Merge branch 'master' into repo_sync_working_branch

2025-06-25 07:13:37 +00:00 · 2021-01-29 15:18:30 -08:00
parent 8ebfd5e8fe 6f05539220
commit d15312285b
13 changed files with 419 additions and 297 deletions
--- a/windows/security/identity-protection/TOC.md
+++ b/windows/security/identity-protection/TOC.md
@ -18,7 +18,7 @@
 #### [User Account Control security policy settings](user-account-control\user-account-control-security-policy-settings.md)
 #### [User Account Control Group Policy and registry key settings](user-account-control\user-account-control-group-policy-and-registry-key-settings.md)
-## [Windows Hello for Business](hello-for-business/hello-identity-verification.md)
+## [Windows Hello for Business](hello-for-business/index.yml)
 ## [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md)
 ### [How Credential Guard works](credential-guard/credential-guard-how-it-works.md)
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@ -1,5 +1,5 @@
 ---
-title: Multifactor Unlock
+title: Multi-factor Unlock
 description: Learn how Windows 10 offers multifactor device unlock by extending Windows Hello with trusted signals. 
 keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, multi, factor, multifactor, multi-factor
 ms.prod: w10
@ -16,7 +16,7 @@ localizationpriority: medium
 ms.date: 03/20/2018
 ms.reviewer: 
 ---
-# Multifactor Unlock
+# Multi-factor Unlock
 **Applies to:**
 -   Windows 10
@ -83,15 +83,17 @@ For example, if you include the PIN and fingerprint credential providers in both
 The **Signal rules for device unlock** setting contains the rules the Trusted Signal credential provider uses to satisfy unlocking the device.
 ### Rule element
-You represent signal rules in XML.  Each signal rule has an starting and ending **rule** element that contains the **schemaVersion** attribute and value.  The current supported schema version is 1.0.<br>
+You represent signal rules in XML.  Each signal rule has an starting and ending **rule** element that contains the **schemaVersion** attribute and value.  The current supported schema version is 1.0.
 **Example**
-```
+```xml
 <rule schemaVersion="1.0">
 </rule>
 ```
 ### Signal element
-Each rule element has a **signal** element.  All signal elements have a **type** element and value.  Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values.<br>
+Each rule element has a **signal** element.  All signal elements have a **type** element and value.  Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values.
 |Attribute|Value|
 |---------|-----|
@ -109,8 +111,8 @@ You define the bluetooth signal with additional attributes in the signal element
 |rssiMin|"*number*"|no|
 |rssiMaxDelta|"*number*"|no|
-Example:
+**Example**
-```
+```xml
 <rule schemaVersion="1.0">
    <signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/>
 </rule>
@ -142,63 +144,76 @@ RSSI measurements are relative and lower as the bluetooth signals between the tw
 You define IP configuration signals using one or more ipConfiguration elements.  Each element has a string value.  IpConfiguration elements do not have attributes or nested elements.
 ##### IPv4Prefix
-The IPv4 network prefix represented in Internet standard dotted-decimal notation. A network prefix that uses the Classless Inter-Domain Routing (CIDR) notation is required as part of the network string. A network port must not be present in the network string.  A **signal** element may only contain one **ipv4Prefix** element.<br>
+The IPv4 network prefix represented in Internet standard dotted-decimal notation. A network prefix that uses the Classless Inter-Domain Routing (CIDR) notation is required as part of the network string. A network port must not be present in the network string.  A **signal** element may only contain one **ipv4Prefix** element.
 **Example**
-```
+```xml
 <ipv4Prefix>192.168.100.0/24</ipv4Prefix>
 ```
 The assigned IPv4 addresses in the range of 192.168.100.1 to 192.168.100.254 match this signal configuration.
 ##### IPv4Gateway
-The IPv4 network gateway represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string.  A **signal** element may only contain one **ipv4Gateway** element.<br>
+The IPv4 network gateway represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string.  A **signal** element may only contain one **ipv4Gateway** element.
 **Example**
-```
+```xml
 <ipv4Gateway>192.168.100.10</ipv4Gateway>
 ```
 ##### IPv4DhcpServer
-The IPv4 DHCP server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string.  A **signal** element may only contain one **ipv4DhcpServer** element.<br>
+The IPv4 DHCP server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string.  A **signal** element may only contain one **ipv4DhcpServer** element.
 **Example**
-```
+```xml
 <ipv4DhcpServer>192.168.100.10</ipv4DhcpServer>
 ```
 ##### IPv4DnsServer
-The IPv4 DNS server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string.The **signal** element may contain one or more **ipv4DnsServer** elements.<br>
+The IPv4 DNS server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string.The **signal** element may contain one or more **ipv4DnsServer** elements.
