Restructure of deployment guides

windows/security/identity-protection/hello-for-business/deploy/cloud.md

@@ -6,7 +6,7 @@ ms.topic: how-to
 ---
 # Cloud-only deployment
 
-[!INCLUDE [hello-hybrid-key-trust](./includes/hello-cloud.md)]
+[!INCLUDE [apply-to-cloud](includes/apply-to-cloud.md)]
 
 ## Introduction
 
@@ -21,7 +21,7 @@ You may wish to disable the automatic Windows Hello for Business enrollment prom
 
 Cloud only deployments will use Microsoft Entra multifactor authentication (MFA) during Windows Hello for Business enrollment, and there's no additional MFA configuration needed. If you aren't already registered in MFA, you'll be guided through the MFA registration as part of the Windows Hello for Business enrollment process.
 
-The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#azure-ad-cloud-only-deployment).
+The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](requirements.md#azure-ad-cloud-only-deployment).
 
 It's possible for federated domains to configure the *FederatedIdpMfaBehavior* flag. The flag instructs Microsoft Entra ID to accept, enforce, or reject the MFA challenge from the federated IdP. For more information, see [federatedIdpMfaBehavior values](/graph/api/resources/internaldomainfederation#federatedidpmfabehavior-values). To check this setting, use the following PowerShell command:
 

windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md

@@ -18,11 +18,11 @@ Windows Hello for Business must have a Public Key Infrastructure (PKI) when usin
 
 Hybrid certificate trust deployments issue users a sign-in certificate, enabling them to authenticate to Active Directory using Windows Hello for Business credentials. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates.
 
-[!INCLUDE [lab-based-pki-deploy](../includes/lab-based-pki-deploy.md)]
+[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]
 
 ## Configure the enterprise PKI
 
-[!INCLUDE [dc-certificate-template](../includes/dc-certificate-template.md)]
+[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
 
 > [!NOTE]
 > Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for Microsoft Entra hybrid joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Microsoft Entra joined devices.
@@ -33,13 +33,13 @@ Hybrid certificate trust deployments issue users a sign-in certificate, enabling
 > - Install the root CA certificate in the device's trusted root certificate store. See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune
 > - Publish your certificate revocation list to a location that is available to Microsoft Entra joined devices, such as a web-based URL
 
-[!INCLUDE [dc-certificate-template-supersede](../includes/dc-certificate-supersede.md)]
+[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
 
-[!INCLUDE [enrollment-agent-certificate-template](../includes/enrollment-agent-certificate-template.md)]
+[!INCLUDE [enrollment-agent-certificate-template](includes/enrollment-agent-certificate-template.md)]
 
-[!INCLUDE [auth-certificate-template](../includes/auth-certificate-template.md)]
+[!INCLUDE [auth-certificate-template](includes/auth-certificate-template.md)]
 
-[!INCLUDE [unpublish-superseded-templates](../includes/unpublish-superseded-templates.md)]
+[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
 
 ### Publish the certificate templates to the CA
 
@@ -59,11 +59,11 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
 
 ## Configure and deploy certificates to domain controllers
 
-[!INCLUDE [dc-certificate-deployment](../includes/dc-certificate-deployment.md)]
+[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]
 
 ## Validate the configuration
 
-[!INCLUDE [dc-certificate-validate](../includes/dc-certificate-validate.md)]
+[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
 
 ## Section review and next steps
 

windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md

@@ -20,7 +20,7 @@ Hybrid environments are distributed systems that enable organizations to use on-
 This deployment guide describes how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
 
 > [!IMPORTANT]
-> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](../hello-hybrid-cloud-kerberos-trust.md).
+> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](../hybrid-clud-kerberos-trust.md).
 
 It's recommended that you review the [Windows Hello for Business planning guide](../hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.
 

windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md

@@ -8,7 +8,7 @@ ms.topic: tutorial
 ---
 # Configure and provision Windows Hello for Business - cloud Kerberos trust
 
-[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-cloudkerb-trust.md)]
+[!INCLUDE [hello-hybrid-key-trust](includes/hello-hybrid-cloudkerb-trust.md)]
 
 ## Deployment steps
 

windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md

@@ -8,7 +8,7 @@ ms.topic: tutorial
 ---
 # Cloud Kerberos trust deployment
 
-[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-cloudkerb-trust.md)]
+[!INCLUDE [apply-to-hybrid-cloud-kerberos-trust](includes/apply-to-hybrid-cloud-kerberos-trust.md)]
 
 Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in a *cloud Kerberos trust* scenario.
 
