Remove deprecated Intune account protection policy and update TOC

windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md

@@ -63,9 +63,9 @@ After setting up the Microsoft Entra Kerberos object, Windows Hello for business
 
 Review the article [Configure Windows Hello for Business using Microsoft Intune](../configure.md#configure-windows-hello-for-business-using-microsoft-intune) to learn about the different options offered by Microsoft Intune to configure Windows Hello for Business.
 
-If the Intune tenant-wide policy is enabled and configured to your needs, you can skip to [Configure cloud Kerberos trust policy](#configure-the-cloud-kerberos-trust-policy). Otherwise, follow the instructions below to enable Windows Hello for Business a policy using an *account protection* policy.
+If the Intune tenant-wide policy is enabled and configured to your needs, you can skip to [Configure cloud Kerberos trust policy](#configure-the-cloud-kerberos-trust-policy). Otherwise, follow the instructions below to enable Windows Hello for Business a policy using an *settings catalog* policy.
 
-[!INCLUDE [intune-account-protection-policy](includes/intune-account-protection-policy.md)]
+[!INCLUDE [intune-settings-catalog-enable-whfb](includes/intune-settings-catalog-enable-whfb.md)]
 
 ### Configure the cloud Kerberos trust policy
 
@@ -92,7 +92,7 @@ For more information about the cloud Kerberos trust policy, see [Windows Hello f
 > [!NOTE]
 > Cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration.
 
-#### Update administrative templates
+### Update administrative templates
 
 You may need to update your Group Policy definitions to be able to configure the cloud Kerberos trust policy. You can copy the ADMX and ADML files from a Windows client that supports cloud Kerberos trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the *Passport.admx* and *Passport.adml* files.
 
@@ -128,7 +128,7 @@ Additional policy settings can be configured to control the behavior of Windows
 The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business *cloud Kerberos trust* adds a prerequisite check for Microsoft Entra hybrid joined devices when cloud Kerberos trust is enabled by policy.
 
 You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs** > **Microsoft** > **Windows**.\
-This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4].
+This information is also available using the `dsregcmd.exe /status` command from a console. For more information, see [dsregcmd][AZ-4].
 
 The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Microsoft Entra Kerberos is set up for the user's domain and tenant. If Microsoft Entra Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust isn't being enforced by policy or if the device is Microsoft Entra joined.
 

windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md

@@ -15,9 +15,9 @@ After the prerequisites are met and the PKI configuration is validated, Windows
 
 Review the article [Configure Windows Hello for Business using Microsoft Intune](../configure.md#configure-windows-hello-for-business-using-microsoft-intune) to learn about the different options offered by Microsoft Intune to configure Windows Hello for Business.
 
-If the Intune tenant-wide policy is enabled and configured to your needs, you can skip to [Configure cloud Kerberos trust policy](#configure-the-cloud-kerberos-trust-policy). Otherwise, follow the instructions below to enable Windows Hello for Business a policy using an *account protection* policy.
+If the Intune tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to enable Windows Hello for Business a policy using an *settings catalog* policy.
 
-[!INCLUDE [intune-account-protection-policy](includes/intune-account-protection-policy.md)]
+[!INCLUDE [intune-settings-catalog-enable-whfb](includes/intune-settings-catalog-enable-whfb.md)]
 
 # [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo)
 
@@ -49,7 +49,7 @@ Additional policy settings can be configured to control the behavior of Windows
 The Windows Hello for Business provisioning process begins immediately after the user profile is loaded and before the user receives their desktop. For the provisioning process to begin, all prerequisite checks must pass.
 
 You can determine the status of the prerequisite checks by viewing the **User Device Registration** admin log under **Applications and Services Logs > Microsoft > Windows**.\
-This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4].
+This information is also available using the `dsregcmd.exe /status` command from a console. For more information, see [dsregcmd][AZ-4].
 
 :::image type="content" source="images/Event358.png" alt-text="Details about event ID 358 showing that the device is ready to enroll in Windows Hello for Business." border="false" lightbox="images/Event358.png":::
 

windows/security/identity-protection/hello-for-business/deploy/includes/intune-account-protection-policy.md

@@ -1,31 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-
-## Enable Windows Hello for Business
-
-To configure Windows Hello for Business using an account protection policy:
-
-1. Sign in to the <a href="https://intune.microsoft.com" target="_blank"><b>Microsoft Intune admin center</b></a>
-1. Select **Endpoint security** > **Account protection**
-1. Select **+ Create Policy**
-1. For **Platform**, select **Windows 10 and later** and for **Profile** select **Account protection**
-1. Select **Create**
-1. Specify a **Name** and, optionally, a **Description** > **Next**
-1. Under **Block Windows Hello for Business**, select **Disabled** and multiple policies become available
-    - These policies are optional to configure, but it's recommended to configure **Enable to use a Trusted Platform Module (TPM)** to **Yes**
-    - For more information about these policies, see [Windows Hello for Business policy settings](../../policy-settings)
-1. Under **Enable to certificate for on-premises resources**, select **Not configured**
-1. Select **Next**
-1. Optionally, add **scope tags** and select **Next**
-1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
-1. Review the policy configuration and select **Create**
-
-> [!TIP]
-> If you want to enforce the use of digits for your Windows Hello for Business PIN, use the settings catalog and choose **Digits** or **Digits (User)** instead of using the Account protection template.
-
-:::image type="content" source="../images/whfb-intune-account-protection-enable.png" alt-text="Screenshot of the enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="../images/whfb-intune-account-protection-enable.png":::
-
-Assign the policy to a security group that contains as members the devices or users that you want to configure.

windows/security/identity-protection/hello-for-business/deploy/includes/intune-settings-catalog-enable-whfb.md

@@ -0,0 +1,20 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+### Enable Windows Hello for Business
+
+[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| **Windows Hello for Business** | Use Passport For Work | true |
+
+[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy](/mem/intune/configuration/custom-settings-configure) with the [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp).
+
+| Setting |
+|--------|
+| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork`<br>- **Data type:** `bool`<br>- **Value:** `True`|

windows/security/identity-protection/hello-for-business/deploy/toc.yml

@@ -9,7 +9,7 @@ items:
     href: hybrid-cloud-kerberos-trust.md
   - name: Key trust deployment
     items: 
-    - name: Overview
+    - name: Requirements and validation
       href: hybrid-key-trust.md
       displayName: key trust
     - name: Configure and provision Windows Hello for Business
@@ -20,7 +20,7 @@ items:
       displayName: key trust
   - name: Certificate trust deployment
     items: 
-    - name: Overview
+    - name: Requirements and validation
       href: hybrid-cert-trust.md
       displayName: certificate trust
     - name: Configure and validate Public Key Infrastructure (PKI)