 **Example:**
-```
+```xml
 <ipv4DnsServer>192.168.100.10</ipv4DnsServer>
 ```
 ##### IPv6Prefix
-The IPv6 network prefix represented in IPv6 network using Internet standard hexadecimal encoding. A network prefix in CIDR notation is required as part of the network string. A network port or scope ID must not be present in the network string.  A **signal** element may only contain one **ipv6Prefix** element.<br>
+The IPv6 network prefix represented in IPv6 network using Internet standard hexadecimal encoding. A network prefix in CIDR notation is required as part of the network string. A network port or scope ID must not be present in the network string.  A **signal** element may only contain one **ipv6Prefix** element.
 **Example** 
-```
+```xml
 <ipv6Prefix>21DA:D3::/48</ipv6Prefix>
 ```
 ##### IPv6Gateway
-The IPv6 network gateway represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string.  A **signal** element may only contain one **ipv6Gateway** element.<br>
+The IPv6 network gateway represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string.  A **signal** element may only contain one **ipv6Gateway** element.
 **Example** 
-```
+```xml
 <ipv6Gateway>21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2</ipv6Gateway>
 ```
 ##### IPv6DhcpServer
-The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string.  A **signal** element may only contain one **ipv6DhcpServer** element.<br>
+The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string.  A **signal** element may only contain one **ipv6DhcpServer** element.
 **Example**
-```
+```xml
 <ipv6DhcpServer>21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2</ipv6DhcpServer
 ```
 ##### IPv6DnsServer
-The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. The **signal** element may contain one or more **ipv6DnsServer** elements.<br>
+The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. The **signal** element may contain one or more **ipv6DnsServer** elements.
 **Example**
-```
+```xml
 <ipv6DnsServer>21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2</ipv6DnsServer>
 ```
 ##### dnsSuffix
-The fully qualified domain name of your organization's internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix.  The **signal** element may contain one or more **dnsSuffix** elements.<br>
+The fully qualified domain name of your organization's internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix.  The **signal** element may contain one or more **dnsSuffix** elements.
 **Example**
-```
+```xml
 <dnsSuffix>corp.contoso.com</dnsSuffix>
 ```
@ -210,15 +225,17 @@ The fully qualified domain name of your organization's internal DNS suffix where
 You define Wi-Fi signals using one or more wifi elements.  Each element has a string value.  Wifi elements do not have attributes or nested elements.
 #### SSID
-Contains the service set identifier (SSID) of a wireless network.  The SSID is the name of the wireless network.  The SSID element is required.<br>
+Contains the service set identifier (SSID) of a wireless network.  The SSID is the name of the wireless network.  The SSID element is required.
-```
+
 ```xml
 <ssid>corpnetwifi</ssid>
 ```
 #### BSSID
-Contains the basic service set identifier (BSSID) of a wireless access point.  the BSSID is the mac address of the wireless access point.  The BSSID element is optional.<br>
+Contains the basic service set identifier (BSSID) of a wireless access point.  the BSSID is the mac address of the wireless access point.  The BSSID element is optional.
 **Example**
-```
+```xml
 <bssid>12-ab-34-ff-e5-46</bssid>
 ```
@ -235,19 +252,22 @@ Contains the type of security the client uses when connecting to the wireless ne
 |WPA2-Enterprise| The wireless network is protected using Wi-Fi Protected Access 2-Enterprise.|
 **Example**
-```
+```xml
 <security>WPA2-Enterprise</security> 
 ```
 #### TrustedRootCA
-Contains the thumbprint of the trusted root certificate of the wireless network. This may be any valid trusted root certificate. The value is represented as hexadecimal string where each byte in the string is separated by a single space.  This element is optional.<br>
+Contains the thumbprint of the trusted root certificate of the wireless network. This may be any valid trusted root certificate. The value is represented as hexadecimal string where each byte in the string is separated by a single space.  This element is optional.
 **Example**
-```
+```xml
 <trustedRootCA>a2 91 34 aa 22 3a a2 3a 4a 78 a2 aa 75 a2 34 2a 3a 11 4a aa</trustedRootCA>
 ```
 #### Sig_quality
-Contains numeric value ranging from 0 to 100 to represent the wireless network's signal strength needed to be considered a trusted signal.<br>
+Contains numeric value ranging from 0 to 100 to represent the wireless network's signal strength needed to be considered a trusted signal.
 **Example**
-```
+```xml
 <sig_quality>80</sig_quality>
 ```
@ -257,7 +277,8 @@ These examples are wrapped for readability.  Once properly formatted, the entire
 #### Example 1
 This example configures an IPConfig signal type using Ipv4Prefix, Ipv4DnsServer, and DnsSuffix elements.
-```
+
 ```xml
 <rule schemaVersion="1.0"> 
    <signal type="ipConfig"> 
        <ipv4Prefix>10.10.10.0/24</ipv4Prefix>
@ -271,10 +292,11 @@ This example configures an IPConfig signal type using Ipv4Prefix, Ipv4DnsServer,
 #### Example 2
 This example configures an IpConfig signal type using a dnsSuffix element and a bluetooth signal for phones.  This configuration is wrapped for reading.  Once properly formatted, the entire XML contents must be a single line.  This example implies that either the ipconfig **or** the Bluetooth rule must evaluate to true, for the resulting signal evaluation to be true.