@@ -84,7 +84,7 @@ Once the prerequisites are met, deploying Windows Hello for Business with a clou
 > * Provision Windows Hello for Business on Windows clients
 
 > [!div class="nextstepaction"]
-> [Next: configure and provision Windows Hello for Business >](hello-hybrid-cloud-kerberos-trust-provision.md)
+> [Next: configure and provision Windows Hello for Business >](hybrid-clud-kerberos-trust-enroll.md)
 
 <!--Links-->
 

windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md

@@ -7,7 +7,7 @@ ms.topic: tutorial
 
 # Configure and enroll in Windows Hello for Business - hybrid key trust
 
-[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-key-trust.md)]
+[!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)]
 
 After the prerequisites are met and the PKI configuration is validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
 

windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md

@@ -12,7 +12,7 @@ ms.topic: tutorial
 ---
 # Configure and validate the Public Key Infrastructure - hybrid key trust
 
-[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-key-trust.md)]
+[!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)]
 
 Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* model. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
 
@@ -97,7 +97,7 @@ Before moving to the next section, ensure the following steps are complete:
 > - Validate the domain controllers configuration
 
 > [!div class="nextstepaction"]
-> [Next: configure and provision Windows Hello for Business >](hello-hybrid-key-trust-provision.md)
+> [Next: configure and provision Windows Hello for Business >](hybrid-key-trust-enroll.md)
 
 <!--links-->
 [SERV-1]: /troubleshoot/windows-server/windows-security/requirements-domain-controller

windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md

@@ -12,14 +12,14 @@ ms.topic: how-to
 ---
 # Hybrid key trust deployment
 
-[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-key-trust.md)]
+[!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)]
 
 Hybrid environments are distributed systems that enable organizations to use on-premises and Microsoft Entra protected resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources.
 
 This deployment guide describes how to deploy Windows Hello for Business in a hybrid key trust scenario.
 
 > [!IMPORTANT]
-> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. For more information, see [cloud Kerberos trust deployment](hello-hybrid-cloud-kerberos-trust.md).
+> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. For more information, see [cloud Kerberos trust deployment](hybrid-clud-kerberos-trust.md).
 
 It is recommended that you review the [Windows Hello for Business planning guide](hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.
 
@@ -94,7 +94,7 @@ Once the prerequisites are met, deploying Windows Hello for Business with a hybr
 > * Configure single sign-on (SSO) for Microsoft Entra joined devices
 
 > [!div class="nextstepaction"]
-> [Next: configure and validate the Public Key Infrastructure >](hello-hybrid-key-trust-validate-pki.md)
+> [Next: configure and validate the Public Key Infrastructure >](hybrid-key-trust-pki.md)
 
 <!--links-->
 [AZ-1]: /azure/active-directory/hybrid/how-to-connect-sync-whatis

windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-cloud.md

@@ -0,0 +1,9 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[!INCLUDE [intro](intro.md)]
+- **Deployment type:** [!INCLUDE [tooltip-deployment-cloud](tooltip-deployment-cloud.md)]
+- **Join type:** [!INCLUDE [tootip-join-entra](tooltip-join-entra.md)]
+---

windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust-entra.md

@@ -3,8 +3,8 @@ ms.date: 12/15/2023
 ms.topic: include
 ---
 
-[!INCLUDE [hello-intro](../../includes/hello-intro.md)]
+[!INCLUDE [intro](intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](../../includes/hello-deployment-hybrid.md)]
+- **Deployment type:** [!INCLUDE [tooltip-deployment-hybrid](tooltip-deployment-hybrid.md)]
 - **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-cert-trust.md)]
-- **Join type:** [!INCLUDE [hello-join-aadj](../../includes/hello-join-aad.md)]
+- **Join type:** [!INCLUDE [tooltip-join-entra](tooltip-join-entra.md)]
 ---

windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust.md

@@ -3,8 +3,8 @@ ms.date: 12/15/2023
 ms.topic: include
 ---
 
-[!INCLUDE [hello-intro](../../includes/hello-intro.md)]
+[!INCLUDE [intro](intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](../../includes/hello-deployment-hybrid.md)]
+- **Deployment type:** [!INCLUDE [tooltip-deployment-hybrid](tooltip-deployment-hybrid.md)]
-- **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-cert-trust.md)]
+- **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-trust-cert.md)]
-- **Join type:** [!INCLUDE [hello-join-aadj](../../includes/hello-join-aad.md)], [!INCLUDE [hello-join-hybrid](../../includes/hello-join-hybrid.md)]
+- **Join type:** [!INCLUDE [tooltip-join-entra](tooltip-join-entra.md)], [!INCLUDE [tooltip-join-hybrid](tooltip-join-hybrid.md)]
 ---

windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cloud-kerberos-trust.md

@@ -0,0 +1,10 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[!INCLUDE [intro](intro.md)]
+- **Deployment type:** [!INCLUDE [tooltip-deployment-hybrid](tooltip-deployment-hybrid.md)]
+- **Trust type:** [!INCLUDE [tooltip-trust-cloud-kerberos](tooltip-trust-cloud-kerberos.md)]
+- **Join type:** [!INCLUDE [tooltip-join-entra](tooltip-join-entra.md)], [!INCLUDE [tooltip-join-hybrid](tooltip-join-hybrid.md)]
+---

windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-and-cert-trust.md

@@ -0,0 +1,10 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[!INCLUDE [intro](intro.md)]
+- **Deployment type:** [!INCLUDE [tooltip-deployment-hybrid](tooltip-deployment-hybrid.md)]
+- **Trust type:** [!INCLUDE [tooltip-trust-key](tooltip-trust-key.md)],[!INCLUDE [tooltip-cert-trust](../deploy/includes/tooltip-cert-trust.md)]
+- **Join type:** [!INCLUDE [tooltip-join-entra](tooltip-join-entra.md)]
+---

windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-trust.md

@@ -0,0 +1,10 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[!INCLUDE [intro](intro.md)]
+- **Deployment type:** [!INCLUDE [tooltip-deployment-hybrid](tooltip-deployment-hybrid.md)]
+- **Trust type:** [!INCLUDE [tooltip-trust-key](tooltip-trust-key.md)]
+- **Join type:** [!INCLUDE [tooltip-join-entra](tooltip-join-entra.md)], [!INCLUDE [tooltip-join-hybrid](tooltip-join-hybrid.md)]
+---

windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust-entra.md

@@ -3,8 +3,8 @@ ms.date: 12/15/2023
 ms.topic: include
 ---
 
-[!INCLUDE [hello-intro](../../includes/hello-intro.md)]
+[!INCLUDE [intro](intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-onpremises](../../includes/hello-deployment-onpremises.md)]
+- **Deployment type:** [!INCLUDE [tooltip-deployment-onpremises](tooltip-deployment-onpremises.md)]
 - **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-cert-trust.md)]
-- **Join type:** [!INCLUDE [hello-join-domain](../../includes/hello-join-domain.md)]
+- **Join type:** [!INCLUDE [tooltip-join-domain](tooltip-join-domain.md)]
 ---

windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-key-trust.md

@@ -0,0 +1,10 @@
+---
+ms.date: 12/08/2022
+ms.topic: include
+---
+
+[!INCLUDE [intro](intro.md)]
+- **Deployment type:** [!INCLUDE [tooltip-deployment-onpremises](tooltip-deployment-onpremises.md)]
+- **Trust type:** [!INCLUDE [tooltip-trust-key](tooltip-trust-key.md)]
+- **Join type:** [!INCLUDE [tooltip-join-domain](tooltip-join-domain.md)]
+---

windows/security/identity-protection/hello-for-business/deploy/includes/information.svg

@@ -0,0 +1,3 @@
+<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
+  <path d="M8 7C8.27614 7 8.5 7.22386 8.5 7.5V10.5C8.5 10.7761 8.27614 11 8 11C7.72386 11 7.5 10.7761 7.5 10.5V7.5C7.5 7.22386 7.72386 7 8 7ZM8.00001 6.24907C8.41369 6.24907 8.74905 5.91371 8.74905 5.50003C8.74905 5.08635 8.41369 4.751 8.00001 4.751C7.58633 4.751 7.25098 5.08635 7.25098 5.50003C7.25098 5.91371 7.58633 6.24907 8.00001 6.24907ZM2 8C2 4.68629 4.68629 2 8 2C11.3137 2 14 4.68629 14 8C14 11.3137 11.3137 14 8 14C4.68629 14 2 11.3137 2 8ZM8 3C5.23858 3 3 5.23858 3 8C3 10.7614 5.23858 13 8 13C10.7614 13 13 10.7614 13 8C13 5.23858 10.7614 3 8 3Z" fill="#0078D4" />
+</svg>

windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md

@@ -0,0 +1,6 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[cloud :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-deployment "For organizations using Microsoft Entra-only identities. Device management is usually done via Intune/MDM")

windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md

@@ -0,0 +1,6 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[hybrid :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Microsoft Entra ID. Device management is usually done via Group Policy or Intune/MDM")

windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md

@@ -0,0 +1,6 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[on-premises :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Microsoft Entra ID. Device management is usually done via Group Policy")

windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md

@@ -0,0 +1,6 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[domain join :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md)

windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md

@@ -0,0 +1,6 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[Microsoft Entra join :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#azure-active-directory-join "Devices that are Microsoft Entra joined do not have any dependencies on Active Directory. Only local users accounts and Microsoft Entra users can sign in to these devices")

windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md

@@ -0,0 +1,6 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[Microsoft Entra hybrid join :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are Microsoft Entra hybrid joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Microsoft Entra ID will have single-sign on to both Active Directory and Microsoft Entra protected resources")

windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md

@@ -0,0 +1,6 @@
+---
+ms.date: 12/08/2022
+ms.topic: include
+---
+
+[cloud Kerberos trust :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-kerberos-trust "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that do not need certificate authentication")

windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md

@@ -0,0 +1,6 @@
+---
+ms.date: 12/08/2022
+ms.topic: include
+---
+
+[key trust :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#key-trust "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers")

windows/security/identity-protection/hello-for-business/deploy/includes/web-server-certificate-template.md

@@ -15,13 +15,13 @@ Sign in to a CA or management workstations with *Domain Administrator* equivalen
 1. Use the following table to configure the template:
 
     | Tab Name | Configurations |
-    | --- | --- |
+    |--|--|
-    | *Compatibility* | <ul><li>Clear the **Show resulting changes** check box</li><li>Select **Windows Server 2016** from the *Certification Authority list*</li><li>Select **Windows 10 / Windows Server 2016** from the *Certification Recipient list*</li></ul>|
+    | *Compatibility* | <ul><li>Clear the **Show resulting changes** check box</li><li>Select **Windows Server 2016** from the *Certification Authority list*</li><li>Select **Windows 10 / Windows Server 2016** from the *Certification Recipient list*</li></ul> |
-    | *General* | <ul><li>Specify a **Template display name**, for example *Internal Web Server*</li><li>Set the validity period to the desired value</li><li>Take note of the template name for later, which should be the same as the Template display name minus spaces</li></ul>|
+    | *General* | <ul><li>Specify a **Template display name**, for example *Internal Web Server*</li><li>Set the validity period to the desired value</li><li>Take note of the template name for later, which should be the same as the Template display name minus spaces</li></ul> |
     | *Request Handling* | Select **Allow private key to be exported** |
-    | *Subject Name* | Select **Supply in the request**|
+    | *Subject Name* | Select **Supply in the request** |
-    |*Security*|Add **Domain Computers** with **Enroll** access|
+    | *Security* | Add **Domain Computers** with **Enroll** access |
-    |*Cryptography*|<ul><li>Set the *Provider Category* to **Key Storage Provider**</li><li>Set the *Algorithm name* to **RSA**</li><li>Set the *minimum key size* to **2048**</li><li>Set the *Request hash* to **SHA256**</li>|
+    | *Cryptography* | <ul><li>Set the *Provider Category* to **Key Storage Provider**</li><li>Set the *Algorithm name* to **RSA**</li><li>Set the *minimum key size* to **2048**</li><li>Set the *Request hash* to **SHA256**</li> |
 
 1. Select **OK** to finalize your changes and create the new template
 1. Close the console

windows/security/identity-protection/hello-for-business/deploy/index.md

@@ -12,7 +12,7 @@ Windows Hello for Business is the springboard to a world without passwords. It r
 
 This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) guide to determine the right deployment model for your organization.
 
-Once you've chosen a deployment model, the deployment guide for that model will provide you with the information needed to successfully deploy Windows Hello for Business in your environment. Read the [Windows Hello for Business Deployment Prerequisite Overview](hello-identity-verification.md) for a summary of the prerequisites for each different Windows Hello for Business deployment model.
+Once you've chosen a deployment model, the deployment guide for that model will provide you with the information needed to successfully deploy Windows Hello for Business in your environment. Read the [Windows Hello for Business Deployment Prerequisite Overview](requirements.md) for a summary of the prerequisites for each different Windows Hello for Business deployment model.
 
 ## Requirements
 
@@ -44,18 +44,18 @@ The trust model determines how you want users to authenticate to the on-premises
 - The certificate trust model also supports enterprises, which aren't ready to deploy Windows Server 2016 Domain Controllers.
 
