid-cloud-kerberos-trust.md)
-- [Microsoft Entra hybrid joined Key Trust Deployment](hello-hybrid-key-trust.md)
-- [Microsoft Entra hybrid joined Certificate Trust Deployment](deploy/hybrid-cert-trust.md)
+- [Microsoft Entra hybrid joined cloud Kerberos trust Deployment](hybrid-clud-kerberos-trust.md)
+- [Microsoft Entra hybrid joined Key Trust Deployment](hybrid-key-trust.md)
+- [Microsoft Entra hybrid joined Certificate Trust Deployment](hybrid-cert-trust.md)
 - [Microsoft Entra join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)
-- [On Premises Key Trust Deployment](hello-deployment-key-trust.md)
-- [On Premises Certificate Trust Deployment](deploy/on-premises-cert-trust.md)
+- [On Premises Key Trust Deployment](hybrid-clud-kerberos-trust.md)
+- [On Premises Certificate Trust Deployment](on-premises-cert-trust.md)
 
-For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you'll need Microsoft Entra Connect to synchronize user accounts in the on-premises Active Directory with Microsoft Entra ID. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials aren't synchronized to Microsoft Entra ID. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](hello-key-trust-validate-deploy-mfa.md) and [for certificate trust](deploy/on-premises-cert-trust-mfa.md) deployments.
+For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you'll need Microsoft Entra Connect to synchronize user accounts in the on-premises Active Directory with Microsoft Entra ID. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials aren't synchronized to Microsoft Entra ID. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](on-premises-key-trust-mfa.md) and [for certificate trust](deploy/on-premises-cert-trust-mfa.md) deployments.
 
 ## Provisioning
 
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki.md
index 98f3054069..2c8db04a8f 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki.md
@@ -17,21 +17,21 @@ ms.topic: tutorial
 
 Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate.
 
-[!INCLUDE [lab-based-pki-deploy](../includes/lab-based-pki-deploy.md)]
+[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]
 
 ## Configure the enterprise PKI
 
-[!INCLUDE [dc-certificate-template](../includes/dc-certificate-template.md)]
+[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
 
-[!INCLUDE [dc-certificate-template-supersede](../includes/dc-certificate-supersede.md)]
+[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
 
-[!INCLUDE [web-server-certificate-template](../includes/web-server-certificate-template.md)]
+[!INCLUDE [web-server-certificate-template](includes/web-server-certificate-template.md)]
 
-[!INCLUDE [enrollment-agent-certificate-template](../includes/enrollment-agent-certificate-template.md)]
+[!INCLUDE [enrollment-agent-certificate-template](includes/enrollment-agent-certificate-template.md)]
 
-[!INCLUDE [auth-certificate-template](../includes/auth-certificate-template.md)]
+[!INCLUDE [auth-certificate-template](includes/auth-certificate-template.md)]
 
-[!INCLUDE [unpublish-superseded-templates](../includes/unpublish-superseded-templates.md)]
+[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
 
 ### Publish certificate templates to the CA
 
@@ -50,11 +50,11 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
 
 ## Configure and deploy certificates to domain controllers
 
-[!INCLUDE [dc-certificate-deployment](../includes/dc-certificate-deployment.md)]
+[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]
 
 ## Validate the configuration
 
-[!INCLUDE [dc-certificate-validate](../includes/dc-certificate-validate.md)]
+[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
 
 > [!div class="nextstepaction"]
 > [Next: prepare and deploy AD FS >](on-premises-cert-trust-adfs.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
similarity index 99%
rename from windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
rename to windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
index cf93d23831..4446ced825 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
 ---
 # Prepare and deploy Active Directory Federation Services - on-premises key trust
 
-[!INCLUDE [hello-on-premises-key-trust](./includes/hello-on-premises-key-trust.md)]
+[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
 
 Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS) role included with Windows Server. The on-premises key trust deployment model uses AD FS for *key registration* and *device registration*.
 
@@ -261,4 +261,4 @@ Before you continue with the deployment, validate your deployment progress by re
 > * Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server
 
 > [!div class="nextstepaction"]
-> [Next: validate and deploy multi-factor authentication (MFA)](hello-key-trust-validate-deploy-mfa.md)
+> [Next: validate and deploy multi-factor authentication (MFA)](on-premises-key-trust-mfa.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md
similarity index 99%
rename from windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
rename to windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md
index ed52f1c594..eca8d12e30 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md
@@ -9,7 +9,7 @@ ms.topic: tutorial
 ---
 # Configure Windows Hello for Business group policy settings - on-premises key trust
 
-[!INCLUDE [hello-on-premises-key-trust](./includes/hello-on-premises-key-trust.md)]
+[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
 
