Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr into ado5385752-appv

windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md

@@ -1,6 +1,6 @@
 ---
 title: Multi-factor Unlock
-description: Learn how Windows 10 offers multifactor device unlock by extending Windows Hello with trusted signals. 
+description: Learn how Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. 
 keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, multi, factor, multifactor, multi-factor
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -19,17 +19,19 @@ ms.reviewer:
 # Multi-factor Unlock
 
 **Applies to:**
--   Windows 10
+
+- Windows 10
+- Windows 11
 
 **Requirements:**
 * Windows Hello for Business deployment (Hybrid or On-premises)
 * Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments)
-* Windows 10, version 1709 or newer
+* Windows 10, version 1709 or newer, or Windows 11
 * Bluetooth, Bluetooth capable phone - optional
 
 Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system.
 
-Windows 10 offers Multi-factor device unlock by extending Windows Hello with trusted signals. Administrators can configure Windows 10 to request a combination of factors and trusted signals to unlock their devices. 
+Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. Administrators can configure their Windows to request a combination of factors and trusted signals to unlock their devices.
 
 Which organizations can take advantage of Multi-factor unlock? Those who:
 * Have expressed that PINs alone do not meet their security needs.
@@ -92,13 +94,13 @@ You represent signal rules in XML.  Each signal rule has an starting and ending
 ```
 
 ### Signal element
-Each rule element has a **signal** element.  All signal elements have a **type** element and value.  Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values.
+Each rule element has a **signal** element.  All signal elements have a **type** element and value. Windows 10, version 1709 or later supports the **ipConfig** and **bluetooth** type values.
 
 
 |Attribute|Value|
 |---------|-----|
-| type| "bluetooth" or "ipConfig" (Windows 10, version 1709)| 
+| type| "bluetooth" or "ipConfig" (Windows 10, version 1709) or later| 
-| type| "wifi" (Windows 10, version 1803)
+| type| "wifi" (Windows 10, version 1803 or later) 
 
 #### Bluetooth
 You define the bluetooth signal with additional attributes in the signal element. The bluetooth configuration does not use any other elements. You can end the signal element with short ending tag "\/>".
@@ -133,7 +135,7 @@ The **classofDevice** attribute defaults to Phone and uses the values from the f
 |Health|2304|
 |Uncategorized|7936|
 
-The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range".  The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device.  The **rssiMaxDelta** has a default value of **-10**, which instruct Windows 10 to lock the device once the signal strength weakens by more than measurement of 10.  
+The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range".  The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device.  The **rssiMaxDelta** has a default value of **-10**, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10.  
 
 RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.
 
@@ -220,7 +222,7 @@ The fully qualified domain name of your organization's internal DNS suffix where
 #### Wi-Fi
 
 **Applies to:**
--   Windows 10, version 1803
+-   Windows 10, version 1803 or later
 
 You define Wi-Fi signals using one or more wifi elements.  Each element has a string value.  Wifi elements do not have attributes or nested elements.
 
@@ -322,7 +324,7 @@ This example configures the same as example 2 using compounding And elements.  T
 ```
 
 #### Example 4 
-This example configures Wi-Fi as a trusted signal (Windows 10, version 1803)
+This example configures Wi-Fi as a trusted signal (Windows 10, version 1803 or later)
 
 ```xml
 <rule schemaVersion="1.0"> 
@@ -343,11 +345,10 @@ This example configures Wi-Fi as a trusted signal (Windows 10, version 1803)
 
 ### How to configure Multifactor Unlock policy settings
 
-You need a Windows 10, version 1709 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business  Group Policy settings, which includes multi-factor unlock. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1709.
+You need at least a Windows 10, version 1709 or later workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business  Group Policy settings, which includes multi-factor unlock. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1709 or later.
 
 Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10, version 1703 to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
 
-
 ### Create the Multifactor Unlock Group Policy object
 
 The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed.

windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md

@@ -1,6 +1,6 @@
 ---
 title: Azure Active Directory join cloud only deployment
-description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 device. 
+description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 or Windows 11 device. 
 keywords: identity, Hello, Active Directory, cloud, 
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -20,7 +20,7 @@ ms.reviewer:
 
 ## Introduction
 
-When you Azure Active Directory (Azure AD) join a Windows 10 device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud only environment, then there's no additional configuration needed.
+When you Azure Active Directory (Azure AD) join a Windows 10 or Windows 11 device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud only environment, then there's no additional configuration needed.
 
 You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below.
 

windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md

@@ -20,7 +20,7 @@ ms.reviewer:
 
 **Applies to**
 
-- Windows 10, version 1703 or later
+- Windows 10, version 1703 or later, or Windows 11
 - Windows Server, versions 2016 or later
 - Hybrid or On-Premises deployment
 - Key trust
@@ -32,7 +32,7 @@ ms.reviewer:
 
 How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic.  Windows Server 2016 and above includes the KDC AS Requests performance counter. You can use this counter to determine how much of a domain controller's load is due to initial Kerberos authentication. It's important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication - it remains unchanged.
 
-Windows 10 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 or later domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers and above. Therefore, users in a key trust deployment must authenticate to a Windows Server 2016 and above domain controller.
+Windows 10 or Windows 11 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 or later domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers and above. Therefore, users in a key trust deployment must authenticate to a Windows Server 2016 and above domain controller.
   
 Determining an adequate number of Windows Server domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding a domain controller that supports public key mapping (in this case Windows Server 2016 or later) to a deployment of existing domain controllers which do not support public key mapping (Windows Server 2008R2, Windows Server 2012R2) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as "piling on". To illustrate the "piling on" concept, consider the following scenario:
 

windows/security/identity-protection/hello-for-business/hello-and-password-changes.md

@@ -1,5 +1,5 @@
 ---
-title: Windows Hello and password changes (Windows 10)
+title: Windows Hello and password changes (Windows)
 description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello.
 ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55
 ms.reviewer: 
@@ -19,7 +19,9 @@ ms.date: 07/27/2017
 # Windows Hello and password changes
 
 **Applies to**
--   Windows 10
+
+- Windows 10
+- Windows 11
 
 When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello.
 

windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md

@@ -1,5 +1,5 @@
 ---
-title: Windows Hello biometrics in the enterprise (Windows 10)
+title: Windows Hello biometrics in the enterprise (Windows)
 description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition.
 ms.assetid: d3f27d94-2226-4547-86c0-65c84d6df8Bc
 ms.reviewer: 
@@ -21,7 +21,9 @@ ms.date: 01/12/2021
 # Windows Hello biometrics in the enterprise
 
 **Applies to:**
--   Windows 10
+
+- Windows 10
+- Windows 11
 
 Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition.
 

windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md

@@ -1,6 +1,6 @@
 ---
-title: Prepare & Deploy Windows AD FS certificate trust (Windows Hello for Business)
+title: Prepare and Deploy Windows AD FS certificate trust (Windows Hello for Business)
-description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust.
+description: Learn how to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust.
 keywords: identity, PIN, biometric, Hello, passport
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -16,11 +16,12 @@ localizationpriority: medium
 ms.date: 01/14/2021
 ms.reviewer: 
 ---
-# Prepare and Deploy Windows Server 2016 Active Directory Federation Services
+# Prepare and Deploy Windows Server 2016 Active Directory Federation Services - Certificate Trust
 
 **Applies to**
 
 - Windows 10, version 1703 or later
+- Windows 11
 - On-premises deployment
 - Certificate trust
 
@@ -123,7 +124,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
 8. Click **Next** on the **Active Directory Federation Service** page.
 9. Click **Install** to start the role installation.
 
-## Review
+## Review & validate
 
 Before you continue with the deployment, validate your deployment progress by reviewing the following items:
 
@@ -265,7 +266,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. Th
 3. In the details pane, click **Configure Device Registration**.
 4. In the **Configure Device Registration** dialog, click **OK**.
 
-## Review
+## Review to validate
 
 Before you continue with the deployment, validate your deployment progress by reviewing the following items:
 * Confirm you followed the correct procedures based on the domain controllers used in your deployment. 

windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md

@@ -16,15 +16,17 @@ localizationpriority: medium
 ms.date: 08/20/2018
 ms.reviewer: 
 ---
-# Configure Windows Hello for Business Policy settings
+# Configure Windows Hello for Business Policy settings - Certificate Trust
 
 **Applies to**
--   Windows 10, version 1703 or later
--   On-premises deployment
--   Certificate trust
 
-You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings.  To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
+- Windows 10, version 1703 or later
-Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703.