 > [!NOTE]
-> RDP does not support authentication with Windows Hello for Business Key Trust or cloud Kerberos trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business Key Trust and cloud Kerberos trust can be used with [Remote Credential Guard](../remote-credential-guard.md).
+> RDP does not support authentication with Windows Hello for Business Key Trust or cloud Kerberos trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business Key Trust and cloud Kerberos trust can be used with [Remote Credential Guard](../../remote-credential-guard.md).
 
 Following are the various deployment guides and models included in this topic:
 
-- [Microsoft Entra hybrid joined cloud Kerberos trust Deployment](hello-hybrid-cloud-kerberos-trust.md)
+- [Microsoft Entra hybrid joined cloud Kerberos trust Deployment](hybrid-clud-kerberos-trust.md)
-- [Microsoft Entra hybrid joined Key Trust Deployment](hello-hybrid-key-trust.md)
+- [Microsoft Entra hybrid joined Key Trust Deployment](hybrid-key-trust.md)
-- [Microsoft Entra hybrid joined Certificate Trust Deployment](deploy/hybrid-cert-trust.md)
+- [Microsoft Entra hybrid joined Certificate Trust Deployment](hybrid-cert-trust.md)
 - [Microsoft Entra join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)
-- [On Premises Key Trust Deployment](hello-deployment-key-trust.md)
+- [On Premises Key Trust Deployment](hybrid-clud-kerberos-trust.md)
-- [On Premises Certificate Trust Deployment](deploy/on-premises-cert-trust.md)
+- [On Premises Certificate Trust Deployment](on-premises-cert-trust.md)
 
-For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you'll need Microsoft Entra Connect to synchronize user accounts in the on-premises Active Directory with Microsoft Entra ID. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials aren't synchronized to Microsoft Entra ID. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](hello-key-trust-validate-deploy-mfa.md) and [for certificate trust](deploy/on-premises-cert-trust-mfa.md) deployments.
+For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you'll need Microsoft Entra Connect to synchronize user accounts in the on-premises Active Directory with Microsoft Entra ID. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials aren't synchronized to Microsoft Entra ID. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](on-premises-key-trust-mfa.md) and [for certificate trust](deploy/on-premises-cert-trust-mfa.md) deployments.
 
 ## Provisioning
 

windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki.md

@@ -17,21 +17,21 @@ ms.topic: tutorial
 
 Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate.
 
-[!INCLUDE [lab-based-pki-deploy](../includes/lab-based-pki-deploy.md)]
+[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]
 
 ## Configure the enterprise PKI
 
-[!INCLUDE [dc-certificate-template](../includes/dc-certificate-template.md)]
+[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
 
-[!INCLUDE [dc-certificate-template-supersede](../includes/dc-certificate-supersede.md)]
+[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
 
-[!INCLUDE [web-server-certificate-template](../includes/web-server-certificate-template.md)]
+[!INCLUDE [web-server-certificate-template](includes/web-server-certificate-template.md)]
 
-[!INCLUDE [enrollment-agent-certificate-template](../includes/enrollment-agent-certificate-template.md)]
+[!INCLUDE [enrollment-agent-certificate-template](includes/enrollment-agent-certificate-template.md)]
 
-[!INCLUDE [auth-certificate-template](../includes/auth-certificate-template.md)]
+[!INCLUDE [auth-certificate-template](includes/auth-certificate-template.md)]
 
-[!INCLUDE [unpublish-superseded-templates](../includes/unpublish-superseded-templates.md)]
+[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
 
 ### Publish certificate templates to the CA
 
@@ -50,11 +50,11 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
 
 ## Configure and deploy certificates to domain controllers
 
-[!INCLUDE [dc-certificate-deployment](../includes/dc-certificate-deployment.md)]
+[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]
 
 ## Validate the configuration
 
-[!INCLUDE [dc-certificate-validate](../includes/dc-certificate-validate.md)]
+[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
 
 > [!div class="nextstepaction"]
 > [Next: prepare and deploy AD FS >](on-premises-cert-trust-adfs.md)

windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md

@@ -12,7 +12,7 @@ ms.topic: tutorial
 ---
 # Prepare and deploy Active Directory Federation Services - on-premises key trust
 
-[!INCLUDE [hello-on-premises-key-trust](./includes/hello-on-premises-key-trust.md)]
+[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
 
 Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS) role included with Windows Server. The on-premises key trust deployment model uses AD FS for *key registration* and *device registration*.
 
