Cert trust deployment guides refresh

windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md

@@ -1,7 +1,7 @@
 ---
 title: Prepare and deploy Active Directory Federation Services in an on-premises certificate trust model
 description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business on-premises certificate trust model.
-ms.date: 09/07/2023
+ms.date: 12/15/2023
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
@@ -29,6 +29,7 @@ Prepare the AD FS deployment by installing and **updating** two Windows Servers.
 Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity.
 
 The AD FS role needs a *server authentication* certificate for the federation services, and you can use a certificate issued by your enterprise (internal) CA. The server authentication certificate should have the following names included in the certificate, if you are requesting an individual certificate for each node in the federation farm:
+
  - **Subject Name**: the internal FQDN of the federation server
  - **Subject Alternate Name**: the federation service name (e.g. *sts.corp.contoso.com*) or an appropriate wildcard entry (e.g. *\*.corp.contoso.com*)
 
@@ -318,4 +319,4 @@ Each file in this folder represents a certificate in the service account's Perso
 For detailed information about the certificate, use `Certutil -q -v <certificateThumbprintFileName>`.
 
 > [!div class="nextstepaction"]
-> [Next: validate and deploy multi-factor authentication (MFA)](hello-cert-trust-validate-deploy-mfa.md)
+> [Next: validate and deploy multi-factor authentication (MFA) >](hello-cert-trust-validate-deploy-mfa.md)

windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md

@@ -1,7 +1,7 @@
 ---
 title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust
 description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario
-ms.date: 09/07/2023
+ms.date: 12/15/2023
 ms.topic: tutorial
 ---
 # Configure Windows Hello for Business group policy settings - on-premises certificate Trust
@@ -9,6 +9,7 @@ ms.topic: tutorial
 [!INCLUDE [hello-on-premises-cert-trust](./includes/hello-on-premises-cert-trust.md)]
 
 On-premises certificate-based deployments of Windows Hello for Business need three Group Policy settings:
+
 - Enable Windows Hello for Business
 - Use certificate for on-premises authentication
 - Enable automatic enrollment of certificates

windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md

@@ -1,33 +0,0 @@
----
-title: Validate Active Directory prerequisites in an on-premises certificate trust
-description: Validate Active Directory prerequisites when deploying Windows Hello for Business in a certificate trust model.
-ms.date: 09/07/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
-ms.topic: tutorial
----
-# Validate Active Directory prerequisites - on-premises certificate trust
-
-[!INCLUDE [hello-on-premises-cert-trust](./includes/hello-on-premises-cert-trust.md)]
-
-The key registration process for the on-premises deployment of Windows Hello for Business requires the Windows Server 2016 Active Directory or later schema.
-
-## Create the Windows Hello for Business Users security group
-
-The *Windows Hello for Business Users* group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy permissions to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business.
-
-Sign-in to a domain controller or to a management workstation with a *Domain Administrator* equivalent credentials.
-
-1. Open **Active Directory Users and Computers**
-1. Select **View > Advanced Features**
-1. Expand the domain node from the navigation pane
-1. Right-click the **Users** container. Select **New > Group**
-1. Type *Windows Hello for Business Users* in the **Group Name**
-1. Select **OK**
-
-> [!div class="nextstepaction"]
-> [Next: validate and configure PKI >](hello-cert-trust-validate-pki.md)

windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md

@@ -1,7 +1,7 @@
 ---
 title: Validate and Deploy MFA for Windows Hello for Business with certificate trust
 description: Validate and deploy multifactor authentication (MFA) for Windows Hello for Business in an on-premises certificate trust model.
-ms.date: 09/07/2023
+ms.date: 12/15/2023
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
@@ -28,4 +28,4 @@ For information about third-party authentication methods, see [Configure Additio
 Follow the integration and deployment guide for the authentication provider you plan to integrate to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies, see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
 
 > [!div class="nextstepaction"]
-> [Next: configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
+> [Next: configure Windows Hello for Business Policy settings >](hello-cert-trust-policy-settings.md)

windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md

@@ -10,6 +10,7 @@ appliesto:
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
 ms.topic: tutorial
 ---
+
 # Configure and validate the Public Key Infrastructure - on-premises certificate trust
 
 [!INCLUDE [hello-on-premises-cert-trust](./includes/hello-on-premises-cert-trust.md)]

windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md

@@ -1,7 +1,7 @@
 ---
 title: Windows Hello for Business deployment guide for the on-premises certificate trust model
 description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust model.
-ms.date: 09/07/2023
+ms.date: 12/15/2023
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
@@ -14,10 +14,29 @@ ms.topic: tutorial
 
 [!INCLUDE [hello-on-premises-cert-trust](./includes/hello-on-premises-cert-trust.md)]
 
-Windows Hello for Business replaces username and password authentication to Windows with an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in an on-premises environment:
+Windows Hello for Business replaces username and password authentication to Windows with an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in an on-premises environment.
 