+- Windows 11
+- On-premises deployment
+- Certificate trust
+
+You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings.  To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
+Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
 
 On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings:
 * Enable Windows Hello for Business
@@ -116,9 +118,9 @@ The default Windows Hello for Business enables users to enroll and use biometric
 
 ### PIN Complexity
 
-PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. 
+PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. 
 
-Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use.  If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations.  The policy settings included are:
+Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use.  If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations.  The policy settings included are:
 * Require digits
 * Require lowercase letters
 * Maximum PIN length

windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md

@@ -16,13 +16,14 @@ localizationpriority: medium
 ms.date: 08/19/2018
 ms.reviewer: 
 ---
-# Validate Active Directory prerequisites
+# Validate Active Directory prerequisites for cert-trust deployment
 
 **Applies to**
--   Windows 10, version 1703 or later
--   On-premises deployment
--   Certificate trust
 
+- Windows 10, version 1703 or later
+- Windows 11
+- On-premises deployment
+- Certificate trust
 
 The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema.  The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest.  The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the **Updating the Schema** and **Create the KeyCredential Admins Security Global Group** steps.
 

windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md

@@ -16,19 +16,20 @@ localizationpriority: medium
 ms.date: 08/19/2018
 ms.reviewer: 
 ---
-# Validate and Deploy Multi-factor Authentication (MFA)
+# Validate and Deploy Multifactor Authentication (MFA)
 
 **Applies to**
 
 - Windows 10, version 1703 or later
+- Windows 11
 - On-premises deployment
 - Certificate trust
 
-Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential.  On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option.
+Windows Hello for Business requires all users perform multifactor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option.
 
 For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method)
 
-Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multi-factor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
+Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
 
 ## Follow the Windows Hello for Business on premises certificate trust deployment guide
 1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)

windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md

@@ -16,12 +16,14 @@ localizationpriority: medium
 ms.date: 08/19/2018
 ms.reviewer: 
 ---
-# Validate and Configure Public Key Infrastructure
+# Validate and Configure Public Key Infrastructure - Certificate Trust Model
 
 **Applies to**
--   Windows 10, version 1703 or later
+
--   On-premises deployment
+- Windows 10, version 1703 or later
--   Certificate trust
+- Windows 11
+- On-premises deployment
+- Certificate trust
 
 
 Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model.  All trust models depend on the domain controllers having a certificate.  The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller.  The certificate trust model extends certificate issuance to client computers.  During Windows Hello for Business provisioning, the user receives a sign-in certificate.
@@ -94,7 +96,7 @@ The certificate template is configured to supersede all the certificate template
 
 ### Configure an Internal Web Server Certificate template
 
-Windows 10 clients use the https protocol when communicating with Active Directory Federation Services.  To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm.  On-premises deployments can use a server authentication certificate issued by their enterprise PKI.  You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate. 
+Windows 10 or Windows 11 clients use the https protocol when communicating with Active Directory Federation Services.  To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm.  On-premises deployments can use a server authentication certificate issued by their enterprise PKI.  You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate.
 
 Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
 1. Open the **Certificate Authority** management console.

windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md

@@ -20,6 +20,7 @@ ms.reviewer:
 
 **Applies to**
 -   Windows 10, version 1703 or later
+-   Windows 11
 -   On-premises deployment
 -   Certificate trust
 

windows/security/identity-protection/hello-for-business/hello-deployment-guide.md

@@ -21,6 +21,7 @@ ms.reviewer:
 **Applies to**
 
 - Windows 10, version 1703 or later
+- Windows 11
 
 Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair.
 
@@ -41,7 +42,7 @@ This guide assumes that baseline infrastructure exists which meets the requireme
 - Proper name resolution, both internal and external names
 - Active Directory and an adequate number of domain controllers per site to support authentication
 - Active Directory Certificate Services 2012 or later
-- One or more workstation computers running Windows 10, version 1703
+- One or more workstation computers running Windows 10, version 1703 or later
 
 If you are installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server.  
 

windows/security/identity-protection/hello-for-business/hello-deployment-issues.md

@@ -27,16 +27,17 @@ Applies to:
 
 - Azure AD joined deployments
 - Windows 10, version 1803 and later
+- Windows 11
 
 PIN reset on Azure AD joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will shows a page with the error message "We can't open that page right now".
 
 ### Identifying Azure AD joined PIN Reset Allowed Domains Issue
 
-The user can launch the PIN reset flow from above lock using the "I forgot my PIN" link in the PIN credential provider. Selecting this link will launch a full screen UI for the PIN experience on Azure AD Join devices. Typically, this UI will display an Azure authentication server page where the user will authenticate using Azure AD credentials and complete multi-factor authentication.
+The user can launch the PIN reset flow from above lock using the "I forgot my PIN" link in the PIN credential provider. Selecting this link will launch a full screen UI for the PIN experience on Azure AD Join devices. Typically, this UI will display an Azure authentication server page where the user will authenticate using Azure AD credentials and complete multifactor authentication.
 
-In federated environments authentication may be configured to route to AD FS or a third party identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it will fail and display the "We can't open that page right now" error if the domain for the server page is not included in an allow list.
+In federated environments authentication may be configured to route to AD FS or a third-party identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it will fail and display the "We can't open that page right now" error if the domain for the server page is not included in an allow list.
 
-If you are a customer of Azure US Government cloud, PIN reset will also attempt to navigate to a domain that is not included in the default allow list. This results in "We can't open that page right now".
+If you are a customer of Azure US Government cloud, PIN reset will also attempt to navigate to a domain that is not included in the default allowlist. This results in "We can't open that page right now".
 
 ### Resolving Azure AD joined PIN Reset Allowed Domains Issue
 

windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md

@@ -20,6 +20,7 @@ ms.reviewer:
 
 **Applies to**
 -   Windows 10, version 1703 or later
+-   Windows 11
 -   On-premises deployment
 -   Key trust 
 

windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md

@@ -22,6 +22,7 @@ ms.reviewer:
 **Applies To**
 
 - Windows 10, version 1703 or later
+- Windows 11
 - Hybrid deployment
 - Key trust
 

windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md

@@ -1,5 +1,5 @@
 ---
-title: Windows Hello errors during PIN creation (Windows 10)
+title: Windows Hello errors during PIN creation (Windows)
 description: When you set up Windows Hello in Windows 10, you may get an error during the Create a work PIN step.
 ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502
 ms.reviewer: 
@@ -21,7 +21,9 @@ ms.date: 05/05/2018
 # Windows Hello errors during PIN creation
 
 **Applies to**
--   Windows 10
+
+- Windows 10
+- Windows 11
 
 When you set up Windows Hello in Windows 10, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support.
 

windows/security/identity-protection/hello-for-business/hello-event-300.md

@@ -1,5 +1,5 @@
 ---
-title: Event ID 300 - Windows Hello successfully created (Windows 10)
+title: Event ID 300 - Windows Hello successfully created (Windows)
 description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD).
 ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04
 ms.reviewer: 
@@ -21,19 +21,21 @@ ms.date: 07/27/2017
 # Event ID 300 - Windows Hello successfully created
 
 **Applies to**
--   Windows 10
+
+- Windows 10
+- Windows 11
 
 
 This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request.
 
 ## Event details
 
-| **Product:** |                                                                                                                                            Windows 10 operating system                                                                                                                                            |
+| **Product:** |                                                                                                                                            Windows 10 or Windows 11 operating system                                                                                                                                            |
 |--------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | **Log:**     | Event Viewer > Applications and Service Logs\Microsoft\Windows\User Device Registration\Admin |
 |   **ID:**    |                                                                                                                                                        300                                                                                                                                                        |
 | **Source:**  |                                                                                                                                    Microsoft Azure Device Registration Service                                                                                                                                    |
-| **Version:** |                                                                                                                                                        10                                                                                                                                                         |
+| **Version:** |                                                                                                                                                        10    or 11                                                                                                                                                     |
 | **Message:** | The NGC key was successfully registered. Key ID: {4476694e-8e3b-4ef8-8487-be21f95e6f07}. UPN:test@contoso.com. Attestation: ATT\_SOFT. Client request ID: . Server request ID: db2da6bd-3d70-4b9b-b26b-444f669902da.</br>Server response: {"kid":"4476694e-8e3b-4ef8-8487-be21f95e6f07","upn":"test@contoso.com"} |
  
 ## Resolve

windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md

@@ -23,7 +23,7 @@ ms.reviewer:
 
 * Hybrid and On-premises Windows Hello for Business deployments
 * Enterprise joined or Hybrid Azure joined devices
-* Windows 10, version 1709
+* Windows 10, version 1709 or later
 * Certificate trust
 
 > [!NOTE]
@@ -34,12 +34,12 @@ ms.reviewer:
 
 Dual enrollment enables administrators to perform elevated, administrative functions by enrolling both their non-privileged and privileged credentials on their device.