 >[!NOTE]
 >Separate each rule element using a comma.
-```
+```xml
 <rule schemaVersion="1.0"> 
 	<signal type="ipConfig"> 
 	    <dnsSuffix>corp.contoso.com</dnsSuffix> 
@ -284,9 +306,11 @@ This example configures an IpConfig signal type using a dnsSuffix element and a
 	<signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/>
 </rule>
 ```
 #### Example 3
 This example configures the same as example 2 using compounding And elements.  This example implies that the ipconfig **and** the Bluetooth rule must evaluate to true, for the resulting signal evaluation to be true.
-```
+
 ```xml
 <rule schemaVersion="1.0">
 <and>
  <signal type="ipConfig">
@ -296,9 +320,11 @@ This example configures the same as example 2 using compounding And elements.  T
 </and>
 </rule>
 ```
 #### Example 4 
 This example configures Wi-Fi as a trusted signal (Windows 10, version 1803)
-```
+
 ```xml
 <rule schemaVersion="1.0"> 
  <signal type="wifi"> 
    <ssid>contoso</ssid> 
@ -332,22 +358,34 @@ The Group Policy object contains the policy settings needed to trigger Windows H
 > * You cannot use the same unlock factor to satisfy both categories. Therefore, if you include any credential provider in both categories, it means it can satisfy either category, but not both.
 > * The multifactor unlock feature is also supported via the Passport for Work CSP. See [Passport For Work CSP](https://docs.microsoft.com/windows/client-management/mdm/passportforwork-csp) for more information.
-1. Start the **Group Policy Management Console** (gpmc.msc)
+1. Start the **Group Policy Management Console** (gpmc.msc).
 2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
 3. Right-click **Group Policy object** and select **New**.
 4. Type *Multifactor Unlock* in the name box and click **OK**.
 5. In the content pane, right-click the **Multifactor Unlock** Group Policy object and click **Edit**.
 6. In the navigation pane, expand **Policies** under **Computer Configuration**.
 7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.<br>
   ![Group Policy Editor](images/multifactorUnlock/gpme.png)
 8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**.  The **Options** section populates the policy setting with default values.<br>
   ![Multifactor Policy Setting](images/multifactorUnlock/gp-setting.png)
 9. Configure first and second unlock factors using the information in the [Configure Unlock Factors](#configuring-unlock-factors) section.
 10. If using trusted signals, configure the trusted signals used by the unlock factor using the information in the [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider) section.
 11. Click **Ok** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers.
-    ## Troubleshooting
+2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
-    Multi-factor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**.
+
 3. Right-click **Group Policy object** and select **New**.
 4. Type *Multifactor Unlock* in the name box and click **OK**.
 5. In the content pane, right-click the **Multifactor Unlock** Group Policy object and click **Edit**.
 6. In the navigation pane, expand **Policies** under **Computer Configuration**.
 7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
   ![Group Policy Editor](images/multifactorUnlock/gpme.png)
 8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**.  The **Options** section populates the policy setting with default values.
   ![Multifactor Policy Setting](images/multifactorUnlock/gp-setting.png)
 9. Configure first and second unlock factors using the information in [Configure Unlock Factors](#configuring-unlock-factors).
 10. If using trusted signals, configure the trusted signals used by the unlock factor using the information in [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider).
 11. Click **OK** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers.
 ## Troubleshooting
 Multi-factor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**.
 ### Events
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@ -1,5 +1,5 @@
 ---
-title: Windows Hello for Business Deployment Guide
+title: Windows Hello for Business Deployment Overview
 description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment. 
 keywords: identity, PIN, biometric, Hello, passport
 ms.prod: w10
@ -13,28 +13,35 @@ manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 localizationpriority: medium
-ms.date: 08/29/2018
+ms.date: 01/21/2021
 ms.reviewer: 
 ---
-# Windows Hello for Business Deployment Guide
+# Windows Hello for Business Deployment Overview
 **Applies to**
 - Windows 10, version 1703 or later
 Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair.
-This deployment guide is to guide you through deploying Windows Hello for Business, based on the planning decisions made using the Planning a Windows Hello for Business Deployment Guide. It provides you with the information needed to successfully deploy Windows Hello for Business in an existing environment.
+This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) guide to determine the right deployment model for your organization.
 Once you've chosen a deployment model, the deployment guide for the that model will provide you with the information needed to successfully deploy Windows Hello for Business in your environment.
 > [!NOTE]
 > Read the [Windows Hello for Business Deployment Prerequisite Overview](hello-identity-verification.md) for a summary of the prerequisites for each different Windows Hello for Business deployment model.
 ## Assumptions
 This guide assumes that baseline infrastructure exists which meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have:
-* A well-connected, working network
+
-* Internet access
+- A well-connected, working network
-* Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning
+- Internet access
-* Proper name resolution, both internal and external names
+- Multi-factor Authentication Server to support MFA during Windows Hello for Business provisioning
-* Active Directory and an adequate number of domain controllers per site to support authentication
+- Proper name resolution, both internal and external names
-* Active Directory Certificate Services 2012 or later
+- Active Directory and an adequate number of domain controllers per site to support authentication
-* One or more workstation computers running Windows 10, version 1703
+- Active Directory Certificate Services 2012 or later
 - One or more workstation computers running Windows 10, version 1703
 If you are installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server.  
