Disable Windows Hello for Business enrollment using Intune and cloud deployment improvements

windows/security/identity-protection/hello-for-business/configure.md

@@ -99,6 +99,23 @@ You can create a Group Policy or mobile device management (MDM) policy to config
 Windows Hello for Business is enabled by default for devices that are Microsoft Entra joined. If you need to disable the automatic enablement, there are different options to configure them.
 
 
+### Use Intune to disable Windows Hello for Business enrollment
+
+We recommend that you disable or manage Windows Hello for Business provisioning behavior through an Intune policy. For more specific information, see [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello).
+
+### Disable Windows Hello for Business using Intune Enrollment policy
+
+The following method explains how to disable Windows Hello for Business enrollment using Intune.
+
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens.
+3. If you don't want to enable Windows Hello for Business during device enrollment, select **Disabled** for **Configure Windows Hello for Business**.
+
+    When disabled, users can't provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business.
+
+> [!NOTE]
+> This policy is only applied during new device enrollments. For currently enrolled devices, you can [set the same settings in a device configuration policy](../configure.md).
+
 ### Disable during OS deployment
 
 If you don't use Intune in your organization, then you can disable Windows Hello for Business using the registry. You can use a third-party MDM, or some other method that you use to manage these devices. Because these systems are Microsoft Entra joined only, and not domain joined, these settings can also be made manually in the registry.

windows/security/identity-protection/hello-for-business/deploy/cloud.md

@@ -10,18 +10,24 @@ ms.topic: how-to
 
 ## Introduction
 
-When you Microsoft Entra join a Windows device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in a cloud-only environment, there's no additional configuration needed.
+When you Microsoft Entra join a device, the system attempts to automatically enroll you in Windows Hello for Business, by default. If you want to use Windows Hello for Business in a cloud-only environment, there's no additional configuration needed.
 
-You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. This article describes how to disable Windows Hello for Business enrollment in a cloud only environment.
+If you want to disable the automatic Windows Hello for Business enrollment prompt, you can configure your devices with a policy setting or registry key. For more information, see [Disable Windows Hello for Business]([Disable Windows Hello for Business enrollment](../configure.md#disable-windows-hello-for-business-enrollment).
 
 > [!NOTE]
-> During the out-of-box experience (OOBE) flow of a Microsoft Entra join, you will see a provisioning PIN when you don't have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts.
+> During the out-of-box experience (OOBE) flow of a Microsoft Entra join, you are guided to enroll in Windows Hello for Business when you don't have Intune. You can cancel the PIN screen and configure this cancellation with registry keys to prevent future prompts.
 
 ## Prerequisites
 
-Cloud only deployments will use Microsoft Entra multifactor authentication (MFA) during Windows Hello for Business enrollment, and there's no additional MFA configuration needed. If you aren't already registered in MFA, you'll be guided through the MFA registration as part of the Windows Hello for Business enrollment process.
+> [!div class="checklist"]
+> The following prerequisites must be met for a cloud-only deployment:
+>
+> - Authentication to Microsoft Entra ID
+> - Microsoft Entra multifactor authentication
+> - Device management solution (Intune or supported third-party MDM), optional
+> - Microsoft Entra ID P1 or P2 subscription - optional, needed for automatic MDM enrollment when the device joins Microsoft Entra ID
 
-The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](requirements.md#microsoft-entra-cloud-only-deployment).
+Cloud-only deployments use Microsoft Entra multifactor authentication (MFA) during Windows Hello for Business enrollment, and there's no additional MFA configuration needed. If you aren't already registered in MFA, you'll be guided through the MFA registration as part of the Windows Hello for Business enrollment process.
 
 It's possible for federated domains to configure the *FederatedIdpMfaBehavior* flag. The flag instructs Microsoft Entra ID to accept, enforce, or reject the MFA challenge from the federated IdP. For more information, see [federatedIdpMfaBehavior values](/graph/api/resources/internaldomainfederation#federatedidpmfabehavior-values). To check this setting, use the following PowerShell command:
 
@@ -37,23 +43,4 @@ To reject the MFA claim from the federated IdP, use the following command. This
 Update-MgDomainFederationConfiguration -DomainId $DomainId -FederatedIdpMfaBehavior rejectMfaByFederatedIdp
 ```
 
-If you use configure the flag with a value of either `acceptIfMfaDoneByFederatedIdp` (default) or `enforceMfaByFederatedIdp`, you must verify that your federated IDP is correctly configured and working with the MFA adapter and provider used by your IdP.
-
-## Use Intune to disable Windows Hello for Business enrollment
-
-We recommend that you disable or manage Windows Hello for Business provisioning behavior through an Intune policy. For more specific information, see [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello).
-
-### Disable Windows Hello for Business using Intune Enrollment policy
-
-The following method explains how to disable Windows Hello for Business enrollment using Intune.
-
-1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens.
-3. If you don't want to enable Windows Hello for Business during device enrollment, select **Disabled** for **Configure Windows Hello for Business**.
-
-    When disabled, users can't provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business.
-
-> [!NOTE]
-> This policy is only applied during new device enrollments. For currently enrolled devices, you can [set the same settings in a device configuration policy](../configure.md).
-
-
+If you configure the flag with a value of either `acceptIfMfaDoneByFederatedIdp` (default) or `enforceMfaByFederatedIdp`, you must verify that your federated IDP is correctly configured and working with the MFA adapter and provider used by your IdP.

windows/security/identity-protection/hello-for-business/deploy/index.md

@@ -174,9 +174,7 @@ After enrollment in Hello, users should use their gesture (such as a PIN or fing
 
 Although the organization may require users to change their Active Directory or Microsoft Entra account password at regular intervals, changes to their passwords have no effect on Hello.
 
-People who are currently using virtual or physical smart cards for authentication can use their virtual smart card to verify their identity when they set up Hello.
-
-[!INCLUDE [virtual-smart-card-deprecation-notice](../../../includes/virtual-smart-card-deprecation-notice.md)]
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=44c16430-756f-490a-9fc1-80e2724fef8d]
 
 ## On devices owned by the organization
 

windows/security/identity-protection/hello-for-business/deploy/toc.yml

@@ -50,7 +50,7 @@ items:
   - name: Key trust deployment
     items: 
     - name: Overview
-      href: hybrid-cloud-kerberos-trust.md
+      href: on-premises-key-trust.md
     - name: Configure and validate the PKI
       href: on-premises-key-trust-pki.md
     - name: Prepare and deploy Active Directory Federation Services (AD FS)