 
-By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session.  Using the computer Group Policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices.
+By design, Windows does not enumerate all Windows Hello for Business users from within a user's session.  Using the computer Group Policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices.
 
-With this setting, administrative users can sign in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN.  Administrators can also take advantage of this feature with command-line applications by using **runas.exe** combined with the **/smartcard** argument.  This enables administrators to perform their day-to-day operations without needing to sign in and out, or use fast user switching when alternating between privileged and non-privileged workloads.
+With this setting, administrative users can sign in to Windows 10, version 1709 or later using their non-privileged Windows Hello for Business credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN.  Administrators can also take advantage of this feature with command-line applications by using **runas.exe** combined with the **/smartcard** argument.  This enables administrators to perform their day-to-day operations without needing to sign in and out, or use fast user switching when alternating between privileged and non-privileged workloads.
 
 > [!IMPORTANT]
-> You must configure a Windows 10 computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business.  Dual enrollment is a special setting that is configured on the Windows Hello container during creation.
+> You must configure a Windows computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business.  Dual enrollment is a special setting that is configured on the Windows Hello container during creation.
 
 ## Configure Windows Hello for Business Dual Enrollment
 
@@ -69,7 +69,7 @@ where **DC=domain,DC=com** is the LDAP path of your Active Directory domain and
 
 ### Configuring Dual Enrollment using Group Policy
 
-You configure Windows 10 to support dual enrollment using the computer configuration portion of a Group Policy object.
+You configure Windows 10 or Windows 11 to support dual enrollment using the computer configuration portion of a Group Policy object.
 
 1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users.
 2. Edit the Group Policy object from step 1.

windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md

@@ -1,6 +1,6 @@
 ---
 title: Dynamic lock
-description: Learn how to set Dynamic lock on Windows 10 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value.
+description: Learn how to set Dynamic lock on Windows 10 and Windows 11 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value.
 keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, conditional access
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -21,9 +21,9 @@ ms.reviewer:
 
 **Requirements:**
 
-* Windows 10, version 1703
+* Windows 10, version 1703 or later
 
-Dynamic lock enables you to configure Windows 10 devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it.
+Dynamic lock enables you to configure Windows devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it.
 
 You configure the dynamic lock policy using Group Policy.  You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**.  The name of the policy is **Configure dynamic lock factors**.
 
@@ -54,7 +54,7 @@ For this policy setting, the **type** and **scenario** attribute values are stat
 |Health|2304|
 |Uncategorized|7936|
 
-The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range".  The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device.  The **rssiMaxDelta** has a default value of **-10**, which instruct Windows 10 to lock the device once the signal strength weakens by more than measurement of 10.  
+The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range".  The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device.  The **rssiMaxDelta** has a default value of **-10**, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10.  
 
 RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.
 

windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md

@@ -22,6 +22,7 @@ ms.reviewer:
 **Applies to:**
 
 - Windows 10, version 1709 or later
+- Windows 11
 
 Windows Hello for Business provides the capability for users to reset forgotten PINs using the "I forgot my PIN link" from the Sign-in options page in Settings or from above the lock screen. User's are required to authenticate and complete multifactor authentication to reset their PIN.
 
@@ -81,7 +82,7 @@ Visit the [Windows Hello for Business Videos](./hello-videos.md) page and watch
 
 When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally and added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication to Azure, and completes multifactor authentication, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it is then cleared from memory.
 
-Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment.
+Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment.
 
 >[!IMPORTANT]
 > The Microsoft PIN Reset service only works with **Enterprise Edition** for Windows 10, version 1709 to 1809.  The feature works with **Enterprise Edition** and **Pro** edition with Windows 10, version 1903 and newer.
@@ -114,7 +115,7 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se
 
 ### Configure Windows devices to use PIN reset using Group Policy
 
-You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object.
+You can configure Windows to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object.
 
 1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory.
 1. Edit the Group Policy object from Step 1.
@@ -188,6 +189,7 @@ The PIN reset configuration for a user can be viewed by running [**dsregcmd /sta
 **Applies to:**
 
 - Windows 10, version 1803 or later
+- Windows 11
 - Azure AD joined
 
 The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that are allowed to be navigated to during PIN reset flows on Azure AD joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, this policy should be set to ensure that authentication pages from that identity provider can be used during Azure AD joined PIN reset.

windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md

@@ -22,6 +22,7 @@ ms.reviewer:
 **Requirements**
 
 - Windows 10
+- Windows 11
 - Cloud only, Hybrid, and On-premises only  Windows Hello for Business deployments
 - Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
 
@@ -36,9 +37,9 @@ Microsoft continues to investigate supporting using keys trust for supplied cred
 - Cloud only, Hybrid, and On-premises only Windows Hello for Business deployments
 - Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
 - Biometric enrollments
-- Windows 10, version 1809
+- Windows 10, version 1809 or later
 
-Users using earlier versions of Windows 10 could authenticate to a remote desktop using Windows Hello for Business but were limited to using their PIN as their authentication gesture.  Windows 10, version 1809 introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture.  The feature is on by default, so your users can take advantage of it as soon as they upgrade to Windows 10, version 1809.
+Users using earlier versions of Windows 10 could authenticate to a remote desktop using Windows Hello for Business but were limited to using their PIN as their authentication gesture.  Windows 10, version 1809 or later introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture.  The feature is on by default, so your users can take advantage of it as soon as they upgrade to Windows 10, version 1809.
 
 ### How does it work
 
@@ -48,7 +49,7 @@ A certificate on a smart card starts with creating an asymmetric key pair using
 
 This same concept applies to Windows Hello for Business. Except, the keys are created using the Microsoft Passport KSP and the user's private key remains protected by the device's security module (TPM) and the user's gesture (PIN/biometric).  The certificate APIs hide this complexity.  When an application uses a certificate, the certificate APIs locate the keys using the saved key storage provider.  The key storage providers directs the certificate APIs on which provider they use to find the private key associated with the certificate.  This is how Windows knows you have a smart card certificate without the smart card inserted (and prompts you to insert the smart card).
 
-Windows Hello for Business emulates a smart card for application compatibility.  Versions of Windows 10 prior to version 1809, would redirect private key access for Windows Hello for Business certificate to use its emulated smart card using the Microsoft Smart Card KSP, which would enable the user to provide their PIN.  Windows 10, version 1809 no longer redirects private key access for Windows Hello for Business certificates to the Microsoft Smart Card KSP-- it continues using the Microsoft Passport KSP. The Microsoft Passport KSP enabled Windows 10 to prompt the user for their biometric gesture or PIN.
+Windows Hello for Business emulates a smart card for application compatibility.  Versions of Windows 10 prior to version 1809, would redirect private key access for Windows Hello for Business certificate to use its emulated smart card using the Microsoft Smart Card KSP, which would enable the user to provide their PIN.  Windows 10, version 1809 or later no longer redirects private key access for Windows Hello for Business certificates to the Microsoft Smart Card KSP-- it continues using the Microsoft Passport KSP. The Microsoft Passport KSP enabled Windows to prompt the user for their biometric gesture or PIN.
 
 ### Compatibility
 

windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md

@@ -18,7 +18,9 @@ ms.reviewer:
 # Windows Hello for Business and Authentication
 
 **Applies to:**
--   Windows 10
+
+- Windows 10
+- Windows 11
 
 Windows Hello for Business authentication is passwordless, two-factor authentication.  Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Azure Active Directory and Active Directory resources.<br>
 Azure Active Directory joined devices authenticate to Azure during sign-in and can optional authenticate to Active Directory.  Hybrid Azure Active Directory joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.<br>

windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md

@@ -16,9 +16,10 @@ ms.date: 08/19/2018
 ms.reviewer: 
 ---
 # Windows Hello for Business Provisioning
-<span id="windows-hello-for-business-provisioning" />
+
-<b>Applies to:</b>
+**Applies to:**
--   Windows 10
+- Windows 10
+- Windows 11
 
 Windows Hello for Business provisioning enables a user to enroll a new, strong, two-factor credential that they can use for passwordless authentication.  Provisioning experience vary based on:
 - How the device is joined to Azure Active Directory
@@ -48,7 +49,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
 
 [Return to top](#windows-hello-for-business-provisioning)
 ## Azure AD joined provisioning in a Federated environment
-![Azure AD joined provisioning in a Managed environment.](images/howitworks/prov-aadj-federated.png)
+![Azure AD joined provisioning in Managed environment.](images/howitworks/prov-aadj-federated.png)
 
 | Phase  | Description  |
 | :----: | :----------- |

windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md

@@ -19,6 +19,7 @@ ms.reviewer:
 
 **Applies to:**
 - Windows 10
+- Windows 11
 
 - [Attestation Identity Keys](#attestation-identity-keys)
 - [Azure AD Joined](#azure-ad-joined)
@@ -44,15 +45,15 @@ ms.reviewer:
   <hr>
 
 ## Attestation Identity Keys
-Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows 10 issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service.
+Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service.
 
 > [!NOTE]
-> The AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.
+> The AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.
 > The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations.
 
-Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10 device.
+Windows creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows device.
 
-Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM.
+Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 or Windows 11 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM.
 
 In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be leveraged by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that is not backed by an endorsement certificate.
 
@@ -102,7 +103,7 @@ The Windows Hello for Business Cloud deployment is exclusively for organizations
 
 [Return to Top](hello-how-it-works-technology.md)
 ## Cloud Experience Host
-In Windows 10, Cloud Experience Host is an application used while joining the workplace environment or Azure AD for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. 
+In Windows 10 and Windows 11, Cloud Experience Host is an application used while joining the workplace environment or Azure AD for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. 
 
 ### Related topics
 [Windows Hello for Business](./hello-identity-verification.md), [Managed Windows Hello in Organization](./hello-manage-in-organization.md)
@@ -138,7 +139,7 @@ The endorsement key is often accompanied by one or two digital certificates:
 -   One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
 -   The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.
 
-For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10.
+For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10 and Windows 11.
 
 ### Related topics
 [Attestation Identity Keys](#attestation-identity-keys), [Storage Root Key](#storage-root-key), [Trusted Platform Module](#trusted-platform-module)
@@ -279,15 +280,15 @@ The trust type determines how a user authenticates to the Active Directory to ac
 
 A Trusted Platform Module (TPM) is a hardware component that provides unique security features.<br>
 
-Windows 10 leverages security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation.
+Windows leverages security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation.
 
 A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At the time of this writing, there are two versions of TPM specification produced by TCG that are not compatible with each other:
 - The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard.
 - The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
 
-Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](../../information-protection/tpm/tpm-recommendations.md).
+Windows 10 and Windows 11 use the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows](../../information-protection/tpm/tpm-recommendations.md).
 
-Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0. 
+Windows recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 and Windows 11 support only TPM 2.0.
 
 TPM 2.0 provides a major revision to the capabilities over TPM 1.2:
 

windows/security/identity-protection/hello-for-business/hello-how-it-works.md

@@ -15,11 +15,12 @@ localizationpriority: medium
 ms.date: 05/05/2018
 ms.reviewer: 
 ---
-# How Windows Hello for Business works
+# How Windows Hello for Business works in Windows Devices
 
 **Applies to**
 
 - Windows 10
+- Windows 11
 
 Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices.
 
@@ -34,7 +35,7 @@ Windows Hello for Business is a distributed system that uses several components
 
 Registration is a fundamental prerequisite for Windows Hello for Business.  Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS).
 
-For more information read [how device registration works](/azure/active-directory/devices/device-registration-how-it-works).
+For more information, read [how device registration works](/azure/active-directory/devices/device-registration-how-it-works).
 
 ### Provisioning
 
@@ -44,11 +45,11 @@ Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business pr
 
 > [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s]
 
-For more information read [how provisioning works](hello-how-it-works-provisioning.md).
+For more information, read [how provisioning works](hello-how-it-works-provisioning.md).
 
 ### Authentication
 
-With the device registered and provisioning complete, users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on all computers unless restricted by policy requiring a TPM. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. Neither the PIN nor the private portion of the credential are ever sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential.
+With the device registered and provisioning complete, users can sign-in to Windows using biometrics or a PIN. PIN is the most common gesture and is available on all computers unless restricted by policy requiring a TPM. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. Neither the PIN nor the private portion of the credential are ever sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential.
 
 Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works.
 

windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md

@@ -21,6 +21,7 @@ ms.reviewer:
 **Applies to**
 
 - Windows 10
+- Windows 11
 - Azure Active Directory joined
 - Hybrid Deployment
 - Key trust model
@@ -50,7 +51,7 @@ You can use the **dsregcmd.exe** command to determine if your device is register
 
 ### CRL Distribution Point (CDP)
 
-Certificates issued by a certificate authority can be revoked.  When a certificate authority revokes as certificate, it writes information about the certificate into a revocation list.  During certificate validation, Windows 10 consults the CRL distribution point within the certificate to get a list of revoked certificates.  Validation compares the current certificate with information in the certificate revocation list to determine if the certificate remains valid.  
+Certificates issued by a certificate authority can be revoked.  When a certificate authority revokes as certificate, it writes information about the certificate into a revocation list.  During certificate validation, Windows consults the CRL distribution point within the certificate to get a list of revoked certificates.  Validation compares the current certificate with information in the certificate revocation list to determine if the certificate remains valid.  
 
 ![Domain Controller Certificate with LDAP CDP.](images/aadj/Certificate-CDP.png)
 
@@ -75,7 +76,7 @@ Certificate authorities write CRL distribution points in certificates as they ar
 
 #### Why does Windows need to validate the domain controller certificate?
 
-Windows Hello for Business enforces the strict KDC validation security feature when authenticating from an Azure AD joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business on an Azure AD joined device, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met:
+Windows Hello for Business enforces the strict KDC validation security feature when authenticating from an Azure AD joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business on an Azure AD joined device, the Windows client validates the reply from the domain controller by ensuring all of the following are met:
 
 - The domain controller has the private key for the certificate provided.
 - The root CA that issued the domain controller's certificate is in the device's **Trusted Root Certificate Authorities**.
@@ -212,7 +213,7 @@ The web server is ready to host the CRL distribution point.  Now, configure the
 4. On the **Extensions** tab, click **Add**.  Type the computer and share name you create for your CRL distribution point in [Configure the CDP file share](#configure-the-cdp-file-share).  For example, **\\\app\cdp$\\** (do not forget the trailing backwards slash).
 5. Select **\<CaName>** from the **Variable** list and click **Insert**.  Select **\<CRLNameSuffix>** from the **Variable** list and click **Insert**.  Select **\<DeltaCRLAllowed>** from the **Variable** list and click **Insert**.
 6. Type **.crl** at the end of the text in **Location**. Click **OK**.
-7. Select the CDP you just created.
+7. Select the CDP you just created. <br/>
    ![CDP publishing location.](images/aadj/cdp-extension-complete-unc.png)
 8. Select **Publish CRLs to this location**.
 9. Select **Publish Delta CRLs to this location**.
@@ -261,7 +262,6 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
 5. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate.  Click **OK**.</br>
 ![New Certificate with updated CDP.](images/aadj/dc-cert-with-new-cdp.png)
 
-
 ## Configure and Assign a Trusted Certificate Device Configuration Profile
 
 Your domain controllers have new certificate that include the new CRL distribution point.  Next, you need your enterprise root certificate so you can deploy it to Azure AD joined devices.  Deploying the enterprise root certificates to the device, ensures the device trusts any certificates issued by the certificate authority.  Without the certificate, Azure AD joined devices do not trust domain controller certificates and authentication fails. 
@@ -281,7 +281,7 @@ Steps you will perform include:
 ![Details tab and copy to file.](images/aadj/certlm-root-cert-details-tab.png)
 6. In the **Certificate Export Wizard**, click **Next**.  
 7. On the **Export File Format** page of the wizard, click **Next**.  
-8. On the **File to Export** page in the wizard, type the name and location of the root certificate and click **Next**. Click **Finish** and then click **OK** to close the success dialog box.
+8. On the **File to Export** page in the wizard, type the name and location of the root certificate and click **Next**. Click **Finish** and then click **OK** to close the success dialog box. <br>
 ![Export root certificate.](images/aadj/certlm-export-root-certificate.png)
 9. Click **OK**  two times to return to the **Certificate Manager** for the local computer.  Close the **Certificate Manager**.
 
@@ -315,7 +315,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software-based keys.
 8. Enter the desired **Minimum PIN length** and **Maximum PIN length**.
     > [!IMPORTANT]
-    > The default minimum PIN length for Windows Hello for Business on Windows 10 is six.  Microsoft Intune defaults the minimum PIN length to four, which reduces the security of the user's PIN.  If you do not have a desired PIN length, set the minimum PIN length to six.
+    > The default minimum PIN length for Windows Hello for Business on Windows 10 and Windows 11 is six.  Microsoft Intune defaults the minimum PIN length to four, which reduces the security of the user's PIN.  If you do not have a desired PIN length, set the minimum PIN length to six.
