Update Windows Hello for Business configuration instructions

windows/security/identity-protection/hello-for-business/deploy/cloud-only.md

@@ -32,7 +32,7 @@ When you Microsoft Entra join a device, the system attempts to automatically enr
 
 Cloud-only deployments use Microsoft Entra multifactor authentication (MFA) during Windows Hello for Business enrollment, and there's no additional MFA configuration needed. If you aren't already registered in MFA, you'll be guided through the MFA registration as part of the Windows Hello for Business enrollment process.
 
-Policy settings can be configured to control the behavior of Windows Hello for Business, via configuration service provider (CSP) or group policy (GPO). Cloud-only deployments typically configure devices via an MDM solution like Microsoft Intune, using the [PassportForWork CSP][WIN-1].
+Policy settings can be configured to control the behavior of Windows Hello for Business, via configuration service provider (CSP) or group policy (GPO). In cloud-only deployments, devices are typically configured via an MDM solution like Microsoft Intune, using the [PassportForWork CSP][WIN-1].
 
 > [!TIP]
 > If you're using Microsoft Intune, and you're not using the [tenant-wide policy](../configure.md#verify-the-tenant-wide-policy), enable the Enrollment Status Page (ESP) to ensure that the devices receive the Windows Hello for Business policy settings before users can access their desktop. For more information about ESP, see [Set up the Enrollment Status Page][MEM-1].
@@ -41,14 +41,12 @@ For a list of settings to configure Windows Hello for Business, see [Windows Hel
 
 ## Enroll in Windows Hello for Business
 
-The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed.
+The Windows Hello for Business provisioning process begins immediately after a user signs in, if certain prerequisite checks are passed.
 
 ### User experience
 
 [!INCLUDE [user-experience](includes/user-experience.md)]
 
-> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
-
 ## Disable automatic enrollment
 
 If you want to disable the automatic Windows Hello for Business enrollment prompt, you can configure your devices with a policy setting or registry key. For more information, see [Disable Windows Hello for Business enrollment](../configure.md#disable-windows-hello-for-business-enrollment).

windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md

@@ -1,11 +1,11 @@
 ---
-title: Configure and provision Windows Hello for Business in a hybrid certificate trust model
+title: Configure and enroll in Windows Hello for Business in hybrid certificate trust model
 description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid certificate trust scenario.
 ms.date: 01/03/2024
 ms.topic: tutorial
 ---
 
-# Configure and provision Windows Hello for Business in hybrid certificate trust model
+# Configure and enroll in Windows Hello for Business in hybrid certificate trust model
 
 [!INCLUDE [apply-to-hybrid-cert-trust](includes/apply-to-hybrid-cert-trust.md)]
 
@@ -18,8 +18,6 @@ After the prerequisites are met and the PKI and AD FS configurations are validat
 > [!TIP]
 > Use the same *Windows Hello for Business Users* security group to assign **Certificate template permissions** to ensure the same members can enroll in the Windows Hello for Business authentication certificate.
 
-### Enable automatic enrollment of certificates group policy setting
-
 Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business *authentication certificate* template.
 
 The process requires no user interaction, provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires.
@@ -49,26 +47,25 @@ The process requires no user interaction, provided the user signs-in using Windo
 > - [Configure single sign-on for Microsoft Entra joined devices](../hello-hybrid-aadj-sso.md)
 > - [Using Certificates for AADJ On-premises Single-sign On](../hello-hybrid-aadj-sso-cert.md)
 
-Review the article [Configure Windows Hello for Business using Microsoft Intune](../configure.md#configure-windows-hello-for-business-using-microsoft-intune) to learn about the different options offered by Microsoft Intune to configure Windows Hello for Business.
+> [!NOTE]
+> Review the article [Configure Windows Hello for Business using Microsoft Intune](../configure.md#configure-windows-hello-for-business-using-microsoft-intune) to learn about the different options offered by Microsoft Intune to configure Windows Hello for Business.
 
-If the Intune tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to enable Windows Hello for Business a policy using an *settings catalog* policy.
+If the Intune tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business).
-
-[!INCLUDE [intune-settings-catalog-enable-whfb](includes/intune-settings-catalog-enable-whfb.md)]
-
-### Configure the certificate trust policy
 
 [!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
 
 | Category | Setting name | Value |
 |--|--|--|
+| **Windows Hello for Business** | Use Passport For Work | true |
 | **Windows Hello for Business** | Use Certificate For On Prem Auth | Enabled |
 
 [!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
 
-Alternatively, you can configure devices using a [custom policy][MEM-3] with the [PassportForWork CSP][CSP-1].
+Alternatively, you can configure devices using a [custom policy][MEM-1] with the [PassportForWork CSP][CSP-1].
 
 | Setting |
 |--------|
+| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork`<br>- **Data type:** `bool`<br>- **Value:** `True`|
 | - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseCertificateForOnPremAuth`<br>- **Data type:** `bool`<br>- **Value:** `True`|
 