-1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
+There are four steps to deploying Windows Hello for Business in an on-premises certificate trust model:
-2. [Validate and configure a PKI](hello-cert-trust-validate-pki.md)
+
-3. [Prepare and deploy AD FS](hello-cert-trust-adfs.md)
+1. [Validate and configure a PKI](hello-cert-trust-validate-pki.md)
-4. [Validate and deploy multi-factor authentication (MFA)](hello-cert-trust-validate-deploy-mfa.md)
+1. [Prepare and deploy AD FS](hello-cert-trust-adfs.md)
-5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
+1. [Validate and deploy multi-factor authentication (MFA)](hello-cert-trust-validate-deploy-mfa.md)
+1. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
+
+## Create the Windows Hello for Business Users security group
+
+While this is not a required step, it is recommended to create a security group to simplify the deployment.
+
+The *Windows Hello for Business Users* group is used to make it easy to deploy Windows Hello for Business in phases. You assign certificate templates and group policy permissions to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business.
+
+Sign-in to a domain controller or to a management workstation with a *Domain Administrator* equivalent credentials.
+
+1. Open **Active Directory Users and Computers**
+1. Select **View > Advanced Features**
+1. Expand the domain node from the navigation pane
+1. Right-click the **Users** container. Select **New > Group**
+1. Type *Windows Hello for Business Users* in the **Group Name**
+1. Select **OK**
+
+> [!div class="nextstepaction"]
+> [Next: validate and configure a PKI >](hello-cert-trust-validate-pki.md)

windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md

@@ -1,7 +1,7 @@
 ---
 title: Configure and validate the Public Key Infrastructure in an hybrid certificate trust model
 description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a hybrid certificate trust model.
-ms.date: 01/03/2023
+ms.date: 12/15/2023
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>

windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md

@@ -1,7 +1,7 @@
 ---
 title: Windows Hello for Business hybrid certificate trust deployment
 description: Learn how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
-ms.date: 03/16/2023
+ms.date: 12/15/2023
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
@@ -51,8 +51,6 @@ The hybrid-certificate trust deployment needs an *Microsoft Entra ID P1 or P2* s
 > [!IMPORTANT]
 > Windows Hello for Business is tied between a user and a device. Both the user and device object must be synchronized between Microsoft Entra ID and Active Directory.
 
-<a name='federated-authentication-to-azure-ad'></a>
-
 ### Federated authentication to Microsoft Entra ID
 
 Windows Hello for Business hybrid certificate trust doesn't support Microsoft Entra ID *Pass-through Authentication* (PTA) or *password hash sync* (PHS).\
@@ -91,8 +89,6 @@ The enterprise PKI and a certificate registration authority (CRA) are required t
 
 During Windows Hello for Business provisioning, users receive a sign-in certificate through the CRA.
 
-<a name='multi-factor-authentication'></a>
-
 ### Multifactor authentication
 
 The Windows Hello for Business provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but requires a second factor of authentication.\

windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md

@@ -1,7 +1,7 @@
 ---
 title: Windows Hello for Business hybrid certificate trust clients configuration and enrollment
 description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid certificate trust scenario.
-ms.date: 01/03/2023
+ms.date: 12/15/2023
 ms.topic: tutorial
 ---
 

windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md

@@ -1,7 +1,7 @@
 ---
 title: Configure Active Directory Federation Services in a hybrid certificate trust model
 description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business hybrid certificate trust model.
-ms.date: 01/03/2023
+ms.date: 12/15/2023
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
@@ -10,6 +10,7 @@ appliesto:
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
 ms.topic: tutorial
 ---
+
 # Configure Active Directory Federation Services - hybrid certificate trust
 
 [!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-cert-trust.md)]

windows/security/identity-protection/hello-for-business/includes/dc-certificate-deployment.md

@@ -1,5 +1,5 @@
 ---
-ms.date: 12/28/2022
+ms.date: 12/15/2023
 ms.topic: include
 ---
 

windows/security/identity-protection/hello-for-business/includes/dc-certificate-supersede.md

@@ -1,5 +1,5 @@
 ---
-ms.date: 12/28/2022
+ms.date: 12/15/2023
 ms.topic: include
 ---
 