 
 9. Select the appropriate configuration for the following settings:
     * **Lowercase letters in PIN**
@@ -325,7 +325,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
     * **Remember PIN history**
     
     > [!NOTE]
-    > The Windows Hello for Business PIN is not a symmetric key (a password).  A copy of the current PIN is not stored locally or on a server like in the case of passwords.  Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs.  Additionally, enabling PIN history is the only scenario that requires Windows 10 to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN.  If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
+    > The Windows Hello for Business PIN is not a symmetric key (a password).  A copy of the current PIN is not stored locally or on a server like in the case of passwords.  Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs.  Additionally, enabling PIN history is the only scenario that requires Windows to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN.  If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
 
 10. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**.
 11. Select **No** to **Allow phone sign-in**. This feature has been deprecated.

windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md

@@ -20,7 +20,9 @@ ms.reviewer:
 # Using Certificates for AADJ On-premises Single-sign On
 
 **Applies to:**
+
 - Windows 10
+- Windows 11
 - Azure Active Directory joined
 - Hybrid Deployment
 - Certificate trust
@@ -45,7 +47,7 @@ You need to install and configure additional infrastructure to provide Azure AD
 - An existing Windows Server 2012 R2 or later Enterprise Certificate Authority
 - A Windows Server 2012 R2 domain joined server that hosts the Network Device Enrollment Services role
 
-### High Availaibilty
+### High Availability
 The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority.  Certificate registration servers enroll certificates on behalf of the user.  Users request certificates from the NDES service rather than directly from the issuing certificate authority.
 
 The architecture of the NDES server prevents it from being clustered or load balanced for high availability.  To provide high availability, you need to install more than one identically configured NDES servers and use Microsoft Intune to load balance then (in round-robin fashion).
@@ -205,7 +207,7 @@ Sign-in to the issuing certificate authority or management workstations with _Do
 10. Click on the **Apply** to save changes and close the console.
 
 ### Create an Azure AD joined Windows Hello for Business authentication certificate template
-During Windows Hello for Business provisioning,  Windows 10 requests an authentication certificate from Microsoft Intune, which requests the authentication certificate on behalf of the user.  This task configures the Windows Hello for Business authentication certificate template.  You use the name of the certificate template when configuring the NDES Server.
+During Windows Hello for Business provisioning,  Windows requests an authentication certificate from Microsoft Intune, which requests the authentication certificate on behalf of the user.  This task configures the Windows Hello for Business authentication certificate template.  You use the name of the certificate template when configuring the NDES Server.
 
 Sign in a certificate authority or management workstations with _Domain Admin equivalent_ credentials.
 
@@ -321,7 +323,7 @@ Sign-in a domain controller with a minimum access equivalent to _Domain Admins_.
 3. Select **Trust this user for delegation to specified services only**.
 4. Select **Use any authentication protocol**.
 5. Click **Add**.
-6. Click **Users or Computers...**  Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices.  From the **Avaiable services** list, select **HOST**.  Click **OK**.
+6. Click **Users or Computers...**  Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices.  From the **Available services** list, select **HOST**.  Click **OK**.
    ![NDES Service delegation to NDES host.](images/aadjcert/ndessvcdelegation-host-ndes-spn.png)
 7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**.
 8. Click **Users or computers...**  Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices.  From the **Available services** list, select **dcom**.  Hold the **CTRL** key and select **HOST**. Click **OK**.
@@ -414,11 +416,11 @@ Sign-in a workstation with access equivalent to a _domain user_.
 
 6. Start **AADApplicationProxyConnectorInstaller.exe**.
 7. Read the license terms and then select **I agree to the license terms and conditions**.  Click **Install**.
-   ![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-01.png)
+   ![Azure Application Proxy Connector: license terms](images/aadjcert/azureappproxyconnectorinstall-01.png)
 8. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**.
-   ![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-02.png)
+   ![Azure Application Proxy Connector: sign-in](images/aadjcert/azureappproxyconnectorinstall-02.png)
 9. When the installation completes. Read the information regarding outbound proxy servers.  Click **Close**.
-   ![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-03.png)
+   ![Azure Application Proxy Connector: read](images/aadjcert/azureappproxyconnectorinstall-03.png)
 10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments.
 
 #### Create a Connector Group
@@ -478,12 +480,12 @@ Sign-in the NDES server with access equivalent to _local administrator_.
 
 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
 2. Expand the node that has the name of the NDES server.  Expand **Sites** and select **Default Web Site**.
-   ![NDES IIS Console.](images/aadjcert/ndes-iis-console.png)
+   ![NDES IIS Console](images/aadjcert/ndes-iis-console.png)
 3. Click **Bindings...*** under **Actions**.  Click **Add**.
-   ![NDES IIS Console.](images/aadjcert/ndes-iis-bindings.png)
+   ![NDES IIS Console: Add](images/aadjcert/ndes-iis-bindings.png)
 4. Select **https** from **Type**. Confirm the value for **Port** is **443**.
 5. Select the certificate you previously enrolled from the **SSL certificate** list.  Select **OK**.
-   ![NDES IIS Console.](images/aadjcert/ndes-iis-bindings-add-443.png)
+   ![NDES IIS Console: Certificate List](images/aadjcert/ndes-iis-bindings-add-443.png)
 6. Select **http** from the **Site Bindings** list.  Click **Remove**.
 7. Click **Close** on the **Site Bindings** dialog box.
 8. Close **Internet Information Services (IIS) Manager**.
@@ -507,12 +509,12 @@ Sign-in the NDES server with access equivalent to _local administrator_.
    ```
    where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
 
-A web page similar to the following should appear in your web browser.  If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights.  You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.
+A web page similar to the following should appear in your web browser.  If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights.  You can also review the application event log for events with the **NetworkDeviceEnrollmentService** source.
 
-![NDES IIS Console.](images/aadjcert/ndes-https-website-test-01.png)
+![NDES IIS Console: Source](images/aadjcert/ndes-https-website-test-01.png)
 
 Confirm the web site uses the server authentication certificate.
-![NDES IIS Console.](images/aadjcert/ndes-https-website-test-01-show-cert.png)
+![NDES IIS Console: Confirm](images/aadjcert/ndes-https-website-test-01-show-cert.png)
 
 
 ## Configure Network Device Enrollment Services to work with Microsoft Intune

windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md

@@ -20,6 +20,7 @@ ms.reviewer:
 
 **Applies to**
 -   Windows 10
+-   Windows 11
 -   Azure Active Directory joined
 -   Hybrid deployment
 

windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md

@@ -1,6 +1,6 @@
 ---
 title: Hybrid Azure AD joined Windows Hello for Business Trust New Installation (Windows Hello for Business)
-description: Learn about new installations for Windows Hello for Business certificate trust and the various technologies hybrid certificate trust depoyments rely on.
+description: Learn about new installations for Windows Hello for Business certificate trust and the various technologies hybrid certificate trust deployments rely on.
 keywords: identity, PIN, biometric, Hello, passport, WHFB
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -20,6 +20,7 @@ ms.reviewer:
 
 **Applies to**
 -   Windows 10, version 1703 or later
+-   Windows 11
 -   Hybrid deployment
 -   Certificate trust
 

windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md

@@ -20,10 +20,10 @@ ms.reviewer:
 
 **Applies to**
 -  Windows 10, version 1703 or later
+-  Windows 11
 -  Hybrid deployment
 -  Certificate trust
 
-
 Your environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication.  
 
 > [!IMPORTANT]
@@ -33,15 +33,17 @@ Your environment is federated and you are ready to configure device registration
 >Refer to the [Tutorial: Configure hybrid Azure Active Directory join for federated domains](/azure/active-directory/devices/hybrid-azuread-join-federated-domains) to learn more about setting up Azure Active Directory Connect for a simplified join flow for Azure AD device registration.
 
 Use this three-phased approach for configuring device registration.
+
 1. [Configure devices to register in Azure](#configure-azure-for-device-registration)
 2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-synchronization)
 3. [Configure AD FS to use cloud devices](#configure-ad-fs-to-use-azure-registered-devices)
 
 > [!NOTE]
 > Before proceeding, you should familiarize yourself with device registration concepts such as:
-> * Azure AD registered devices
+>
-> * Azure AD joined devices
+> - Azure AD registered devices
-> * Hybrid Azure AD joined devices
+> - Azure AD joined devices
+> - Hybrid Azure AD joined devices
 >
 > You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](/azure/active-directory/device-management-introduction)
 
@@ -49,7 +51,8 @@ Use this three-phased approach for configuring device registration.
 > To use hybrid identity with Azure Active Directory and device WriteBack features, you must use the built-in GUI with the [latest updates for ADConnect](https://www.microsoft.com/download/details.aspx?id=47594).