@ -47,14 +54,16 @@ Windows Hello for Business has three deployment models: Cloud, hybrid, and on-pr
 Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest.
 The trust model determines how you want users to authenticate to the on-premises Active Directory:
-* The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. 
+
-* The certificate-trust model is for enterprise that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today. 
+- The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication.
-* The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers.
+- The certificate-trust model is for enterprise that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today.
 - The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers.
 > [!NOTE]
 > RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard).
 Following are the various deployment guides and models included in this topic:
 - [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md)
 - [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)
 - [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)
--- a/windows/security/identity-protection/hello-for-business/hello-features.md
+++ b/windows/security/identity-protection/hello-for-business/hello-features.md
@ -1,57 +0,0 @@
 ---
 title: Windows Hello for Business Features
 description: Consider additional features you can use after your organization deploys Windows Hello for Business. 
 ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E
 ms.reviewer: 
 keywords: identity, PIN, biometric, Hello, passport, WHFB, Windows Hello, PIN Reset, Dynamic Lock, Multifactor Unlock, Forgot PIN, Privileged credentials
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, mobile
 audience: ITPro
 author: mapalko
 ms.author: mapalko
 manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 localizationpriority: medium
 ms.date: 11/27/2019
 ---
 # Windows Hello for Business Features
 **Applies to:**
 - Windows 10
 Consider these additional features you can use after your organization deploys Windows Hello for Business.
 ## Conditional access
 Azure Active Directory provides a wide set of options for protecting access to corporate resources. Conditional access provides more fine grained control over who can access certain resources and under what conditions. For more information see [Conditional Access](hello-feature-conditional-access.md).
 ## Dynamic lock
 Dynamic lock uses a paired Bluetooth device to determine user presence and locks the device if a user is not present. For more information and configuration steps see [Dynamic Lock](hello-feature-dynamic-lock.md). 
 ## PIN reset
 Windows Hello for Business supports user self-management of their PIN. If a user forgets their PIN, they have the ability to reset it from Settings or the lock screen. The Microsoft PIN reset service can be used for completing this reset without the user needing to enroll a new Windows Hello for Business credential. For more information and configuration steps see [Pin Reset](hello-feature-pin-reset.md).
 ## Dual Enrollment
 This feature enables provisioning of administrator Windows Hello for Business credentials that can be used by non-privileged accounts to perform administrative actions. These credentials can be used from the non-privileged accounts using **Run as different user** or **Run as administrator**. For more information and configuration steps see [Dual Enrollment](hello-feature-dual-enrollment.md).
 ## Remote Desktop
 Users with Windows Hello for Business certificate trust can use their credential to authenticate to remote desktop sessions over RDP. When authenticating to the session, biometric gestures can be used if they are enrolled. For more information and configuration steps see [Remote Desktop](hello-feature-remote-desktop.md).
 ## Related topics
 - [Windows Hello for Business](hello-identity-verification.md)
 - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
 - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
 - [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
@ -1,49 +0,0 @@
 ---
 title: How Windows Hello for Business works - Technical Deep Dive
 description: Deeply explore how Windows Hello for Business works, and how it can help your users authenticate to services.
 keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, works 
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 audience: ITPro
 author: mapalko
 ms.author: mapalko
 manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 localizationpriority: medium
 ms.date: 08/19/2018
 ms.reviewer: 
 ---
 # Technical Deep Dive
 **Applies to:**
 -   Windows 10
 Windows Hello for Business authentication works through collection of components and infrastructure working together.  You can group the infrastructure and components in three categories:
 - [Registration](#registration)
 - [Provisioning](#provisioning)
 - [Authentication](#authentication)
 ## Registration
 Registration is a fundamental prerequisite for Windows Hello for Business.  Without registration, Windows Hello for Business provisioning cannot start.  Registration is where the device **registers** its identity with the identity provider.  For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS).  For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS). 
 [How Device Registration Works](hello-how-it-works-device-registration.md)
 ## Provisioning
 Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential.  Typically the user signs in to Windows using user name and password.  The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential.<br>
 After successfully completing the second factor of authentication, the user is asked to enroll biometrics (if available on the device) and create PIN as a backup gesture.  Windows then registers the public version of the Windows Hello for Business credential with the identity provider.<br>
 For cloud and hybrid deployments, the identity provider is Azure Active Directory and the user registers their key with the Azure Device Registration Service (ADRS).  For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the user registers their key with the enterprise device registration service hosted on the federation servers.<br>
 Provision can occur automatically through the out-of-box-experience (OOBE) on Azure Active Directory joined devices, or on hybrid Azure Active Directory joined devices where the user or device is influenced by Windows Hello for Business policy settings.  Users can start provisioning through **Add PIN** from Windows Settings.  Watch the [Windows Hello for Business enrollment experience](hello-videos.md#windows-hello-for-business-user-enrollment-experience) from our [Videos](hello-videos.md) page.