@@ -30,4 +30,3 @@ However, the certificate template and the superseding of certificate templates i
 >To see all certificates in the NTAuth store, use the following command:
 >
 > `Certutil -viewstore -enterprise NTAuth`
-

windows/security/identity-protection/hello-for-business/includes/dc-certificate-template.md

@@ -1,5 +1,5 @@
 ---
-ms.date: 12/28/2022
+ms.date: 12/15/2023
 ms.topic: include
 ---
 
@@ -27,25 +27,14 @@ Sign in to a CA or management workstations with *Domain Administrator* equivalen
 1. Open the **Certification Authority** management console
 1. Right-click **Certificate Templates > Manage**
 1. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and select **Duplicate Template**
-1. On the **Compatibility** tab:
+1. Use the following table to configure the template:
-   - Clear the **Show resulting changes** check box
-   - Select **Windows Server 2016** from the **Certification Authority** list
-   - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list
-1. On the **General** tab
-   - Type *Domain Controller Authentication (Kerberos)* in Template display name
-   - Adjust the validity and renewal period to meet your enterprise's needs
-   > [!NOTE]
-   > If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
-1. On the **Subject Name** tab:
-   - Select the **Build from this Active Directory information** button if it isn't already selected
-   - Select **None** from the **Subject name format** list
-   - Select **DNS name** from the **Include this information in alternate subject** list
-   - Clear all other items
-1. On the **Cryptography** tab:
-   - Select **Key Storage Provider** from the **Provider Category** list
-   - Select **RSA** from the **Algorithm name** list
-   - Type *2048* in the **Minimum key size** text box
-   - Select **SHA256** from the **Request hash** list
-1. Select **OK**
-1. Close the console
 
+    | Tab Name | Configurations |
+    | --- | --- |
+    | *Compatibility* | <ul><li>Clear the **Show resulting changes** check box</li><li>Select **Windows Server 2016** from the *Certification Authority list*</li><li>Select **Windows 10 / Windows Server 2016** from the *Certification Recipient list*</li></ul>|
+    | *General* | <ul><li>Specify a **Template display name**, for example *Domain Controller Authentication (Kerberos)*</li><li>Set the validity period to the desired value</li><li>Take note of the template name for later, which should be the same as the Template display name minus spaces</li></ul>|
+    | *Subject Name* | <ul><li>Select **Build from this Active Directory information**</li><li>Select **None** from the **Subject name format** list</li><li>Select **DNS name** from the **Include this information in alternate subject** list</li><li>Clear all other items</li></ul>|
+    |*Cryptography*|<ul><li>Set the *Provider Category* to **Key Storage Provider**</li><li>Set the *Algorithm name* to **RSA**</li><li>Set the *minimum key size* to **2048**</li><li>Set the *Request hash* to **SHA256**</li>|
+
+1. Select **OK** to finalize your changes and create the new template
+1. Close the console

windows/security/identity-protection/hello-for-business/includes/dc-certificate-validate.md

@@ -1,5 +1,5 @@
 ---
-ms.date: 12/28/2022
+ms.date: 12/15/2023
 ms.topic: include
 ---
 

windows/security/identity-protection/hello-for-business/includes/enrollment-agent-certificate-template.md

@@ -1,5 +1,5 @@
 ---
-ms.date: 01/03/2022
+ms.date: 12/15/2023
 ms.topic: include
 ---
 

windows/security/identity-protection/hello-for-business/includes/hello-cloud.md

@@ -1,5 +1,5 @@
 ---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
 ms.topic: include
 ---
 

windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md

@@ -1,5 +1,5 @@
 ---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
 ms.topic: include
 ---
 

windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md

@@ -1,5 +1,5 @@
 ---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
 ms.topic: include
 ---
 

windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md

@@ -1,5 +1,5 @@
 ---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
 ms.topic: include
 ---
 

windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-aad.md

@@ -1,5 +1,5 @@
 ---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
 ms.topic: include
 ---
 

windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust.md

@@ -1,5 +1,5 @@
 ---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
 ms.topic: include
 ---
 

windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cloudkerb-trust.md

@@ -1,5 +1,5 @@
 ---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
 ms.topic: include
 ---
 

windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust.md

@@ -1,5 +1,5 @@
 ---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
 ms.topic: include
 ---
 

windows/security/identity-protection/hello-for-business/includes/hello-hybrid-keycert-trust-aad.md

@@ -1,5 +1,5 @@
 ---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
 ms.topic: include
 ---
 

windows/security/identity-protection/hello-for-business/includes/hello-intro.md

@@ -1,5 +1,5 @@
 ---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
 ms.topic: include
 ---
 

windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md

@@ -1,5 +1,5 @@
 ---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
 ms.topic: include
 ---
 

windows/security/identity-protection/hello-for-business/includes/hello-join-domain.md