 
 ## Configure Azure for Device Registration
-Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD. 
+
+Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD.
 
 To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](/azure/active-directory/devices/device-management-azure-portal)  
 
@@ -59,7 +62,7 @@ Azure Active Directory is now configured for device registration. Next, you need
 
 ### Upgrading Active Directory to the Windows Server 2016 or later Schema 
 
-To use Windows Hello for Business with Hybrid Azure AD joined devices, you must first upgrade your Active Directory schema to Windows Server 2016 or later. 
+To use Windows Hello for Business with Hybrid Azure AD joined devices, you must first upgrade your Active Directory schema to Windows Server 2016 or later.
 
 > [!IMPORTANT]
 > If you already have a Windows Server 2016 or later domain controller in your forest, you can skip **Upgrading Active Directory to the Windows Server 2016 or later Schema** (this section).
@@ -82,110 +85,107 @@ Manually updating Active Directory uses the command-line utility **adprep.exe**
 
 Sign-in to the domain controller hosting the schema master operational role using enterprise administrator equivalent credentials.
 
-1.  Open an elevated command prompt.
+1. Open an elevated command prompt.
-2.  Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO.
+2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO.
-3.  To update the schema, type ```adprep /forestprep```.
+3. To update the schema, type ```adprep /forestprep```.
-4.  Read the Adprep Warning.  Type the letter **C*** and press **Enter** to update the schema.
+4. Read the Adprep Warning.  Type the letter **C*** and press **Enter** to update the schema.
-5.  Close the Command Prompt and sign-out.
+5. Close the Command Prompt and sign-out.
 
 > [!NOTE]
 > If you installed Azure AD Connect prior to upgrading the schema, you will need to re-run the Azure AD Connect installation and refresh the on-premises AD schema to ensure the synchronization rule for msDS-KeyCredentialLink is configured.
 
-
 ### Setup Active Directory Federation Services
+
 If you are new to AD FS and federation services, you should review [Understanding Key AD FS Concepts](/windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts) to prior to designing and deploying your federation service.
 Review the [AD FS Design guide](/windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2) to plan your federation service.
 
 Once you have your AD FS design ready, review [Deploying a Federation Server farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) to configure AD FS in your environment.
 > [!IMPORTANT]
-> During your AD FS deployment, skip the **Configure a federation server with Device Registration Service** and the **Configure Corporate DNS for the Federation Service and DRS** procedures.      
+> During your AD FS deployment, skip the **Configure a federation server with Device Registration Service** and the **Configure Corporate DNS for the Federation Service and DRS** procedures.
 
 The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889).  If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016)
 
 #### ADFS Web Proxy ###
+
 Federation server proxies are computers that run AD FS software that have been configured manually to act in the proxy role. You can use federation server proxies in your organization to provide intermediary services between an Internet client and a federation server that is behind a firewall on your corporate network.
 Use the [Setting of a Federation Proxy](/windows-server/identity/ad-fs/deployment/checklist--setting-up-a-federation-server-proxy) checklist to configure AD FS proxy servers in your environment.
 
 ### Deploy Azure AD Connect
+
 Next, you need to synchronize the on-premises Active Directory with Azure Active Directory.  To do this, first review the [Integrating on-prem directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](https://go.microsoft.com/fwlink/?LinkId=615771).
 
 When you are ready to install, follow the **Configuring federation with AD FS** section of [Custom installation of Azure AD Connect](/azure/active-directory/connect/active-directory-aadconnect-get-started-custom).  Select the **Federation with AD FS** option on the **User sign-in** page.  At the **AD FS Farm** page, select the use an existing option and click **Next**.  
 
-### Create AD objects for AD FS Device Authentication  
+### Create AD objects for AD FS Device Authentication
-If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration.  
 
-![Device Registration.](images/hybridct/device1.png)
+If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration.
+![Device Registration: AD FS](images/hybridct/device1.png)
 
 > [!NOTE]
 > The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below.  Otherwise you can skip step 1.  
 
-1.  Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**.
+1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**.
-
+    ![Device Registration: Overview](images/hybridct/device2.png)
-![Device Registration.](images/hybridct/device2.png)
-
 2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt.  Then, run the following commands:  
-
    `Import-module activedirectory`  
    `PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "<your service account>"` 
 3. On the pop-up window click **Yes**.
 
-> [!NOTE]
+   > [!NOTE]
-> If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$"
+   > If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$"
 
-![Device Registration.](images/hybridct/device3.png)  
+   ![Device Registration: Domain](images/hybridct/device3.png)  
+   The above PSH creates the following objects:  
 
-The above PSH creates the following objects:  
+   - RegisteredDevices container under the AD domain partition  
-
+   - Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration  
-- RegisteredDevices container under the AD domain partition  
+   - Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration  
-- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration  
-- Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration  
-
-![Device Registration.](images/hybridct/device4.png)  
 
+   ![Device Registration: Tests](images/hybridct/device4.png) <br>
 4. Once this is done, you will see a successful completion message.
 
-![Device Registration.](images/hybridct/device5.png) 
+   ![Device Registration: Completion](images/hybridct/device5.png) 
 
 ### Create Service Connection Point (SCP) in Active Directory  
-If you plan to use Windows 10 domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS  
+If you plan to use Windows domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS  
-1.  Open Windows PowerShell and execute the following:
+
+1. Open Windows PowerShell and execute the following:
 
     `PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"` 
 
-> [!NOTE]
+   > [!NOTE]
-> If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server.  This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep
+   > If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server.  This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep
-
-![Device Registration.](images/hybridct/device6.png)   
 
+   ![Device Registration AdPrep](images/hybridct/device6.png)
 2. Provide your Azure AD global administrator credentials  
 
-    `PS C:>$aadAdminCred = Get-Credential`
+   `PS C:>$aadAdminCred = Get-Credential`
-
-![Device Registration.](images/hybridct/device7.png) 
 
+   ![Device Registration: Credential](images/hybridct/device7.png) 
 3. Run the following PowerShell command 
 
    `PS C:>Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred` 
 
-Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory.
+   Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory.
 
-The above commands enable Windows 10 clients to find the correct Azure AD domain to join by creating the serviceConnectionpoint object in AD DS.  
+The above commands enable Windows clients to find the correct Azure AD domain to join by creating the serviceConnectionpoint object in AD DS.  
 
 ### Prepare AD for Device Write Back   
 To ensure AD DS objects and containers are in the correct state for write back of devices from Azure AD, do the following.
 
-1.  Open Windows PowerShell and execute the following:  
+1. Open Windows PowerShell and execute the following:  
 
     `PS C:>Initialize-ADSyncDeviceWriteBack -DomainName <AD DS domain name> -AdConnectorAccount [AD connector account name]` 
 
-Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory in domain\accountname format  
+   Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory in domain\accountname format  
 
 The above command creates the following objects for device write back to AD DS, if they do not exist already, and allows access to the specified AD connector account name  
 
 - RegisteredDevices container in the AD domain partition  
 - Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration  
 
-### Enable Device Write Back in Azure AD Connect  
+### Enable Device Write Back in Azure AD Connect
+
 If you have not done so before, enable device write back in Azure AD Connect by running the wizard a second time and selecting **"Customize Synchronization Options"**, then checking the box for device write back and selecting the forest in which you have run the above cmdlets  
 
 ## Configure AD FS to use Azure registered devices
@@ -212,17 +212,17 @@ When you're using AD FS, you need to enable the following WS-Trust endpoints:
 
 The following claims must exist in the token received by Azure DRS for device registration to complete. Azure DRS will create a device object in Azure AD with some of this information which is then used by Azure AD Connect to associate the newly created device object with the computer account on-premises.