 [How Windows Hello for Business provisioning works](hello-how-it-works-provisioning.md)
 ## Authentication
 Authentication using Windows Hello for Business is the goal, and the first step in getting to a passwordless environment.  With the device registered, and provisioning complete. Users can sign-in to Windows 10 using biometrics or a PIN.  PIN is the most common gesture and is available on most computers and devices.  Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential.  The PIN nor the private portion of the credential are never sent to the identity provider, and the PIN is not stored on the device.  It is user provided entropy when performing operations that use the private portion of the credential.
 [How Windows Hello for Business authentication works](hello-how-it-works-authentication.md)
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
@ -28,20 +28,37 @@ Watch this quick video where Pieter Wigleven gives a simple explanation of how W
 ## Technical Deep Dive
-Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the components and how they support Windows Hello for Business.
+Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the categories and how they support Windows Hello for Business.
-Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning and authentication work.
+### Device Registration
 Registration is a fundamental prerequisite for Windows Hello for Business.  Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS).
 For more information read [how device registration works](hello-how-it-works-device-registration.md).
 ### Provisioning
 Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password. The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential.
 Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning works.
 > [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s]
 For more information read [how provisioning works](hello-how-it-works-provisioning.md).
 ### Authentication
 With the device registered and provisioning complete, users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on all computers unless restricted by policy requiring a TPM. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. Neither the PIN nor the private portion of the credential are ever sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential.
 Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works.
 > [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek]
- [Technology and Terminology](hello-how-it-works-technology.md)
+For more information read [how authentication works](hello-how-it-works-authentication.md).
 - [Device Registration](hello-how-it-works-device-registration.md)
 - [Provisioning](hello-how-it-works-provisioning.md)
 - [Authentication](hello-how-it-works-authentication.md)
 ## Related topics
 - [Technology and Terminology](hello-how-it-works-technology.md)
 - [Windows Hello for Business](hello-identity-verification.md)
 - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
 - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@ -1,6 +1,6 @@
 ---
-title: Windows Hello for Business (Windows 10)
+title: Windows Hello for Business Deployment Prerequisite Overview
-description: Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. 
+description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
 ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E
 ms.reviewer: 
 keywords: identity, PIN, biometric, Hello, passport
@ -15,29 +15,14 @@ manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 localizationpriority: medium
-ms.date: 05/05/2018
+ms.date: 1/22/2021
 ---
-# Windows Hello for Business
+# Windows Hello for Business Deployment Prerequisite Overview
-In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.</br>
+This article lists the infrastructure requirements for the different deployment models for Windows Hello for Business.
 Windows Hello for Business lets user authenticate to an Active Directory or Azure Active Directory account.
-Windows Hello addresses the following problems with passwords:
+## Cloud Only Deployment
 - Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
 - Server breaches can expose symmetric network credentials (passwords).
 - Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673).
 - Users can inadvertently expose their passwords due to [phishing attacks](https://docs.microsoft.com/windows/security/threat-protection/intelligence/phishing).
 > | | | |
 > | :---: | :---: | :---: |
 > | [![Overview Icon](images/hello_filter.png)](hello-overview.md)</br>[Overview](hello-overview.md) | [![Why a PIN is better than a password Icon](images/hello_lock.png)](hello-why-pin-is-better-than-password.md)</br>[Why PIN is better than a password](hello-why-pin-is-better-than-password.md) | [![Manage Hello Icon](images/hello_gear.png)](hello-manage-in-organization.md)</br>[Manage Windows Hello in your Organization](hello-manage-in-organization.md) |
 ## Prerequisites
 ### Cloud Only Deployment
 * Windows 10, version 1511 or later
 * Microsoft Azure Account
@ -46,7 +31,7 @@ Windows Hello addresses the following problems with passwords:
 * Modern Management (Intune or supported third-party MDM), *optional*
 * Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory
-### Hybrid Deployments
+## Hybrid Deployments
 The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process.
@ -76,7 +61,7 @@ The table shows the minimum requirements for each deployment. For key trust in a
 > Reset above lock screen - Windows 10, version 1709, Professional</br>
 > Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
-### On-premises Deployments
+## On-premises Deployments
 The table shows the minimum requirements for each deployment.
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@ -19,13 +19,15 @@ ms.reviewer:
 # Planning a Windows Hello for Business Deployment
 **Applies to**
 - Windows 10
 Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure.
 This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you'll use that information to select the correct deployment guide for your needs.
-If you have an Azure tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup).
+> [!Note]
 >If you have an Azure tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup).
 ## Using this guide
@ -38,12 +40,13 @@ This guide removes the appearance of complexity by helping you make decisions on
 Read this document and record your decisions on the worksheet. When finished, your worksheet has all the necessary information for your Windows Hello for Business deployment.