 For more information about the certificate trust policy, see [Windows Hello for Business policy settings](../policy-settings.md#use-certificate-for-on-premises-authentication).
@@ -103,5 +100,5 @@ The certificate authority validates the certificate was signed by the registrati
 <!--links-->
 
 [AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
-
+[CSP-1]: /windows/client-management/mdm/passportforwork-csp
-[MEM-3]: /mem/intune/configuration/custom-settings-configure
+[MEM-1]: /mem/intune/configuration/custom-settings-configure

windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md

@@ -19,7 +19,8 @@ ms.topic: tutorial
 > - [Windows Server requirements](index.md#windows-server-requirements)
 > - [Prepare users to use Windows Hello](index.md#prepare-users-to-use-windows-hello)
 
-When implementing the cloud Kerberos trust deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1].
+> [!IMPORTANT]
+> When implementing the cloud Kerberos trust deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1].
 
 ## Deployment steps
 
@@ -57,30 +58,29 @@ For more information about how Microsoft Entra Kerberos works with Windows Hello
 
 ## Configure Windows Hello for Business policy settings
 
-After setting up the Microsoft Entra Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
+After setting up the Microsoft Entra Kerberos object, Windows Hello for business must be enabled and configured to use the cloud Kerberos trust. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
 
 # [:::image type="icon" source="images/intune.svg"::: **Intune/CSP**](#tab/intune)
 
-Review the article [Configure Windows Hello for Business using Microsoft Intune](../configure.md#configure-windows-hello-for-business-using-microsoft-intune) to learn about the different options offered by Microsoft Intune to configure Windows Hello for Business.
+> [!NOTE]
+> Review the article [Configure Windows Hello for Business using Microsoft Intune](../configure.md#configure-windows-hello-for-business-using-microsoft-intune) to learn about the different options offered by Microsoft Intune to configure Windows Hello for Business.
 
-If the Intune tenant-wide policy is enabled and configured to your needs, you can skip to [Configure cloud Kerberos trust policy](#configure-the-cloud-kerberos-trust-policy). Otherwise, follow the instructions below to enable Windows Hello for Business a policy using an *settings catalog* policy.
+If the Intune tenant-wide policy is enabled and configured to your needs, you only need to enable the policy setting **Use Cloud Trust For On Prem Auth**. Otherwise, both settings must be configured.
-
-[!INCLUDE [intune-settings-catalog-enable-whfb](includes/intune-settings-catalog-enable-whfb.md)]
-
-### Configure the cloud Kerberos trust policy
 
 [!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
 
 | Category | Setting name | Value |
 |--|--|--|
+| **Windows Hello for Business** | Use Passport For Work | true |
 | **Windows Hello for Business** | Use Cloud Trust For On Prem Auth | Enabled |
 
 [!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
 
-Alternatively, you can configure devices using a [custom policy][MEM-3] with the [PassportForWork CSP][CSP-1].
+Alternatively, you can configure devices using a [custom policy][MEM-1] with the [PassportForWork CSP][CSP-1].
 
 | Setting |
 |--------|
+| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork`<br>- **Data type:** `bool`<br>- **Value:** `True`|
 | - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseCloudTrustForOnPremAuth`<br>- **Data type:** `bool`<br>- **Value:** `True`|
 
 For more information about the cloud Kerberos trust policy, see [Windows Hello for Business policy settings](../policy-settings.md#use-cloud-trust-for-on-premises-authentication).
@@ -90,15 +90,11 @@ For more information about the cloud Kerberos trust policy, see [Windows Hello f
 [!INCLUDE [gpo-enable-whfb](includes/gpo-enable-whfb.md)]
 
 > [!NOTE]
-> Cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration.
+> Cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy setting is only available as a computer configuration.
-
+>
-### Update administrative templates
+>You may need to update your Group Policy definitions to be able to configure the cloud Kerberos trust policy. You can copy the ADMX and ADML files from a Windows client that supports cloud Kerberos trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the *Passport.admx* and *Passport.adml* files.
-
+>
-You may need to update your Group Policy definitions to be able to configure the cloud Kerberos trust policy. You can copy the ADMX and ADML files from a Windows client that supports cloud Kerberos trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the *Passport.admx* and *Passport.adml* files.
+>You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows][TS-1].
-
-You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows][TS-1].
-
-### Configure the Windows Hello for Business with group policy
 
 [!INCLUDE [gpo-settings-1](../../../../../includes/configure/gpo-settings-1.md)]
 
@@ -118,8 +114,7 @@ You can also create a Group Policy Central Store and copy them their respective
 
 ---
 
-> [!NOTE]
+If you deploy Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../configure.md#policy-conflicts-from-multiple-policy-sources).
-> If you deployed Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../configure.md#policy-conflicts-from-multiple-policy-sources).
 
 Additional policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md).
 
@@ -190,6 +185,7 @@ The following scenarios aren't supported using Windows Hello for Business cloud
 [AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
 [CSP-1]: /windows/client-management/mdm/passportforwork-csp
 [ENTRA-1]: /entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azureadhybridauthenticationmanagement-module
-[MEM-3]: /mem/intune/configuration/custom-settings-configure
+[MEM-1]: /mem/intune/configuration/custom-settings-configure
 [SERV-1]: /windows-server/administration/performance-tuning/role/active-directory-server/capacity-planning-for-active-directory-domain-services
 [TS-1]: /troubleshoot/windows-client/group-policy/create-and-manage-central-store
+

windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md

@@ -1,5 +1,5 @@
 ---
-title: Windows Hello for Business hybrid key trust clients configuration and enrollment
+title: Configure and enroll in Windows Hello for Business in a hybrid key trust model
 description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid key trust scenario.
 ms.date: 12/29/2023
 ms.topic: tutorial
@@ -13,11 +13,24 @@ After the prerequisites are met and the PKI configuration is validated, Windows
 
 # [:::image type="icon" source="images/intune.svg"::: **Intune/CSP**](#tab/intune)
 
-Review the article [Configure Windows Hello for Business using Microsoft Intune](../configure.md#configure-windows-hello-for-business-using-microsoft-intune) to learn about the different options offered by Microsoft Intune to configure Windows Hello for Business.
+> [!NOTE]
+> Review the article [Configure Windows Hello for Business using Microsoft Intune](../configure.md#configure-windows-hello-for-business-using-microsoft-intune) to learn about the different options offered by Microsoft Intune to configure Windows Hello for Business.
 
-If the Intune tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to enable Windows Hello for Business a policy using an *settings catalog* policy.
+If the Intune tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business).
 
-[!INCLUDE [intune-settings-catalog-enable-whfb](includes/intune-settings-catalog-enable-whfb.md)]
+[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| **Windows Hello for Business** | Use Passport For Work | true |
+
+[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][MEM-1] with the [PassportForWork CSP][CSP-1].
+
+| Setting |
+|--------|
+| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork`<br>- **Data type:** `bool`<br>- **Value:** `True`|
 
 # [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo)
 
@@ -71,3 +84,6 @@ While the user has completed provisioning, Microsoft Entra Connect synchronizes
 <!--links-->
 [AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
 [AZ-5]: /azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler
+[CSP-1]: /windows/client-management/mdm/passportforwork-csp
+[MEM-1]: /mem/intune/configuration/custom-settings-configure
+

windows/security/identity-protection/hello-for-business/deploy/includes/gpo-enable-whfb.md

@@ -5,9 +5,6 @@ ms.topic: include
 
 For Microsoft Entra hybrid joined devices, you can use group policies to configure Windows Hello for Business.
 
-> [!TIP]
-> Create a security group (for example, *Windows Hello for Business users* or *Windows Hello for Business devices*) to make it easy to deploy Windows Hello for Business in phases. You assign **Group Policy permissions** to this group to simplify the deployment by adding the users or devices to the groups.
-
 The *Enable Windows Hello for Business* policy setting is the configuration needed for Windows to determine if a user should attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is **enabled**.\
 You can configure the *Enable Windows Hello for Business* setting for computer or users:
 

windows/security/identity-protection/hello-for-business/deploy/includes/intune-settings-catalog-enable-whfb.md

@@ -1,20 +0,0 @@
----
-ms.date: 01/03/2024
-ms.topic: include
----
-
-### Enable Windows Hello for Business
-
-[!INCLUDE [intune-settings-catalog-1](../../../../../../includes/configure/intune-settings-catalog-1.md)]
-
-| Category | Setting name | Value |
-|--|--|--|
-| **Windows Hello for Business** | Use Passport For Work | true |
-
-[!INCLUDE [intune-settings-catalog-2](../../../../../../includes/configure/intune-settings-catalog-2.md)]
-
-Alternatively, you can configure devices using a [custom policy](/mem/intune/configuration/custom-settings-configure) with the [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp).
-
-| Setting |
-|--------|
-| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork`<br>- **Data type:** `bool`<br>- **Value:** `True`|

windows/security/identity-protection/hello-for-business/deploy/includes/user-experience.md

@@ -11,3 +11,4 @@ After a user signs in, the Windows Hello for Business enrollment process begins:
 1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
 1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Microsoft Entra ID to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and access their desktop.
 
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]

windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md

@@ -9,7 +9,7 @@ ms.topic: tutorial
 
 [!INCLUDE [apply-to-on-premises-cert-trust](includes/apply-to-on-premises-cert-trust.md)]
 
-After the prerequisites are met and the PKI and AD FS configurations are validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
+After the prerequisites are met and the PKI and AD FS configurations are validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using group policy (GPO).
 
 [!INCLUDE [gpo-enable-whfb](includes/gpo-enable-whfb.md)]
 

windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md

@@ -9,7 +9,7 @@ ms.topic: tutorial
 
 [!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
 
-After the prerequisites are met and the PKI and AD FS configurations are validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
+After the prerequisites are met and the PKI and AD FS configurations are validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using group policy (GPO).
 
 [!INCLUDE [gpo-enable-whfb](includes/gpo-enable-whfb.md)]