From 5d02359252a6e9cd028089a3648a3e2c5ce8fabf Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Fri, 29 Dec 2023 15:40:22 -0500
Subject: [PATCH] Update domain controller certificate configuration

---
 .../hello-for-business/deploy/cloud-only.md   |  14 ++-
 .../deploy/hybrid-cert-trust-enroll.md        |   4 +-
 .../deploy/hybrid-key-trust-enroll.md         |   3 +
 .../deploy/hybrid-key-trust.md                |   2 +-
 .../deploy/includes/user-experience.md        |   1 -
 .../deploy/on-premises-key-trust-adfs.md      |   2 +
 .../deploy/on-premises-key-trust-enroll.md    | 106 ++++--------------
 .../deploy/on-premises-key-trust-pki.md       |  50 ---------
 .../deploy/on-premises-key-trust.md           |  60 ++++++++--
 .../hello-for-business/deploy/toc.yml         |   8 +-
 10 files changed, 95 insertions(+), 155 deletions(-)
 delete mode 100644 windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md

diff --git a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
index 4ad1e131fc..91bff136bd 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
@@ -32,7 +32,12 @@ When you Microsoft Entra join a device, the system attempts to automatically enr
 
 Cloud-only deployments use Microsoft Entra multifactor authentication (MFA) during Windows Hello for Business enrollment, and there's no additional MFA configuration needed. If you aren't already registered in MFA, you'll be guided through the MFA registration as part of the Windows Hello for Business enrollment process.
 
-Policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md).
+Policy settings can be configured to control the behavior of Windows Hello for Business, via configuration service provider (CSP) or group policy (GPO). Cloud-only deployments typically configure devices via an MDM solution like Microsoft Intune, using the [PassportForWork CSP][WIN-1].
+
+> [!TIP]
+> If you're using Microsoft Intune, and you're not using the [tenant-wide policy](../configure.md#verify-the-tenant-wide-policy), enable the Enrollment Status Page (ESP) to ensure that the devices receive the Windows Hello for Business policy settings before users can access their desktop. For more information about ESP, see [Set up the Enrollment Status Page][MEM-1].
+
+For a list of settings to configure Windows Hello for Business, see [Windows Hello for Business policy settings](../policy-settings.md).
 
 ## Enroll in Windows Hello for Business
 
@@ -42,9 +47,16 @@ The Windows Hello for Business provisioning process begins immediately after a u
 
 [!INCLUDE [user-experience](includes/user-experience.md)]
 
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
+
 ## Disable automatic enrollment
 
 If you want to disable the automatic Windows Hello for Business enrollment prompt, you can configure your devices with a policy setting or registry key. For more information, see [Disable Windows Hello for Business enrollment](../configure.md#disable-windows-hello-for-business-enrollment).
 
 > [!NOTE]
 > During the out-of-box experience (OOBE) flow of a Microsoft Entra join, you are guided to enroll in Windows Hello for Business when you don't have Intune. You can cancel the PIN screen and configure this cancellation with registry keys to prevent future prompts.
+
+<!--links-->
+
+[MEM-1]: /mem/intune/enrollment/windows-enrollment-status
+[WIN-1]: /windows/client-management/mdm/passportforwork-csp
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
index 26fde9c804..d874beeff4 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
@@ -9,8 +9,6 @@ ms.topic: tutorial
 
 [!INCLUDE [apply-to-hybrid-cert-trust](includes/apply-to-hybrid-cert-trust.md)]
 
-## Policy Configuration
-
 After the prerequisites are met and the PKI and AD FS configurations are validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
 
 # [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo)
@@ -88,6 +86,8 @@ This information is also available using the `dsregcmd.exe /status` command from
 
 [!INCLUDE [user-experience](includes/user-experience.md)]
 
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
+
 After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate.  Windows send the certificate request to the AD FS server for certificate enrollment.
 
 The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
index 3fea24bad0..30567a525b 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
@@ -58,6 +58,9 @@ This information is also available using the `dsregcmd.exe /status` command from
 
 [!INCLUDE [user-experience](includes/user-experience.md)]
 
+
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
+
 While the user has completed provisioning, Microsoft Entra Connect synchronizes the user's key from Microsoft Entra ID to Active Directory.
 