 There are six major categories you need to consider for a Windows Hello for Business deployment.  Those categories are:
-*   Deployment Options
+
-*   Client
+- Deployment Options
-*   Management
+- Client
-*   Active Directory
+- Management
-*   Public Key Infrastructure
+- Active Directory
-*   Cloud
+- Public Key Infrastructure
 - Cloud
 ### Baseline Prerequisites
@ -58,13 +61,16 @@ The goal of Windows Hello for Business is to enable deployments for all organiza
 There are three deployment models from which you can choose: cloud only, hybrid, and on-premises.
 ##### Cloud only
 The cloud only deployment model is for organizations who only have cloud identities and do not access on-premises resources.  These organizations typically join their devices to the cloud and exclusively use resources in the cloud such as SharePoint, OneDrive, and others.  Also, because these users do not use on-premises resources, they do not need certificates for things like VPN because everything they need is hosted in Azure.
 ##### Hybrid
 The hybrid deployment model is for organizations that: 
-* Are federated with Azure Active Directory
+
-* Have identities synchronized to Azure Active Directory using Azure Active Directory Connect
+- Are federated with Azure Active Directory
-* Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources
+- Have identities synchronized to Azure Active Directory using Azure Active Directory Connect
 - Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources
 > [!Important]
 > Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.</br>
@ -154,7 +160,7 @@ The Windows Hello for Business deployment depends on an enterprise public key in
 ### Cloud
-Some deployment combinations require an Azure account, and some require Azure Active Directory for user identities.  These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from the those that are optional.
+Some deployment combinations require an Azure account, and some require Azure Active Directory for user identities.  These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from those that are optional.
 ## Planning a Deployment
--- a/windows/security/identity-protection/hello-for-business/index.yml
+++ b/windows/security/identity-protection/hello-for-business/index.yml
@ -0,0 +1,110 @@
 ### YamlMime:Landing
 title: Windows Hello for Business documentation
 summary: Learn how to manage and deploy Windows Hello for Business.
 metadata:
  title: Windows Hello for Business documentation
  description: Learn how to manage and deploy Windows Hello for Business.
  ms.prod: w10
  ms.topic: landing-page
  author: mapalko
  manager: dansimp
  ms.author: mapalko
  ms.date: 01/22/2021
  ms.collection: M365-identity-device-management
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new
 landingContent:
 # Cards and links should be based on top customer tasks or top subjects
 # Start card title with a verb
  # Card
  - title: About Windows Hello For Business
    linkLists:
      - linkListType: overview
        links:
          - text: Windows Hello for Business Overview
            url: hello-overview.md
      - linkListType: concept
        links:
          - text: Passwordless Strategy
            url: passwordless-strategy.md
          - text: Why a PIN is better than a password
            url: hello-why-pin-is-better-than-password.md
          - text: Windows Hello biometrics in the enterprise
            url: hello-biometrics-in-enterprise.md
          - text: How Windows Hello for Business works
            url: hello-how-it-works.md
      - linkListType: learn
        links: 
          - text: Technical Deep Dive - Device Registration
            url: hello-how-it-works-device-registration.md 
          - text: Technical Deep Dive - Provisioning
            url: hello-how-it-works-provisioning.md
          - text: Technical Deep Dive - Authentication
            url: hello-how-it-works-authentication.md
          - text: Technology and Terminology
            url: hello-how-it-works-technology.md
          - text: Frequently Asked Questions (FAQ)
            url: hello-faq.yml
  # Card
  - title: Configure and manage Windows Hello for Business
    linkLists:
      - linkListType: concept
        links:
          - text: Windows Hello for Business Deployment Overview
            url: hello-deployment-guide.md
          - text: Planning a Windows Hello for Business Deployment
            url: hello-planning-guide.md
          - text: Deployment Prerequisite Overview
            url: hello-identity-verification.md
      - linkListType: how-to-guide
        links:
          - text: Hybrid Azure AD Joined Key Trust Deployment
            url: hello-hybrid-key-trust.md
          - text: Hybrid Azure AD Joined Certificate Trust Deployment
            url: hello-hybrid-cert-trust.md
          - text: On-premises SSO for Azure AD Joined Devices
            url: hello-hybrid-aadj-sso.md
          - text: On-premises Key Trust Deployment
            url: hello-deployment-key-trust.md
          - text: On-premises Certificate Trust Deployment
            url: hello-deployment-cert-trust.md
      - linkListType: learn
        links:
          - text: Manage Windows Hello for Business in your organization
            url: hello-manage-in-organization.md
          - text: Windows Hello and password changes
            url: hello-and-password-changes.md
          - text: Prepare people to use Windows Hello
            url: hello-prepare-people-to-use.md
  # Card
  - title: Windows Hello for Business Features
    linkLists:
      - linkListType: how-to-guide
        links:
          - text: Conditional Access 
            url: hello-feature-conditional-access.md
          - text: PIN Reset
            url: hello-feature-pin-reset.md
          - text: Dual Enrollment
            url: hello-feature-dual-enrollment.md
          - text: Dynamic Lock
            url: hello-feature-dynamic-lock.md
          - text: Multi-factor Unlock