 On-premises key trust deployments of Windows Hello for Business need one Group Policy setting: *Enable Windows Hello for Business*.
 The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-mfa.md
similarity index 93%
rename from windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
rename to windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-mfa.md
index 52c64523e9..bcc3c3b497 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-mfa.md
@@ -13,7 +13,7 @@ ms.topic: tutorial
 
 # Validate and deploy multifactor authentication - on-premises key trust
 
-[!INCLUDE [hello-on-premises-key-trust](./includes/hello-on-premises-key-trust.md)]
+[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
 
 Windows Hello for Business requires users perform multifactor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option:
 
@@ -29,4 +29,4 @@ For information on available third-party authentication methods see [Configure A
 Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
 
 > [!div class="nextstepaction"]
-> [Next: configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
+> [Next: configure Windows Hello for Business Policy settings](on-premises-key-trust-enroll.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md
similarity index 95%
rename from windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
rename to windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md
index ab932d9a99..6d7aef36c5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
 ---
 # Configure and validate the Public Key Infrastructure - on-premises key trust
 
-[!INCLUDE [hello-on-premises-key-trust](./includes/hello-on-premises-key-trust.md)]
+[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
 
 Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
 
@@ -52,4 +52,4 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
 [!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
 
 > [!div class="nextstepaction"]
-> [Next: prepare and deploy AD FS >](hello-key-trust-adfs.md)
\ No newline at end of file
+> [Next: prepare and deploy AD FS >](on-premises-key-trust-adfs.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
new file mode 100644
index 0000000000..5b0dbd90fa
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
@@ -0,0 +1,35 @@
+---
+title: Windows Hello for Business deployment guide for the on-premises key trust model
+description: Learn how to deploy Windows Hello for Business in an on-premises, key trust model.
+ms.date: 12/12/2022
+ms.topic: tutorial
+---
+
+# Deployment guide overview - on-premises key trust
+
+[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
+
+Windows Hello for Business replaces username and password authentication to Windows with an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in an on-premises environment:
+
+1. [Validate and configure a PKI](on-premises-key-trust-pki.md)
+1. [Prepare and deploy AD FS](on-premises-key-trust-adfs.md)
+1. [Validate and deploy multi-factor authentication (MFA)](on-premises-key-trust-mfa.md)
+1. [Configure Windows Hello for Business Policy settings](on-premises-key-trust-enroll.md)
+
+## Create the Windows Hello for Business Users security group
+
+While this is not a required step, it is recommended to create a security group to simplify the deployment.
+
+The *Windows Hello for Business Users* group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy permissions to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business.
+
+Sign-in to a domain controller or to a management workstation with a *Domain Administrator* equivalent credentials.
+
+1. Open **Active Directory Users and Computers**
+1. Select **View > Advanced Features**
+1. Expand the domain node from the navigation pane
+1. Right-click the **Users** container. Select **New > Group**
+1. Type *Windows Hello for Business Users* in the **Group Name**
+1. Select **OK**
+
+> [!div class="nextstepaction"]
+> [Next: validate and configure PKI >](on-premises-key-trust-pki.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/deploy/requirements.md
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/hello-identity-verification.md
rename to windows/security/identity-protection/hello-for-business/deploy/requirements.md
diff --git a/windows/security/identity-protection/hello-for-business/deploy/toc.yml b/windows/security/identity-protection/hello-for-business/deploy/toc.yml
index 9c556b0e5c..dfeb68e1f8 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/deploy/toc.yml
@@ -1,32 +1,30 @@
 items:
 - name: Windows Hello for Business deployment overview
-  href: ../hello-deployment-guide.md
-- name: Planning a Windows Hello for Business deployment
-  href: ../hello-planning-guide.md
+  href: index.md
 - name: Deployment prerequisite overview
-  href: ../hello-identity-verification.md
+  href: requirements.md
 - name: Cloud-only deployment
-  href: ../hello-aad-join-cloud-only-deploy.md
+  href: cloud.md
 - name: Hybrid deployments
   items:
   - name: Cloud Kerberos trust deployment
     items:
       - name: Overview
-        href: ../hello-hybrid-cloud-kerberos-trust.md
+        href: hybrid-clud-kerberos-trust.md
         displayName: cloud Kerberos trust
       - name: Configure and provision Windows Hello for Business
-        href: ../hello-hybrid-cloud-kerberos-trust-provision.md
+        href: hybrid-clud-kerberos-trust-enroll.md
         displayName: cloud Kerberos trust
   - name: Key trust deployment
     items: 
     - name: Overview
-      href: ../hello-hybrid-key-trust.md
+      href: hybrid-key-trust.md
       displayName: key trust
     - name: Configure and validate the PKI
-      href: ../hello-hybrid-key-trust-validate-pki.md
+      href: hybrid-key-trust-pki.md
       displayName: key trust
     - name: Configure and provision Windows Hello for Business
-      href: ../hello-hybrid-key-trust-provision.md
+      href: hybrid-key-trust-enroll.md
       displayName: key trust
     - name: Configure SSO for Microsoft Entra joined devices
       href: ../hello-hybrid-aadj-sso.md
@@ -56,15 +54,15 @@ items:
   - name: Key trust deployment
     items: 
     - name: Overview
-      href: ../hello-deployment-key-trust.md
+      href: hybrid-clud-kerberos-trust.md
     - name: Configure and validate the PKI
-      href: ../hello-key-trust-validate-pki.md
+      href: on-premises-key-trust-pki.md
     - name: Prepare and deploy Active Directory Federation Services (AD FS)
-      href: ../hello-key-trust-adfs.md
+      href: on-premises-key-trust-adfs.md
     - name: Validate and deploy multi-factor authentication (MFA) services
-      href: ../hello-key-trust-validate-deploy-mfa.md
+      href: on-premises-key-trust-mfa.md
     - name: Configure Windows Hello for Business policy settings
-      href: ../hello-key-trust-policy-settings.md
+      href: on-premises-key-trust-enroll.md
   - name: Certificate trust deployment
     items: 
     - name: Overview
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
deleted file mode 100644
index 56d613052d..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
+++ /dev/null
@@ -1,17 +0,0 @@
----
-title: Windows Hello for Business deployment guide for the on-premises key trust model
-description: Learn how to deploy Windows Hello for Business in an on-premises, key trust model.
-ms.date: 12/12/2022
-ms.topic: tutorial
----
-# Deployment guide overview - on-premises key trust
-
-[!INCLUDE [hello-on-premises-key-trust](./includes/hello-on-premises-key-trust.md)]
-
-Windows Hello for Business replaces username and password authentication to Windows with an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in an on-premises environment::
-
-1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md)
-1. [Validate and configure a PKI](hello-key-trust-validate-pki.md)
-1. [Prepare and deploy AD FS](hello-key-trust-adfs.md)
-1. [Validate and deploy multi-factor authentication (MFA)](hello-key-trust-validate-deploy-mfa.md)
-1. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index be3cce3029..b848b6347e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -131,7 +131,7 @@ Giving the simplicity offered by this model, cloud Kerberos trust is the recomme
 