 > [!IMPORTANT]
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
index 383f79cd18..452c34becf 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
@@ -79,7 +79,7 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
 > [!div class="checklist"]
 > Before moving to the next section, ensure the following steps are complete:
 >
-> - Configure domain controller certificates
+> - Configure domain controller certificate template
 > - Supersede existing domain controller certificates
 > - Unpublish superseded certificate templates
 > - Publish the certificate template to the CA
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/user-experience.md b/windows/security/identity-protection/hello-for-business/deploy/includes/user-experience.md
index 2c8a409803..3fec064d3e 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/user-experience.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/user-experience.md
@@ -11,4 +11,3 @@ After a user signs in, the Windows Hello for Business enrollment process begins:
 1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
 1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Microsoft Entra ID to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and access their desktop.
 
-> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
index 5d508d4b14..c23189a6f4 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
@@ -20,6 +20,7 @@ Windows Hello for Business works exclusively with the Active Directory Federatio
 Before you continue with the deployment, validate your deployment progress by reviewing the following items:
 
 > [!div class="checklist"]
+>
 > - Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a third-party certificate)
 > - Confirm you added the AD FS service account to the KeyAdmins group
 > - Confirm you enabled the Device Registration service
@@ -33,6 +34,7 @@ Before you continue with the deployment, validate your deployment progress by re
 Before you continue with the deployment, validate your deployment progress by reviewing the following items:
 
 > [!div class="checklist"]
+>
 > - Confirm all AD FS servers have a valid server authentication certificate. The subject of the certificate is the common name (FQDN) of the host or a wildcard name. The alternate name of the certificate contains a wildcard or the FQDN of the federation service
 > - Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load
 > - Confirm you restarted the AD FS service
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md
index eca8d12e30..96068a45d6 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md
@@ -7,102 +7,42 @@ appliesto:
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 ms.topic: tutorial
 ---
-# Configure Windows Hello for Business group policy settings - on-premises key trust
+
+# Configure and enroll in Windows Hello for Business in an on-premises key trust model
 
 [!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
 
-On-premises key trust deployments of Windows Hello for Business need one Group Policy setting: *Enable Windows Hello for Business*.
-The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users.
+After the prerequisites are met and the PKI and AD FS configurations are validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
 
-If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business.
+[!INCLUDE [gpo-enable-whfb](includes/gpo-enable-whfb.md)]
 
-## Enable Windows Hello for Business group policy setting
+[!INCLUDE [gpo-settings-1](../../../../../includes/configure/gpo-settings-1.md)]
 
-The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users.
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**<br>or<br> **User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use Windows Hello for Business| **Enabled**|
+| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**|
 
-If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business.
+> [!NOTE]
+> The enablement of the *Use a hardware security device* policy setting is optional, but recommended.
 
-## Create the GPO
+[!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)]
 
-Sign in to a domain controller or management workstations with *Domain Administrator* equivalent credentials.
+> [!TIP]
+> The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all security principals. The security group filtering ensures that only the members of the global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
 
-1. Start the **Group Policy Management Console** (gpmc.msc)
-1. Expand the domain and select the **Group Policy Object** node in the navigation pane
-1. Right-click **Group Policy object** and select **New**
-1. Type *Enable Windows Hello for Business* in the name box and select **OK**
-1. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and select **Edit**
-1. In the navigation pane, select **User Configuration > Policies > **Administrative Templates > Windows Component > Windows Hello for Business**
-1. In the content pane, double-click **Use Windows Hello for Business**. Select **Enable** and **OK**
-1. Close the **Group Policy Management Editor**
+Additional policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md).
 
-## Configure security in the Windows Hello for Business GPO
+## Enroll in Windows Hello for Business
 
-The best way to deploy the Windows Hello for Business Group Policy object is to use security group filtering. The enables you to easily manage the users that should receive Windows Hello for Business by simply adding them to a group. This enables you to deploy Windows Hello for Business in phases.
+The Windows Hello for Business provisioning process begins immediately after the user profile is loaded and before the user receives their desktop. For the provisioning process to begin, all prerequisite checks must pass.
 