            url: feature-multifactor-unlock.md
          - text: Remote Desktop
            url: hello-feature-remote-desktop.md
  # Card
  - title: Windows Hello for Business Troubleshooting
    linkLists:
      - linkListType: how-to-guide
        links:
          - text: Known Deployment Issues
            url: hello-deployment-issues.md
          - text: Errors During PIN Creation
            url: hello-errors-during-pin-creation.md
--- a/windows/security/identity-protection/hello-for-business/toc.md
+++ b/windows/security/identity-protection/hello-for-business/toc.md
@ -1,72 +0,0 @@
 # [Windows Hello for Business](hello-identity-verification.md)
 ## [Password-less Strategy](passwordless-strategy.md)
 ## [Windows Hello for Business Overview](hello-overview.md)
 ## [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
 ## [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
 ## [Windows Hello for Business Features](hello-features.md)
 ### [Conditional Access](hello-feature-conditional-access.md)
 ### [Dual Enrollment](hello-feature-dual-enrollment.md)
 ### [Dynamic Lock](hello-feature-dynamic-lock.md)
 ### [Multifactor Unlock](feature-multifactor-unlock.md)
 ### [PIN Reset](hello-feature-pin-reset.md)
 ### [Remote Desktop](hello-feature-remote-desktop.md)
 ## [How Windows Hello for Business works](hello-how-it-works.md)
 ### [Technical Deep Dive](hello-how-it-works.md#technical-deep-dive)
 #### [Device Registration](hello-how-it-works-device-registration.md)
 #### [Provisioning](hello-how-it-works-provisioning.md)
 #### [Authentication](hello-how-it-works-authentication.md)
 #### [Technology and Terminology](hello-how-it-works-technology.md)
 ## [Planning a Windows Hello for Business Deployment](hello-planning-guide.md)
 ## [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
 ## [Windows Hello for Business Deployment Guide](hello-deployment-guide.md)
 ### [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md)
 #### [Prerequisites](hello-hybrid-key-trust-prereqs.md)
 #### [New Installation Baseline](hello-hybrid-key-new-install.md)
 #### [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
 #### [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
 #### [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
 #### [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
 ### [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)
 #### [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
 #### [New Installation Baseline](hello-hybrid-cert-new-install.md)
 #### [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
 #### [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings.md)
 #### [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
 ### [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)
 #### [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md)
 #### [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md)
 ### [On Premises Key Trust Deployment](hello-deployment-key-trust.md)
 #### [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md)
 #### [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md)
 #### [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md)
 ##### [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md)
 #### [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
 ### [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md)
 #### [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
 #### [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
 #### [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
 #### [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
 #### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
 ## [Windows Hello and password changes](hello-and-password-changes.md)
 ## [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 ## [Windows Hello for Business Frequently Asked Questions (FAQ)](hello-faq.yml)
 ### [Windows Hello for Business Videos](hello-videos.md)
 ## Windows Hello for Business Troubleshooting
 ### [Known Deployment Issues](hello-deployment-issues.md)
 ### [Errors during PIN creation](hello-errors-during-pin-creation.md)
 ### [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@ -0,0 +1,137 @@
 - name: Windows Hello for Business documentation
  href: index.yml
 - name: Overview
  items:
  - name: Windows Hello for Business Overview
    href: hello-overview.md
 - name: Concepts
  expanded: true
  items:
  - name: Passwordless Strategy
    href: passwordless-strategy.md
  - name: Why a PIN is better than a password
    href: hello-why-pin-is-better-than-password.md
  - name: Windows Hello biometrics in the enterprise
    href: hello-biometrics-in-enterprise.md
  - name: How Windows Hello for Business works
    href: hello-how-it-works.md
  - name: Technical Deep Dive
    items:
    - name: Device Registration
      href: hello-how-it-works-device-registration.md 
    - name: Provisioning
      href: hello-how-it-works-provisioning.md
    - name: Authentication
      href: hello-how-it-works-authentication.md
 - name: How-to Guides
  items:
  - name: Windows Hello for Business Deployment Overview
    href: hello-deployment-guide.md
  - name: Planning a Windows Hello for Business Deployment
    href: hello-planning-guide.md
  - name: Deployment Prerequisite Overview
    href: hello-identity-verification.md
  - name: Prepare people to use Windows Hello
    href: hello-prepare-people-to-use.md
  - name: Deployment Guides
    items:
    - name: Hybrid Azure AD Joined Key Trust
      items: 
      - name: Hybrid Azure AD Joined Key Trust Deployment
        href: hello-hybrid-key-trust.md
      - name: Prerequisites
        href: hello-hybrid-key-trust-prereqs.md
      - name: New Installation Baseline
        href: hello-hybrid-key-new-install.md
      - name: Configure Directory Synchronization
        href: hello-hybrid-key-trust-dirsync.md
      - name: Configure Azure Device Registration
        href: hello-hybrid-key-trust-devreg.md