 ### More information about cloud Kerberos trust
 
-[Cloud Kerberos trust deployment](hello-hybrid-cloud-kerberos-trust.md)
+[Cloud Kerberos trust deployment](hybrid-clud-kerberos-trust.md)
 
 ## Deployment type
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index e4c13dae5d..b9a871f8a9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -6,7 +6,7 @@ ms.topic: how-to
 ---
 # Configure single sign-on for Microsoft Entra joined devices
 
-[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-keycert-trust-aad.md)]
+[!INCLUDE [hello-hybrid-key-trust](includes/hello-hybrid-keycert-trust-aad.md)]
 
 Windows Hello for Business combined with Microsoft Entra joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Microsoft Entra joined devices may need to access these resources. With additional configurations to the hybrid deployment, you can provide single sign-on to on-premises resources for Microsoft Entra joined devices using Windows Hello for Business, using a key or a certificate.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
deleted file mode 100644
index 2537513f37..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
+++ /dev/null
@@ -1,35 +0,0 @@
----
-title: Validate Active Directory prerequisites in an on-premises key trust
-description: Validate Active Directory prerequisites when deploying Windows Hello for Business in a key trust model.
-ms.date: 09/07/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
-ms.topic: tutorial
----
-# Validate Active Directory prerequisites - on-premises key trust
-
-[!INCLUDE [hello-on-premises-key-trust](./includes/hello-on-premises-key-trust.md)]
-
-Key trust deployments need an adequate number of domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md) and the [Planning an adequate number of Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section.
-
-The key registration process for the on-premises deployment of Windows Hello for Business requires the Windows Server 2016 Active Directory or later schema.
-
-## Create the Windows Hello for Business Users security group
-
-The *Windows Hello for Business Users* group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy permissions to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business.
-
-Sign-in to a domain controller or to a management workstation with a *Domain Administrator* equivalent credentials.
-
-1. Open **Active Directory Users and Computers**
-1. Select **View > Advanced Features**
-1. Expand the domain node from the navigation pane
-1. Right-click the **Users** container. Select **New > Group**
-1. Type *Windows Hello for Business Users* in the **Group Name**
-1. Select **OK**
-
-> [!div class="nextstepaction"]
-> [Next: validate and configure PKI >](hello-key-trust-validate-pki.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 459d5a8f44..6dfedc9c3e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -82,7 +82,7 @@ It's fundamentally important to understand which deployment model to use for a s
 A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory.  There are two trust types: key trust and certificate trust.
 
