Paolo Matarazzo 2022-12-09 16:46:40 -05:00
parent b5a795ecd4
commit a130110bab
2 changed files with 24 additions and 2 deletions

@ -17,7 +17,7 @@ When you Azure Active Directory (Azure AD) join a Windows device, the system pro
You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below.
> [!NOTE]
> During the out-of-box experience (OOBE) flow of an Azure AD join, you will see a provisioning PIN when you dont have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts.
> During the out-of-box experience (OOBE) flow of an Azure AD join, you will see a provisioning PIN when you don't have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts.
## Prerequisites
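Review bot: The NOTE line still says to "set this cancellation with registry keys" without naming the keys or pointing to where they are documented, so the apostrophe fix leaves the instruction unactionable. Since the paragraph above promises instructions "included below", link the note to that section. While touching the line, "you will see a provisioning PIN" would read more clearly as "you're prompted to provision a PIN", because it is the prompt that the reader can cancel.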
@ -25,7 +25,7 @@ Cloud only deployments will use Azure AD multi-factor authentication (MFA) durin
The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#azure-ad-cloud-only-deployment).
Also note that it's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This flag tells Azure AD that the federated IDP will perform the MFA challenge.
Also note that it's possible for federated domains to enable the *Supports MFA* flag in your federated domain settings. This flag tells Azure AD that the federated IDP will perform the MFA challenge.
Check and view this setting with the following MSOnline PowerShell command:
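Review bot: In the changed sentence, "IDP" should be written "IdP" and expanded on first use (identity provider). The sentence also makes "federated domains" the subject while addressing "your federated domain settings", so it is unclear who enables the flag. Suggest something like: "For federated domains, you can enable the *Supports MFA* flag in the federated domain settings." The next line's "Check and view" is redundant; "View this setting" is enough.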

@ -70,6 +70,7 @@ The certificate trust model uses a securely issued certificate based on the user
- [Deployment type](#deployment-type)
- [Hybrid Azure AD join](#hybrid-azure-ad-join)
- [Hybrid deployment](#hybrid-deployment)
- [Cloud Kerberos trust](#cloud-kerberos-trust)
- [Key trust](#key-trust)
- [On-premises deployment](#on-premises-deployment)
- [Trust type](#trust-type)
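Review bot: The "Cloud Kerberos trust" entry sits between "Hybrid deployment" and "Key trust", which breaks the ordering of this related-topics list. If the list is meant to be alphabetical, it belongs before "Deployment type"; if it is meant to group the trust models together, place it directly next to "Key trust" and keep that arrangement in every related list on the page.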
@ -102,6 +103,27 @@ In Windows 10 and Windows 11, cloud experience host is an application used while
[Windows Hello for Business and device registration](./hello-how-it-works-device-registration.md)
## Cloud Kerberos trust
The cloud Kerberos trust model offers a simplified deployment experience, when compared to the key trust model.\
With cloud Kerberos trust, there's no need to deploy certificated to the users or to the domain controllers, which is ideal for those environments without a PKI.
Giving the simplicity offered by this model, cloud Kerberos trust is the recommended deployment model when compared to the key trust model. It is also the preferred deployment model if you do not need to support certificate authentication scenarios.
### Related to cloud Kerberos trust
- [Deployment type](#deployment-type)
- [Hybrid Azure AD join](#hybrid-azure-ad-join)
- [Hybrid deployment](#hybrid-deployment)
- [Cloud Kerberos trust](#cloud-kerberos-trust)
- [Key trust](#key-trust)
- [On-premises deployment](#on-premises-deployment)
- [Trust type](#trust-type)
### More information about cloud Kerberos trust
[Cloud Kerberos trust deployment](hello-hybrid-cloud-kerberos-trust.md)
## Deployment type
Windows Hello for Business has three deployment models to accommodate the needs of different organizations. The three deployment models include:
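Review bot: The new "Cloud Kerberos trust" section has two typos: "deploy certificated to the users" should be "deploy certificates to the users", and "Giving the simplicity" should be "Given the simplicity". The section's "Related to cloud Kerberos trust" list also links to `#cloud-kerberos-trust`, which is the section itself, so that entry should be dropped. The first and third sentences both end with "when compared to the key trust model"; state the comparison once. The trailing backslash after the first sentence forces a line break inside a single paragraph and can be removed.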