@@ -1,5 +1,5 @@
 ---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
 ms.topic: include
 ---
 

windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md

@@ -1,5 +1,5 @@
 ---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
 ms.topic: include
 ---
 

windows/security/identity-protection/hello-for-business/includes/hello-on-premises-cert-trust.md

@@ -1,5 +1,5 @@
 ---
-ms.date: 12/08/2022
+ms.date: 12/15/2023
 ms.topic: include
 ---
 

windows/security/identity-protection/hello-for-business/includes/lab-based-pki-deploy.md

@@ -1,5 +1,5 @@
 ---
-ms.date: 01/03/2023
+ms.date: 12/15/2023
 ms.topic: include
 ---
 

windows/security/identity-protection/hello-for-business/includes/unpublish-superseded-templates.md

@@ -1,5 +1,5 @@
 ---
-ms.date: 12/28/2022
+ms.date: 12/15/2023
 ms.topic: include
 ---
 
@@ -15,4 +15,3 @@ Sign in to the CA or management workstation with *Enterprise Administrator* equi
 1. Expand the parent node from the navigation pane > **Certificate Templates**
 1. Right-click the *Domain Controller* certificate template and select **Delete**. Select **Yes** on the **Disable certificate templates** window
 1. Repeat step 3 for the *Domain Controller Authentication* and *Kerberos Authentication* certificate templates
-

windows/security/identity-protection/hello-for-business/includes/web-server-certificate-template.md

@@ -1,5 +1,5 @@
 ---
-ms.date: 01/23/2023
+ms.date: 12/15/2023
 ms.topic: include
 ---
 
@@ -10,29 +10,18 @@ Windows clients communicate with AD FS via HTTPS. To meet this need, a *server a
 Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.
 
 1. Open the **Certification Authority** management console
-1. Right-click **Certificate Templates** and select **Manage**
+1. Right-click **Certificate Templates > Manage**
 1. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and select **Duplicate Template**
-1. On the **Compatibility** tab:
+1. Use the following table to configure the template:
-   - Clear the **Show resulting changes** check box
-   - Select **Windows Server 2016** from the **Certification Authority** list
-   - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list
-1. On the **General** tab:
-   - Type *Internal Web Server* in **Template display name**
-   - Adjust the validity and renewal period to meet your enterprise's needs
-   > [!NOTE]
-   > If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
-1. On the **Request Handling** tab, select **Allow private key to be exported**
-1. On the **Subject** tab, select the **Supply in the request** button if it isn't already selected
-1. On the **Security** tab:
-   - Select **Add**
-   - Type **Domain Computers** in the **Enter the object names to select** box
-   - Select **OK**
-   - Select the **Allow** check box next to the **Enroll** permission
-1. On the **Cryptography** tab:
-   - Select **Key Storage Provider** from the **Provider Category** list
-   - Select **RSA** from the **Algorithm name** list
-   - Type *2048* in the **Minimum key size** text box
-   - Select **SHA256** from the **Request hash** list
-   - Select **OK**
-1. Close the console
 
+    | Tab Name | Configurations |
+    | --- | --- |
+    | *Compatibility* | <ul><li>Clear the **Show resulting changes** check box</li><li>Select **Windows Server 2016** from the *Certification Authority list*</li><li>Select **Windows 10 / Windows Server 2016** from the *Certification Recipient list*</li></ul>|
+    | *General* | <ul><li>Specify a **Template display name**, for example *Internal Web Server*</li><li>Set the validity period to the desired value</li><li>Take note of the template name for later, which should be the same as the Template display name minus spaces</li></ul>|
+    | *Request Handling* | Select **Allow private key to be exported** |
+    | *Subject Name* | Select **Supply in the request**|
+    |*Security*|Add **Domain Computers** with **Enroll** access|
+    |*Cryptography*|<ul><li>Set the *Provider Category* to **Key Storage Provider**</li><li>Set the *Algorithm name* to **RSA**</li><li>Set the *minimum key size* to **2048**</li><li>Set the *Request hash* to **SHA256**</li>|
+
+1. Select **OK** to finalize your changes and create the new template
+1. Close the console

windows/security/identity-protection/hello-for-business/toc.yml

@@ -70,8 +70,6 @@ items:
       items: 
       - name: Overview
         href: hello-deployment-key-trust.md
-      - name: Validate Active Directory prerequisites
-        href: hello-key-trust-validate-ad-prereq.md
       - name: Configure and validate the PKI
         href: hello-key-trust-validate-pki.md
       - name: Prepare and deploy Active Directory Federation Services (AD FS)