@@ -261,4 +261,4 @@ Before you continue with the deployment, validate your deployment progress by re
 > * Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server
 
 > [!div class="nextstepaction"]
-> [Next: validate and deploy multi-factor authentication (MFA)](hello-key-trust-validate-deploy-mfa.md)
+> [Next: validate and deploy multi-factor authentication (MFA)](on-premises-key-trust-mfa.md)

windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md

@@ -9,7 +9,7 @@ ms.topic: tutorial
 ---
 # Configure Windows Hello for Business group policy settings - on-premises key trust
 
-[!INCLUDE [hello-on-premises-key-trust](./includes/hello-on-premises-key-trust.md)]
+[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
 
 On-premises key trust deployments of Windows Hello for Business need one Group Policy setting: *Enable Windows Hello for Business*.
 The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users.

windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-mfa.md

@@ -13,7 +13,7 @@ ms.topic: tutorial
 
 # Validate and deploy multifactor authentication - on-premises key trust
 
-[!INCLUDE [hello-on-premises-key-trust](./includes/hello-on-premises-key-trust.md)]
+[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
 
 Windows Hello for Business requires users perform multifactor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option:
 
@@ -29,4 +29,4 @@ For information on available third-party authentication methods see [Configure A
 Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
 
 > [!div class="nextstepaction"]
-> [Next: configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
+> [Next: configure Windows Hello for Business Policy settings](on-premises-key-trust-enroll.md)

windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md

@@ -12,7 +12,7 @@ ms.topic: tutorial
 ---
 # Configure and validate the Public Key Infrastructure - on-premises key trust
 
-[!INCLUDE [hello-on-premises-key-trust](./includes/hello-on-premises-key-trust.md)]
+[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
 
 Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
 
@@ -52,4 +52,4 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
 [!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
 
 > [!div class="nextstepaction"]
-> [Next: prepare and deploy AD FS >](hello-key-trust-adfs.md)
+> [Next: prepare and deploy AD FS >](on-premises-key-trust-adfs.md)

windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md

@@ -0,0 +1,35 @@
+---
+title: Windows Hello for Business deployment guide for the on-premises key trust model
+description: Learn how to deploy Windows Hello for Business in an on-premises, key trust model.
+ms.date: 12/12/2022
+ms.topic: tutorial
+---
+
+# Deployment guide overview - on-premises key trust
+
+[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
+
+Windows Hello for Business replaces username and password authentication to Windows with an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in an on-premises environment:
+
+1. [Validate and configure a PKI](on-premises-key-trust-pki.md)
+1. [Prepare and deploy AD FS](on-premises-key-trust-adfs.md)
+1. [Validate and deploy multi-factor authentication (MFA)](on-premises-key-trust-mfa.md)
+1. [Configure Windows Hello for Business Policy settings](on-premises-key-trust-enroll.md)
+
+## Create the Windows Hello for Business Users security group
+
+While this is not a required step, it is recommended to create a security group to simplify the deployment.
+
+The *Windows Hello for Business Users* group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy permissions to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business.
+
+Sign-in to a domain controller or to a management workstation with a *Domain Administrator* equivalent credentials.
+
+1. Open **Active Directory Users and Computers**
+1. Select **View > Advanced Features**
+1. Expand the domain node from the navigation pane
+1. Right-click the **Users** container. Select **New > Group**
+1. Type *Windows Hello for Business Users* in the **Group Name**
+1. Select **OK**
+
+> [!div class="nextstepaction"]
+> [Next: validate and configure PKI >](on-premises-key-trust-pki.md)

