From eb305abc4fb5839491be690429c9c729fc5329c9 Mon Sep 17 00:00:00 2001
From: Mike Stephens <mstephen@microsoft.com>
Date: Mon, 6 Nov 2017 23:33:36 +0000
Subject: [PATCH 1/2] Merged PR 4338: Merge ms-whfb-staging to whfb-staging

Corrections for Hybrid Cert trust deployment guide
---
 .../hello-for-business/hello-deployment-guide.md                | 2 +-
 .../hello-for-business/hello-hybrid-cert-trust-prereqs.md       | 2 +-
 .../hello-for-business/hello-hybrid-cert-whfb-settings-pki.md   | 2 +-
 .../hello-hybrid-cert-whfb-settings-policy.md                   | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/windows/access-protection/hello-for-business/hello-deployment-guide.md b/windows/access-protection/hello-for-business/hello-deployment-guide.md
index c202596cd4..35ca37be84 100644
--- a/windows/access-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/access-protection/hello-for-business/hello-deployment-guide.md
@@ -28,7 +28,7 @@ This deployment guide is to guide you through deploying Windows Hello for Busine
 This guide assumes a baseline infrastructure exists that meets the requirements for your deployment.  For either hybrid or on-premises deployments, it is expected that you have: 
 * A well-connected, working network
 * Internet access
-   * Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning
+* Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning
 * Proper name resolution, both internal and external names
 * Active Directory and an adequate number of domain controllers per site to support authentication
 * Active Directory Certificate Services 2012 or later
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
index 7c56e7ded8..0aafbf488a 100644
--- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
+++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
@@ -23,7 +23,7 @@ Hybrid environments are distributed systems that enable organizations to use on-
 
 The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure.  High-level pieces of the infrastructure include:
 * [Directories](#directories)
-* [Public Key Infrastucture](#public-key-infastructure)
+* [Public Key Infrastucture](#public-key-infrastructure)
 * [Directory Synchronization](#directory-synchronization)
 * [Federation](#federation)
 * [MultiFactor Authetication](#multifactor-authentication)
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index d7f825257f..6c59f37b66 100644
--- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -133,7 +133,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq
 9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**.
 10.	On the **Request Handling** tab, select the **Renew with same key** check box.
 11.	On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**.
-12.	Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Enroll** permission. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. 
+12.	Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Read**, **Enroll**, and **AutoEnroll** permissions. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. 
 13.	If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template.
 14.	Click on the **Apply** to save changes and close the console.
 
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
index 342e42b0d0..5b1f2a3188 100644
--- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
+++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
@@ -108,7 +108,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
 3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
 4. In the navigation pane, expand **Policies** under **User Configuration**.
 5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**.
-6. In the details pane, right-click **Certificate Services Client � Auto-Enrollment** and select **Properties**.
+6. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties**.
 7. Select **Enabled** from the **Configuration Model** list.
 8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box.
 9. Select the **Update certificates that use certificate templates** check box.

From 9dc799cdab92c2a9364a3bdee644b0aa27f82463 Mon Sep 17 00:00:00 2001
From: Mike Stephens <mstephen@microsoft.com>
Date: Fri, 17 Nov 2017 23:24:26 +0000
Subject: [PATCH 2/2] Merged PR 4397: Merge ms-whfb-staging to whfb-staging

Updates and then please push to master
---
 .../access-protection/hello-for-business/hello-features.md  | 6 +++---
 .../hello-for-business/hello-hybrid-key-trust-prereqs.md    | 4 ++--
 windows/access-protection/hello-for-business/toc.md         | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/windows/access-protection/hello-for-business/hello-features.md b/windows/access-protection/hello-for-business/hello-features.md
index 2e4ae4c446..af73b147d6 100644
--- a/windows/access-protection/hello-for-business/hello-features.md
+++ b/windows/access-protection/hello-for-business/hello-features.md
@@ -19,7 +19,7 @@ Consider these additional features you can use after your organization deploys W
 * [Conditional access](#conditional-access)
 * [Dynamic lock](#dynamic-lock)
 * [PIN reset](#PIN-reset)
-* [Privileged workstation](#Priveleged-workstation)
+* [Privileged credentials](#Priveleged-crednetials)
 * [Mulitfactor Unlock](#Multifactor-unlock)
 
 
@@ -142,14 +142,14 @@ On-premises deployments provide users with the ability to reset forgotton PINs e
 >[!NOTE]
 > Visit the [Frequently Asked Questions](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-identity-verification#frequently-asked-questions) section of the Windows Hello for Business page and watch the **What happens when the user forgets their PIN?** video.
 
-## Privileged Workstation
+## Privileged Credentials
 
 **Requirements**
 * Hybrid and On-premises Windows Hello for Business deployments
 * Domain Joined or Hybird Azure joined devices
 * Windows 10, version 1709
 
-The privileged workstation scenario enables administrators to perform elevated, admistrative funcions by enrolling both their non-privileged and privileged credentials on their device.
+The privileged credentials scenario enables administrators to perform elevated, admistrative funcions by enrolling both their non-privileged and privileged credentials on their device.
 
 By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session.  Using the computer Group Policy setting, Allow enumeration of emulated smartd card for all users, you can configure a device to all this enumeration on selected devices.  
 
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index 0bd7c0a3b1..552c519832 100644
--- a/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -81,7 +81,7 @@ Organizations using older directory synchronization technology, such as DirSync
 <br>
 
 ## Federation with Azure ##
-You can deploy Windows Hello for Business key trust in non-federated and federated environments.  For non-federated envionments, key trust deployments work in environments that have deployed [Password Syncrhonization with Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication).  For federated envirnonments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later. 
+You can deploy Windows Hello for Business key trust in non-federated and federated environments.  For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication).  For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later. 
 
 ### Section Review ###
 > [!div class="checklist"]
@@ -91,7 +91,7 @@ You can deploy Windows Hello for Business key trust in non-federated and federat
 <br>
 
 ## Multifactor Authentication ##
-Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords.  The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor. but needs a second factor of authentication.
+Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords.  The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor, but needs a second factor of authentication.
 
 Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service or they can use multifactor authentication provides by Windows Server 2012 R2 or later Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS.
 
diff --git a/windows/access-protection/hello-for-business/toc.md b/windows/access-protection/hello-for-business/toc.md
index 5a8d5dd5c3..81267549c1 100644
--- a/windows/access-protection/hello-for-business/toc.md
+++ b/windows/access-protection/hello-for-business/toc.md
@@ -43,4 +43,4 @@
 ##### [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md)
 #### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
 
-## [Windows Hello for Businesss Feature](hello-features.md)
\ No newline at end of file
+## [Windows Hello for Business Features](hello-features.md)
\ No newline at end of file