 
-* `http://schemas.microsoft.com/ws/2012/01/accounttype`
+- `http://schemas.microsoft.com/ws/2012/01/accounttype`
-* `http://schemas.microsoft.com/identity/claims/onpremobjectguid`
+- `http://schemas.microsoft.com/identity/claims/onpremobjectguid`
-* `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`
 
 If you have more than one verified domain name, you need to provide the following claim for computers:
 
-* `http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`
 
 If you are already issuing an ImmutableID claim (e.g., alternate login ID) you need to provide one corresponding claim for computers:
 
-* `http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`
+- `http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`
 
 In the following sections, you find information about:
 
@@ -238,6 +238,8 @@ The definition helps you to verify whether the values are present or if you need
 
 **`http://schemas.microsoft.com/ws/2012/01/accounttype`** - This claim must contain a value of **DJ**, which identifies the device as a domain-joined computer. In AD FS, you can add an issuance transform rule that looks like this:
 
+```powershell
+
     @RuleName = "Issue account type for domain-joined computers"
     c:[
         Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
@@ -248,11 +250,14 @@ The definition helps you to verify whether the values are present or if you need
         Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", 
         Value = "DJ"
     );
+```
 
 #### Issue objectGUID of the computer account on-premises
 
 **`http://schemas.microsoft.com/identity/claims/onpremobjectguid`** - This claim must contain the **objectGUID** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this:
 
+```powershell
+
     @RuleName = "Issue object GUID for domain-joined computers"
     c1:[
         Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
@@ -270,11 +275,14 @@ The definition helps you to verify whether the values are present or if you need
         query = ";objectguid;{0}", 
         param = c2.Value
     );
+```
 
 #### Issue objectSID of the computer account on-premises
 
 **`http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`** - This claim must contain the **objectSid** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this:
 
+```powershell
+
     @RuleName = "Issue objectSID for domain-joined computers"
     c1:[
         Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
@@ -287,11 +295,14 @@ The definition helps you to verify whether the values are present or if you need
         Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
     ]
     => issue(claim = c2);
+```
 
 #### Issue issuerID for computer when multiple verified domain names in Azure AD
 
 **`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added.
 
+```powershell
+
     @RuleName = "Issue account type with the value User when it is not a computer"
 
     NOT EXISTS(
@@ -333,7 +344,7 @@ The definition helps you to verify whether the values are present or if you need
         Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", 
         Value = "http://<verified-domain-name>/adfs/services/trust/"
     );
-
+```
 
 In the claim above,
 
@@ -341,12 +352,14 @@ In the claim above,
 - `<verified-domain-name>` is a placeholder you need to replace with one of your verified domain names in Azure AD
 
 For more details about verified domain names, see [Add a custom domain name to Azure Active Directory](/azure/active-directory/active-directory-add-domain).  
-To get a list of your verified company domains, you can use the [Get-MsolDomain](/powershell/module/msonline/get-msoldomain?view=azureadps-1.0) cmdlet. 
+To get a list of your verified company domains, you can use the [Get-MsolDomain](/powershell/module/msonline/get-msoldomain?view=azureadps-1.0&preserve-view=true) cmdlet.
 
 #### Issue ImmutableID for computer when one for users exist (e.g. alternate login ID is set)
 
 **`http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`** - This claim must contain a valid value for computers. In AD FS, you can create an issuance transform rule as follows:
 
+```powershell
+
     @RuleName = "Issue ImmutableID for computers"
     c1:[
         Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
@@ -364,11 +377,14 @@ To get a list of your verified company domains, you can use the [Get-MsolDomain]
         query = ";objectguid;{0}", 
         param = c2.Value
     );
+```
 
 #### Helper script to create the AD FS issuance transform rules
 
 The following script helps you with the creation of the issuance transform rules described above.
 
+```powershell
+
     $multipleVerifiedDomainNames = $false
     $immutableIDAlreadyIssuedforUsers = $false
     $oneOfVerifiedDomainNames = 'example.com'   # Replace example.com with one of your verified domains
@@ -487,28 +503,29 @@ The following script helps you with the creation of the issuance transform rules
     $crSet = New-ADFSClaimRuleSet -ClaimRule $updatedRules 
 
     Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:MicrosoftOnline -IssuanceTransformRules $crSet.ClaimRulesString 
+```
 
-
+#### Remarks
-#### Remarks 
 
 - This script appends the rules to the existing rules. Do not run the script twice because the set of rules would be added twice. Make sure that no corresponding rules exist for these claims (under the corresponding conditions) before running the script again.
 
 - If you have multiple verified domain names (as shown in the Azure AD portal or via the Get-MsolDomains cmdlet), set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing issuerid claim that might have been created by Azure AD Connect or via other means. Here is an example for this rule:
 
-
+  ```Claims Rule Language
-~~~
     c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
     => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?<domain>.+)",  "http://${domain}/adfs/services/trust/")); 
-~~~
+  ```
 
 - If you have already issued an **ImmutableID** claim  for user accounts, set the value of **$immutableIDAlreadyIssuedforUsers** in the script to **$true**.
 
-#### Configure Device Authentication in AD FS  
+#### Configure Device Authentication in AD FS 
+
 Using an elevated PowerShell command window, configure AD FS policy by executing the following command  
 
 `PS C:>Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod SignedToken` 
 
-#### Check your configuration  
+#### Check your configuration
+
 For your reference, below is a comprehensive list of the AD DS devices, containers and permissions required for device write-back and authentication to work
 
 - object of type ms-DS-DeviceContainer at CN=RegisteredDevices,DC=&lt;domain&gt;        
@@ -517,7 +534,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe
 - Container CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=&lt;domain&gt;
 - Container Device Registration Service DKM under the above container
 
-![Device Registration.](images/hybridct/device8.png) 
+   ![Device Registration: Container](images/hybridct/device8.png) 
 
 - object of type serviceConnectionpoint at CN=&lt;guid&gt;, CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=&lt;domain&gt;  
   - read/write access to the specified AD connector account name on the new object 
@@ -531,9 +548,10 @@ For your reference, below is a comprehensive list of the AD DS devices, containe
 <hr>
 
 ## Follow the Windows Hello for Business hybrid certificate trust deployment guide
+
 1. [Overview](hello-hybrid-cert-trust.md)
 2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
 3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
 4. Configure Azure Device Registration (*You are here*)
 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
-6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
+6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)

windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md

@@ -20,6 +20,7 @@ ms.reviewer:
 
 **Applies to**
 -   Windows 10, version 1703 or later
+-   Windows 11
 -   Hybrid deployment
 -   Certificate trust
 
@@ -56,7 +57,7 @@ Review these requirements and those from the Windows Hello for Business planning
 <br>
 
 ## Public Key Infrastructure ##
-The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller.
+The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows devices to trust the domain controller.
  
 Certificate trust deployments need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users.  When using Group Policy, hybrid certificate trust deployment uses the Windows Server 2016 Active Directory Federation Server (AD FS) as a certificate registration authority.
 

windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md

@@ -20,6 +20,7 @@ ms.reviewer:
 
 **Applies to**
 -   Windows 10, version 1703 or later
+-   Windows 11
 -   Hybrid deployment
 -   Certificate trust
 

windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md

@@ -1,6 +1,6 @@
 ---
 title: Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning (Windows Hello for Business)
-description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Businesss.
+description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Business.
 keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -20,6 +20,7 @@ ms.reviewer:
 
 **Applies to**
 -   Windows 10, version 1703 or later
+-   Windows 11
 -   Hybrid deployment
 -   Certificate trust
 

windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md

@@ -20,6 +20,7 @@ ms.reviewer:
 
 **Applies to**
 -   Windows 10, version 1703 or later
+-   Windows 11
 -   Hybrid deployment
 -   Certificate trust
 

windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md

@@ -21,6 +21,7 @@ ms.reviewer:
 **Applies to**
 
 - Windows 10, version 1703 or later
+- Windows 11
 - Hybrid deployment
 - Certificate trust
 

windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md

@@ -17,10 +17,11 @@ ms.date: 4/30/2021
 ms.reviewer: 
 ---
 
-# Configure Hybrid Azure AD joined Windows Hello for Business: Directory Synchronization
+# Configure Hybrid Azure AD joined Windows Hello for Business- Directory Synchronization
 
 **Applies to**
 - Windows 10, version 1703 or later
+- Windows 11
 - Hybrid deployment
 - Certificate Trust
 

windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md

@@ -17,11 +17,12 @@ ms.date: 4/30/2021
 ms.reviewer: 
 ---
 
-# Configure Hybrid Azure AD joined Windows Hello for Business: Public Key Infrastructure
+# Configure Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure
 
 **Applies to**
 
 - Windows 10, version 1703 or later
+- Windows 11
 - Hybrid Deployment
 - Certificate Trust
 
@@ -164,7 +165,7 @@ Sign-in to a certificate authority or management workstation with *Domain Admin*
 
 ### Creating Windows Hello for Business authentication certificate template
 
-During Windows Hello for Business provisioning, a Windows 10 client requests an authentication certificate from the Active Directory Federation Service, which requests an authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You set the name of the certificate template when configuring it.
+During Windows Hello for Business provisioning, a Windows client requests an authentication certificate from the Active Directory Federation Service, which requests an authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You set the name of the certificate template when configuring it.
 
 Sign-in to a certificate authority or management workstation with _Domain Admin equivalent_ credentials.