 > [!NOTE]
-> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](hello-hybrid-cloud-kerberos-trust.md).
+> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](hybrid-clud-kerberos-trust.md).
 
 The key trust type doesn't require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
 
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-cloud.md b/windows/security/identity-protection/hello-for-business/includes/hello-cloud.md
deleted file mode 100644
index 59fb36a4d6..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-cloud.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[!INCLUDE [hello-intro](hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-cloud](hello-deployment-cloud.md)]
-- **Join type:** [!INCLUDE [hello-join-aad](hello-join-aad.md)]
----
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md
deleted file mode 100644
index dce66d7d01..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[cloud :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#cloud-deployment "For organizations using Microsoft Entra-only identities. Device management is usually done via Intune/MDM")
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md
deleted file mode 100644
index 1c5a745e8c..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[hybrid :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Microsoft Entra ID. Device management is usually done via Group Policy or Intune/MDM")
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md
deleted file mode 100644
index 1cc478a8b9..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[on-premises :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Microsoft Entra ID. Device management is usually done via Group Policy")
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cloudkerb-trust.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cloudkerb-trust.md
deleted file mode 100644
index d67281a719..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cloudkerb-trust.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[!INCLUDE [hello-intro](hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)]
-- **Trust type:** [!INCLUDE [hello-trust-cloud-kerberos](hello-trust-cloud-kerberos.md)]
-- **Join type:** [!INCLUDE [hello-join-aadj](hello-join-aad.md)], [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)]
----
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust.md
deleted file mode 100644
index 6a011daa04..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[!INCLUDE [hello-intro](hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)]
-- **Trust type:** [!INCLUDE [hello-trust-key](hello-trust-key.md)]
-- **Join type:** [!INCLUDE [hello-join-aadj](hello-join-aad.md)], [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)]
----
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-keycert-trust-aad.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-keycert-trust-aad.md
deleted file mode 100644
index 1ffe6b9343..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-keycert-trust-aad.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[!INCLUDE [hello-intro](hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)]
-- **Trust type:** [!INCLUDE [hello-trust-key](hello-trust-key.md)],[!INCLUDE [tooltip-cert-trust](../deploy/includes/tooltip-cert-trust.md)]
-- **Join type:** [!INCLUDE [hello-join-aadj](hello-join-aad.md)]
----
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md b/windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md
deleted file mode 100644
index e0d8d9d793..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[Microsoft Entra join :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#azure-active-directory-join "Devices that are Microsoft Entra joined do not have any dependencies on Active Directory. Only local users accounts and Microsoft Entra users can sign in to these devices")
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-join-domain.md b/windows/security/identity-protection/hello-for-business/includes/hello-join-domain.md
deleted file mode 100644
index 618568cbb7..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-join-domain.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[domain join :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md)
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md b/windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md
deleted file mode 100644
index 9f10afb700..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[Microsoft Entra hybrid join :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are Microsoft Entra hybrid joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Microsoft Entra ID will have single-sign on to both Active Directory and Microsoft Entra protected resources")
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-on-premises-key-trust.md b/windows/security/identity-protection/hello-for-business/includes/hello-on-premises-key-trust.md
deleted file mode 100644
index ef66939cb2..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-on-premises-key-trust.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[!INCLUDE [hello-intro](hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-onpremises](hello-deployment-onpremises.md)]
-- **Trust type:** [!INCLUDE [hello-trust-key](hello-trust-key.md)]
-- **Join type:** [!INCLUDE [hello-join-domain](hello-join-domain.md)]
----
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-trust-cloud-kerberos.md b/windows/security/identity-protection/hello-for-business/includes/hello-trust-cloud-kerberos.md
deleted file mode 100644
index fa465e241c..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-trust-cloud-kerberos.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[cloud Kerberos trust :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#cloud-kerberos-trust "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that do not need certificate authentication")
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-trust-key.md b/windows/security/identity-protection/hello-for-business/includes/hello-trust-key.md
deleted file mode 100644
index 3e4bdecccc..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-trust-key.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[key trust :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#key-trust "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers")
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
index 40b101f937..61aa6291c3 100644
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -10,6 +10,8 @@ items:
     href: hello-biometrics-in-enterprise.md
   - name: How Windows Hello for Business works
     href: hello-how-it-works.md
+- name: Plan a Windows Hello for Business deployment
+  href: hello-planning-guide.md
 - name: Deployment guides
   href: deploy/toc.yml
 - name: How-to Guides