-Sign in to a domain controller or management workstations with *Domain Administrator* equivalent credentials.
+You can determine the status of the prerequisite checks by viewing the **User Device Registration** admin log under **Applications and Services Logs > Microsoft > Windows**.\
+This information is also available using the `dsregcmd.exe /status` command from a console. For more information, see [dsregcmd][AZ-4].
 
-1. Start the **Group Policy Management Console** (gpmc.msc)
-1. Expand the domain and select the **Group Policy Object** node in the navigation pane
-1. Double-click the **Enable Windows Hello for Business** Group Policy object
-1. In the **Security Filtering** section of the content pane, select **Add**.  Type *Windows Hello for Business Users* or the name of the security group you previously created and select **OK**
-1. Select the **Delegation** tab. Select **Authenticated Users** and **Advanced**
-1. In the **Group or User names** list, select **Authenticated Users**.  In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Select **OK**
+### User experience
 
-## Deploy the Windows Hello for Business Group Policy object
+[!INCLUDE [user-experience](includes/user-experience.md)]
 
-The application of the Windows Hello for Business Group Policy object uses security group filtering. This solution enables you to link the Group Policy object at the domain level, ensuring the GPO is within scope to all users. However, the security group filtering ensures that only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business.
-
-1. Start the **Group Policy Management Console** (gpmc.msc)
-1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO…**
-1. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and select **OK**
-
-## Other Related Group Policy settings
-
-There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment.  These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings. 
-
-### Use a hardware security device
-
-The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential.
-
-You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business.
-
-Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Some organizations may not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
-
-### Use biometrics
-
-Windows Hello for Business provides a great user experience when combined with the use of biometrics.  Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security.  
-
-The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disables all biometrics. Currently, Windows does not provide the ability to set granular policies that enable you to disable specific modalities of biometrics, such as allowing facial recognition, but disallowing fingerprint recognition.
-
-### PIN Complexity
-
-PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
-
-Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically. The policy settings included are:
-
-- Require digits
-- Require lowercase letters
-- Maximum PIN length
-- Minimum PIN length
-- Expiration
-- History
-- Require special characters
-- Require uppercase letters
-
-The settings can be found in *Administrative Templates\System\PIN Complexity*, under both the Computer and User Configuration nodes of the Group Policy editor.
-
-## Review to validate the configuration
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-
-> [!div class="checklist"]
-> * Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User)
-> * Confirm you configured the proper security settings for the Group Policy object   
-> * Confirm you removed the allow permission for Apply Group Policy for Domain Users (Domain Users must always have the read permissions)
-> * Confirm you added the Windows Hello for Business Users group to the Group Policy object, and gave the group the allow permission to Apply Group Policy
-> * Linked the Group Policy object to the correct locations within Active Directory
-> * Deployed any additional Windows Hello for Business Group Policy settings
-
-## Add users to the Windows Hello for Business Users group
-
-Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Windows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the *Windows Hello for Business Users* group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business.
+<!--links-->
+[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md
deleted file mode 100644
index fb5552e61d..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: Configure and validate the Public Key Infrastructure in an on-premises key trust model
-description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a key trust model.
-ms.date: 12/18/2023
-ms.topic: tutorial
----
-
-# Configure and validate the Public Key Infrastructure - on-premises key trust
-
-[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
-
-Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
-
-[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]
-
-## Configure the enterprise PKI
-
-[!INCLUDE [dc-certificate-template](includes/certificate-template-dc.md)]
-
-[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
-
-[!INCLUDE [web-server-certificate-template](includes/certificate-template-web-server.md)]
-
-[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
-
-### Publish certificate templates to the CA
-
-A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.
-
-Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials.
-
-1. Open the **Certification Authority** management console
-1. Expand the parent node from the navigation pane
-1. Select **Certificate Templates** in the navigation pane
-1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue
-1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, and *Internal Web Server* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority
-1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list
-   - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
-1. Close the console
-
-## Configure and deploy certificates to domain controllers
-
-[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]
-
-## Validate the configuration
-
-[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
-
-> [!div class="nextstepaction"]
-> [Next: prepare and deploy AD FS >](on-premises-key-trust-adfs.md)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
index d14fedcde3..901d216a22 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
@@ -27,24 +27,60 @@ Once the prerequisites are met, deploying Windows Hello for Business consists of
 