      - name: Configure Windows Hello for Business settings
        href: hello-hybrid-key-whfb-settings.md
      - name: Sign-in and Provisioning
        href: hello-hybrid-key-whfb-provision.md
    - name: Hybrid Azure AD Joined Certificate Trust
      items: 
      - name: Hybrid Azure AD Joined Certificate Trust Deployment
        href: hello-hybrid-cert-trust.md
      - name: Prerequisites
        href: hello-hybrid-cert-trust-prereqs.md
      - name: New Installation Baseline
        href: hello-hybrid-cert-new-install.md
      - name: Configure Azure Device Registration
        href: hello-hybrid-cert-trust-devreg.md
      - name: Configure Windows Hello for Business settings
        href: hello-hybrid-cert-whfb-settings.md
      - name: Sign-in and Provisioning
        href: hello-hybrid-cert-whfb-provision.md
    - name: On-premises SSO for Azure AD Joined Devices
      items: 
      - name: On-premises SSO for Azure AD Joined Devices Deployment 
        href: hello-hybrid-aadj-sso.md
      - name: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business
        href: hello-hybrid-aadj-sso-base.md
      - name: Using Certificates for AADJ On-premises Single-sign On
        href: hello-hybrid-aadj-sso-cert.md
    - name: On-premises Key Trust
      items: 
      - name: On-premises Key Trust Deployment
        href: hello-deployment-key-trust.md
      - name: Validate Active Directory Prerequisites
        href: hello-key-trust-validate-ad-prereq.md
      - name: Validate and Configure Public Key Infrastructure
        href: hello-key-trust-validate-pki.md
      - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services
        href: hello-key-trust-adfs.md
      - name: Validate and Deploy Multi-factor Authentication (MFA) Services
        href: hello-key-trust-validate-deploy-mfa.md
      - name: Configure Windows Hello for Business policy settings
        href: hello-key-trust-policy-settings.md
    - name: On-premises Certificate Trust
      items: 
      - name: On-premises Certificate Trust Deployment
        href: hello-deployment-cert-trust.md
      - name: Validate Active Directory Prerequisites
        href: hello-cert-trust-validate-ad-prereq.md
      - name: Validate and Configure Public Key Infrastructure
        href: hello-cert-trust-validate-pki.md
      - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services
        href: hello-cert-trust-adfs.md
      - name: Validate and Deploy Multi-factor Authentication (MFA) Services
        href: hello-cert-trust-validate-deploy-mfa.md
      - name: Configure Windows Hello for Business policy settings
        href: hello-cert-trust-policy-settings.md
    - name: Managing Windows Hello for Business in your organization
      href: hello-manage-in-organization.md
  - name: Windows Hello for Business Features
    items:
    - name: Conditional Access 
      href: hello-feature-conditional-access.md
    - name: PIN Reset
      href: hello-feature-pin-reset.md
    - name: Dual Enrollment
      href: hello-feature-dual-enrollment.md  
    - name: Dynamic Lock
      href: hello-feature-dynamic-lock.md
    - name: Multi-factor Unlock
      href: feature-multifactor-unlock.md
    - name: Remote Desktop
      href: hello-feature-remote-desktop.md
  - name: Troubleshooting
    items:
    - name: Known Deployment Issues
      href: hello-deployment-issues.md
    - name: Errors During PIN Creation
      href: hello-errors-during-pin-creation.md
    - name: Event ID 300 - Windows Hello successfully created
      href: hello-event-300.md
    - name: Windows Hello and password changes
      href: hello-and-password-changes.md
 - name: Reference
  items:
  - name: Technology and Terminology
    href: hello-how-it-works-technology.md
  - name: Frequently Asked Questions (FAQ)
    href: hello-faq.yml
  - name: Windows Hello for Business videos
    href: hello-videos.md
--- a/windows/security/identity-protection/index.md
+++ b/windows/security/identity-protection/index.md
@ -31,5 +31,5 @@ Learn more about identity and access management technologies in Windows 10 and
 | [Virtual Smart Cards](virtual-smart-cards/virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards, which are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. |
 | [VPN technical guide](vpn/vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
 | [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. |
-| [Windows Hello for Business](hello-for-business/hello-identity-verification.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
+| [Windows Hello for Business](hello-for-business/index.yml) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
 | [Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows 10. |
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@ -199,14 +199,12 @@ When Microsoft Defender Antivirus is not the active antimalware in your organiza
 If your organization has turned off Microsoft Defender Antivirus through group policy or other methods, devices that are onboarded must be excluded from this group policy.
-If you are onboarding servers and Microsoft Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Microsoft Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md).
+If you are onboarding servers and Microsoft Defender Antivirus is not the active antimalware on your servers, Microsoft Defender Antivirus will either need to be configured to go on passive mode or uninstalled. The configuration is dependent on the server version. For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
 > [!NOTE]
 > Your regular group policy doesn't apply to Tamper Protection, and changes to Microsoft Defender Antivirus settings will be ignored when Tamper Protection is on.
 For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
 ## Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled
 If you're running Microsoft Defender Antivirus as the primary antimalware product on your devices, the Defender for Endpoint agent will successfully onboard.