diff --git a/windows/security/identity-protection/hello-for-business/rdp-sign-in2.md b/windows/security/identity-protection/hello-for-business/rdp-sign-in2.md
index 46809132a1..eb6a22fe3a 100644
--- a/windows/security/identity-protection/hello-for-business/rdp-sign-in2.md
+++ b/windows/security/identity-protection/hello-for-business/rdp-sign-in2.md
@@ -70,9 +70,9 @@ You must first create a *certificate template*, and then deploy certificates bas
| Tab Name | Configurations |
| --- | --- |
| *Compatibility* |
- Clear the **Show resulting changes** check box
- Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Authority list*
- Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Recipient list*
|
- | *General* | - Specify a **Template display name**, for example *WHfB Certificate Authentication*
- Set the validity period to the desired value
- Take note of the Template name for later, which should be the same as the Template display name minus spaces (*WHfBCertificateAuthentication* in this example)
|
- | *Extensions* | Verify the **Application Policies** extension includes **Smart Card Logon**|
- | *Subject Name* | - Select the **Build from this Active Directory** information button if it isn't already selected
- Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name isn't already selected
- Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
**Note:** If you deploy certificates via Intune, select **Supply in the request** instead of *Build from this Active Directory*.|
+ | *General* | - Specify a **Template display name**, for example *WHfB Certificate Authentication*
- Set the validity period to the desired value
|
+ | *Extensions* | Verify the **Application Policies** extension includes **Smart Card Logon**.|
+ | *Subject Name* | Select **Supply in the request**.|
|*Request Handling*|- Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose
- Select the **Renew with same key** check box
- Select **Prompt the user during enrollment**
**Note:** If you deploy certificates via Intune with a PKCS profile, select the option **Allow private key to be exported**|
|*Cryptography*|- Set the Provider Category to **Key Storage Provider**
- Set the Algorithm name to **RSA**
- Set the minimum key size to **2048**
- Select **Requests must use one of the following providers**
- Select **Microsoft Software Key Storage Provider**
- Set the Request hash to **SHA256**
|
|*Security*|Add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them.
**Note:** If you deploy certificates via Intune, grant **Enroll** access to the security principal used for SCEP or PKCS.|
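Review bot: With the *Subject Name* row now set to **Supply in the request**, the *Security* row's example of granting **Enroll** to the **Authenticated** users group should be removed from this tab: a template that combines **Supply in the request** with the **Smart Card Logon** application policy and broad enroll rights lets any enrollee request a logon certificate for a subject of their choosing, so the note "grant **Enroll** access to the security principal used for SCEP or PKCS" should be the only guidance here, stated unconditionally rather than as "If you deploy certificates via Intune" (the same applies to the *Request Handling* note, since this whole tab is the Intune path). Two smaller points: the bullet "Take note of the Template name for later" was dropped from this tab but kept in the Group Policy tab, and the Intune profile steps that follow will need that name, so consider keeping it; and the added trailing period on "**Smart Card Logon**." is inconsistent with the other single-line rows (and with the Group Policy hunk, which removes the period from its *Security* row).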
@@ -80,12 +80,6 @@ You must first create a *certificate template*, and then deploy certificates bas
1. Select **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates
1. Close the Certificate Templates console
-### Issue the certificate template
-
-1. In the Certificate Authority console, right-click **Certificate Templates**, select **New > Certificate Template to Issue**
-1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and select **OK**. It can take some time for the template to replicate to all servers and become available in this list
-1. After the template replicates, in the MMC, right-click in the Certification Authority list, select **All Tasks > Stop Service**. Right-click the name of the CA again, select **All Tasks > Start Service**
-
# [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
This process is applicable to scenarios where you deploy certificates using an on-premises Active Directory Certificate Services infrastrusture and the certificates are distributed using an AD CS enrollment policy.
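Review bot: Moving the "Issue the certificate template" steps out of this tab is fine as long as the shared section that replaces them is reachable from both tabs; please confirm the tab block is closed before the new shared heading so the steps are not rendered inside the last tab only. While touching this region, fix the typo in the context line: "infrastrusture" should be "infrastructure".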
@@ -104,10 +98,10 @@ You must first create a *certificate template*, and then deploy certificates bas
| *Compatibility* | - Clear the **Show resulting changes** check box
- Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Authority list*
- Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Recipient list*
|
| *General* | - Specify a **Template display name**, for example *WHfB Certificate Authentication*
- Set the validity period to the desired value
- Take note of the Template name for later, which should be the same as the Template display name minus spaces (*WHfBCertificateAuthentication* in this example)
|
| *Extensions* | Verify the **Application Policies** extension includes **Smart Card Logon**|
- | *Subject Name* | - Select the **Build from this Active Directory** information button if it isn't already selected
- Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name isn't already selected
- Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
**Note:** If you deploy certificates via Intune, select **Supply in the request** instead of *Build from this Active Directory*.|
- |*Request Handling*|- Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose
- Select the **Renew with same key** check box
- Select **Prompt the user during enrollment**
**Note:** If you deploy certificates via Intune with a PKCS profile, select the option **Allow private key to be exported**|
+ | *Subject Name* | - Select the **Build from this Active Directory** information button if it isn't already selected
- Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name isn't already selected
- Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
|
+ |*Request Handling*|- Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose
- Select the **Renew with same key** check box
- Select **Prompt the user during enrollment**
|
|*Cryptography*|- Set the Provider Category to **Key Storage Provider**
- Set the Algorithm name to **RSA**
- Set the minimum key size to **2048**
- Select **Requests must use one of the following providers**
- Select **Microsoft Software Key Storage Provider**
- Set the Request hash to **SHA256**
|
- |*Security*|Add the security principal used for SCEP or PKCS **Enroll** access.|
+ |*Security*|Add the security principal used for SCEP or PKCS **Enroll** access|
1. Select **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates
1. Close the Certificate Templates console
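Review bot: The *Security* row still reads "Add the security principal used for SCEP or PKCS **Enroll** access", but SCEP and PKCS are the Intune enrollment paths, and this tab is the Group Policy / AD CS enrollment-policy path described in its intro; the row should instead say which users' security group to grant **Enroll** permission, for example "Grant **Enroll** permission to the security group of users who will sign in with this certificate". The change only removed the trailing period, which also leaves the sentence grammatically incomplete ("Add ... access" needs "Grant ... access"). Removing the Intune-only notes from the *Subject Name* and *Request Handling* rows is the right call for this tab.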
@@ -144,14 +138,14 @@ You must first create a *certificate template*, and then deploy certificates bas
:::column-end:::
:::row-end:::
-### Issue the certificate template
+---
+
+## Issue the certificate template
1. In the Certificate Authority console, right-click **Certificate Templates**, select **New > Certificate Template to Issue**
1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and select **OK**. It can take some time for the template to replicate to all servers and become available in this list
1. After the template replicates, in the MMC, right-click in the Certification Authority list, select **All Tasks > Stop Service**. Right-click the name of the CA again, select **All Tasks > Start Service**
----
-
## Deploy certificates
[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)]
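Review bot: Promoting the section to `## Issue the certificate template` and placing it after the tab terminator `---` makes it apply to both enrollment paths, which matches the Intune-tab removal; add a blank line after the new heading so the numbered list that follows is rendered consistently with the other `##` sections on this page. In the step list, the template is referred to as **WHFB Certificate Authentication** while both tabs define the display name as *WHfB Certificate Authentication*; align the casing so readers match the right template in the issue list.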