windows/security/identity-protection/hello-for-business/deploy/toc.yml

@@ -1,32 +1,30 @@
 items:
 - name: Windows Hello for Business deployment overview
-  href: ../hello-deployment-guide.md
+  href: index.md
-- name: Planning a Windows Hello for Business deployment
-  href: ../hello-planning-guide.md
 - name: Deployment prerequisite overview
-  href: ../hello-identity-verification.md
+  href: requirements.md
 - name: Cloud-only deployment
-  href: ../hello-aad-join-cloud-only-deploy.md
+  href: cloud.md
 - name: Hybrid deployments
   items:
   - name: Cloud Kerberos trust deployment
     items:
       - name: Overview
-        href: ../hello-hybrid-cloud-kerberos-trust.md
+        href: hybrid-clud-kerberos-trust.md
         displayName: cloud Kerberos trust
       - name: Configure and provision Windows Hello for Business
-        href: ../hello-hybrid-cloud-kerberos-trust-provision.md
+        href: hybrid-clud-kerberos-trust-enroll.md
         displayName: cloud Kerberos trust
   - name: Key trust deployment
     items: 
     - name: Overview
-      href: ../hello-hybrid-key-trust.md
+      href: hybrid-key-trust.md
       displayName: key trust
     - name: Configure and validate the PKI
-      href: ../hello-hybrid-key-trust-validate-pki.md
+      href: hybrid-key-trust-pki.md
       displayName: key trust
     - name: Configure and provision Windows Hello for Business
-      href: ../hello-hybrid-key-trust-provision.md
+      href: hybrid-key-trust-enroll.md
       displayName: key trust
     - name: Configure SSO for Microsoft Entra joined devices
       href: ../hello-hybrid-aadj-sso.md
@@ -56,15 +54,15 @@ items:
   - name: Key trust deployment
     items: 
     - name: Overview
-      href: ../hello-deployment-key-trust.md
+      href: hybrid-clud-kerberos-trust.md
     - name: Configure and validate the PKI
-      href: ../hello-key-trust-validate-pki.md
+      href: on-premises-key-trust-pki.md
     - name: Prepare and deploy Active Directory Federation Services (AD FS)
-      href: ../hello-key-trust-adfs.md
+      href: on-premises-key-trust-adfs.md
     - name: Validate and deploy multi-factor authentication (MFA) services
-      href: ../hello-key-trust-validate-deploy-mfa.md
+      href: on-premises-key-trust-mfa.md
     - name: Configure Windows Hello for Business policy settings
-      href: ../hello-key-trust-policy-settings.md
+      href: on-premises-key-trust-enroll.md
   - name: Certificate trust deployment
     items: 
     - name: Overview

windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md

@@ -1,17 +0,0 @@
----
-title: Windows Hello for Business deployment guide for the on-premises key trust model
-description: Learn how to deploy Windows Hello for Business in an on-premises, key trust model.
-ms.date: 12/12/2022
-ms.topic: tutorial
----
-# Deployment guide overview - on-premises key trust
-
-[!INCLUDE [hello-on-premises-key-trust](./includes/hello-on-premises-key-trust.md)]
-
-Windows Hello for Business replaces username and password authentication to Windows with an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in an on-premises environment::
-
-1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md)
-1. [Validate and configure a PKI](hello-key-trust-validate-pki.md)
-1. [Prepare and deploy AD FS](hello-key-trust-adfs.md)
-1. [Validate and deploy multi-factor authentication (MFA)](hello-key-trust-validate-deploy-mfa.md)
-1. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)

windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md

@@ -131,7 +131,7 @@ Giving the simplicity offered by this model, cloud Kerberos trust is the recomme
 
 ### More information about cloud Kerberos trust
 
-[Cloud Kerberos trust deployment](hello-hybrid-cloud-kerberos-trust.md)
+[Cloud Kerberos trust deployment](hybrid-clud-kerberos-trust.md)
 
 ## Deployment type
 

windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md

@@ -6,7 +6,7 @@ ms.topic: how-to
 ---
 # Configure single sign-on for Microsoft Entra joined devices
 
-[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-keycert-trust-aad.md)]
+[!INCLUDE [hello-hybrid-key-trust](includes/hello-hybrid-keycert-trust-aad.md)]
 
 Windows Hello for Business combined with Microsoft Entra joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Microsoft Entra joined devices may need to access these resources. With additional configurations to the hybrid deployment, you can provide single sign-on to on-premises resources for Microsoft Entra joined devices using Windows Hello for Business, using a key or a certificate.
 

windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md

@@ -1,35 +0,0 @@
----
-title: Validate Active Directory prerequisites in an on-premises key trust
-description: Validate Active Directory prerequisites when deploying Windows Hello for Business in a key trust model.
-ms.date: 09/07/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
-ms.topic: tutorial
----
-# Validate Active Directory prerequisites - on-premises key trust
-
-[!INCLUDE [hello-on-premises-key-trust](./includes/hello-on-premises-key-trust.md)]
-
-Key trust deployments need an adequate number of domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md) and the [Planning an adequate number of Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section.
-
-The key registration process for the on-premises deployment of Windows Hello for Business requires the Windows Server 2016 Active Directory or later schema.
-
-## Create the Windows Hello for Business Users security group
-
-The *Windows Hello for Business Users* group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy permissions to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business.
-
-Sign-in to a domain controller or to a management workstation with a *Domain Administrator* equivalent credentials.
-
-1. Open **Active Directory Users and Computers**
-1. Select **View > Advanced Features**
-1. Expand the domain node from the navigation pane
-1. Right-click the **Users** container. Select **New > Group**
-1. Type *Windows Hello for Business Users* in the **Group Name**
-1. Select **OK**
-
-> [!div class="nextstepaction"]
-> [Next: validate and configure PKI >](hello-key-trust-validate-pki.md)

windows/security/identity-protection/hello-for-business/hello-planning-guide.md

@@ -82,7 +82,7 @@ It's fundamentally important to understand which deployment model to use for a s
 A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory.  There are two trust types: key trust and certificate trust.
 
