diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json index 9596a8434e..dad06f4747 100644 --- a/.openpublishing.redirection.windows-security.json +++ b/.openpublishing.redirection.windows-security.json @@ -8272,7 +8272,7 @@ }, { "source_path": "windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md", - "redirect_url": "/windows/security/identity-protection/hello-for-business/glossary", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/", "redirect_document_id": false }, { diff --git a/windows/security/identity-protection/hello-for-business/glossary.md b/windows/security/identity-protection/hello-for-business/_glossary.md similarity index 57% rename from windows/security/identity-protection/hello-for-business/glossary.md rename to windows/security/identity-protection/hello-for-business/_glossary.md index d8795cefa4..95035f706a 100644 --- a/windows/security/identity-protection/hello-for-business/glossary.md +++ b/windows/security/identity-protection/hello-for-business/_glossary.md 
@@ -21,41 +21,10 @@ Many existing devices that will upgrade to Windows 10 won't have a TPM, or the T In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be used by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that's not backed by an endorsement certificate. -## Microsoft Entra join - -Microsoft Entra join is intended for organizations that desire to be cloud-first or cloud-only. There's no restriction on the size or type of organizations that can deploy Microsoft Entra join. Microsoft Entra join also works in a hybrid environment and can enable access to on-premises applications and resources. - -## Microsoft Entra registration - -The goal of Microsoft Entra registered devices is to provide you with support for the _bring your own device_ (BYOD) scenario. In this scenario, a user can access your organization's Microsoft Entra ID-controlled resources using a personal device. - -## Certificate trust - -The certificate trust model uses a securely issued certificate based on the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The certificate trust model is supported in hybrid and on-premises deployments and is compatible with Windows Server 2008 R2 and later domain controllers. - -## Cloud deployment - -The Windows Hello for Business cloud deployment is exclusively for organizations using cloud-based identities and resources. Device management is accomplished using Intune or a modern management alternative. Cloud deployments use Microsoft Entra joined or Microsoft Entra registered devices. 
- ## Cloud experience host In Windows 10 and Windows 11, cloud experience host is an application used while joining the workplace environment or Microsoft Entra ID for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Microsoft Entra ID, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. -## Cloud Kerberos trust - -The cloud Kerberos trust model offers a simplified deployment experience, when compared to the other trust types.\ -With cloud Kerberos trust, there's no need to deploy certificates to the users or to the domain controllers, which is ideal for environments without an existing PKI. - -Giving the simplicity offered by this model, cloud Kerberos trust is the recommended model when compared to the key trust model. It is also the preferred deployment model if you do not need to support certificate authentication scenarios. - -## Deployment type - -Windows Hello for Business has three deployment models to accommodate the needs of different organizations. The three deployment models include: - -- Cloud -- Hybrid -- On-premises - ## Endorsement key The TPM has an embedded unique cryptographic key called the endorsement key. The TPM endorsement key is a pair of asymmetric keys (RSA size 2048 bits). 
@@ -67,29 +36,9 @@ The endorsement key acts as an identity card for the TPM. The endorsement key is often accompanied by one or two digital certificates: - One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service. - - The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device. -For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10 and Windows 11. - -## Federated environment - -Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Microsoft Entra ID and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Microsoft cloud services. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Microsoft Entra ID. - -## Microsoft Entra hybrid join - -For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable: - -- IT departments to manage work-owned devices from a central location. -- Users to sign in to their devices with their Active Directory work or school accounts. 
- -Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use or group policy to manage them. - -If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Microsoft Entra ID, you can implement Microsoft Entra hybrid joined devices. These devices are joined to both your on-premises Active Directory and your Microsoft Entra ID. - -## Hybrid deployment - -The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Microsoft Entra ID. Hybrid deployments support devices that are Microsoft Entra registered, Microsoft Entra joined, and Microsoft Entra hybrid joined. The Hybrid deployment model supports three trust types for on-premises authentication: cloud Kerberos trust, key trust and certificate trust. +For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during Windows OOBE. ## Join type 
@@ -101,18 +50,10 @@ When combined with a mobile device management (MDM) solution such as Microsoft I Joining a device is an extension to registering a device. This method provides you with all the benefits of registering a device, and changes the local state of a device. Changing the local state enables your users to sign-in to a device using an organizational work or school account instead of a personal account. -## Key trust - -The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The key trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers. - ## Managed environment Managed environments are for non-federated environments where Microsoft Entra ID manages the authentication using technologies such as Password Hash Synchronization and Pass-through Authentication rather than a federation service such as Active Directory Federation Services (ADFS). -## On-premises deployment - -The Windows Hello for Business on-premises deployment is for organizations that exclusively have on-premises resources that are accessed using Active Directory identities. On-premises deployments support domain joined devices. The on-premises deployment model supports two authentication trust types, key trust and certificate trust. - ## Pass-through authentication Pass-through authentication provides a simple password validation for Microsoft Entra authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Microsoft Entra ID and manage your users on-premises. Allows your users to sign in to both on-premises and Microsoft cloud resources and applications using their on-premises account and password. 
This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Microsoft Entra ID. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Microsoft Entra ID when they are on their corporate devices and connected to your corporate network. 
@@ -133,45 +74,3 @@ The PRT is needed for SSO. Without it, the user will be prompted for credentials The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048-bits length). The SRK has a major role and is used to protect TPM keys, so that these keys can't be used without the TPM. The SRK key is created when the ownership of the TPM is taken. -## Trust type - -The trust type determines how a user authenticates to the Active Directory to access on-premises resources. There are two trust types, key trust and certificate trust. The hybrid and on-premises deployment models support both trust types. The trust type doesn't affect authentication to Microsoft Entra ID. Windows Hello for Business authentication to Microsoft Entra ID always uses the key, not a certificate (excluding smart card authentication in a federated environment). - -## Trusted platform module - -A trusted platform module (TPM) is a hardware component that provides unique security features. - -Windows uses security characteristics of a TPM for the following functions: - -- Measuring boot integrity sequence. Based on that sequence, it automatically unlocks BitLocker-protected drives -- Protecting credentials -- Health attestation - -A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). There are currently two versions of the TPM specification produced by TCG that aren't compatible with each other: - -- The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard. -- The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015. - -Windows 10 and Windows 11 use the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. 
For more information, see [TPM requirements in Windows](../../hardware-security/tpm/tpm-recommendations.md). - -Windows recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 and Windows 11 support only TPM 2.0. - -TPM 2.0 provides a major revision to the capabilities over TPM 1.2: - -- Update cryptography strength to meet modern security needs - - Support for SHA-256 for PCRs - - Support for HMAC command -- Cryptographic algorithms flexibility to support government needs - - TPM 1.2 is severely restricted in terms of what algorithms it can support - - TPM 2.0 can support arbitrary algorithms with minor updates to the TCG specification documents -- Consistency across implementations - - The TPM 1.2 specification allows vendors wide latitude when choosing implementation details - - TPM 2.0 standardizes much of this behavior - -In a simplified manner, the TPM is a passive component with limited resources. It can calculate random numbers, RSA keys, decrypt short data, store hashes taken when booting the device. A TPM incorporates in a single component: - -- An RSA 2048-bit key generator -- A random number generator -- Nonvolatile memory for storing EK, SRK, and AIK keys -- A cryptographic engine to encrypt, decrypt, and sign -- Volatile memory for storing the PCRs and RSA keys diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/gpo-enable-whfb.md b/windows/security/identity-protection/hello-for-business/deploy/includes/gpo-enable-whfb.md index b14532be8d..0442108445 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/gpo-enable-whfb.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/gpo-enable-whfb.md 
@@ -3,10 +3,9 @@ ms.date: 01/03/2024 ms.topic: include --- -The *Enable Windows Hello for Business* policy setting is the configuration needed for Windows to determine if a user should attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is **enabled**.\ -You can configure the *Enable Windows Hello for Business* setting for computer or users: +You can configure the [Use Windows Hello for Business](../policy-settings.md#use-windows-hello-for-business) policy setting in the computer or user node of a GPO: -- Deploying this policy setting to computers (or group of computers) results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment -- Deploying this policy setting to a user (or group of users), results in only that user attempting a Windows Hello for Business enrollment +- Deploying the computer node policy setting, results in all users that sign-in to the targeted devices to attempt a Windows Hello for Business enrollment +- Deploying the user node policy setting, results in only the targeted users to attempt a Windows Hello for Business enrollment If both user and computer policy settings are deployed, the user policy setting has precedence. diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md index f045a07ed8..128a9cd1a5 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md 
@@ -3,4 +3,4 @@ ms.date: 01/03/2024 ms.topic: include --- -[cloud-only :::image type="icon" source="../images/information.svg" border="false":::](../../how-it-works.md "For organizations using Microsoft Entra-only identities. Device management is usually done via Intune/MDM") +[cloud-only :::image type="icon" source="../images/information.svg" border="false":::](../index.md#deployment-models "For organizations using Microsoft Entra-only identities. Device management is usually done via Intune/MDM") diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md index 82be24f2e5..7ebb44bfc0 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md @@ -3,4 +3,4 @@ ms.date: 01/03/2024 ms.topic: include --- -[hybrid :::image type="icon" source="../images/information.svg" border="false":::](../../how-it-works.md "For organizations using Active Directory identities synchronized to Microsoft Entra ID. Device management is usually done via Group Policy or Intune/MDM") +[hybrid :::image type="icon" source="../images/information.svg" border="false":::](../index.md#deployment-models "For organizations using Active Directory identities synchronized to Microsoft Entra ID. Device management is usually done via Group Policy or Intune/MDM") diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md index 0ce20d2da1..6406e82fc4 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md 
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md @@ -3,4 +3,4 @@ ms.date: 01/03/2024 ms.topic: include --- -[on-premises :::image type="icon" source="../images/information.svg" border="false":::](../../how-it-works.md "For organizations using Active Directory identities, not synchronized to Microsoft Entra ID. Device management is usually done via Group Policy") +[on-premises :::image type="icon" source="../images/information.svg" border="false":::](../index.md#deployment-models "For organizations using Active Directory identities, not synchronized to Microsoft Entra ID. Device management is usually done via Group Policy") diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md index 45158c830c..512be88987 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md @@ -3,4 +3,4 @@ ms.date: 01/03/2024 ms.topic: include --- -[domain join :::image type="icon" source="../images/information.svg" border="false":::](../../how-it-works.md) +[domain join :::image type="icon" source="../images/information.svg" border="false":::](../index.md "Devices that are Active Directory joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices") diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md index 961034d420..05bbdd63e1 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md 
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md @@ -3,4 +3,4 @@ ms.date: 01/03/2024 ms.topic: include --- -[Microsoft Entra join :::image type="icon" source="../images/information.svg" border="false":::](../../how-it-works.md "Devices that are Microsoft Entra joined do not have any dependencies on Active Directory. Only local users accounts and Microsoft Entra users can sign in to these devices") +[Microsoft Entra join :::image type="icon" source="../images/information.svg" border="false":::](../index.md "Devices that are Microsoft Entra joined don't have any dependencies on Active Directory. Only local users accounts and Microsoft Entra users can sign in to these devices") diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md index 17262579c9..b878a41559 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md 
@@ -3,4 +3,4 @@ ms.date: 01/03/2024 ms.topic: include --- -[Microsoft Entra hybrid join :::image type="icon" source="../images/information.svg" border="false":::](../../how-it-works.md "Devices that are Microsoft Entra hybrid joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Microsoft Entra ID will have single-sign on to both Active Directory and Microsoft Entra protected resources") +[Microsoft Entra hybrid join :::image type="icon" source="../images/information.svg" border="false":::](../index.md "Devices that are Microsoft Entra hybrid joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Microsoft Entra ID have single-sign on to both Active Directory and Microsoft Entra protected resources") diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md index 3f52ae0044..17ffcc98b4 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md 
@@ -3,4 +3,4 @@ ms.date: 01/03/2024 ms.topic: include --- -[certificate trust :::image type="icon" source="../images/information.svg" border="false":::](../../how-it-works.md "This trust type uses a certificate to authenticate the users to Active Directory. It's required to issue certificates to the users and to the domain controllers") \ No newline at end of file +[certificate trust :::image type="icon" source="../images/information.svg" border="false":::](../index.md#trust-types "This trust type uses a certificate to authenticate the users to Active Directory. It's required to issue certificates to the users and to the domain controllers") \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md index e4079292ad..58bad86a1c 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md @@ -3,4 +3,4 @@ ms.date: 12/08/2022 ms.topic: include --- -[cloud Kerberos trust :::image type="icon" source="../images/information.svg" border="false":::](../../how-it-works.md "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that don't need certificate authentication") \ No newline at end of file +[cloud Kerberos trust :::image type="icon" source="../images/information.svg" border="false":::](../index.md#trust-types "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that don't need certificate authentication") \ No newline at end of file 
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md index 1a90a9ac97..41d9b6cdf9 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md @@ -3,4 +3,4 @@ ms.date: 12/08/2022 ms.topic: include --- -[key trust :::image type="icon" source="../images/information.svg" border="false":::](../../how-it-works.md "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers") \ No newline at end of file +[key trust :::image type="icon" source="../images/information.svg" border="false":::](../index.md#trust-types "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers") \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/deploy/index.md b/windows/security/identity-protection/hello-for-business/deploy/index.md index 626cf1c3dc..9a093117d7 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/index.md +++ b/windows/security/identity-protection/hello-for-business/deploy/index.md 
@@ -60,7 +60,9 @@ There are three deployment models from which you can choose: ### Trust types -A deployment's trust type defines how Windows Hello for Business clients **authenticate to Active Directory**. For this reason, the trust type isn't applicable to a cloud-only deployment model. +A deployment's trust type defines how Windows Hello for Business clients **authenticate to Active Directory**. The trust type doesn't affect authentication to Microsoft Entra ID. For this reason, the trust type isn't applicable to a cloud-only deployment model. + +Windows Hello for Business authentication to Microsoft Entra ID always uses the key, not a certificate (excluding smart card authentication in a federated environment). The trust type determines whether you issue authentication certificates to your users. One trust model isn't more secure than the other. @@ -106,9 +108,9 @@ Cloud Kerberos trust is the only hybrid deployment option that doesn't require t ## Authentication -For cloud-only and hybrid deployments, users and devices must authenticate to Microsoft Entra ID. Authentication to Microsoft Entra ID can use federation to enable single sign-on (SSO) from another identity provider. +### Federation -For on-premises deployments, the identity provider is the on-premises server running the Active Directory Federation Services (AD FS) role. +For cloud-only and hybrid deployments, users and devices must authenticate to Microsoft Entra ID. Authentication to Microsoft Entra ID can use federation to enable single sign-on (SSO) from another identity provider. Here's a list of requirements for federated and nonfederated deployments. 
@@ -121,18 +123,18 @@ Here's a list of requirements for federated and nonfederated deployments. | **🔲** | **Hybrid** | Key | federated | AD FS or third-party federation service. It doesn't support [PTA][ENTRA-7] or [PHS][ENTRA-6] | | **🔲** | **Hybrid** | Certificate | non-federated | AD FS | | **🔲** | **Hybrid** | Certificate | federated | AD FS | -| **🔲** | **On-premises** | Certificate | n/a | AD FS | -| **🔲** | **On-premises** | Certificate | n/a | AD FS | ### Device registration -All devices included in the Windows Hello for Business deployment must go through a process called *device registration*. Device registration enables devices to authenticate to identity providers: +All devices included in the Windows Hello for Business deployment must go through a process called *device registration*. Device registration enables devices to authenticate to an identity provider (IdP). -| Deployment model | Device registration IdP | -|-|-| -| **Cloud-only** |Microsoft Entra ID | -| **Hybrid** |Microsoft Entra ID| -| **On-premises** | AD FS | +For on-premises deployments, the server running the Active Directory Federation Services (AD FS) role is responsible for device registration. For cloud-only and hybrid deployments, devices must register in Microsoft Entra ID. + +| Deployment model | Join type | Device registration IdP | +|-|-|-| +| **Cloud-only** |Microsoft Entra joined
Microsoft Entra registered|Microsoft Entra ID | +| **Hybrid** |Microsoft Entra joined
Microsoft Entra hybrid joined
Microsoft Entra registered|Microsoft Entra ID| +| **On-premises** | Active Directory domain joined | AD FS | For *Microsoft Entra hybrid joined* devices, review the guidance on the [Plan your Microsoft Entra hybrid join implementation][ENTRA-5] page. diff --git a/windows/security/identity-protection/hello-for-business/includes/use-pin-recovery.md b/windows/security/identity-protection/hello-for-business/includes/use-pin-recovery.md index 320c204caa..8f28f8f8d1 100644 --- a/windows/security/identity-protection/hello-for-business/includes/use-pin-recovery.md +++ b/windows/security/identity-protection/hello-for-business/includes/use-pin-recovery.md @@ -18,7 +18,7 @@ PIN recovery requires the user to perform multi-factor authentication to Microso | | Path | |--|--| -| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[EnablePinRecovery](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesenablepinrecovery) | +| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[EnablePinRecovery](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesenablepinrecovery)
`./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[EnablePinRecovery](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciesenablepinrecovery) | | **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** | For more information, see [PIN reset](../pin-reset.md). diff --git a/windows/security/identity-protection/hello-for-business/policy-settings.md b/windows/security/identity-protection/hello-for-business/policy-settings.md index 89d81d0c07..c3b827d690 100644 --- a/windows/security/identity-protection/hello-for-business/policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/policy-settings.md @@ -46,6 +46,7 @@ Select one of the tabs to see the list of available settings: |[Require lowercase letters](#require-lowercase-letters)|✅|✅| |[Require special characters](#require-special-characters)|✅|✅| |[Require uppercase letters](#require-uppercase-letters)|✅|✅| +|[Use PIN recovery](#use-pin-recovery)|✅|✅| [!INCLUDE [expiration](includes/expiration.md)] [!INCLUDE [history](includes/history.md)] diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 4530d1e21d..4354e4fcbe 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -3,12 +3,12 @@ items: href: index.md - name: How Windows Hello for Business works href: how-it-works.md +- name: Configure Windows Hello for Business + href: configure.md - name: Deployment guides href: deploy/toc.yml - name: How-to-guides items: - - name: Configure Windows Hello for Business - href: configure.md - name: Configure PIN reset href: pin-reset.md - name: Configure dual enrollment 
@@ -37,8 +37,6 @@ items: href: webauthn-apis.md - name: Windows Hello Enhanced Security Sign-in (ESS) 🔗 href: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security - - name: Technology and terminology - href: glossary.md - name: Frequently Asked Questions (FAQ) href: hello-faq.yml - name: Windows Hello for Business videos
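Review bot: the .openpublishing.redirection.windows-security.json hunk only retargets the entry for hello-how-it-works-technology.md from `/hello-for-business/glossary` to `/hello-for-business/deploy/`, yet the same patch renames glossary.md to _glossary.md (unpublishing it) and removes its toc.yml entry; add a redirect entry with `"source_path": "windows/security/identity-protection/hello-for-business/glossary.md"` so existing links and bookmarks to the glossary don't 404, and check the redirection file for any other entries still pointing at `/hello-for-business/glossary`.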
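Review bot: the glossary.md to _glossary.md hunks delete the whole "Trusted platform module" section (the TPM 1.2 versus 2.0 comparison, the ISO/IEC 11889 references and the link to `../../hardware-security/tpm/tpm-recommendations.md`) together with the "Trust type" section, but only the two "Trust type" sentences reappear elsewhere in this patch (in the deploy/index.md hunk); confirm the TPM material is already covered by the tpm-recommendations page or move it there, because the surviving _glossary.md still defines the endorsement key and the storage root key in terms of a TPM that the file no longer introduces.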
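Review bot: in the deploy/includes/gpo-enable-whfb.md hunk, the two rewritten bullets carry a stray comma after "policy setting" and a dangling infinitive ("results in all users ... to attempt"); suggest "Deploying the computer node policy setting results in all users who sign in to the targeted devices attempting a Windows Hello for Business enrollment", with the user bullet reshaped the same way. The rewrite also drops the statement that a user only attempts enrollment when the setting is **enabled**; keep that sentence unless it now lives under the linked `#use-windows-hello-for-business` anchor, and verify that anchor exists in policy-settings.md, since the only policy-settings.md hunk in this patch doesn't show it.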
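Review bot: the tooltip-deployment-*.md and tooltip-trust-*.md hunks retarget their links to `../index.md#deployment-models` and `../index.md#trust-types`; a `### Trust types` heading is visible in the deploy/index.md hunk, but no "Deployment models" heading appears anywhere in this patch, so confirm that anchor resolves. tooltip-trust-cert.md, tooltip-trust-cloud-kerberos.md and tooltip-trust-key.md still end with "\ No newline at end of file" after the edit; add the trailing newline while these files are being touched.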
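Review bot: in the tooltip-join-domain.md, tooltip-join-entra.md and tooltip-join-hybrid.md hunks, "local users accounts" should be "local user accounts" and "single-sign on" should be "single sign-on". tooltip-join-hybrid.md also carries over the claim that Microsoft Entra hybrid joined devices "don't have any dependencies on Microsoft Entra ID", while the device registration table added to deploy/index.md in this same patch lists "Microsoft Entra hybrid joined" under the Hybrid model with Microsoft Entra ID as the registration IdP; reword the tooltip to state what is meant (for example, that signing in to the device doesn't require Microsoft Entra ID) so the two pages don't contradict each other.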
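Review bot: in the deploy/index.md "### Trust types" hunk, the inserted sentence "The trust type doesn't affect authentication to Microsoft Entra ID." now sits between the Active Directory sentence and "For this reason, the trust type isn't applicable to a cloud-only deployment model.", and the moved sentence about always using the key, not a certificate, follows as a separate paragraph; consider ordering it as "defines how clients authenticate to Active Directory. It doesn't affect authentication to Microsoft Entra ID, which always uses the key, not a certificate (excluding smart card authentication in a federated environment). For this reason, the trust type isn't applicable to a cloud-only deployment model." so the reason reads directly.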
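Review bot: in the deploy/index.md "## Authentication" hunks, both `| **On-premises** | Certificate | n/a | AD FS |` rows are deleted and the on-premises AD FS requirement now survives only in the device registration sentence; that is consistent with the new "### Federation" subheading scoping the section to cloud-only and hybrid, but the table's column header isn't in the context, so check it still fits a table that contains only hybrid rows. In the new device registration table, the "Join type" cells for Cloud-only and Hybrid hold several values; if those are literal newlines rather than `<br>` elements they break the markdown row, so make sure they are `<br>` and pad the cells (`| Microsoft Entra joined<br>Microsoft Entra registered | Microsoft Entra ID |`) to match the `| **Cloud-only** |` style of the surrounding cells.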
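Review bot: in the includes/use-pin-recovery.md hunk the **CSP** row gains the `./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/EnablePinRecovery` path, but the **GPO** row still lists only **Computer Configuration**, while the policy-settings.md hunk marks "Use PIN recovery" with ✅ in both columns; if the second column is the user scope, add the **User Configuration** path to the GPO row, otherwise the two tables disagree about user-scoped support.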
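Review bot: in the policy-settings.md hunk the new row links to `#use-pin-recovery`, but the visible context shows only the existing `[!INCLUDE [expiration](includes/expiration.md)]` and `[!INCLUDE [history](includes/history.md)]` lines and no `[!INCLUDE [use-pin-recovery](includes/use-pin-recovery.md)]`; unless that include already appears further down the file, the anchor has no target and the row needs a matching include line.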