 

windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md

@@ -16,18 +16,19 @@ localizationpriority: medium
 ms.date: 4/30/2021
 ms.reviewer: 
 ---
-# Configure Hybrid Azure AD joined Windows Hello for Business: Group Policy
+# Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy
 
 **Applies to**
 -   Windows 10, version 1703 or later
+-   Windows 11
 -   Hybrid deployment
 -   Certificate trust
 
 
 ## Policy Configuration
 
-You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings.  To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
+You need at least a  Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings.  To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
-Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703.
+Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
 
 Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
 
@@ -161,9 +162,9 @@ The default Windows Hello for Business enables users to enroll and use biometric
 
 ### PIN Complexity
 
-PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. 
+PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. 
 
-Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use.  If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations.  The policy settings included are:
+Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use.  If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations.  The policy settings included are:
 * Require digits
 * Require lowercase letters
 * Maximum PIN length

windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md

@@ -20,6 +20,7 @@ ms.reviewer:
 
 **Applies to**
 -   Windows 10, version 1703 or later
+-   Windows 11
 -   Hybrid deployment
 -   Certificate trust
 

windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md

@@ -20,6 +20,7 @@ ms.reviewer:
 
 **Applies to**
 -   Windows 10, version 1703 or later
+-   Windows 11
 -   Hybrid deployment
 -   Key trust
 

windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md

@@ -20,6 +20,7 @@ ms.reviewer:
 
 **Applies to**
 -  Windows 10, version 1703 or later
+-  Windows 11
 -  Hybrid deployment
 -  Key trust
 

windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md

@@ -20,6 +20,7 @@ ms.reviewer:
 
 **Applies to**
 -  Windows 10, version 1703 or later
+-  Windows 11
 -  Hybrid deployment
 -  Key trust
 

windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md

@@ -20,6 +20,7 @@ ms.reviewer:
 
 **Applies to**
 -   Windows 10, version 1703 or later
+-   Windows 11
 -   Hybrid deployment
 -   Key trust
 
@@ -31,7 +32,7 @@ The distributed systems on which these technologies were built involved several
 * [Public Key Infrastructure](#public-key-infrastructure)
 * [Directory Synchronization](#directory-synchronization)
 * [Federation](#federation-with-azure)
-* [MultiFactor Authentication](#multifactor-authentication)
+* [Multifactor authentication](#multifactor-authentication)
 * [Device Registration](#device-registration)
   
 ## Directories
@@ -61,7 +62,7 @@ Review these requirements and those from the Windows Hello for Business planning
 <br>
 
 ## Public Key Infrastructure
-The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller.
+The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows devices to trust the domain controller.
 
 Key trust deployments do not need client issued certificates for on-premises authentication.  Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object.
 

windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md

@@ -21,6 +21,7 @@ ms.reviewer:
 **Applies to**
 
 - Windows 10, version 1703 or later
+- Windows 11
 - Hybrid deployment
 - Key trust
 

windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md

@@ -20,6 +20,7 @@ ms.reviewer:
 
 **Applies to**
 -   Windows 10, version 1703 or later
+-   Windows 11
 -   Hybrid deployment
 -   Key trust
 

windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md

@@ -20,6 +20,7 @@ ms.reviewer:
 
 **Applies to**
 -   Windows 10, version 1703 or later
+-   Windows 11
 -   Hybrid deployment
 -   Key trust
 

windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md

@@ -20,6 +20,7 @@ ms.reviewer:
 
 **Applies to**
 -   Windows 10, version 1703 or later
+-   Windows 11
 -   Hybrid deployment
 -   Key trust
 

windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md

@@ -22,6 +22,7 @@ ms.reviewer:
 **Applies to**
 
 - Windows 10, version 1703 or later
+- Windows 11
 - Hybrid Deployment
 - Key trust
 

windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md

@@ -20,20 +20,21 @@ ms.reviewer:
 
 **Applies to**
 -   Windows 10, version 1703 or later
+-   Windows 11
 -   Hybrid deployment
 -   Key trust
 
 
 ## Policy Configuration
 
-You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings.  To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
+You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings.  To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
-Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703.
+Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
 
 Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
 
 Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) automatically request and renew the correct domain controller certificate.  
 
-Hybrid Azure AD joined devices needs one Group Policy settings:
+Hybrid Azure AD joined devices needs one Group Policy setting:
 * Enable Windows Hello for Business
 
 ### Configure Domain Controllers for Automatic Certificate Enrollment
@@ -75,7 +76,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
 The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory
 
 > [!NOTE]
-> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more details about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows 10 device settings to enable Windows Hello for Business in Intune](/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more details about policy conflicts, see [Policy conflicts from multiple policy sources](./hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources)
+> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more details about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune](/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more details about policy conflicts, see [Policy conflicts from multiple policy sources](./hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources)
 
 #### Enable Windows Hello for Business
 
@@ -139,12 +140,12 @@ The default Windows Hello for Business enables users to enroll and use biometric
 
 ### PIN Complexity
 
-PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
+PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
 
 >[!IMPORTANT]
-> Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under **Computer Configuration\Administrative Templates\System\PIN Complexity**  of the Group Policy editor.
+> Starting from Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under **Computer Configuration\Administrative Templates\System\PIN Complexity**  of the Group Policy editor.
 
-Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use.  If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations.  The policy settings included are:
+Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use.  If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations.  The policy settings included are:
 * Require digits
 * Require lowercase letters
 * Maximum PIN length

windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md

@@ -1,5 +1,5 @@
 ---
-title: How Windows Hello for Business works (Windows 10)
+title: How Windows Hello for Business works (Windows)
 description: Learn about registration, authentication, key material, and infrastructure for Windows Hello for Business.
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -13,11 +13,13 @@ ms.reviewer:
 manager: dansimp
 ms.topic: article
 ---
-# How Windows Hello for Business works
+# How Windows Hello for Business works in Windows devices
 
 **Applies to**
--   Windows 10
+
--   Windows 10 Mobile
+- Windows 10
+- Windows 11
+- Windows 10 Mobile
 
 Windows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process.
 
@@ -30,15 +32,15 @@ A goal of device registration is to allow a user to open a brand-new device, sec
 
  The registration process works like this: 
  
-1. The user configures an account on the device. This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. For a new device, this step may be as simple as signing in with a Microsoft account. Signing in with a Microsoft account on a Windows 10 device automatically sets up Windows Hello on the device; users don’t have to do anything extra to enable it. 
+1. The user configures an account on the device. This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. For a new device, this step may be as simple as signing in with a Microsoft account. Signing in with a Microsoft account on a Windows 10 or Windows 11 device automatically sets up Windows Hello on the device; users don’t have to do anything extra to enable it. 
 2. To sign in using that account, the user has to enter the existing credentials for it. The identity provider (IDP) that “owns” the account receives the credentials and authenticates the user. This IDP authentication may include the use of an existing second authentication factor, or proof. For example, a user who registers a new device by using an Azure AD account will have to provide an SMS-based proof that Azure AD sends. 
 3. When the user has provided the proof to the IDP, the user enables PIN authentication. The PIN will be associated with this particular credential. When the user sets the PIN, it becomes usable immediately 
 
 The PIN chosen is associated with the combination of the active account and that specific device. The PIN must comply with whatever length and complexity policy the account administrator has configured; this policy is enforced on the device side. Other registration scenarios that Windows Hello supports are:
 
 - A user who upgrades from the Windows 8.1 operating system will sign in by using the existing enterprise password. That triggers a second authentication factor from the IDP side (if required); after receiving and returning a proof, such as a text message or voice code, the IDP authenticates the user to the upgraded Windows 10 device, and the user can set his or her PIN.
-- A user who typically uses a smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to.
+- A user who typically uses a smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 or Windows 11 device the user has not previously signed in to.
-- A user who typically uses a virtual smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to.
+- A user who typically uses a virtual smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 and Windows 11 device the user has not previously signed in to.
 
 When the user has completed this process, Windows Hello generates a new public–private key pair on the device. The TPM generates and protects this private key; if the device doesn’t have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the protector key. It’s associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. Each unique gesture generates a unique protector key. The protector key securely wraps the authentication key. The container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys. Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary. In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM.
 
@@ -46,7 +48,7 @@ At this point, the user has a PIN gesture defined on the device and an associate
 
 ## What’s a container?
 
-You’ll often hear the term *container* used in reference to mobile device management (MDM) solutions. Windows Hello uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data. Windows 10 Hello uses a single container that holds user key material for personal accounts, including key material associated with the user’s Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account.
+You’ll often hear the term *container* used in reference to mobile device management (MDM) solutions. Windows Hello uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data. Windows 10 or Windows 11 Hello uses a single container that holds user key material for personal accounts, including key material associated with the user’s Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account.
 
 The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD.