diff --git a/.openpublishing.redirection.education.json b/.openpublishing.redirection.education.json
index 7e028ba6b7..e27a545a00 100644
--- a/.openpublishing.redirection.education.json
+++ b/.openpublishing.redirection.education.json
@@ -229,6 +229,11 @@
       "source_path": "education/windows/windows-editions-for-education-customers.md",
       "redirect_url": "/education/windows",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "education/windows/configure-windows-for-education.md",
+      "redirect_url": "/education/windows",
+      "redirect_document_id": false
     }
   ]
 }
\ No newline at end of file
diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md
deleted file mode 100644
index d9b96510a0..0000000000
--- a/education/windows/configure-windows-for-education.md
+++ /dev/null
@@ -1,159 +0,0 @@
----
-title: Windows 10 configuration recommendations for education customers
-description: Learn how to configure the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, so that Windows is ready for your school.
-ms.topic: how-to
-ms.date: 08/10/2022
-appliesto:
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
----
-# Windows 10 configuration recommendations for education customers
-
-Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](#setedupolicies)** enabled. For more information, see the following table. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305).
-
-We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store, and use devices running Windows 10 S, will be able to configure the device at no extra charge to Windows 10 Pro Education. To learn more about the steps to configure this device, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md).
-
-In Windows 10, version 1703 (Creators Update), it's straightforward to configure Windows to be education ready.
-
-| Area | How to configure | What this area does | Windows 10 Education | Windows 10 Pro Education | Windows 10 S | 
-| --- | --- | --- | --- | --- | --- |
-| **Diagnostic Data** | **AllowTelemetry** | Sets Diagnostic Data to [Basic](/windows/configuration/configure-windows-telemetry-in-your-organization) | This feature is already set | This feature is already set | The policy must be set |
-| **Microsoft consumer experiences** | **SetEduPolicies** | Disables suggested content from Windows such as app recommendations | This feature is already set | This feature is already set | The policy must be set |
-| **Cortana** | **AllowCortana** | Disables Cortana </br></br> * Cortana is enabled by default on all editions in Windows 10, version 1703 | If using Windows 10 Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana. </br></br> See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | If using Windows 10 Pro Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana. </br></br> See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. |
-| **Safe search** | **SetEduPolicies** | Locks Bing safe search to Strict in Microsoft Edge | This feature is already set | This feature is already set | The policy must be set |
-| **Bing search advertising** | Ad free search with Bing | Disables ads when searching the internet with Bing in Microsoft Edge. See [Ad-free search with Bing](#ad-free-search-with-bing | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) |
-| **Apps** | **SetEduPolicies** | Preinstalled apps like Microsoft Edge, Movies & TV, Groove, and Skype become education ready </br></br> * Any app can detect Windows is running in an education ready configuration through [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) | This feature is already set | This feature is already set | The policy must be set |
-
-
-## Recommended configuration
-It's easy to be education ready when using Microsoft products. We recommend the following configuration:
-
-1. Use an Office 365 Education tenant. 
-
-    With Office 365, you also have Microsoft Entra ID. To learn more about Office 365 Education features and pricing, see [Office 365 Education plans and pricing](https://products.office.com/en-us/academic/compare-office-365-education-plans).
-
-2. Activate Intune for Education in your tenant.
-
-    You can [sign up to learn more about Intune for Education](https://info.microsoft.com/US-WNDWS-CNTNT-FY17-01Jan-17-IntuneforEducationlandingpageandnurture292531_01Registration-ForminBody.html).
-
-3. On PCs running Windows 10, version 1703:
-   1. Provision the PC using one of these methods:
-      * [Provision PCs with the Set up School PCs app](use-set-up-school-pcs-app.md) - The usage of this method will automatically set both **SetEduPolicies** to True and **AllowCortana** to False.
-      * [Provision PCs with a custom package created with Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) - Make sure to set both **SetEduPolicies** to True and **AllowCortana** to False.
-   2. Join the PC to Microsoft Entra ID.
-      * Use Set up School PCs or Windows Configuration Designer to bulk enroll to Microsoft Entra ID.
-      * Manually Microsoft Entra join the PC during the Windows device setup experience.
-   3. Enroll the PCs in MDM.
-      * If you've activated Intune for Education in your Microsoft Entra tenant, enrollment will happen automatically when the PC is joined to Microsoft Entra ID. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False.
-   4. Ensure that needed assistive technology apps can be used.
-      * If you've students or school personnel who rely on assistive technology apps that aren't available in the Microsoft Store, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info.
-
-4. Distribute the PCs to students.
-
-    Students sign in with their Azure AD/Office 365 identity, which enables single sign-on to Bing in Microsoft Edge, enabling an ad-free search experience with Bing in Microsoft Edge.
-
-5. Ongoing management through Intune for Education.
-
-    You can set many policies through Intune for Education, including **SetEduPolicies** and **AllowCortana**, for ongoing management of the PCs.
-
-## Configuring Windows
-You can configure Windows through provisioning or management tools including industry standard MDM.
-- Provisioning - A one-time setup process.
-- Management - A one-time and/or ongoing management of a PC by setting policies.
-
-You can set all the education compliance areas through both provisioning and management tools. Additionally, these Microsoft education tools will ensure PCs that you set up are education ready:
-- [Set up School PCs](use-set-up-school-pcs-app.md)
-- [Intune for Education](/intune-education/available-settings)
-
-## AllowCortana
-**AllowCortana** is a policy that enables or disables Cortana. It's a policy node in the Policy configuration service provider, [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana). 
-
-> [!NOTE]
-> See the [Recommended configuration](#recommended-configuration) section for recommended Cortana settings.
-
-Use one of these methods to set this policy.
-
-### MDM
-- Intune for Education automatically sets this policy in the **All devices** group policy configuration.
-- If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy.
-  - If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set.
-
-      For example, in Intune, create a new configuration policy and add an OMA-URI. 
-    - OMA-URI:  ./Vendor/MSFT/Policy/Config/Experience/AllowCortana
-    - Data type:  Integer
-    - Value:  0
-
-### Group Policy
-Set **Computer Configuration > Administrative Templates > Windows Components > Search > AllowCortana** to **Disabled**.
-
-### Provisioning tools
-- [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates.
-- [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) 
-    - Under **Runtime settings**, click the **Policies** settings group, set **Experience > Cortana** to **No**.
-
-## SetEduPolicies
-**SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It's a policy node in the [SharedPC configuration service provider](/windows/client-management/mdm/sharedpc-csp).
-
-Use one of these methods to set this policy. 
-
-### MDM
-- Intune for Education automatically sets this policy in the **All devices** group policy configuration.
-- If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy.
-  - If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set.
-
-      For example, in Intune, create a new configuration policy and add an OMA-URI.
-    - OMA-URI:  ./Vendor/MSFT/SharedPC/SetEduPolicies
-    - Data type:  Boolean
-    - Value:  true
-
-      ![Create an OMA URI for SetEduPolices.](images/setedupolicies_omauri.png)
-
-### Group Policy
-**SetEduPolicies** isn't natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to set the policy in [MDM SharedPC](/windows/win32/dmwmibridgeprov/mdm-sharedpc). 
-
-For example:
-
-- Open PowerShell as an administrator and enter the following:
-
-    ```
-    $sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC"
-
-    $sharedPC.SetEduPolicies = $True
-
-    Set-CimInstance -CimInstance $sharedPC
-
-    Get-CimInstance -Namespace $namespaceName -ClassName $MDM_SharedPCClass
-    ```
-
-### Provisioning tools
-- [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates.
-- [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) 
-    - Under **Runtime settings**, click the **SharedPC** settings group, set **PolicyCustomization > SetEduPolicies** to **True**.
-
-        ![Set SetEduPolicies to True in Windows Configuration Designer.](images/wcd/setedupolicies.png)
-
-## Ad-free search with Bing
-Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States. 
-
-### Configurations
-
-<a name='azure-ad-and-office-365-education-tenant'></a>
-
-#### Microsoft Entra ID and Office 365 Education tenant
-To suppress ads when searching with Bing on Microsoft Edge on any network, follow these steps:
-
-1. Ensure your Office 365 tenant is registered as an education tenant. For more information, see [Verify your Office 365 domain to prove education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-viva-engage-87d1844e-aa47-4dc0-a61b-1b773fd4e590).
-2. Domain join the Windows 10 PCs to your Microsoft Entra tenant (this tenant is the same as your Office 365 tenant).
-3. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic.
-4. Have students sign in with their Microsoft Entra identity, which is the same as your Office 365 identity, to use the PC.
-> [!NOTE]
-> If you are verifying your Office 365 domain to prove education status (step 1 above), you may need to wait up to 7 days for the ad-free experience to take effect. Microsoft recommends not to roll out the browser to your students until that time.
-
-#### Office 365 sign-in to Bing
-To suppress ads only when the student signs into Bing with their Office 365 account in Microsoft Edge, follow these steps:
-
-1. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic.
-2. Have students sign into Bing with their Office 365 account.
-
-
-## Related topics
-[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
diff --git a/education/windows/images/setedupolicies_omauri.png b/education/windows/images/setedupolicies_omauri.png
deleted file mode 100644
index eb3d9e216c..0000000000
Binary files a/education/windows/images/setedupolicies_omauri.png and /dev/null differ
diff --git a/education/windows/images/wcd/setedupolicies.png b/education/windows/images/wcd/setedupolicies.png
deleted file mode 100644
index e240063f68..0000000000
Binary files a/education/windows/images/wcd/setedupolicies.png and /dev/null differ
diff --git a/education/windows/images/wcd/wcd_settings_assignedaccess.png b/education/windows/images/wcd/wcd_settings_assignedaccess.png
deleted file mode 100644
index 443a5d0688..0000000000
Binary files a/education/windows/images/wcd/wcd_settings_assignedaccess.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/configure.md b/windows/security/identity-protection/hello-for-business/configure.md
index b4d14a1882..008110433e 100644
--- a/windows/security/identity-protection/hello-for-business/configure.md
+++ b/windows/security/identity-protection/hello-for-business/configure.md
@@ -2,7 +2,7 @@
 title: Configure Windows Hello for Business
 description: Learn about the configuration options for Windows Hello for Business and how to implement them in your organization.
 ms.topic: how-to
-ms.date: 01/03/2024
+ms.date: 04/23/2024
 ---
 
 # Configure Windows Hello for Business
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
index 5fe562311d..e1845d9363 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
@@ -1,7 +1,7 @@
 ---
 title: Dynamic lock
 description: Learn how to configure dynamic lock on Windows devices via group policies. This feature locks a device when a Bluetooth signal falls below a set value.
-ms.date: 02/29/2024
+ms.date: 04/23/2024
 ms.topic: how-to
 ---
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 1b1ad680bf..333674ad41 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -5,7 +5,7 @@ ms.date: 08/19/2018
 ms.topic: how-to
 ---
 
-# Using Certificates for AADJ On-premises Single-sign On
+# Using Certificates for Microsoft Entra joined on-premises single-sign on
 
 [!INCLUDE [apply-to-hybrid-cert-trust-entra](deploy/includes/apply-to-hybrid-cert-trust-entra.md)]
 
@@ -16,34 +16,35 @@ If you plan to use certificates for on-premises single-sign on, then follow thes
 
 Steps you'll perform include:
 
-- [Prepare Microsoft Entra Connect](#prepare-microsoft-entra-connect)
-- [Prepare the Network Device Enrollment Services Service Account](#prepare-the-network-device-enrollment-services-ndes-service-account)
-- [Prepare Active Directory Certificate Services](#prepare-active-directory-certificate-authority)
-- [Install the Network Device Enrollment Services Role](#install-and-configure-the-ndes-role)
-- [Configure Network Device Enrollment Services to work with Microsoft Intune](#configure-network-device-enrollment-services-to-work-with-microsoft-intune)
-- [Download, Install and Configure the Intune Certificate Connector](#download-install-and-configure-the-intune-certificate-connector)
-- [Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile](#create-and-assign-a-simple-certificate-enrollment-protocol-scep-certificate-profile)
+> [!div class="checklist"]
+> - [Prepare Microsoft Entra Connect](#prepare-microsoft-entra-connect)
+> - [Prepare the Network Device Enrollment Services Service Account](#prepare-the-network-device-enrollment-services-ndes-service-account)
+> - [Prepare Active Directory Certificate Services](#prepare-active-directory-certificate-authority)
+> - [Install the Network Device Enrollment Services Role](#install-and-configure-the-ndes-role)
+> - [Configure Network Device Enrollment Services to work with Microsoft Intune](#configure-network-device-enrollment-services-to-work-with-microsoft-intune)
+> - [Download, Install and Configure the Intune Certificate Connector](#download-install-and-configure-the-intune-certificate-connector)
+> - [Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile](#create-and-assign-a-simple-certificate-enrollment-protocol-scep-certificate-profile)
 
 ## Requirements
 
-You need to install and configure additional infrastructure to provide Microsoft Entra joined devices with on-premises single-sign on.
+You must install and configure additional infrastructure to provide Microsoft Entra joined devices with on-premises single-sign on.
 
-- An existing Windows Server 2012 R2 or later Enterprise Certificate Authority
-- A Windows Server 2012 R2 domain joined server that hosts the Network Device Enrollment Services role
+- An existing Windows Server Enterprise Certificate Authority
+- A domain joined Windows Server that hosts the Network Device Enrollment Services (NDES) role
 
 ### High Availability
 
-The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority.  Certificate registration servers enroll certificates on behalf of the user.  Users request certificates from the NDES service rather than directly from the issuing certificate authority.
+The NDES server role acts as a certificate registration authority (CRA). Certificate registration servers enroll certificates on behalf of the user. Users request certificates from the NDES service rather than directly from the issuing certificate authority.
 
-The architecture of the NDES server prevents it from being clustered or load balanced for high availability.  To provide high availability, you need to install more than one identically configured NDES servers, and use Microsoft Intune to load balance then (in round-robin fashion).
+The architecture of the NDES server prevents it from being clustered or load balanced for high availability. To provide high availability, you need to install more than one identically configured NDES servers, and use Microsoft Intune to load balance then (in round-robin fashion).
 
-The Network Device Enrollment Service (NDES) server role can issue up to three unique certificate templates.  The server role accomplishes this by mapping the purpose of the certificate request to a configured certificate template.  The certificate request purpose has three options:
+The Network Device Enrollment Service (NDES) server role can issue up to three unique certificate templates. The server role accomplishes this by mapping the purpose of the certificate request to a configured certificate template. The certificate request purpose has three options:
 
 - Signature
 - Encryption
 - Signature and Encryption
 
-If you need to deploy more than three types of certificates to the Microsoft Entra joined device, you need additional NDES servers.  Alternatively, consider consolidating certificate templates to reduce the number of certificate templates.
+If you need to deploy more than three types of certificates to the Microsoft Entra joined device, you need additional NDES servers. Alternatively, consider consolidating certificate templates to reduce the number of certificate templates.
 
 ### Network Requirements
 
@@ -51,36 +52,31 @@ All communication occurs securely over port 443.
 
 ## Prepare Microsoft Entra Connect
 
-Successful authentication to on-premises resources using a certificate requires the certificate to provide a hint about the on-premises domain.  The hint can be the user's Active Directory distinguished name as the subject of the certificate, or the hint can be the user's user principal name where the suffix matches the Active Directory domain name.
+Successful authentication to on-premises resources using a certificate requires the certificate to provide a hint about the on-premises domain. The hint can be the user's Active Directory distinguished name as the subject of the certificate, or the hint can be the user's user principal name where the suffix matches the Active Directory domain name.
 
-Most environments change the user principal name suffix to match the organization's external domain name (or vanity domain), which prevents the user principal name as a hint to locate a domain controller.  Therefore, the certificate needs the user's on-premises distinguished name in the subject to properly locate a domain controller.
+Most environments change the user principal name suffix to match the organization's external domain name (or vanity domain), which prevents the user principal name as a hint to locate a domain controller. Therefore, the certificate needs the user's on-premises distinguished name in the subject to properly locate a domain controller.
 
-To include the on-premises distinguished name in the certificate's subject, Microsoft Entra Connect must replicate the Active Directory **distinguishedName** attribute to the Microsoft Entra ID **onPremisesDistinguishedName** attribute.  Microsoft Entra Connect version 1.1.819 includes the proper synchronization rules needed for these attributes.
+To include the on-premises distinguished name in the certificate's subject, Microsoft Entra Connect must replicate the Active Directory **distinguishedName** attribute to the Microsoft Entra ID **onPremisesDistinguishedName** attribute. Microsoft Entra Connect version 1.1.819 includes the proper synchronization rules needed for these attributes.
 
 ### Verify Microsoft Entra Connect version
 
-Sign-in to computer running Microsoft Entra Connect with access equivalent to _local administrator_.
+Sign-in to computer running Microsoft Entra Connect with access equivalent to *local administrator*.
 
-1. Open **Synchronization Services** from the **Microsoft Entra Connect** folder.
-
-2. In the **Synchronization Service Manager**, select **Help** and then select **About**.
-
-3. If the version number isn't **1.1.819** or later, then upgrade Microsoft Entra Connect to the latest version.
+1. Open **Synchronization Services** from the **Microsoft Entra Connect** folder
+1. In the **Synchronization Service Manager**, select **Help** and then select **About**
+1. If the version number isn't **1.1.819** or later, then upgrade Microsoft Entra Connect to the latest version.
 
 ### Verify the onPremisesDistinguishedName attribute is synchronized
 
 The easiest way to verify that the onPremisesDistingushedNamne attribute is synchronized is to use the Graph Explorer for Microsoft Graph.
 
-1. Open a web browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
-
-2. Select **Sign in to Graph Explorer** and provide Azure credentials.
+1. Open a web browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer)
+1. Select **Sign in to Graph Explorer** and provide Azure credentials.
 
    > [!NOTE]
-   > To successfully query the Graph API, adequate [permissions](/graph/api/user-get?) must be granted.
-
-3. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You'll now be prompted for delegated permissions consent.
-
-4. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Microsoft Entra ID.  Select **Run query**.
+   > To successfully query the Graph API, adequate [permissions](/graph/api/user-get?) must be granted
+1. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You'll now be prompted for delegated permissions consent
+1. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Microsoft Entra ID. Select **Run query**.
 
    > [!NOTE]
    > Because the v1.0 endpoint of the Graph API only provides a limited set of parameters, we will use the $select [Optional OData query parameter](/graph/api/user-get?). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios.
@@ -95,7 +91,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync
    GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}?$select=displayName,userPrincipalName,onPremisesDistinguishedName
    ```
 
-5. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute.  Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute isn't synchronized the value will be **null**.
+5. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute isn't synchronized the value will be **null**.
 
    #### Response
    <!-- {
@@ -121,105 +117,82 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync
 
 The deployment uses the **NDES Servers** security group to assign the NDES service the proper user right assignments.
 
-Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
+Sign-in to a domain controller or management workstation with access equivalent to *domain administrator*.
 
-1. Open **Active Directory Users and Computers**.
-
-2. Expand the domain node from the navigation pane.
-
-3. Right-click the **Users** container. Hover over **New** and select **Group**.
-
-4. Type **NDES Servers** in the **Group Name** text box.
-
-5. Select **OK**.
+1. Open **Active Directory Users and Computers**
+1. Expand the domain node from the navigation pane
+1. Right-click the **Users** container. Hover over **New** and select **Group**
+1. Type **NDES Servers** in the **Group Name** text box
+1. Select **OK**.
 
 ### Add the NDES server to the NDES Servers global security group
 
-Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
+Sign-in to a domain controller or management workstation with access equivalent to *domain administrator*.
 
-1. Open **Active Directory Users and Computers**.
-
-2. Expand the domain node from the navigation pane.
-
-3. Select **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role.  Select **Add to a group**.
-
-4. Type **NDES Servers** in **Enter the object names to select**.  Select **OK**.  Select **OK** on the **Active Directory Domain Services** success dialog.
+1. Open **Active Directory Users and Computers**
+1. Expand the domain node from the navigation pane
+1. Select **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Select **Add to a group**
+1. Type **NDES Servers** in **Enter the object names to select**. Select **OK**. Select **OK** on the **Active Directory Domain Services** success dialog.
 
 > [!NOTE]
-> For high-availability, you should have more than one NDES server to service Windows Hello for Business certificate requests.  You should add additional Windows Hello for Business NDES servers to this group to ensure they receive the proper configuration.
+> For high-availability, you should have more than one NDES server to service Windows Hello for Business certificate requests. You should add additional Windows Hello for Business NDES servers to this group to ensure they receive the proper configuration.
 
 ### Create the NDES Service Account
 
-The Network Device Enrollment Services (NDES) role runs under a service account. Typically, it's preferential to run services using a Group Managed Service Account (GMSA).  While the NDES role can be configured to run using a GMSA, the Intune Certificate Connector wasn't designed nor tested using a GMSA and is considered an unsupported configuration.  The deployment uses a normal services account.
+The Network Device Enrollment Services (NDES) role runs under a service account. Typically, it's preferential to run services using a Group Managed Service Account (GMSA). While the NDES role can be configured to run using a GMSA, the Intune Certificate Connector wasn't designed nor tested using a GMSA and is considered an unsupported configuration. The deployment uses a normal services account.
 
-Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
+Sign-in to a domain controller or management workstation with access equivalent to *domain administrator*.
 
-1. In the navigation pane, expand the node that has your domain name.  Select **Users**.
-
-2. Right-click the **Users** container. Hover over **New** and then select **User**.  Type **NDESSvc** in  **Full Name** and **User logon name**. Select **Next**.
-
-3. Type a secure password in **Password**.  Confirm the secure password in **Confirm Password**.  Clear **User must change password at next logon**.  Select **Next**.
-
-4. Select **Finish**.
+1. In the navigation pane, expand the node that has your domain name. Select **Users**
+1. Right-click the **Users** container. Hover over **New** and then select **User**. Type **NDESSvc** in  **Full Name** and **User logon name**. Select **Next**
+1. Type a secure password in **Password**. Confirm the secure password in **Confirm Password**. Clear **User must change password at next logon**. Select **Next**
+1. Select **Finish**.
 
 > [!IMPORTANT]
-> Configuring the service's account password to **Password never expires** may be more convenient, but it presents a security risk.  Normal service account passwords should expire in accordance with the organizations user password expiration policy.  Create a reminder to change the service account's password two weeks before it will expire.  Share the reminder with others that are allowed to change the password to ensure the password is changed before it expires.
+> Configuring the service's account password to **Password never expires** may be more convenient, but it presents a security risk. Normal service account passwords should expire in accordance with the organizations user password expiration policy. Create a reminder to change the service account's password two weeks before it will expire. Share the reminder with others that are allowed to change the password to ensure the password is changed before it expires.
 
 ### Create the NDES Service User Rights Group Policy object
 
-The Group Policy object ensures the NDES Service account has the proper user right to assign all the NDES servers in the **NDES Servers** group.  As you add new NDES servers to your environment and this group, the service account automatically receives the proper user rights through the Group Policy.
+The Group Policy object ensures the NDES Service account has the proper user right to assign all the NDES servers in the **NDES Servers** group. As you add new NDES servers to your environment and this group, the service account automatically receives the proper user rights through the Group Policy.
 
-Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials.
+Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials.
 
 1. Start the **Group Policy Management Console** (gpmc.msc)
 
-2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
-
-3. Right-click **Group Policy object** and select **New**.
-
-4. Type **NDES Service Rights** in the name box and select **OK**.
-
-5. In the content pane, right-click the **NDES Service Rights** Group Policy object and select **Edit**.
-
-6. In the navigation pane, expand **Policies** under **Computer Configuration**.
-
-7. Expand **Windows Settings > Security Settings > Local Policies**. Select **User Rights Assignments**.
-
-8. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings** and select **OK**.  Select **Add User or Group...**.  In the **Add User or Group** dialog box, select **Browse**.  In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**.  Select **OK** twice.
-
-9. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings** and select **OK**.  Select **Add User or Group...**.  In the **Add User or Group** dialog box, select **Browse**.  In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**.  Select **OK** twice.
-
-10. In the content pane, double-click **Log on as a service**. Select **Define these policy settings** and select **OK**.  Select **Add User or Group...**.  In the **Add User or Group** dialog box, select **Browse**.  In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**.  Select **OK** three times.
-
-11. Close the **Group Policy Management Editor**.
+1. Expand the domain and select the **Group Policy Object** node in the navigation pane
+1. Right-click **Group Policy object** and select **New**
+1. Type **NDES Service Rights** in the name box and select **OK**
+1. In the content pane, right-click the **NDES Service Rights** Group Policy object and select **Edit**
+1. In the navigation pane, expand **Policies** under **Computer Configuration**
+1. Expand **Windows Settings > Security Settings > Local Policies**. Select **User Rights Assignments**
+1. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings** and select **OK**. Select **Add User or Group...**. In the **Add User or Group** dialog box, select **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Select **OK** twice
+1. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings** and select **OK**. Select **Add User or Group...**. In the **Add User or Group** dialog box, select **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Select **OK** twice
+1. In the content pane, double-click **Log on as a service**. Select **Define these policy settings** and select **OK**. Select **Add User or Group...**. In the **Add User or Group** dialog box, select **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Select **OK** three times
+1. Close the **Group Policy Management Editor**.
 
 ### Configure security for the NDES Service User Rights Group Policy object
 
 The best way to deploy the **NDES Service User Rights** Group Policy object is to use security group filtering. This enables you to easily manage the computers that receive the Group Policy settings by adding them to a group.
 
-Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
+Sign-in to a domain controller or management workstation with access equivalent to *domain administrator*.
 
 1. Start the **Group Policy Management Console** (gpmc.msc)
 
-2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
-
-3. Double-click the **NDES Service User Rights** Group Policy object.
-
-4. In the **Security Filtering** section of the content pane, select **Add**.  Type **NDES Servers** or the name of the security group you previously created and select **OK**.
-
-5. Select the **Delegation** tab. Select **Authenticated Users** and select **Advanced**.
-
-6. In the **Group or User names** list, select **Authenticated Users**.  In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Select **OK**.
+1. Expand the domain and select the **Group Policy Object** node in the navigation pane
+1. Double-click the **NDES Service User Rights** Group Policy object
+1. In the **Security Filtering** section of the content pane, select **Add**. Type **NDES Servers** or the name of the security group you previously created and select **OK**
+1. Select the **Delegation** tab. Select **Authenticated Users** and select **Advanced**
+1. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Select **OK**.
 
 ### Deploy the NDES Service User Rights Group Policy object
 
-The application of the **NDES Service User Rights** Group Policy object uses security group filtering.  This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all computers. However, the security group filtering ensures only computers included in the **NDES Servers** global security group receive and apply the Group Policy object, which results in providing the **NDESSvc** service account with the proper user rights.
+The application of the **NDES Service User Rights** Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all computers. However, the security group filtering ensures only computers included in the **NDES Servers** global security group receive and apply the Group Policy object, which results in providing the **NDESSvc** service account with the proper user rights.
 
-Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
+Sign-in to a domain controller or management workstation with access equivalent to *domain administrator*.
 
 1. Start the **Group Policy Management Console** (gpmc.msc)
 
-2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO**
+1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO**
 
 3. In the **Select GPO** dialog box, select **NDES Service User Rights** or the name of the Group Policy object you previously created and select **OK**.
 
@@ -228,7 +201,7 @@ Sign-in to a domain controller or management workstation with access equivalent
 
 ## Prepare Active Directory Certificate Authority
 
-You must prepare the public key infrastructure and the issuing certificate authority to support issuing certificates using Microsoft Intune and the Network Devices Enrollment Services (NDES) server role.  In this task, you'll
+You must prepare the public key infrastructure and the issuing certificate authority to support issuing certificates using Microsoft Intune and the Network Devices Enrollment Services (NDES) server role. In this task, you'll
 
 - Configure the certificate authority to let Intune provide validity periods
 - Create an NDES-Intune Authentication Certificate template
@@ -237,12 +210,12 @@ You must prepare the public key infrastructure and the issuing certificate autho
 
 ### Configure the certificate authority to let Intune provide validity periods
 
-When deploying certificates using Microsoft Intune, you have the option of providing the validity period in the SCEP certificate profile rather than relying on the validity period in the certificate template.  If you need to issue the same certificate with different validity periods, it may be advantageous to use the SCEP profile, given the limited number of certificates a single NDES server can issue.
+When deploying certificates using Microsoft Intune, you have the option of providing the validity period in the SCEP certificate profile rather than relying on the validity period in the certificate template. If you need to issue the same certificate with different validity periods, it may be advantageous to use the SCEP profile, given the limited number of certificates a single NDES server can issue.
 
 > [!NOTE]
-> Skip this step if you do not want to enable Microsoft Intune to specify the validity period of the certificate.  Without this configuration, the certificate request uses the validity period configured in the certificate template.
+> Skip this step if you do not want to enable Microsoft Intune to specify the validity period of the certificate. Without this configuration, the certificate request uses the validity period configured in the certificate template.
 
-Sign-in to the issuing certificate authority with access equivalent to _local administrator_.
+Sign-in to the issuing certificate authority with access equivalent to *local administrator*.
 
 1. Open an elevated command prompt and type the following command:
 
@@ -254,88 +227,62 @@ Sign-in to the issuing certificate authority with access equivalent to _local ad
 
 ### Create an NDES-Intune authentication certificate template
 
-NDES uses a server authentication certificate to authenticate the server endpoint, which encrypts the communication between it and the connecting client.  The Intune Certificate Connector uses a client authentication certificate template to authenticate to the certificate registration point.
+NDES uses a server authentication certificate to authenticate the server endpoint, which encrypts the communication between it and the connecting client. The Intune Certificate Connector uses a client authentication certificate template to authenticate to the certificate registration point.
 
-Sign-in to the issuing certificate authority or management workstations with _Domain Admin_ equivalent credentials.
+Sign-in to the issuing certificate authority or management workstations with *Domain Admin* equivalent credentials.
 
-1. Open the **Certificate Authority** management console.
-
-2. Right-click **Certificate Templates** and select **Manage**.
-
-3. In the **Certificate Template Console**, right-click the **Computer** template in the details pane and select **Duplicate Template**.
-
-4. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**.  Adjust the validity and renewal period to meet your enterprise's needs.
+1. Open the **Certificate Authority** management console
+1. Right-click **Certificate Templates** and select **Manage**
+1. In the **Certificate Template Console**, right-click the **Computer** template in the details pane and select **Duplicate Template**
+1. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
 
    > [!NOTE]
-   > If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
-
-5. On the **Subject** tab, select **Supply in the request**.
-
-6. On the **Cryptography** tab, validate the **Minimum key size** is **2048**.
-
-7. On the **Security** tab, select **Add**.
-
-8. Select **Object Types**, then in the window that appears, choose **Computers** and select **OK**.
-
-9. Type **NDES server** in the **Enter the object names to select** text box and select **OK**.
-
-10. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes aren't already cleared. Select **OK**.
-
-11. Select on the **Apply** to save changes and close the console.
+   > If you use different template names, you'll need to remember and substitute these names in different portions of the lab
+1. On the **Subject** tab, select **Supply in the request**
+1. On the **Cryptography** tab, validate the **Minimum key size** is **2048**
+1. On the **Security** tab, select **Add**
+1. Select **Object Types**, then in the window that appears, choose **Computers** and select **OK**
+1. Type **NDES server** in the **Enter the object names to select** text box and select **OK**
+1. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes aren't already cleared. Select **OK**
+1. Select on the **Apply** to save changes and close the console.
 
 ### Create a Microsoft Entra joined Windows Hello for Business authentication certificate template
 
-During Windows Hello for Business provisioning,  Windows requests an authentication certificate from Microsoft Intune, which requests the authentication certificate on behalf of the user.  This task configures the Windows Hello for Business authentication certificate template.  You use the name of the certificate template when configuring the NDES Server.
+During Windows Hello for Business provisioning,  Windows requests an authentication certificate from Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server.
 
-Sign in a certificate authority or management workstations with _Domain Admin equivalent_ credentials.
+Sign in a certificate authority or management workstations with *Domain Admin equivalent* credentials.
 
-1. Open the **Certificate Authority** management console.
-
-2. Right-click **Certificate Templates** and select **Manage**.
-
-3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**.
-
-4. On the **Compatibility** tab, clear the **Show resulting changes** check box.  Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certificate Recipient** list.
-
-5. On the **General** tab, type **AADJ WHFB Authentication** in **Template display name**.  Adjust the validity and renewal period to meet your enterprise's needs.
+1. Open the **Certificate Authority** management console
+1. Right-click **Certificate Templates** and select **Manage**
+1. Right-click the **Smartcard Logon** template and choose **Duplicate Template**
+1. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certificate Recipient** list
+1. On the **General** tab, type **ENTRA JOINED WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
 
    > [!NOTE]
-   > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment.
-
-6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list.  Select **RSA** from the **Algorithm name** list.  Type **2048** in the **Minimum key size** text box.  Select **SHA256** from the **Request hash** list.
-
-7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**.
-
-8. On the **Subject** tab, select **Supply in the request**.
-
-9. On the **Request Handling** tab, select **Signature and encryption** from the **Purpose** list.  Select the **Renew with same key** check box. Select **Enroll subject without requiring any user input**.
-
-10. On the **Security** tab, select **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and select **OK**.
-
-11. Select  **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes aren't already cleared. Select **OK**.
-
-12. Close the console.
+   > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment
+1. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list
+1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**
+1. On the **Subject** tab, select **Supply in the request**
+1. On the **Request Handling** tab, select **Signature and encryption** from the **Purpose** list. Select the **Renew with same key** check box. Select **Enroll subject without requiring any user input**
+1. On the **Security** tab, select **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and select **OK**
+1. Select  **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes aren't already cleared. Select **OK**
+1. Close the console.
 
 ### Publish certificate templates
 
-The certificate authority may only issue certificates for certificate templates that are published to that certificate authority.  If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
+The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
 
 > [!Important]
-> Ensure you publish the **AADJ WHFB Authentication** certificate templates to the certificate authority that Microsoft Intune uses by way of the NDES servers. The NDES configuration asks you to choose a certificate authority from which it requests certificates.  You need to publish that certificate templates to that issuing certificate authority.  The **NDES-Intune Authentication** certificate is directly enrolled and can be published to any certificate authority.
+> Ensure you publish the **ENTRA JOINED WHFB Authentication** certificate templates to the certificate authority that Microsoft Intune uses by way of the NDES servers. The NDES configuration asks you to choose a certificate authority from which it requests certificates. You need to publish that certificate templates to that issuing certificate authority. The **NDES-Intune Authentication** certificate is directly enrolled and can be published to any certificate authority.
 
-Sign in to the certificate authority or management workstations with an _enterprise admin_ -equivalent credential.
+Sign in to the certificate authority or management workstations with an *enterprise admin* -equivalent credential.
 
-1. Open the **Certificate Authority** management console.
-
-2. Expand the parent node from the navigation pane.
-
-3. Select **Certificate Templates** in the navigation pane.
-
-4. Right-click the **Certificate Templates** node.  Select **New**, and select **Certificate Template** to issue.
-
-5. In the **Enable Certificates Templates** window, select the **NDES-Intune Authentication** and **AADJ WHFB Authentication** templates you created in the previous steps.  Select **OK** to publish the selected certificate templates to the certificate authority.
-
-6. Close the console.
+1. Open the **Certificate Authority** management console
+1. Expand the parent node from the navigation pane
+1. Select **Certificate Templates** in the navigation pane
+1. Right-click the **Certificate Templates** node. Select **New**, and select **Certificate Template** to issue
+1. In the **Enable Certificates Templates** window, select the **NDES-Intune Authentication** and **ENTRA JOINED WHFB Authentication** templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certificate authority
+1. Close the console.
 
 ## Install and Configure the NDES Role
 
@@ -353,13 +300,11 @@ This section includes the following articles:
 
 Install the Network Device Enrollment Service role on a computer other than the issuing certificate authority.
 
-Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credential.
+Sign-in to the certificate authority or management workstations with an *Enterprise Admin* equivalent credential.
 
-1. Open **Server Manager** on the NDES server.
-
-2. Select **Manage**.  Select **Add Roles and Features**.
-
-3. In the **Add Roles and Features Wizard**, on the **Before you begin** page, select **Next**.  Select **Role-based or feature-based installation** on the **Select installation type** page.  Select **Next**.  Select **Select a server from the server pool**.  Select the local server from the **Server Pool** list.  Select **Next**.
+1. Open **Server Manager** on the NDES server
+1. Select **Manage**. Select **Add Roles and Features**
+1. In the **Add Roles and Features Wizard**, on the **Before you begin** page, select **Next**. Select **Role-based or feature-based installation** on the **Select installation type** page. Select **Next**. Select **Select a server from the server pool**. Select the local server from the **Server Pool** list. Select **Next**.
 
    ![Server Manager destination server.](images/aadjCert/servermanager-destination-server-ndes.png)
 
@@ -367,66 +312,61 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
 
    ![Server Manager AD CS Role.](images/aadjCert/servermanager-adcs-role.png)
 
-   Select **Add Features** on the **Add Roles and Feature Wizard** dialog box.  Select **Next**.
+   Select **Add Features** on the **Add Roles and Feature Wizard** dialog box. Select **Next**.
 
    ![Server Manager Add Features.](images/aadjcert/servermanager-adcs-add-features.png)
 
-5. On the **Features** page, expand **.NET Framework 3.5 Features**.  Select **HTTP Activation**.  Select **Add Features** on the **Add Roles and Feature Wizard** dialog box.  Expand **.NET Framework 4.5 Features**.  Expand **WCF Services**.  Select **HTTP Activation**.  Select **Add Features** on the **Add Roles and Feature Wizard** dialog box.  Select **Next**.
+5. On the **Features** page, expand **.NET Framework 3.5 Features**. Select **HTTP Activation**. Select **Add Features** on the **Add Roles and Feature Wizard** dialog box. Expand **.NET Framework 4.5 Features**. Expand **WCF Services**. Select **HTTP Activation**. Select **Add Features** on the **Add Roles and Feature Wizard** dialog box. Select **Next**.
 
    ![Server Manager Feature HTTP Activation.](images/aadjcert/servermanager-adcs-http-activation.png)
 
-6. On the **Select role services** page, clear the **Certificate Authority** check box. Select the **Network Device Enrollment Service**.  Select **Add Features** on the **Add Roles and Features Wizard** dialog box. Select **Next**.
+6. On the **Select role services** page, clear the **Certificate Authority** check box. Select the **Network Device Enrollment Service**. Select **Add Features** on the **Add Roles and Features Wizard** dialog box. Select **Next**.
 
    ![Server Manager ADCS NDES Role.](images/aadjcert/servermanager-adcs-ndes-role-checked.png)
 
-7. Select **Next** on the **Web Server Role (IIS)** page.
-
-8. On the **Select role services** page for the Web Serve role, Select the following additional services if they aren't already selected and then select **Next**.
+7. Select **Next** on the **Web Server Role (IIS)** page
+1. On the **Select role services** page for the Web Serve role, Select the following additional services if they aren't already selected and then select **Next**.
 
    - **Web Server > Security > Request Filtering**
    - **Web Server > Application Development > ASP.NET 3.5**.
-   - **Web Server > Application Development > ASP.NET 4.5**.   .
+   - **Web Server > Application Development > ASP.NET 4.5**.  .
    - **Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility**
    - **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility**
 
    ![Server Manager Web Server Role.](images/aadjcert/servermanager-adcs-webserver-role.png)
 
-9. Select **Install**. When the installation completes, continue with the next procedure.  **Do not click Close**.
+9. Select **Install**. When the installation completes, continue with the next procedure. **Do not click Close**.
 
    > [!IMPORTANT]
-   > .NET Framework 3.5 is not included in the typical installation.  If the server is connected to the Internet, the installation attempts to get the files using Windows Update.  If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \<driveLetter>:\\Sources\SxS\
+   > .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \<driveLetter>:\\Sources\SxS\
 
    ![.NET Side by Side.](images/aadjcert/dotnet35sidebyside.png)
 
 ### Configure the NDES service account
 
-This task adds the NDES service account to the local IIS_USRS group.  The task also configures the NDES service account for Kerberos authentication and delegation
+This task adds the NDES service account to the local IIS_USRS group. The task also configures the NDES service account for Kerberos authentication and delegation
 
 #### Add the NDES service account to the IIS_USRS group
 
-Sign-in the NDES server with access equivalent to _local administrator_.
+Sign-in the NDES server with access equivalent to *local administrator*.
 
-1. Start the **Local Users and Groups** management console (`lusrmgr.msc`).
-
-2. Select **Groups** from the navigation pane. Double-click the IIS_IUSRS group.
-
-3. In the **IIS_IUSRS Properties** dialog box, select **Add**.  Type **NDESSvc** or the name of your NDES service account.  Select **Check Names** to verify the name and then select **OK**. Select **OK** to close the properties dialog box.
-
-4. Close the management console.
+1. Start the **Local Users and Groups** management console (`lusrmgr.msc`)
+1. Select **Groups** from the navigation pane. Double-click the IIS_IUSRS group
+1. In the **IIS_IUSRS Properties** dialog box, select **Add**. Type **NDESSvc** or the name of your NDES service account. Select **Check Names** to verify the name and then select **OK**. Select **OK** to close the properties dialog box
+1. Close the management console.
 
 #### Register a Service Principal Name on the NDES Service account
 
-Sign-in the NDES server with access equivalent to _Domain Admins_.
+Sign-in the NDES server with access equivalent to *Domain Admins*.
 
-1. Open an elevated command prompt.
-
-2. Type the following command to register the service principal name
+1. Open an elevated command prompt
+1. Type the following command to register the service principal name
 
    ```cmd
    setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount]
    ```
 
-   where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\).  An example of the command looks like the following:
+   where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\). An example of the command looks like the following:
 
    ```cmd
    setspn -s http/ndes.corp.contoso.com contoso\ndessvc
@@ -439,35 +379,30 @@ Sign-in the NDES server with access equivalent to _Domain Admins_.
 
 #### Configure the NDES Service account for delegation
 
-The NDES service enrolls certificates on behalf of users.  Therefore, you want to limit the actions it can perform on behalf of the user. You do this through delegation.
+The NDES service enrolls certificates on behalf of users. Therefore, you want to limit the actions it can perform on behalf of the user. You do this through delegation.
 
-Sign-in a domain controller with a minimum access equivalent to _Domain Admins_.
+Sign-in a domain controller with a minimum access equivalent to *Domain Admins*.
 
 1. Open **Active Directory Users and Computers**
 
-2. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Select the **Delegation** tab.
+1. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Select the **Delegation** tab.
 
    ![NDES Delegation Tab.](images/aadjcert/ndessvcdelegationtab.png)
 
-3. Select **Trust this user for delegation to specified services only**.
-
-4. Select **Use any authentication protocol**.
-
-5. Select **Add**.
-
-6. Select **Users or Computers...**  Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Microsoft Entra joined devices.  From the **Available services** list, select **HOST**.  Select **OK**.
+1. Select **Trust this user for delegation to specified services only**
+1. Select **Use any authentication protocol**
+1. Select **Add**
+1. Select **Users or Computers...**  Type the name of the *NDES Server* you use to issue Windows Hello for Business authentication certificates to Microsoft Entra joined devices. From the **Available services** list, select **HOST**. Select **OK**.
 
    ![NDES Service delegation to NDES host.](images/aadjcert/ndessvcdelegation-host-ndes-spn.png)
 
-7. Repeat steps 5 and 6 for each NDES server using this service account. Select **Add**.
-
-8. Select **Users or computers...**  Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Microsoft Entra joined devices.  From the **Available services** list, select **dcom**.  Hold the **CTRL** key and select **HOST**. Select **OK**.
-
-9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates.
+1. Repeat steps 5 and 6 for each NDES server using this service account. Select **Add**
+1. Select **Users or computers...**  Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Microsoft Entra joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Select **OK**
+1. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates.
 
    ![NDES Service delegation complete.](images/aadjcert/ndessvcdelegation-host-ca-spn.png)
 
-10. Select **OK**.  Close **Active Directory Users and Computers**.
+1. Select **OK**. Close **Active Directory Users and Computers**.
 
 ### Configure the NDES Role and Certificate Templates
 
@@ -475,50 +410,47 @@ This task configures the NDES role and the certificate templates the NDES server
 
 #### Configure the NDES Role
 
-Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credential.
+Sign-in to the certificate authority or management workstations with an *Enterprise Admin* equivalent credential.
 
 > [!NOTE]
 > If you closed Server Manger from the last set of tasks, start Server Manager and click the action flag that shows a yellow exclamation point.
 
 :::image type="content" alt-text="Server Manager Post-Install Yellow flag." source="images/aadjcert/servermanager-post-ndes-yellowactionflag.png" lightbox="images/aadjcert/servermanager-post-ndes-yellowactionflag.png":::
 
-1. Select the **Configure Active Directory Certificate Services on the destination server** link.
-
-2. On the **Credentials** page, select **Next**.
+1. Select the **Configure Active Directory Certificate Services on the destination server** link
+1. On the **Credentials** page, select **Next**.
 
    ![NDES Installation Credentials.](images/aadjcert/ndesconfig01.png)
 
-3. On the **Role Services** page, select **Network Device Enrollment Service** and then select **Next**
+1. On the **Role Services** page, select **Network Device Enrollment Service** and then select **Next**
 
    ![NDES Role Services.](images/aadjcert/ndesconfig02.png)
 
-4. On the **Service Account for NDES** page, select **Specify service account (recommended)**.  Select **Select...**. Type the user name and password for the NDES service account in the **Windows Security** dialog box.  Select **Next**.
+1. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Select **Select...**. Type the user name and password for the NDES service account in the **Windows Security** dialog box. Select **Next**.
 
    ![NDES Service Account for NDES.](images/aadjcert/ndesconfig03b.png)
 
-5. On the **CA for NDES** page, select **CA name**. Select **Select...**.  Select the issuing certificate authority from which the NDES server requests certificates.  Select **Next**.
+1. On the **CA for NDES** page, select **CA name**. Select **Select...**. Select the issuing certificate authority from which the NDES server requests certificates. Select **Next**.
 
    ![NDES CA selection.](images/aadjcert/ndesconfig04.png)
 
-6. On the **RA Information**, select **Next**.
-
-7. On the **Cryptography for NDES** page, select **Next**.
-
-8. Review the **Confirmation** page.  Select **Configure**.
+1. On the **RA Information**, select **Next**
+1. On the **Cryptography for NDES** page, select **Next**
+1. Review the **Confirmation** page. Select **Configure**.
 
    ![NDES Confirmation.](images/aadjcert/ndesconfig05.png)
 
-9. Select **Close** after the configuration completes.
+1. Select **Close** after the configuration completes.
 
 #### Configure Certificate Templates on NDES
 
-A single NDES server can request a maximum of three certificate templates.  The NDES server determines which certificate to issue based on the incoming certificate request that is assigned in the Microsoft Intune SCEP certificate profile.  The Microsoft Intune SCEP certificate profile has three values.
+A single NDES server can request a maximum of three certificate templates. The NDES server determines which certificate to issue based on the incoming certificate request that is assigned in the Microsoft Intune SCEP certificate profile. The Microsoft Intune SCEP certificate profile has three values.
 
 - Digital Signature
 - Key Encipherment
 - Key Encipherment, Digital Signature
 
-Each value maps to a registry value name in the NDES server.  The NDES server translates an incoming SCEP provided value into the corresponding certificate template.  The table below shows the SCEP profile values of the NDES certificate template registry value names.
+Each value maps to a registry value name in the NDES server. The NDES server translates an incoming SCEP provided value into the corresponding certificate template. The table below shows the SCEP profile values of the NDES certificate template registry value names.
 
 | SCEP Profile Key usage| NDES Registry Value Name |
 | :-------------------: | :----------------------: |
@@ -526,160 +458,131 @@ Each value maps to a registry value name in the NDES server.  The NDES server tr
 | Key Encipherment | EncryptionTemplate |
 | Key Encipherment<br>Digital Signature | GeneralPurposeTemplate |
 
-Ideally, you should match the certificate request with the registry value name to keep the configuration intuitive (encryption certificates use the encryption template, signature certificates use the signature template, etc.).  A result of this intuitive design is the potential exponential growth in the NDES server. Imagine an organization that needs to issue nine unique signature certificates across their enterprise.
+Ideally, you should match the certificate request with the registry value name to keep the configuration intuitive (encryption certificates use the encryption template, signature certificates use the signature template, etc.). A result of this intuitive design is the potential exponential growth in the NDES server. Imagine an organization that needs to issue nine unique signature certificates across their enterprise.
 
-If the need arises, you can configure a signature certificate in the encryption registry value name or an encryption certificate in the signature registry value to maximize the use of your NDES infrastructure.  This unintuitive design requires current and accurate documentation of the configuration to ensure the SCEP certificate profile is configured to enroll the correct certificate, regardless of the actual purpose. Each organization needs to balance ease of configuration and administration with additional NDES infrastructure and the management overhead that comes with it.
+If the need arises, you can configure a signature certificate in the encryption registry value name or an encryption certificate in the signature registry value to maximize the use of your NDES infrastructure. This unintuitive design requires current and accurate documentation of the configuration to ensure the SCEP certificate profile is configured to enroll the correct certificate, regardless of the actual purpose. Each organization needs to balance ease of configuration and administration with additional NDES infrastructure and the management overhead that comes with it.
 
-Sign-in to the NDES Server with _local administrator_ equivalent credentials.
+Sign-in to the NDES Server with *local administrator* equivalent credentials.
 
-1. Open an elevated command prompt.
-
-2. Using the table above, decide which registry value name you'll use to request Windows Hello for Business authentication certificates for Microsoft Entra joined devices.
-
-3. Type the following command:
+1. Open an elevated command prompt
+1. Using the table above, decide which registry value name you'll use to request Windows Hello for Business authentication certificates for Microsoft Entra joined devices
+1. Type the following command:
 
    ```cmd
    reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName]
    ```
 
-   where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Microsoft Entra joined devices.  Example:
+   where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Microsoft Entra joined devices. Example:
 
    ```cmd
-   reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication
+   reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d ENTRAJOINEDWHFBAuthentication
    ```
 
-4. Type **Y** when the command asks for permission to overwrite the existing value.
-
-5. Close the command prompt.
+1. Type **Y** when the command asks for permission to overwrite the existing value
+1. Close the command prompt.
 
 > [!IMPORTANT]
-> Use the **name** of the certificate template; not the **display name**.  The certificate template name does not include spaces.  You can view the certificate names by looking at the **General** tab of the certificate template's properties in the **Certificates Templates** management console (`certtmpl.msc`).
+> Use the **name** of the certificate template; not the **display name**. The certificate template name does not include spaces. You can view the certificate names by looking at the **General** tab of the certificate template's properties in the **Certificates Templates** management console (`certtmpl.msc`).
 
 ### Create a Web Application Proxy for the internal NDES URL.
 
-Certificate enrollment for Microsoft Entra joined devices occurs over the Internet.  As a result, the internal NDES URLs must be accessible externally. You can do this easily and securely using Microsoft Entra application proxy.  Microsoft Entra application proxy provides single sign-on and secure remote access for web applications hosted on-premises, such as Network Device Enrollment Services.
+Certificate enrollment for Microsoft Entra joined devices occurs over the Internet. As a result, the internal NDES URLs must be accessible externally. You can do this easily and securely using Microsoft Entra application proxy. Microsoft Entra application proxy provides single sign-on and secure remote access for web applications hosted on-premises, such as Network Device Enrollment Services.
 
-Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs.  This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests).  Microsoft Intune sends these requests to Microsoft Entra Application Proxies.
+Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs. This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests). Microsoft Intune sends these requests to Microsoft Entra Application Proxies.
 
 Microsoft Entra Application proxies are serviced by lightweight Application Proxy Connector agents. See [What is Application Proxy](/azure/active-directory/manage-apps/application-proxy#what-is-application-proxy) for more details. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Microsoft Entra Application Proxies. You can create connector groups in Microsoft Entra ID to assign specific connectors to service specific applications.
 
-Connector group automatically round-robin, load balance the Microsoft Entra application proxy requests to the connectors within the assigned connector group.  This ensures Windows Hello for Business certificate requests have multiple dedicated Microsoft Entra application proxy connectors exclusively available to satisfy enrollment requests.  Load balancing the NDES servers and connectors should ensure users enroll their Windows Hello for Business certificates in a timely manner.
+Connector group automatically round-robin, load balance the Microsoft Entra application proxy requests to the connectors within the assigned connector group. This ensures Windows Hello for Business certificate requests have multiple dedicated Microsoft Entra application proxy connectors exclusively available to satisfy enrollment requests. Load balancing the NDES servers and connectors should ensure users enroll their Windows Hello for Business certificates in a timely manner.
 
 #### Download and Install the Application Proxy Connector Agent
 
-Sign-in a workstation with access equivalent to a _domain user_.
+Sign-in a workstation with access equivalent to a *domain user*.
 
-1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
-
-2. Select **All Services**.  Type **Microsoft Entra ID** to filter the list of services.  Under **SERVICES**, select **Microsoft Entra ID**.
-
-3. Under **MANAGE**, select **Application proxy**.
-
-4. Select **Download connector service**.  Select **Accept terms & Download**.  Save the file (AADApplicationProxyConnectorInstaller.exe) in a location accessible by others on the domain.
+1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**
+1. Select **All Services**. Type **Microsoft Entra ID** to filter the list of services. Under **SERVICES**, select **Microsoft Entra ID**
+1. Under **MANAGE**, select **Application proxy**
+1. Select **Download connector service**. Select **Accept terms & Download**. Save the file (AADApplicationProxyConnectorInstaller.exe) in a location accessible by others on the domain.
 
    :::image type="content" alt-text="Azure Application Proxy Connectors." source="images/aadjcert/azureconsole-applicationproxy-connectors-empty.png" lightbox="images/aadjcert/azureconsole-applicationproxy-connectors-empty.png":::
 
-5. Sign-in the computer that will run the connector with access equivalent to a _domain user_.
+1. Sign-in the computer that will run the connector with access equivalent to a *domain user*.
 
    > [!IMPORTANT]
-   > Install a minimum of two Microsoft Entra ID Proxy connectors for each NDES Application Proxy.  Strategically locate Microsoft Entra application proxy connectors throughout your organization to ensure maximum availability.  Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers.
-
-6. Start **AADApplicationProxyConnectorInstaller.exe**.
-
-7. Read the license terms and then select **I agree to the license terms and conditions**.  Select **Install**.
+   > Install a minimum of two Microsoft Entra ID Proxy connectors for each NDES Application Proxy. Strategically locate Microsoft Entra application proxy connectors throughout your organization to ensure maximum availability. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers
+1. Start **AADApplicationProxyConnectorInstaller.exe**
+1. Read the license terms and then select **I agree to the license terms and conditions**. Select **Install**.
 
    ![Azure Application Proxy Connector: license terms](images/aadjcert/azureappproxyconnectorinstall-01.png)
 
-8. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**.
+1. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**.
 
    ![Azure Application Proxy Connector: sign-in](images/aadjcert/azureappproxyconnectorinstall-02.png)
 
-9. When the installation completes. Read the information regarding outbound proxy servers.  Select **Close**.
+1. When the installation completes. Read the information regarding outbound proxy servers. Select **Close**.
 
    ![Azure Application Proxy Connector: read](images/aadjcert/azureappproxyconnectorinstall-03.png)
 
-10. Repeat steps 5 - 10 for each device that will run the Microsoft Entra application proxy connector for Windows Hello for Business certificate deployments.
+1. Repeat steps 5 - 10 for each device that will run the Microsoft Entra application proxy connector for Windows Hello for Business certificate deployments.
 
 #### Create a Connector Group
 
-Sign-in a workstation with access equivalent to a _domain user_.
+Sign-in a workstation with access equivalent to a *domain user*.
 
-1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
-
-2. Select **All Services**.  Type **Microsoft Entra ID** to filter the list of services.  Under **SERVICES**, select **Microsoft Entra ID**.
-
-3. Under **MANAGE**, select **Application proxy**.
+1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**
+1. Select **All Services**. Type **Microsoft Entra ID** to filter the list of services. Under **SERVICES**, select **Microsoft Entra ID**
+1. Under **MANAGE**, select **Application proxy**.
 
    :::image type="content" alt-text="Azure Application Proxy Connector groups." source="images/aadjcert/azureconsole-applicationproxy-connectors-default.png" lightbox="images/aadjcert/azureconsole-applicationproxy-connectors-default.png":::
 
-4. Select **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**.
+1. Select **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**.
 
    :::image type="content" alt-text="Azure Application New Connector Group." source="images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png" lightbox="images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png":::
 
-5. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests.
-
-6. Select **Save**.
+1. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests
+1. Select **Save**.
 
 #### Create the Azure Application Proxy
 
-Sign-in a workstation with access equivalent to a _domain user_.
+Sign-in a workstation with access equivalent to a *domain user*.
 
-1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
-
-2. Select **All Services**.  Type **Microsoft Entra ID** to filter the list of services.  Under **SERVICES**, select **Microsoft Entra ID**.
-
-3. Under **MANAGE**, select **Application proxy**.
-
-4. Select **Configure an app**.
-
-5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**.  Choose a name that correlates this Microsoft Entra application proxy setting with the on-premises NDES server.  Each NDES server must have its own Microsoft Entra application proxy as two NDES servers can't share the same internal URL.
-
-6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Microsoft Entra application proxy.  For example, ```https://ndes.corp.mstepdemo.net```.  You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**.
-
-7. Under **Internal URL**, select **https://** from the first list.  In the text box next to **https://**, type the hostname you want to use as your external hostname for the Microsoft Entra application proxy.  In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Microsoft Entra application proxy.  It's recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Microsoft Entra tenant name (-mstephendemo.msappproxy.net).
+1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**
+1. Select **All Services**. Type **Microsoft Entra ID** to filter the list of services. Under **SERVICES**, select **Microsoft Entra ID**
+1. Under **MANAGE**, select **Application proxy**
+1. Select **Configure an app**
+1. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Microsoft Entra application proxy setting with the on-premises NDES server. Each NDES server must have its own Microsoft Entra application proxy as two NDES servers can't share the same internal URL
+1. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Microsoft Entra application proxy. For example, ```https://ndes.corp.mstepdemo.net```. You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**
+1. Under **Internal URL**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Microsoft Entra application proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Microsoft Entra application proxy. It's recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Microsoft Entra tenant name (-mstephendemo.msappproxy.net).
 
    :::image type="content" alt-text="Azure NDES Application Proxy Configuration." source="images/aadjcert/azureconsole-appproxyconfig.png" lightbox="images/aadjcert/azureconsole-appproxyconfig.png":::
 
-8. Select **Passthrough** from the **Pre Authentication** list.
-
-9. Select **NDES WHFB Connectors** from the **Connector Group** list.
-
-10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**.  Under the **Translate URLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**.
-
-11. Select **Add**.
-
-12. Sign-out of the Azure portal.
+1. Select **Passthrough** from the **Pre Authentication** list
+1. Select **NDES WHFB Connectors** from the **Connector Group** list
+1. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**
+1. Select **Add**
+1. Sign-out of the Azure portal.
 
     > [!IMPORTANT]
-    > Write down the internal and external URLs.  You will need this information when you enroll the NDES-Intune Authentication certificate.
+    > Write down the internal and external URLs. You will need this information when you enroll the NDES-Intune Authentication certificate.
 
 ### Enroll the NDES-Intune Authentication certificate
 
 This task enrolls a client and server authentication certificate used by the Intune connector and the NDES server.
 
-Sign-in the NDES server with access equivalent to _local administrators_.
+Sign-in the NDES server with access equivalent to *local administrators*.
 
-1. Start the Local Computer **Certificate Manager** (certlm.msc).
-
-2. Expand the **Personal** node in the navigation pane.
-
-3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**.
-
-4. Select **Next** on the **Before You Begin** page.
-
-5. Select **Next** on the **Select Certificate Enrollment Policy** page.
-
-6. On the **Request Certificates** page, Select the **NDES-Intune Authentication** check box.
-
-7. Select the **More information is required to enroll for this certificate. Click here to configure settings** link
+1. Start the Local Computer **Certificate Manager** (certlm.msc)
+1. Expand the **Personal** node in the navigation pane
+1. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**
+1. Select **Next** on the **Before You Begin** page
+1. Select **Next** on the **Select Certificate Enrollment Policy** page
+1. On the **Request Certificates** page, Select the **NDES-Intune Authentication** check box
+1. Select the **More information is required to enroll for this certificate. Click here to configure settings** link
 
    ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png)
 
-8. Under **Subject name**, select **Common Name** from the **Type** list.  Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then select **Add**.
-
-9. Under **Alternative name**, select **DNS** from the **Type** list.  Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**).  Select **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Select **Add**. Select **OK** when finished.
-
-10. Select **Enroll**
+1. Under **Subject name**, select **Common Name** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then select **Add**
+1. Under **Alternative name**, select **DNS** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**). Select **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Select **Add**. Select **OK** when finished
+1. Select **Enroll**
 
 11. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Microsoft Entra joined devices.
 
@@ -687,51 +590,43 @@ Sign-in the NDES server with access equivalent to _local administrators_.
 
 This task configures the Web Server role on the NDES server to use the server authentication certificate.
 
-Sign-in the NDES server with access equivalent to _local administrator_.
+Sign-in the NDES server with access equivalent to *local administrator*.
 
-1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
-
-2. Expand the node that has the name of the NDES server.  Expand **Sites** and select **Default Web Site**.
+1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**
+1. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**.
 
    :::image type="content" alt-text="NDES IIS Console" source="images/aadjcert/ndes-iis-console.png" lightbox="images/aadjcert/ndes-iis-console.png":::
 
-3. Select **Bindings...** under **Actions**.  Select **Add**.
+1. Select **Bindings...** under **Actions**. Select **Add**.
 
    ![NDES IIS Console: Add](images/aadjcert/ndes-iis-bindings.png)
 
-4. Select **https** from **Type**. Confirm the value for **Port** is **443**.
-
-5. Select the certificate you previously enrolled from the **SSL certificate** list.  Select **OK**.
+1. Select **https** from **Type**. Confirm the value for **Port** is **443**
+1. Select the certificate you previously enrolled from the **SSL certificate** list. Select **OK**.
 
    ![NDES IIS Console: Certificate List](images/aadjcert/ndes-iis-bindings-add-443.png)
 
-6. Select **http** from the **Site Bindings** list.  Select **Remove**.
-
-7. Select **Close** on the **Site Bindings** dialog box.
-
-8. Close **Internet Information Services (IIS) Manager**.
+1. Select **http** from the **Site Bindings** list. Select **Remove**
+1. Select **Close** on the **Site Bindings** dialog box
+1. Close **Internet Information Services (IIS) Manager**.
 
 ### Verify the configuration
 
 This task confirms the TLS configuration for the NDES server.
 
-Sign-in the NDES server with access equivalent to _local administrator_.
+Sign-in the NDES server with access equivalent to *local administrator*.
 
 #### Disable Internet Explorer Enhanced Security Configuration
 
-1. Open **Server Manager**. Select **Local Server** from the navigation pane.
-
-2. Select **On** next to **IE Enhanced Security Configuration** in the **Properties** section.
-
-3. In the **Internet Explorer Enhanced Security Configuration** dialog, under **Administrators**, select **Off**.  Select **OK**.
-
-4. Close **Server Manager**.
+1. Open **Server Manager**. Select **Local Server** from the navigation pane
+1. Select **On** next to **IE Enhanced Security Configuration** in the **Properties** section
+1. In the **Internet Explorer Enhanced Security Configuration** dialog, under **Administrators**, select **Off**. Select **OK**
+1. Close **Server Manager**.
 
 #### Test the NDES web server
 
-1. Open **Internet Explorer**.
-
-2. In the navigation bar, type
+1. Open **Internet Explorer**
+1. In the navigation bar, type
 
    ```https
    https://[fqdnHostName]/certsrv/mscep/mscep.dll
@@ -739,7 +634,7 @@ Sign-in the NDES server with access equivalent to _local administrator_.
 
    where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
 
-A web page similar to the following should appear in your web browser.  If you don't see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights.  You can also review the Application event log for events with the **NetworkDeviceEnrollmentService** source.
+A web page similar to the following should appear in your web browser. If you don't see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the Application event log for events with the **NetworkDeviceEnrollmentService** source.
 
 ![NDES IIS Console: Source](images/aadjcert/ndes-https-website-test-01.png)
 
@@ -749,50 +644,41 @@ Confirm the web site uses the server authentication certificate.
 
 ## Configure Network Device Enrollment Services to work with Microsoft Intune
 
-You have successfully configured the Network Device Enrollment Services.  You must now modify the configuration to work with the Intune Certificate Connector.  In this task, you'll enable the NDES server and http.sys to handle long URLs.
+You have successfully configured the Network Device Enrollment Services. You must now modify the configuration to work with the Intune Certificate Connector. In this task, you'll enable the NDES server and http.sys to handle long URLs.
 
 - Configure NDES to support long URLs
 
 ### Configure NDES and HTTP to support long URLs
 
-Sign-in the NDES server with access equivalent to _local administrator_.
+Sign-in the NDES server with access equivalent to *local administrator*.
 
 #### Configure the Default Web Site
 
-1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
-
-2. Expand the node that has the name of the NDES server.  Expand **Sites** and select **Default Web Site**.
-
-3. In the content pane, double-click **Request Filtering**.  Select **Edit Feature Settings...** in the action pane.
+1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**
+1. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**
+1. In the content pane, double-click **Request Filtering**. Select **Edit Feature Settings...** in the action pane
 
    :::image type="content" alt-text="Intune NDES Request filtering." source="images/aadjcert/NDES-IIS-RequestFiltering.png" lightbox="images/aadjcert/NDES-IIS-RequestFiltering.png":::
 
-4. Select **Allow unlisted file name extensions**.
-
-5. Select **Allow unlisted verbs**.
-
-6. Select **Allow high-bit characters**.
-
-7. Type **30000000** in **Maximum allowed content length (Bytes)**.
-
-8. Type **65534** in **Maximum URL length (Bytes)**.
-
-9. Type **65534** in **Maximum query string (Bytes)**.
-
-10. Select **OK**.  Close **Internet Information Services (IIS) Manager**.
+1. Select **Allow unlisted file name extensions**
+1. Select **Allow unlisted verbs**
+1. Select **Allow high-bit characters**
+1. Type **30000000** in **Maximum allowed content length (Bytes)**
+1. Type **65534** in **Maximum URL length (Bytes)**
+1. Type **65534** in **Maximum query string (Bytes)**
+1. Select **OK**. Close **Internet Information Services (IIS) Manager**
 
 #### Configure Parameters for HTTP.SYS
 
-1. Open an elevated command prompt.
-
-2. Run the following commands:
+1. Open an elevated command prompt
+1. Run the following commands:
 
    ```cmd
    reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534
    reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534
    ```
 
-3. Restart the NDES server.
+1. Restart the NDES server
 
 ## Download, Install and Configure the Intune Certificate Connector
 
@@ -804,119 +690,80 @@ To learn how to download, install, and configure the Intune Certificate Connecto
 
 Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users are removed, deleted, or the profile is deleted). You need to select the **Certificate revocation** option during the connector configuration to enable automatic certificate revocation for certificates issued from a Microsoft Active Directory Certification Authority. Additionally, you need to enable the NDES Service account for revocation.
 
-1. Sign in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_.
-
-2. Start the **Certification Authority** management console.
-
-3. In the navigation pane, right-click the name of the certificate authority and select **Properties**.
-
-4. Select the **Security** tab, then select **Add**. In the **Enter the object names to select** box, enter **NDESSvc** (or the name you gave the NDES Service account). Select *Check Names*, then select **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Select **OK**.
+1. Sign in the certificate authority used by the NDES Connector with access equivalent to *domain administrator*
+1. Start the **Certification Authority** management console
+1. In the navigation pane, right-click the name of the certificate authority and select **Properties**
+1. Select the **Security** tab, then select **Add**. In the **Enter the object names to select** box, enter **NDESSvc** (or the name you gave the NDES Service account). Select **Check Names**, then select **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Select **OK**
 
    ![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png)
 
-5. Close the **Certification Authority**.
+1. Close the **Certification Authority**
 
 ## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile
 
-### Create an AADJ WHFB Certificate Users Group
+### Create an ENTRA JOINED WHFB Certificate Users Group
 
-Sign-in a workstation with access equivalent to a _domain user_.
+Sign-in a workstation with access equivalent to a *domain user*.
 
-1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
-
-2. Select **All Services**.  Type **Microsoft Entra ID** to filter the list of services.  Under **SERVICES**, select **Microsoft Entra ID**.
-
-3. Select **Groups**.  Select **New group**.
-
-4. Select **Security** from the **Group type** list.
-
-5. Under **Group Name**, type the name of the group.  For example, **AADJ WHFB Certificate Users**.
-
-6. Provide a **Group description**, if applicable.
-
-7. Select **Assigned** from the **Membership type** list.
+1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**
+1. Select **All Services**. Type **Microsoft Entra ID** to filter the list of services. Under **SERVICES**, select **Microsoft Entra ID**
+1. Select **Groups**. Select **New group**
+1. Select **Security** from the **Group type** list
+1. Under **Group Name**, type the name of the group. For example, **ENTRA JOINED WHFB Certificate Users**
+1. Provide a **Group description**, if applicable
+1. Select **Assigned** from the **Membership type** list.
 
    :::image type="content" alt-text="Microsoft Entra new group creation." source="images/aadjcert/azureadcreatewhfbcertgroup.png" lightbox="images/aadjcert/azureadcreatewhfbcertgroup.png":::
 
-8. Select **Members**.  Use the  **Select members** pane to add members to this group. When finished, select **Select**.
-
-9. Select **Create**.
+1. Select **Members**. Use the  **Select members** pane to add members to this group. When finished, select **Select**
+1. Select **Create**.
 
 ### Create a SCEP Certificate Profile
 
-Sign-in a workstation with access equivalent to a _domain user_.
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-2. Select **Devices**, and then select **Configuration Profiles**.
-
-3. Select **Create Profile**.
+Sign-in a workstation with access equivalent to a *domain user*.
 
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
+1. Select **Devices**, and then select **Configuration Profiles**
+1. Select **Create Profile**.
    ![Intune Device Configuration Create Profile.](images/aadjcert/profile02.png)
-
-4. Select **Windows 10 and later** from the **Platform** list.
-
-5. Choose **SCEP certificate** from the **Profile** list, and select **Create**.
-
-6. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**.
-
-7. Next to **Description**, provide a description meaningful for your environment, then select **Next**.
-
-8. Select **User** as a certificate type.
-
-9. Configure **Certificate validity period** to match your organization.
-
+1. Select **Windows 10 and later** from the **Platform** list
+1. Choose **SCEP certificate** from the **Profile** list, and select **Create**
+1. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**
+1. Next to **Description**, provide a description meaningful for your environment, then select **Next**
+1. Select **User** as a certificate type
+1. Configure **Certificate validity period** to match your organization.
    > [!IMPORTANT]
-   > Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity.
-
-10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list.
-
-11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
-
+   > Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity
+1. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list
+1. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate
     > [!NOTE]
     > If the distinguished name contains special characters like a plus sign ("+"), comma (","), semicolon (";"), or equal sign ("="), the bracketed name must be enclosed in quotation marks: `CN="{{OnPrem_Distinguished_Name}}"`.
     >
     > If the length of the distinguished name is more than 64 characters, the name length enforcement on the Certification Authority [must be disabled](/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement).
-
-12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}.
-
-13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to the configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
-
-14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile.
-
-15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Select **Add**.
-
-16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
-
+1. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}
+1. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **ENTRA JOINED WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to the configured NDES template in the registry. In this example, the **ENTRA JOINED WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**
+1. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile
+1. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Select **Add**
+1. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**
     :::image type="content" alt-text="WHFB SCEP certificate Profile EKUs." source="images/aadjcert/profile03.png" lightbox="images/aadjcert/profile03.png":::
-
-17. Under **SCEP Server URLs**, type the fully qualified external name of the Microsoft Entra application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, ```https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll```. Select **Add**. Repeat this step for each additional NDES Microsoft Entra application proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
-
-18. Select **Next**.
-
-19. Select **Next** several times to skip the **Scope tags**, **Assignments**, and **Applicability Rules** steps of the wizard and select **Create**.
+1. Under **SCEP Server URLs**, type the fully qualified external name of the Microsoft Entra application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, ```https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll```. Select **Add**. Repeat this step for each additional NDES Microsoft Entra application proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile
+1. Select **Next**
+1. Select **Next** several times to skip the **Scope tags**, **Assignments**, and **Applicability Rules** steps of the wizard and select **Create**
 
 ### Assign Group to the WHFB Certificate Enrollment Certificate Profile
 
-Sign-in a workstation with access equivalent to a _domain user_.
-
-1. Sign-in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-2. Select **Devices**, and then select **Configuration Profiles**.
-
-3. Select **WHFB Certificate Enrollment**.
-
-4. Select **Properties**, and then select **Edit** next to the **Assignments** section.
-
-5. In the **Assignments** pane, select **Selected Groups** from the **Assign to** list.  Select **Select groups to include**.
+Sign-in a workstation with access equivalent to a *domain user*.
 
+1. Sign-in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
+1. Select **Devices**, and then select **Configuration Profiles**
+1. Select **WHFB Certificate Enrollment**
+1. Select **Properties**, and then select **Edit** next to the **Assignments** section
+1. In the **Assignments** pane, select **Selected Groups** from the **Assign to** list. Select **Select groups to include**.
    :::image type="content" alt-text="WHFB SCEP Profile Assignment." source="images/aadjcert/profile04.png" lightbox="images/aadjcert/profile04.png":::
+1. Select the **ENTRA JOINED WHFB Certificate Users** group. Select **Select**
+1. Select **Review + Save**, and then **Save**
 
-6. Select the **AADJ WHFB Certificate Users** group. Select **Select**.
-
-7. Select **Review + Save**, and then **Save**.
-
-You have successfully completed the configuration.  Add users that need to enroll a Windows Hello for Business authentication certificate to the **AADJ WHFB Certificate Users** group.  This group, combined with the device enrollment Windows Hello for Business configuration prompts the user to enroll for Windows Hello for Business and enroll a certificate that can be used to authentication to on-premises resources.
+You have successfully completed the configuration. Add users that need to enroll a Windows Hello for Business authentication certificate to the **ENTRA JOINED WHFB Certificate Users** group. This group, combined with the device enrollment Windows Hello for Business configuration prompts the user to enroll for Windows Hello for Business and enroll a certificate that can be used to authentication to on-premises resources.
 
 > [!NOTE]
 > The Passport for Work configuration service provider (CSP) which is used to manage Windows Hello for Business with Mobile Device Management (MDM) contains a policy called UseCertificateForOnPremAuth. This policy is not needed when deploying certificates to Windows Hello for Business users through the instructions outlined in this document and should not be configured. Devices managed with MDM where UseCertificateForOnPremAuth is enabled will fail a prerequisite check for Windows Hello for Business provisioning. This failure will block users from setting up Windows Hello for Business if they don't already have it configured.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index f1666e6453..8db996de37 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -1,7 +1,7 @@
 ---
 title: Configure single sign-on (SSO) for Microsoft Entra joined devices
 description: Learn how to configure single sign-on to on-premises resources for Microsoft Entra joined devices, using Windows Hello for Business.
-ms.date: 12/30/2022
+ms.date: 04/23/2024
 ms.topic: how-to
 ---
 
@@ -9,7 +9,7 @@ ms.topic: how-to
 
 [!INCLUDE [apply-to-hybrid-key-and-cert-trust](deploy/includes/apply-to-hybrid-key-and-cert-trust.md)]
 
-Windows Hello for Business combined with Microsoft Entra joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Microsoft Entra joined devices may need to access these resources. With additional configurations to the hybrid deployment, you can provide single sign-on to on-premises resources for Microsoft Entra joined devices using Windows Hello for Business, using a key or a certificate.
+Windows Hello for Business combined with Microsoft Entra joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. As organizations transition resources to the cloud, some resources might remain on-premises, and Microsoft Entra joined devices might need to access them. With additional configurations to the hybrid deployment, you can provide single sign-on to on-premises resources for Microsoft Entra joined devices using Windows Hello for Business, using a key or a certificate.
 
 > [!NOTE]
 > These steps are not needed when using the cloud Kerberos trust model.
@@ -25,12 +25,12 @@ Unlike Microsoft Entra hybrid joined devices, Microsoft Entra joined devices don
 
 ### CRL Distribution Point (CDP)
 
-Certificates issued by a certificate authority can be revoked. When a certificate authority revokes as certificate, it writes information about the certificate into a *certificate revocation list* (CRL).\
+Certificates issued by a certificate authority can be revoked. When a certificate authority revokes a certificate, it writes information about the certificate into a *certificate revocation list* (CRL).\
 During certificate validation, Windows compares the current certificate with information in the CRL to determine if the certificate is valid.
 
-![Domain Controller Certificate with LDAP CDP.](images/aadj/Certificate-CDP.png)
+:::image type="content" source="images/aadj/Certificate-CDP.png" alt-text="Screenshot of a certificate's CDP property.":::
 
-The preceding domain controller certificate shows a *CRL distribution point* (CDP) in Active Directory. The value in the URL begins with *ldap*. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Microsoft Entra joined devices can't read data from Active Directory, and certificate validation doesn't provide an opportunity to authenticate prior to reading the CRL. The authentication becomes a circular problem: the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user can't read Active Directory because they haven't authenticated.
+In the screenshot, the CDP property of the domain controller certificate shows an LDAP path. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Microsoft Entra joined devices can't read data from Active Directory, and certificate validation doesn't provide an opportunity to authenticate prior to reading the CRL. The authentication becomes a circular problem: the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user can't read Active Directory because they haven't authenticated.
 
 To resolve this issue, the CRL distribution point must be a location accessible by Microsoft Entra joined devices that doesn't require authentication. The easiest solution is to publish the CRL distribution point on a web server that uses HTTP (not HTTPS).
 
@@ -45,17 +45,18 @@ Certificate authorities write CDP information in certificates as they're issued.
 
 #### Why does Windows need to validate the domain controller certificate?
 
-Windows Hello for Business enforces the strict KDC validation security feature when authenticating from a Microsoft Entra joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business on a Microsoft Entra joined device, the Windows client validates the reply from the domain controller by ensuring all of the following are met:
+Windows Hello for Business enforces the *strict KDC validation* security feature when authenticating from a Microsoft Entra joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business on a Microsoft Entra joined device, the Windows client validates the reply from the domain controller by ensuring all of the following are met:
 
 - The domain controller has the private key for the certificate provided
 - The root CA that issued the domain controller's certificate is in the device's *Trusted Root Certificate Authorities*
 - Use the *Kerberos Authentication certificate template* instead of any other older template
 - The domain controller's certificate has the *KDC Authentication* extended key usage (EKU)
 - The domain controller's certificate's subject alternate name has a DNS Name that matches the name of the domain
-- The domain controller's certificate's signature hash algorithm is **sha256**
-- The domain controller's certificate's public key is **RSA (2048 Bits)**
+- The domain controller's certificate's signature hash algorithm is *sha256*
+- The domain controller's certificate's public key is *RSA (2048 Bits)*
 
-Authenticating from a Microsoft Entra hybrid joined device to a domain using Windows Hello for Business doesn't enforce that the domain controller certificate includes the *KDC Authentication* EKU. If you're adding Microsoft Entra joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the *KDC Authentication* EKU.
+> [!IMPORTANT]
+> Authenticating from a Microsoft Entra hybrid joined device to a domain using Windows Hello for Business doesn't enforce that the domain controller certificate includes the *KDC Authentication* EKU. If you're adding Microsoft Entra joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the *KDC Authentication* EKU.
 
 ## Configure a CRL distribution point for an issuing CA
 
@@ -118,7 +119,7 @@ These procedures configure NTFS and share permissions on the web server to allow
 1. In the **Advanced Sharing** dialog box, select **OK**
 
 > [!Tip]
-> Make sure that users can access **\\\Server FQDN\sharename**.
+> Make sure that users can access `\\Server FQDN\sharename`.
 
 ### Disable Caching
 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server)
diff --git a/windows/security/identity-protection/hello-for-business/how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/how-it-works-authentication.md
index 5bd47775ff..5b77df8dfd 100644
--- a/windows/security/identity-protection/hello-for-business/how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/how-it-works-authentication.md
@@ -1,7 +1,7 @@
 ---
 title: How Windows Hello for Business authentication works
 description: Learn about the Windows Hello for Business authentication flows.
-ms.date: 01/03/2024
+ms.date: 04/23/2024
 ms.topic: reference
 ---
 # Windows Hello for Business authentication
@@ -19,7 +19,7 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
 
 | Phase  | Description  |
 | :----: | :----------- |
-|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider.  The user provides their Windows Hello gesture (PIN or biometrics).  The credential provider packages these credentials and returns them to Winlogon.  Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.| 
+|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider.  The user provides their Windows Hello gesture (PIN or biometrics).  The credential provider packages these credentials and returns them to Winlogon.  Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.|
 |B | The Cloud AP provider requests a nonce from Microsoft Entra ID.  Microsoft Entra ID returns a nonce. The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID.|
 |C | Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature.  Microsoft Entra ID then validates the returned signed nonce, and creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.|
 |D | The Cloud AP provider receives the encrypted PRT with session key.  Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.|
@@ -58,7 +58,7 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
 |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device.  Next, it ensures the certificate is within its validity period and that it hasn't been revoked.  The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
 
 > [!NOTE]
-> You may have an on-premises domain federated with Microsoft Entra ID. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Microsoft Entra ID to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation.  
+> You may have an on-premises domain federated with Microsoft Entra ID. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Microsoft Entra ID to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation.
 
 ## Microsoft Entra hybrid join authentication using cloud Kerberos trust
 
diff --git a/windows/security/identity-protection/hello-for-business/how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/how-it-works-provisioning.md
index ad4a07825a..b066524e2f 100644
--- a/windows/security/identity-protection/hello-for-business/how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/how-it-works-provisioning.md
@@ -1,7 +1,7 @@
 ---
 title: How Windows Hello for Business provisioning works
 description: Learn about the provisioning flows for Windows Hello for Business.
-ms.date: 01/03/2024
+ms.date: 04/23/2024
 ms.topic: reference
 appliesto:
 ---
diff --git a/windows/security/identity-protection/hello-for-business/how-it-works.md b/windows/security/identity-protection/hello-for-business/how-it-works.md
index fb493c8800..60dc604c09 100644
--- a/windows/security/identity-protection/hello-for-business/how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/how-it-works.md
@@ -1,7 +1,7 @@
 ---
 title: How Windows Hello for Business works
 description: Learn how Windows Hello for Business works, and how it can help you protect your organization.
-ms.date: 01/09/2024
+ms.date: 04/23/2024
 ms.topic: concept-article
 ---
 
diff --git a/windows/security/identity-protection/hello-for-business/index.md b/windows/security/identity-protection/hello-for-business/index.md
index 7c03078ac9..c9827058be 100644
--- a/windows/security/identity-protection/hello-for-business/index.md
+++ b/windows/security/identity-protection/hello-for-business/index.md
@@ -2,7 +2,7 @@
 title: Windows Hello for Business overview
 description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on Windows devices.
 ms.topic: overview
-ms.date: 01/03/2024
+ms.date: 04/23/2024
 ---
 
 # Windows Hello for Business
diff --git a/windows/security/identity-protection/hello-for-business/multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/multifactor-unlock.md
index 3980ef906c..b11627e5b7 100644
--- a/windows/security/identity-protection/hello-for-business/multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/multifactor-unlock.md
@@ -1,7 +1,7 @@
 ---
 title: Multi-factor unlock
 description: Learn how to configure Windows Hello for Business multi-factor unlock by extending Windows Hello with trusted signals.
-ms.date: 01/03/2024
+ms.date: 04/23/2024
 ms.topic: how-to
 ---
 
diff --git a/windows/security/identity-protection/hello-for-business/pin-reset.md b/windows/security/identity-protection/hello-for-business/pin-reset.md
index 7fd61f161a..f9d4487a61 100644
--- a/windows/security/identity-protection/hello-for-business/pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/pin-reset.md
@@ -1,7 +1,7 @@
 ---
 title: PIN reset
 description: Learn how Microsoft PIN reset service enables your users to recover a forgotten Windows Hello for Business PIN, and how to configure it.
-ms.date: 01/03/2024
+ms.date: 04/23/2024
 ms.topic: how-to
 ---
 
diff --git a/windows/security/identity-protection/hello-for-business/policy-settings.md b/windows/security/identity-protection/hello-for-business/policy-settings.md
index 050b2a862d..300d58e123 100644
--- a/windows/security/identity-protection/hello-for-business/policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/policy-settings.md
@@ -2,7 +2,7 @@
 title: Windows Hello for Business policy settings
 description: Learn about the policy settings to configure Configure Windows Hello for Business.
 ms.topic: reference
-ms.date: 01/03/2024
+ms.date: 04/23/2024
 ---
 
 # Windows Hello for Business policy settings
diff --git a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
index 725c2d715d..72c3fffd3f 100644
--- a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
+++ b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
@@ -1,7 +1,7 @@
 ---
 title: Remote Desktop sign-in with Windows Hello for Business
 description: Learn how to configure Remote Desktop (RDP) sign-in with Windows Hello for Business.
-ms.date: 12/11/2023
+ms.date: 04/23/2024
 ms.topic: how-to
 ---
 
diff --git a/windows/security/identity-protection/hello-for-business/webauthn-apis.md b/windows/security/identity-protection/hello-for-business/webauthn-apis.md
index 1eb2da9944..f047719f37 100644
--- a/windows/security/identity-protection/hello-for-business/webauthn-apis.md
+++ b/windows/security/identity-protection/hello-for-business/webauthn-apis.md
@@ -1,7 +1,7 @@
 ---
 title: WebAuthn APIs
 description: Learn how to use WebAuthn APIs to enable passwordless authentication for your sites and apps.
-ms.date: 07/27/2023
+ms.date: 04/23/2024
 ms.topic: how-to
 ---
 # WebAuthn APIs for passwordless authentication on Windows
@@ -20,7 +20,7 @@ Users of these apps or sites can use any browser that supports WebAuthn APIs for
 
 Developers should use the WebAuthn APIs to support FIDO2 authentication keys in a consistent way for users. Additionally, developers can use all the transports that are available per FIDO2 specifications (USB, NFC, and BLE) while avoiding the interaction and management overhead.
 
-> [!NOTE]  
+> [!NOTE]
 > When these APIs are in use, Windows 10 browsers or applications don't have direct access to the FIDO2 transports for FIDO-related messaging.
 
 ## The big picture
@@ -29,7 +29,7 @@ The Client to Authenticator Protocol 2 (CTAP2) and WebAuthn define an abstractio
 
 The authentication process starts when the user makes a specific user gesture that indicates consent for the operation. At the request of the client, the authenticator securely creates strong cryptographic keys and stores them locally.
 
-After these client-specific keys are created, clients can request attestations for registration and authentication. The type of signature that the private key uses reflects the user gesture that was made.  
+After these client-specific keys are created, clients can request attestations for registration and authentication. The type of signature that the private key uses reflects the user gesture that was made.
 
 The following diagram shows how CTAP and WebAuthn interact. The light blue dotted arrows represent interactions that depend on the specific implementation of the platform APIs.
 
@@ -39,15 +39,15 @@ The following diagram shows how CTAP and WebAuthn interact. The light blue dotte
 
 A combined WebAuthn/CTAP2 dance includes the following cast of characters:
 
-- **Client device**. The *client device* is the hardware that hosts a given strong authentication. Laptops and phones are examples of client devices.  
+- **Client device**. The *client device* is the hardware that hosts a given strong authentication. Laptops and phones are examples of client devices.
 
-- **Relying parties and clients**. *Relying parties* are web or native applications that consume strong credentials. The relying parties run on client devices.  
+- **Relying parties and clients**. *Relying parties* are web or native applications that consume strong credentials. The relying parties run on client devices.
 
   - As a relying party, a native application can also act as a WebAuthn client to make direct WebAuthn calls.
-  
-  - As a relying party, a web application can't directly interact with the WebAuthn API. The relying party must broker the deal through the browser.  
-  
-  > [!NOTE]  
+
+  - As a relying party, a web application can't directly interact with the WebAuthn API. The relying party must broker the deal through the browser.
+
+  > [!NOTE]
   > The preceding diagram doesn't depict Single Sign-On (SSO) authentication. Be careful not to confuse FIDO relying parties with federated relying parties.
 
 - **WebAuthn API**. The *WebAuthn API* enables clients to make requests to authenticators. The client can request the authenticator to create a key, provide an assertion about a key, report capabilities, manage a PIN, and so on.
@@ -82,7 +82,7 @@ The following options might be useful in the future, but haven't been observed i
 
 The Microsoft FIDO2 implementation has been years in the making. Software and services are implemented independently as standards-compliant entities. As of the Windows 10, version 1809 (October 2018) release, all Microsoft components use the latest WebAuthn Candidate Release. It's a stable release that's not expected to normatively change before the specification is finally ratified. Because Microsoft is among the first in the world to deploy FIDO2, some combinations of popular non-Microsoft components won't be interoperable yet.
 
-Here's an approximate layout of where the Microsoft bits go:  
+Here's an approximate layout of where the Microsoft bits go:
 
 :::image type="content" source="images/webauthn-apis/webauthn-apis-fido2-overview-microsoft-version.png" alt-text="The diagram shows how the WebAuthn API interacts with the Microsoft relying parties and the CTAPI2 API.":::
 
@@ -94,12 +94,12 @@ Here's an approximate layout of where the Microsoft bits go:
   - Offline scenarios work (enabled by using HMAC)
   - Users can put keys for multiple user accounts on the same authenticator
   - If it's necessary, authenticators can use a client PIN to unlock a TPM
-  > [!IMPORTANT]  
+  > [!IMPORTANT]
   > Because Microsoft Account requires features and extensions that are unique to FIDO2 CTAP2 authenticators, it doesn't accept CTAP1 (U2F) credentials.
 
 - **WebAuthn client: Microsoft Edge**. Microsoft Edge can handle the user interface for the WebAuthn and CTAP2 features that this article describes. It also supports the AppID extension. Microsoft Edge can interact with both CTAP1 and CTAP2 authenticators. This scope for interaction means that it can create and use both U2F and FIDO2 credentials. However, Microsoft Edge doesn't speak the U2F protocol. Therefore, relying parties must use only the WebAuthn specification. Microsoft Edge on Android doesn't support WebAuthn.
 
-  > [!NOTE]  
+  > [!NOTE]
   > For authoritative information about Microsoft Edge support for WebAuthn and CTAP, see [Legacy Microsoft Edge developer documentation](/microsoft-edge/dev-guide/windows-integration/web-authentication).
 
 - **Platform: Windows 10, Windows 11**. Windows 10 and Windows 11 host the Win32 Platform WebAuthn APIs.