 > [!NOTE]
-> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](hello-hybrid-cloud-kerberos-trust.md).
+> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](hybrid-clud-kerberos-trust.md).
 
 The key trust type doesn't require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
 

windows/security/identity-protection/hello-for-business/includes/hello-cloud.md

@@ -1,9 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[!INCLUDE [hello-intro](hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-cloud](hello-deployment-cloud.md)]
-- **Join type:** [!INCLUDE [hello-join-aad](hello-join-aad.md)]
----

windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md

@@ -1,6 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[cloud :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#cloud-deployment "For organizations using Microsoft Entra-only identities. Device management is usually done via Intune/MDM")

windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md

@@ -1,6 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[hybrid :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Microsoft Entra ID. Device management is usually done via Group Policy or Intune/MDM")

windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md

@@ -1,6 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[on-premises :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Microsoft Entra ID. Device management is usually done via Group Policy")

windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cloudkerb-trust.md

@@ -1,10 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[!INCLUDE [hello-intro](hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)]
-- **Trust type:** [!INCLUDE [hello-trust-cloud-kerberos](hello-trust-cloud-kerberos.md)]
-- **Join type:** [!INCLUDE [hello-join-aadj](hello-join-aad.md)], [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)]
----

windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust.md

@@ -1,10 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[!INCLUDE [hello-intro](hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)]
-- **Trust type:** [!INCLUDE [hello-trust-key](hello-trust-key.md)]
-- **Join type:** [!INCLUDE [hello-join-aadj](hello-join-aad.md)], [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)]
----

windows/security/identity-protection/hello-for-business/includes/hello-hybrid-keycert-trust-aad.md

@@ -1,10 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[!INCLUDE [hello-intro](hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)]
-- **Trust type:** [!INCLUDE [hello-trust-key](hello-trust-key.md)],[!INCLUDE [tooltip-cert-trust](../deploy/includes/tooltip-cert-trust.md)]
-- **Join type:** [!INCLUDE [hello-join-aadj](hello-join-aad.md)]
----

windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md

@@ -1,6 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[Microsoft Entra join :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#azure-active-directory-join "Devices that are Microsoft Entra joined do not have any dependencies on Active Directory. Only local users accounts and Microsoft Entra users can sign in to these devices")

windows/security/identity-protection/hello-for-business/includes/hello-join-domain.md

@@ -1,6 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[domain join :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md)

windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md

@@ -1,6 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[Microsoft Entra hybrid join :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are Microsoft Entra hybrid joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Microsoft Entra ID will have single-sign on to both Active Directory and Microsoft Entra protected resources")

windows/security/identity-protection/hello-for-business/includes/hello-on-premises-key-trust.md

@@ -1,10 +0,0 @@
----
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[!INCLUDE [hello-intro](hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-onpremises](hello-deployment-onpremises.md)]
-- **Trust type:** [!INCLUDE [hello-trust-key](hello-trust-key.md)]
-- **Join type:** [!INCLUDE [hello-join-domain](hello-join-domain.md)]
----

windows/security/identity-protection/hello-for-business/includes/hello-trust-cloud-kerberos.md

@@ -1,6 +0,0 @@
----
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[cloud Kerberos trust :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#cloud-kerberos-trust "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that do not need certificate authentication")

windows/security/identity-protection/hello-for-business/includes/hello-trust-key.md

@@ -1,6 +0,0 @@
----
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[key trust :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#key-trust "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers")

windows/security/identity-protection/hello-for-business/toc.yml

@@ -10,6 +10,8 @@ items:
     href: hello-biometrics-in-enterprise.md
   - name: How Windows Hello for Business works
     href: hello-how-it-works.md
+- name: Plan a Windows Hello for Business deployment
+  href: hello-planning-guide.md
 - name: Deployment guides
   href: deploy/toc.yml
 - name: How-to Guides