 > [!div class="checklist"]
 >
-> - [Validate and configure a PKI](on-premises-key-trust-pki.md)
+> - [Configure and validate the Public Key Infrastructure](#configure-and-validate-the-public-key-infrastructure)
 > - [Prepare and deploy AD FS with MFA](on-premises-key-trust-adfs.md)
 > - [Configure and enroll in Windows Hello for Business](on-premises-key-trust-enroll.md)
 
-## Create the Windows Hello for Business Users security group
+## Configure and validate the Public Key Infrastructure
 
-While this isn't a required step, it's recommended to create a security group to simplify the deployment.
+Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
 
-The *Windows Hello for Business Users* group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy permissions to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business.
+[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]
 
-Sign-in to a domain controller or to a management workstation with a *Domain Administrator* equivalent credentials.
+## Configure the enterprise PKI
 
-1. Open **Active Directory Users and Computers**
-1. Select **View > Advanced Features**
-1. Expand the domain node from the navigation pane
-1. Right-click the **Users** container. Select **New > Group**
-1. Type *Windows Hello for Business Users* in the **Group Name**
-1. Select **OK**
+[!INCLUDE [dc-certificate-template](includes/certificate-template-dc.md)]
+
+[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
+
+[!INCLUDE [web-server-certificate-template](includes/certificate-template-web-server.md)]
+
+[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
+
+### Publish certificate templates to the CA
+
+A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.
+
+Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials.
+
+1. Open the **Certification Authority** management console
+1. Expand the parent node from the navigation pane
+1. Select **Certificate Templates** in the navigation pane
+1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue
+1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, and *Internal Web Server* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority
+1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list
+   - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
+1. Close the console
+
+## Configure and deploy certificates to domain controllers
+
+[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]
+
+## Validate the configuration
+
+[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
+
+## Section review and next steps
+
+> [!div class="checklist"]
+> Before moving to the next section, ensure the following steps are complete:
+>
+> - Configure domain controller and web server certificate templates
+> - Supersede existing domain controller certificates
+> - Unpublish superseded certificate templates
+> - Publish the certificate templates to the CA
+> - Deploy certificates to the domain controllers
+> - Validate the domain controllers configuration
 
 > [!div class="nextstepaction"]
-> [Next: validate and configure PKI >](on-premises-key-trust-pki.md)
+> [Next: prepare and deploy AD FS >](on-premises-key-trust-adfs.md)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/toc.yml b/windows/security/identity-protection/hello-for-business/deploy/toc.yml
index abf5610e69..6dcc14ab61 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/deploy/toc.yml
@@ -20,7 +20,7 @@ items:
       displayName: key trust
   - name: Certificate trust deployment
     items: 
-    - name: Overview
+    - name: Requirements and validation
       href: hybrid-cert-trust.md
       displayName: certificate trust
     - name: Configure and validate Public Key Infrastructure (PKI)
@@ -42,17 +42,15 @@ items:
   items:
   - name: Key trust deployment
     items: 
-    - name: Overview
+    - name: Requirements and validation
       href: on-premises-key-trust.md
-    - name: Configure and validate the PKI
-      href: on-premises-key-trust-pki.md
     - name: Prepare and deploy Active Directory Federation Services (AD FS)
       href: on-premises-key-trust-adfs.md
     - name: Configure and enroll in Windows Hello for Business
       href: on-premises-key-trust-enroll.md
   - name: Certificate trust deployment
     items: 
-    - name: Overview
+    - name: Requirements and validation
       href: on-premises-cert-trust.md
     - name: Configure and validate Public Key Infrastructure (PKI)
       href: on-premises-cert-trust-pki.md