From 5c201c955e83cba073dc554fdbeaf3a98a488e27 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Fri, 15 Dec 2023 15:56:54 -0500
Subject: [PATCH 01/13] Restructure of deployment guides
---
.../cloud.md} | 4 +--
.../deploy/hybrid-cert-trust-pki.md | 16 ++++-----
.../deploy/hybrid-cert-trust.md | 2 +-
.../hybrid-cloud-kerberos-trust-enroll.md} | 2 +-
.../hybrid-cloud-kerberos-trust.md} | 4 +--
.../hybrid-key-trust-enroll.md} | 2 +-
.../hybrid-key-trust-pki.md} | 4 +--
.../hybrid-key-trust.md} | 6 ++--
.../deploy/includes/apply-to-cloud.md | 9 +++++
.../apply-to-hybrid-cert-trust-entra.md | 6 ++--
.../includes/apply-to-hybrid-cert-trust.md | 8 ++---
.../apply-to-hybrid-cloud-kerberos-trust.md | 10 ++++++
.../apply-to-hybrid-key-and-cert-trust.md | 10 ++++++
.../includes/apply-to-hybrid-key-trust.md | 10 ++++++
.../apply-to-on-premises-cert-trust-entra.md | 6 ++--
.../apply-to-on-premises-key-trust.md | 10 ++++++
.../includes/auth-certificate-template.md | 0
.../includes/dc-certificate-deployment.md | 0
.../includes/dc-certificate-supersede.md | 0
.../includes/dc-certificate-template.md | 0
.../includes/dc-certificate-validate.md | 0
.../enrollment-agent-certificate-template.md | 0
.../deploy/includes/information.svg | 3 ++
.../includes/intro.md} | 0
.../includes/lab-based-pki-deploy.md | 0
.../includes/tooltip-deployment-cloud.md | 6 ++++
.../includes/tooltip-deployment-hybrid.md | 6 ++++
.../includes/tooltip-deployment-onpremises.md | 6 ++++
.../deploy/includes/tooltip-join-domain.md | 6 ++++
.../deploy/includes/tooltip-join-entra.md | 6 ++++
.../deploy/includes/tooltip-join-hybrid.md | 6 ++++
...ip-cert-trust.md => tooltip-trust-cert.md} | 0
.../includes/tooltip-trust-cloud-kerberos.md | 6 ++++
.../deploy/includes/tooltip-trust-key.md | 6 ++++
.../unpublish-superseded-templates.md | 0
.../web-server-certificate-template.md | 12 +++----
.../index.md} | 16 ++++-----
.../deploy/on-premises-cert-trust-pki.md | 18 +++++-----
.../on-premises-key-trust-adfs.md} | 4 +--
.../on-premises-key-trust-enroll.md} | 2 +-
.../on-premises-key-trust-mfa.md} | 4 +--
.../on-premises-key-trust-pki.md} | 4 +--
.../deploy/on-premises-key-trust.md | 35 +++++++++++++++++++
.../requirements.md} | 0
.../hello-for-business/deploy/toc.yml | 28 +++++++--------
.../hello-deployment-key-trust.md | 17 ---------
.../hello-how-it-works-technology.md | 2 +-
.../hello-hybrid-aadj-sso.md | 2 +-
.../hello-key-trust-validate-ad-prereq.md | 35 -------------------
.../hello-planning-guide.md | 2 +-
.../includes/hello-cloud.md | 9 -----
.../includes/hello-deployment-cloud.md | 6 ----
.../includes/hello-deployment-hybrid.md | 6 ----
.../includes/hello-deployment-onpremises.md | 6 ----
.../includes/hello-hybrid-cloudkerb-trust.md | 10 ------
.../includes/hello-hybrid-key-trust.md | 10 ------
.../hello-hybrid-keycert-trust-aad.md | 10 ------
.../includes/hello-join-aad.md | 6 ----
.../includes/hello-join-domain.md | 6 ----
.../includes/hello-join-hybrid.md | 6 ----
.../includes/hello-on-premises-key-trust.md | 10 ------
.../includes/hello-trust-cloud-kerberos.md | 6 ----
.../includes/hello-trust-key.md | 6 ----
.../hello-for-business/toc.yml | 2 ++
64 files changed, 213 insertions(+), 227 deletions(-)
rename windows/security/identity-protection/hello-for-business/{hello-aad-join-cloud-only-deploy.md => deploy/cloud.md} (97%)
rename windows/security/identity-protection/hello-for-business/{hello-hybrid-cloud-kerberos-trust-provision.md => deploy/hybrid-cloud-kerberos-trust-enroll.md} (99%)
rename windows/security/identity-protection/hello-for-business/{hello-hybrid-cloud-kerberos-trust.md => deploy/hybrid-cloud-kerberos-trust.md} (98%)
rename windows/security/identity-protection/hello-for-business/{hello-hybrid-key-trust-provision.md => deploy/hybrid-key-trust-enroll.md} (99%)
rename windows/security/identity-protection/hello-for-business/{hello-hybrid-key-trust-validate-pki.md => deploy/hybrid-key-trust-pki.md} (98%)
rename windows/security/identity-protection/hello-for-business/{hello-hybrid-key-trust.md => deploy/hybrid-key-trust.md} (96%)
create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-cloud.md
create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cloud-kerberos-trust.md
create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-and-cert-trust.md
create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-trust.md
create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-key-trust.md
rename windows/security/identity-protection/hello-for-business/{ => deploy}/includes/auth-certificate-template.md (100%)
rename windows/security/identity-protection/hello-for-business/{ => deploy}/includes/dc-certificate-deployment.md (100%)
rename windows/security/identity-protection/hello-for-business/{ => deploy}/includes/dc-certificate-supersede.md (100%)
rename windows/security/identity-protection/hello-for-business/{ => deploy}/includes/dc-certificate-template.md (100%)
rename windows/security/identity-protection/hello-for-business/{ => deploy}/includes/dc-certificate-validate.md (100%)
rename windows/security/identity-protection/hello-for-business/{ => deploy}/includes/enrollment-agent-certificate-template.md (100%)
create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/information.svg
rename windows/security/identity-protection/hello-for-business/{includes/hello-intro.md => deploy/includes/intro.md} (100%)
rename windows/security/identity-protection/hello-for-business/{ => deploy}/includes/lab-based-pki-deploy.md (100%)
create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md
create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md
create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md
create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md
create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md
create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md
rename windows/security/identity-protection/hello-for-business/deploy/includes/{tooltip-cert-trust.md => tooltip-trust-cert.md} (100%)
create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
rename windows/security/identity-protection/hello-for-business/{ => deploy}/includes/unpublish-superseded-templates.md (100%)
rename windows/security/identity-protection/hello-for-business/{ => deploy}/includes/web-server-certificate-template.md (79%)
rename windows/security/identity-protection/hello-for-business/{hello-deployment-guide.md => deploy/index.md} (89%)
rename windows/security/identity-protection/hello-for-business/{hello-key-trust-adfs.md => deploy/on-premises-key-trust-adfs.md} (99%)
rename windows/security/identity-protection/hello-for-business/{hello-key-trust-policy-settings.md => deploy/on-premises-key-trust-enroll.md} (99%)
rename windows/security/identity-protection/hello-for-business/{hello-key-trust-validate-deploy-mfa.md => deploy/on-premises-key-trust-mfa.md} (93%)
rename windows/security/identity-protection/hello-for-business/{hello-key-trust-validate-pki.md => deploy/on-premises-key-trust-pki.md} (95%)
create mode 100644 windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
rename windows/security/identity-protection/hello-for-business/{hello-identity-verification.md => deploy/requirements.md} (100%)
delete mode 100644 windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
delete mode 100644 windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
delete mode 100644 windows/security/identity-protection/hello-for-business/includes/hello-cloud.md
delete mode 100644 windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md
delete mode 100644 windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md
delete mode 100644 windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md
delete mode 100644 windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cloudkerb-trust.md
delete mode 100644 windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust.md
delete mode 100644 windows/security/identity-protection/hello-for-business/includes/hello-hybrid-keycert-trust-aad.md
delete mode 100644 windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md
delete mode 100644 windows/security/identity-protection/hello-for-business/includes/hello-join-domain.md
delete mode 100644 windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md
delete mode 100644 windows/security/identity-protection/hello-for-business/includes/hello-on-premises-key-trust.md
delete mode 100644 windows/security/identity-protection/hello-for-business/includes/hello-trust-cloud-kerberos.md
delete mode 100644 windows/security/identity-protection/hello-for-business/includes/hello-trust-key.md
diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/deploy/cloud.md
similarity index 97%
rename from windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
rename to windows/security/identity-protection/hello-for-business/deploy/cloud.md
index 58eac4892c..d2695cb7eb 100644
--- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/cloud.md
@@ -6,7 +6,7 @@ ms.topic: how-to
---
# Cloud-only deployment
-[!INCLUDE [hello-hybrid-key-trust](./includes/hello-cloud.md)]
+[!INCLUDE [apply-to-cloud](includes/apply-to-cloud.md)]
## Introduction
@@ -21,7 +21,7 @@ You may wish to disable the automatic Windows Hello for Business enrollment prom
Cloud only deployments will use Microsoft Entra multifactor authentication (MFA) during Windows Hello for Business enrollment, and there's no additional MFA configuration needed. If you aren't already registered in MFA, you'll be guided through the MFA registration as part of the Windows Hello for Business enrollment process.
-The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#azure-ad-cloud-only-deployment).
+The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](requirements.md#azure-ad-cloud-only-deployment).
It's possible for federated domains to configure the *FederatedIdpMfaBehavior* flag. The flag instructs Microsoft Entra ID to accept, enforce, or reject the MFA challenge from the federated IdP. For more information, see [federatedIdpMfaBehavior values](/graph/api/resources/internaldomainfederation#federatedidpmfabehavior-values). To check this setting, use the following PowerShell command:
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
index 38b871bba1..b20e3a55c4 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
@@ -18,11 +18,11 @@ Windows Hello for Business must have a Public Key Infrastructure (PKI) when usin
Hybrid certificate trust deployments issue users a sign-in certificate, enabling them to authenticate to Active Directory using Windows Hello for Business credentials. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates.
-[!INCLUDE [lab-based-pki-deploy](../includes/lab-based-pki-deploy.md)]
+[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]
## Configure the enterprise PKI
-[!INCLUDE [dc-certificate-template](../includes/dc-certificate-template.md)]
+[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
> [!NOTE]
> Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for Microsoft Entra hybrid joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Microsoft Entra joined devices.
@@ -33,13 +33,13 @@ Hybrid certificate trust deployments issue users a sign-in certificate, enabling
> - Install the root CA certificate in the device's trusted root certificate store. See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune
> - Publish your certificate revocation list to a location that is available to Microsoft Entra joined devices, such as a web-based URL
-[!INCLUDE [dc-certificate-template-supersede](../includes/dc-certificate-supersede.md)]
+[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
-[!INCLUDE [enrollment-agent-certificate-template](../includes/enrollment-agent-certificate-template.md)]
+[!INCLUDE [enrollment-agent-certificate-template](includes/enrollment-agent-certificate-template.md)]
-[!INCLUDE [auth-certificate-template](../includes/auth-certificate-template.md)]
+[!INCLUDE [auth-certificate-template](includes/auth-certificate-template.md)]
-[!INCLUDE [unpublish-superseded-templates](../includes/unpublish-superseded-templates.md)]
+[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
### Publish the certificate templates to the CA
@@ -59,11 +59,11 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
## Configure and deploy certificates to domain controllers
-[!INCLUDE [dc-certificate-deployment](../includes/dc-certificate-deployment.md)]
+[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]
## Validate the configuration
-[!INCLUDE [dc-certificate-validate](../includes/dc-certificate-validate.md)]
+[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
## Section review and next steps
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
index 44cb5bf3a4..1e1abbb130 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
@@ -20,7 +20,7 @@ Hybrid environments are distributed systems that enable organizations to use on-
This deployment guide describes how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
> [!IMPORTANT]
-> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](../hello-hybrid-cloud-kerberos-trust.md).
+> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](../hybrid-clud-kerberos-trust.md).
It's recommended that you review the [Windows Hello for Business planning guide](../hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md
similarity index 99%
rename from windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
rename to windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md
index 7b4394d51f..918d86d832 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md
@@ -8,7 +8,7 @@ ms.topic: tutorial
---
# Configure and provision Windows Hello for Business - cloud Kerberos trust
-[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-cloudkerb-trust.md)]
+[!INCLUDE [hello-hybrid-key-trust](includes/hello-hybrid-cloudkerb-trust.md)]
## Deployment steps
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
similarity index 98%
rename from windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
rename to windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
index 464e918a1e..fb61f15acf 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
@@ -8,7 +8,7 @@ ms.topic: tutorial
---
# Cloud Kerberos trust deployment
-[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-cloudkerb-trust.md)]
+[!INCLUDE [apply-to-hybrid-cloud-kerberos-trust](includes/apply-to-hybrid-cloud-kerberos-trust.md)]
Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in a *cloud Kerberos trust* scenario.
@@ -84,7 +84,7 @@ Once the prerequisites are met, deploying Windows Hello for Business with a clou
> * Provision Windows Hello for Business on Windows clients
> [!div class="nextstepaction"]
-> [Next: configure and provision Windows Hello for Business >](hello-hybrid-cloud-kerberos-trust-provision.md)
+> [Next: configure and provision Windows Hello for Business >](hybrid-clud-kerberos-trust-enroll.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
similarity index 99%
rename from windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md
rename to windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
index dc8d3d3a24..c36e2167e1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
@@ -7,7 +7,7 @@ ms.topic: tutorial
# Configure and enroll in Windows Hello for Business - hybrid key trust
-[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-key-trust.md)]
+[!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)]
After the prerequisites are met and the PKI configuration is validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md
similarity index 98%
rename from windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md
rename to windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md
index f39545b8e8..299039ae2e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
---
# Configure and validate the Public Key Infrastructure - hybrid key trust
-[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-key-trust.md)]
+[!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)]
Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* model. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
@@ -97,7 +97,7 @@ Before moving to the next section, ensure the following steps are complete:
> - Validate the domain controllers configuration
> [!div class="nextstepaction"]
-> [Next: configure and provision Windows Hello for Business >](hello-hybrid-key-trust-provision.md)
+> [Next: configure and provision Windows Hello for Business >](hybrid-key-trust-enroll.md)
[SERV-1]: /troubleshoot/windows-server/windows-security/requirements-domain-controller
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
similarity index 96%
rename from windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
rename to windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
index a0a36f2cc0..ac811a8a9d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
@@ -12,14 +12,14 @@ ms.topic: how-to
---
# Hybrid key trust deployment
-[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-key-trust.md)]
+[!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)]
Hybrid environments are distributed systems that enable organizations to use on-premises and Microsoft Entra protected resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources.
This deployment guide describes how to deploy Windows Hello for Business in a hybrid key trust scenario.
> [!IMPORTANT]
-> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. For more information, see [cloud Kerberos trust deployment](hello-hybrid-cloud-kerberos-trust.md).
+> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. For more information, see [cloud Kerberos trust deployment](hybrid-clud-kerberos-trust.md).
It is recommended that you review the [Windows Hello for Business planning guide](hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.
@@ -94,7 +94,7 @@ Once the prerequisites are met, deploying Windows Hello for Business with a hybr
> * Configure single sign-on (SSO) for Microsoft Entra joined devices
> [!div class="nextstepaction"]
-> [Next: configure and validate the Public Key Infrastructure >](hello-hybrid-key-trust-validate-pki.md)
+> [Next: configure and validate the Public Key Infrastructure >](hybrid-key-trust-pki.md)
[AZ-1]: /azure/active-directory/hybrid/how-to-connect-sync-whatis
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-cloud.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-cloud.md
new file mode 100644
index 0000000000..69c159b0a2
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-cloud.md
@@ -0,0 +1,9 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[!INCLUDE [intro](intro.md)]
+- **Deployment type:** [!INCLUDE [tooltip-deployment-cloud](tooltip-deployment-cloud.md)]
+- **Join type:** [!INCLUDE [tootip-join-entra](tooltip-join-entra.md)]
+---
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust-entra.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust-entra.md
index 97bfdbe297..ce40bf460b 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust-entra.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust-entra.md
@@ -3,8 +3,8 @@ ms.date: 12/15/2023
ms.topic: include
---
-[!INCLUDE [hello-intro](../../includes/hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](../../includes/hello-deployment-hybrid.md)]
+[!INCLUDE [intro](intro.md)]
+- **Deployment type:** [!INCLUDE [tooltip-deployment-hybrid](tooltip-deployment-hybrid.md)]
- **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-cert-trust.md)]
-- **Join type:** [!INCLUDE [hello-join-aadj](../../includes/hello-join-aad.md)]
+- **Join type:** [!INCLUDE [tooltip-join-entra](tooltip-join-entra.md)]
---
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust.md
index 0b5a246fbe..4f8eb7e613 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust.md
@@ -3,8 +3,8 @@ ms.date: 12/15/2023
ms.topic: include
---
-[!INCLUDE [hello-intro](../../includes/hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](../../includes/hello-deployment-hybrid.md)]
-- **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-cert-trust.md)]
-- **Join type:** [!INCLUDE [hello-join-aadj](../../includes/hello-join-aad.md)], [!INCLUDE [hello-join-hybrid](../../includes/hello-join-hybrid.md)]
+[!INCLUDE [intro](intro.md)]
+- **Deployment type:** [!INCLUDE [tooltip-deployment-hybrid](tooltip-deployment-hybrid.md)]
+- **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-trust-cert.md)]
+- **Join type:** [!INCLUDE [tooltip-join-entra](tooltip-join-entra.md)], [!INCLUDE [tooltip-join-hybrid](tooltip-join-hybrid.md)]
---
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cloud-kerberos-trust.md
new file mode 100644
index 0000000000..9fd4c16a63
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cloud-kerberos-trust.md
@@ -0,0 +1,10 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[!INCLUDE [intro](intro.md)]
+- **Deployment type:** [!INCLUDE [tooltip-deployment-hybrid](tooltip-deployment-hybrid.md)]
+- **Trust type:** [!INCLUDE [tooltip-trust-cloud-kerberos](tooltip-trust-cloud-kerberos.md)]
+- **Join type:** [!INCLUDE [tooltip-join-entra](tooltip-join-entra.md)], [!INCLUDE [tooltip-join-hybrid](tooltip-join-hybrid.md)]
+---
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-and-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-and-cert-trust.md
new file mode 100644
index 0000000000..7b367e4025
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-and-cert-trust.md
@@ -0,0 +1,10 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[!INCLUDE [intro](intro.md)]
+- **Deployment type:** [!INCLUDE [tooltip-deployment-hybrid](tooltip-deployment-hybrid.md)]
+- **Trust type:** [!INCLUDE [tooltip-trust-key](tooltip-trust-key.md)],[!INCLUDE [tooltip-cert-trust](../deploy/includes/tooltip-cert-trust.md)]
+- **Join type:** [!INCLUDE [tooltip-join-entra](tooltip-join-entra.md)]
+---
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-trust.md
new file mode 100644
index 0000000000..a74e9ead78
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-trust.md
@@ -0,0 +1,10 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[!INCLUDE [intro](intro.md)]
+- **Deployment type:** [!INCLUDE [tooltip-deployment-hybrid](tooltip-deployment-hybrid.md)]
+- **Trust type:** [!INCLUDE [tooltip-trust-key](tooltip-trust-key.md)]
+- **Join type:** [!INCLUDE [tooltip-join-entra](tooltip-join-entra.md)], [!INCLUDE [tooltip-join-hybrid](tooltip-join-hybrid.md)]
+---
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust-entra.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust-entra.md
index 5f64fba40f..d7a1ab9c2f 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust-entra.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust-entra.md
@@ -3,8 +3,8 @@ ms.date: 12/15/2023
ms.topic: include
---
-[!INCLUDE [hello-intro](../../includes/hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-onpremises](../../includes/hello-deployment-onpremises.md)]
+[!INCLUDE [intro](intro.md)]
+- **Deployment type:** [!INCLUDE [tooltip-deployment-onpremises](tooltip-deployment-onpremises.md)]
- **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-cert-trust.md)]
-- **Join type:** [!INCLUDE [hello-join-domain](../../includes/hello-join-domain.md)]
+- **Join type:** [!INCLUDE [tooltip-join-domain](tooltip-join-domain.md)]
---
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-key-trust.md
new file mode 100644
index 0000000000..1966807ca5
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-key-trust.md
@@ -0,0 +1,10 @@
+---
+ms.date: 12/08/2022
+ms.topic: include
+---
+
+[!INCLUDE [intro](intro.md)]
+- **Deployment type:** [!INCLUDE [tooltip-deployment-onpremises](tooltip-deployment-onpremises.md)]
+- **Trust type:** [!INCLUDE [tooltip-trust-key](tooltip-trust-key.md)]
+- **Join type:** [!INCLUDE [tooltip-join-domain](tooltip-join-domain.md)]
+---
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/includes/auth-certificate-template.md b/windows/security/identity-protection/hello-for-business/deploy/includes/auth-certificate-template.md
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/includes/auth-certificate-template.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/auth-certificate-template.md
diff --git a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-deployment.md b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-deployment.md
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/includes/dc-certificate-deployment.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-deployment.md
diff --git a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-supersede.md b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-supersede.md
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/includes/dc-certificate-supersede.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-supersede.md
diff --git a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-template.md b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-template.md
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/includes/dc-certificate-template.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-template.md
diff --git a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-validate.md b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-validate.md
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/includes/dc-certificate-validate.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-validate.md
diff --git a/windows/security/identity-protection/hello-for-business/includes/enrollment-agent-certificate-template.md b/windows/security/identity-protection/hello-for-business/deploy/includes/enrollment-agent-certificate-template.md
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/includes/enrollment-agent-certificate-template.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/enrollment-agent-certificate-template.md
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/information.svg b/windows/security/identity-protection/hello-for-business/deploy/includes/information.svg
new file mode 100644
index 0000000000..bc692eabb9
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/information.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-intro.md b/windows/security/identity-protection/hello-for-business/deploy/includes/intro.md
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/includes/hello-intro.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/intro.md
diff --git a/windows/security/identity-protection/hello-for-business/includes/lab-based-pki-deploy.md b/windows/security/identity-protection/hello-for-business/deploy/includes/lab-based-pki-deploy.md
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/includes/lab-based-pki-deploy.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/lab-based-pki-deploy.md
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md
new file mode 100644
index 0000000000..dc0a2c315a
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md
@@ -0,0 +1,6 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[cloud :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-deployment "For organizations using Microsoft Entra-only identities. Device management is usually done via Intune/MDM")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md
new file mode 100644
index 0000000000..5df4ec742e
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md
@@ -0,0 +1,6 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[hybrid :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Microsoft Entra ID. Device management is usually done via Group Policy or Intune/MDM")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md
new file mode 100644
index 0000000000..12dfec5f8a
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md
@@ -0,0 +1,6 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[on-premises :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Microsoft Entra ID. Device management is usually done via Group Policy")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md
new file mode 100644
index 0000000000..bb7302821e
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md
@@ -0,0 +1,6 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[domain join :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md
new file mode 100644
index 0000000000..8c5916ead4
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md
@@ -0,0 +1,6 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[Microsoft Entra join :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#azure-active-directory-join "Devices that are Microsoft Entra joined do not have any dependencies on Active Directory. Only local users accounts and Microsoft Entra users can sign in to these devices")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md
new file mode 100644
index 0000000000..e825d14f2d
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md
@@ -0,0 +1,6 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+[Microsoft Entra hybrid join :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are Microsoft Entra hybrid joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Microsoft Entra ID will have single-sign on to both Active Directory and Microsoft Entra protected resources")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-cert-trust.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
new file mode 100644
index 0000000000..4f19945d64
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
@@ -0,0 +1,6 @@
+---
+ms.date: 12/08/2022
+ms.topic: include
+---
+
+[cloud Kerberos trust :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-kerberos-trust "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that do not need certificate authentication")
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
new file mode 100644
index 0000000000..2f901dc761
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
@@ -0,0 +1,6 @@
+---
+ms.date: 12/08/2022
+ms.topic: include
+---
+
+[key trust :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#key-trust "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers")
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/includes/unpublish-superseded-templates.md b/windows/security/identity-protection/hello-for-business/deploy/includes/unpublish-superseded-templates.md
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/includes/unpublish-superseded-templates.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/unpublish-superseded-templates.md
diff --git a/windows/security/identity-protection/hello-for-business/includes/web-server-certificate-template.md b/windows/security/identity-protection/hello-for-business/deploy/includes/web-server-certificate-template.md
similarity index 79%
rename from windows/security/identity-protection/hello-for-business/includes/web-server-certificate-template.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/web-server-certificate-template.md
index 8ba241a5c8..1bde4860fe 100644
--- a/windows/security/identity-protection/hello-for-business/includes/web-server-certificate-template.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/web-server-certificate-template.md
@@ -15,13 +15,13 @@ Sign in to a CA or management workstations with *Domain Administrator* equivalen
1. Use the following table to configure the template:
| Tab Name | Configurations |
- | --- | --- |
- | *Compatibility* |
Clear the **Show resulting changes** check box
Select **Windows Server 2016** from the *Certification Authority list*
Select **Windows 10 / Windows Server 2016** from the *Certification Recipient list*
|
- | *General* |
Specify a **Template display name**, for example *Internal Web Server*
Set the validity period to the desired value
Take note of the template name for later, which should be the same as the Template display name minus spaces
|
+ |--|--|
+ | *Compatibility* |
Clear the **Show resulting changes** check box
Select **Windows Server 2016** from the *Certification Authority list*
Select **Windows 10 / Windows Server 2016** from the *Certification Recipient list*
|
+ | *General* |
Specify a **Template display name**, for example *Internal Web Server*
Set the validity period to the desired value
Take note of the template name for later, which should be the same as the Template display name minus spaces
|
| *Request Handling* | Select **Allow private key to be exported** |
- | *Subject Name* | Select **Supply in the request**|
- |*Security*|Add **Domain Computers** with **Enroll** access|
- |*Cryptography*|
Set the *Provider Category* to **Key Storage Provider**
Set the *Algorithm name* to **RSA**
Set the *minimum key size* to **2048**
Set the *Request hash* to **SHA256**
|
+ | *Subject Name* | Select **Supply in the request** |
+ | *Security* | Add **Domain Computers** with **Enroll** access |
+ | *Cryptography* |
Set the *Provider Category* to **Key Storage Provider**
Set the *Algorithm name* to **RSA**
Set the *minimum key size* to **2048**
Set the *Request hash* to **SHA256**
|
1. Select **OK** to finalize your changes and create the new template
1. Close the console
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/deploy/index.md
similarity index 89%
rename from windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
rename to windows/security/identity-protection/hello-for-business/deploy/index.md
index 97658da366..4f8b485100 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/index.md
@@ -12,7 +12,7 @@ Windows Hello for Business is the springboard to a world without passwords. It r
This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) guide to determine the right deployment model for your organization.
-Once you've chosen a deployment model, the deployment guide for that model will provide you with the information needed to successfully deploy Windows Hello for Business in your environment. Read the [Windows Hello for Business Deployment Prerequisite Overview](hello-identity-verification.md) for a summary of the prerequisites for each different Windows Hello for Business deployment model.
+Once you've chosen a deployment model, the deployment guide for that model will provide you with the information needed to successfully deploy Windows Hello for Business in your environment. Read the [Windows Hello for Business Deployment Prerequisite Overview](requirements.md) for a summary of the prerequisites for each different Windows Hello for Business deployment model.
## Requirements
@@ -44,18 +44,18 @@ The trust model determines how you want users to authenticate to the on-premises
- The certificate trust model also supports enterprises, which aren't ready to deploy Windows Server 2016 Domain Controllers.
> [!NOTE]
-> RDP does not support authentication with Windows Hello for Business Key Trust or cloud Kerberos trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business Key Trust and cloud Kerberos trust can be used with [Remote Credential Guard](../remote-credential-guard.md).
+> RDP does not support authentication with Windows Hello for Business Key Trust or cloud Kerberos trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business Key Trust and cloud Kerberos trust can be used with [Remote Credential Guard](../../remote-credential-guard.md).
Following are the various deployment guides and models included in this topic:
-- [Microsoft Entra hybrid joined cloud Kerberos trust Deployment](hello-hybrid-cloud-kerberos-trust.md)
-- [Microsoft Entra hybrid joined Key Trust Deployment](hello-hybrid-key-trust.md)
-- [Microsoft Entra hybrid joined Certificate Trust Deployment](deploy/hybrid-cert-trust.md)
+- [Microsoft Entra hybrid joined cloud Kerberos trust Deployment](hybrid-clud-kerberos-trust.md)
+- [Microsoft Entra hybrid joined Key Trust Deployment](hybrid-key-trust.md)
+- [Microsoft Entra hybrid joined Certificate Trust Deployment](hybrid-cert-trust.md)
- [Microsoft Entra join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)
-- [On Premises Key Trust Deployment](hello-deployment-key-trust.md)
-- [On Premises Certificate Trust Deployment](deploy/on-premises-cert-trust.md)
+- [On Premises Key Trust Deployment](hybrid-clud-kerberos-trust.md)
+- [On Premises Certificate Trust Deployment](on-premises-cert-trust.md)
-For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you'll need Microsoft Entra Connect to synchronize user accounts in the on-premises Active Directory with Microsoft Entra ID. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials aren't synchronized to Microsoft Entra ID. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](hello-key-trust-validate-deploy-mfa.md) and [for certificate trust](deploy/on-premises-cert-trust-mfa.md) deployments.
+For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you'll need Microsoft Entra Connect to synchronize user accounts in the on-premises Active Directory with Microsoft Entra ID. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials aren't synchronized to Microsoft Entra ID. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](on-premises-key-trust-mfa.md) and [for certificate trust](deploy/on-premises-cert-trust-mfa.md) deployments.
## Provisioning
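Review bot: Two of the rewritten links in this hunk point at files that do not exist under the new names: `hybrid-clud-kerberos-trust.md` on both the cloud Kerberos trust entry and the "On Premises Key Trust Deployment" entry is misspelled (the diffstat renames the page to `hybrid-cloud-kerberos-trust.md`), and the on-premises key trust entry should point at the on-premises guide this commit adds rather than the hybrid page. The two list items should read `- [Microsoft Entra hybrid joined cloud Kerberos trust Deployment](hybrid-cloud-kerberos-trust.md)` and `- [On Premises Key Trust Deployment](on-premises-key-trust.md)`. Since index.md now lives in `deploy/`, the last paragraph's `[for certificate trust](deploy/on-premises-cert-trust-mfa.md)` should presumably drop the `deploy/` prefix, and the unchanged `hello-hybrid-aadj-sso.md` link above it likely needs a `../` prefix as toc.yml already uses. Worth running the docs link checker on this file before merging, as the surrounding text is otherwise unchanged.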
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki.md
index 98f3054069..2c8db04a8f 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki.md
@@ -17,21 +17,21 @@ ms.topic: tutorial
Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate.
-[!INCLUDE [lab-based-pki-deploy](../includes/lab-based-pki-deploy.md)]
+[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]
## Configure the enterprise PKI
-[!INCLUDE [dc-certificate-template](../includes/dc-certificate-template.md)]
+[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
-[!INCLUDE [dc-certificate-template-supersede](../includes/dc-certificate-supersede.md)]
+[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
-[!INCLUDE [web-server-certificate-template](../includes/web-server-certificate-template.md)]
+[!INCLUDE [web-server-certificate-template](includes/web-server-certificate-template.md)]
-[!INCLUDE [enrollment-agent-certificate-template](../includes/enrollment-agent-certificate-template.md)]
+[!INCLUDE [enrollment-agent-certificate-template](includes/enrollment-agent-certificate-template.md)]
-[!INCLUDE [auth-certificate-template](../includes/auth-certificate-template.md)]
+[!INCLUDE [auth-certificate-template](includes/auth-certificate-template.md)]
-[!INCLUDE [unpublish-superseded-templates](../includes/unpublish-superseded-templates.md)]
+[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
### Publish certificate templates to the CA
@@ -50,11 +50,11 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
## Configure and deploy certificates to domain controllers
-[!INCLUDE [dc-certificate-deployment](../includes/dc-certificate-deployment.md)]
+[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]
## Validate the configuration
-[!INCLUDE [dc-certificate-validate](../includes/dc-certificate-validate.md)]
+[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
> [!div class="nextstepaction"]
> [Next: prepare and deploy AD FS >](on-premises-cert-trust-adfs.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
similarity index 99%
rename from windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
rename to windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
index cf93d23831..4446ced825 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
---
# Prepare and deploy Active Directory Federation Services - on-premises key trust
-[!INCLUDE [hello-on-premises-key-trust](./includes/hello-on-premises-key-trust.md)]
+[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS) role included with Windows Server. The on-premises key trust deployment model uses AD FS for *key registration* and *device registration*.
@@ -261,4 +261,4 @@ Before you continue with the deployment, validate your deployment progress by re
> * Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server
> [!div class="nextstepaction"]
-> [Next: validate and deploy multi-factor authentication (MFA)](hello-key-trust-validate-deploy-mfa.md)
+> [Next: validate and deploy multi-factor authentication (MFA)](on-premises-key-trust-mfa.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md
similarity index 99%
rename from windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
rename to windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md
index ed52f1c594..eca8d12e30 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md
@@ -9,7 +9,7 @@ ms.topic: tutorial
---
# Configure Windows Hello for Business group policy settings - on-premises key trust
-[!INCLUDE [hello-on-premises-key-trust](./includes/hello-on-premises-key-trust.md)]
+[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
On-premises key trust deployments of Windows Hello for Business need one Group Policy setting: *Enable Windows Hello for Business*.
The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-mfa.md
similarity index 93%
rename from windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
rename to windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-mfa.md
index 52c64523e9..bcc3c3b497 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-mfa.md
@@ -13,7 +13,7 @@ ms.topic: tutorial
# Validate and deploy multifactor authentication - on-premises key trust
-[!INCLUDE [hello-on-premises-key-trust](./includes/hello-on-premises-key-trust.md)]
+[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
Windows Hello for Business requires users perform multifactor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option:
@@ -29,4 +29,4 @@ For information on available third-party authentication methods see [Configure A
Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
> [!div class="nextstepaction"]
-> [Next: configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
+> [Next: configure Windows Hello for Business Policy settings](on-premises-key-trust-enroll.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md
similarity index 95%
rename from windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
rename to windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md
index ab932d9a99..6d7aef36c5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md
@@ -12,7 +12,7 @@ ms.topic: tutorial
---
# Configure and validate the Public Key Infrastructure - on-premises key trust
-[!INCLUDE [hello-on-premises-key-trust](./includes/hello-on-premises-key-trust.md)]
+[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
@@ -52,4 +52,4 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
> [!div class="nextstepaction"]
-> [Next: prepare and deploy AD FS >](hello-key-trust-adfs.md)
\ No newline at end of file
+> [Next: prepare and deploy AD FS >](on-premises-key-trust-adfs.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
new file mode 100644
index 0000000000..5b0dbd90fa
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
@@ -0,0 +1,35 @@
+---
+title: Windows Hello for Business deployment guide for the on-premises key trust model
+description: Learn how to deploy Windows Hello for Business in an on-premises, key trust model.
+ms.date: 12/12/2022
+ms.topic: tutorial
+---
+
+# Deployment guide overview - on-premises key trust
+
+[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
+
+Windows Hello for Business replaces username and password authentication to Windows with an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in an on-premises environment:
+
+1. [Validate and configure a PKI](on-premises-key-trust-pki.md)
+1. [Prepare and deploy AD FS](on-premises-key-trust-adfs.md)
+1. [Validate and deploy multi-factor authentication (MFA)](on-premises-key-trust-mfa.md)
+1. [Configure Windows Hello for Business Policy settings](on-premises-key-trust-enroll.md)
+
+## Create the Windows Hello for Business Users security group
+
+While this is not a required step, it is recommended to create a security group to simplify the deployment.
+
+The *Windows Hello for Business Users* group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy permissions to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business.
+
+Sign-in to a domain controller or to a management workstation with a *Domain Administrator* equivalent credentials.
+
+1. Open **Active Directory Users and Computers**
+1. Select **View > Advanced Features**
+1. Expand the domain node from the navigation pane
+1. Right-click the **Users** container. Select **New > Group**
+1. Type *Windows Hello for Business Users* in the **Group Name**
+1. Select **OK**
+
+> [!div class="nextstepaction"]
+> [Next: validate and configure PKI >](on-premises-key-trust-pki.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/deploy/requirements.md
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/hello-identity-verification.md
rename to windows/security/identity-protection/hello-for-business/deploy/requirements.md
diff --git a/windows/security/identity-protection/hello-for-business/deploy/toc.yml b/windows/security/identity-protection/hello-for-business/deploy/toc.yml
index 9c556b0e5c..dfeb68e1f8 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/deploy/toc.yml
@@ -1,32 +1,30 @@
items:
- name: Windows Hello for Business deployment overview
- href: ../hello-deployment-guide.md
-- name: Planning a Windows Hello for Business deployment
- href: ../hello-planning-guide.md
+ href: index.md
- name: Deployment prerequisite overview
- href: ../hello-identity-verification.md
+ href: requirements.md
- name: Cloud-only deployment
- href: ../hello-aad-join-cloud-only-deploy.md
+ href: cloud.md
- name: Hybrid deployments
items:
- name: Cloud Kerberos trust deployment
items:
- name: Overview
- href: ../hello-hybrid-cloud-kerberos-trust.md
+ href: hybrid-clud-kerberos-trust.md
displayName: cloud Kerberos trust
- name: Configure and provision Windows Hello for Business
- href: ../hello-hybrid-cloud-kerberos-trust-provision.md
+ href: hybrid-clud-kerberos-trust-enroll.md
displayName: cloud Kerberos trust
- name: Key trust deployment
items:
- name: Overview
- href: ../hello-hybrid-key-trust.md
+ href: hybrid-key-trust.md
displayName: key trust
- name: Configure and validate the PKI
- href: ../hello-hybrid-key-trust-validate-pki.md
+ href: hybrid-key-trust-pki.md
displayName: key trust
- name: Configure and provision Windows Hello for Business
- href: ../hello-hybrid-key-trust-provision.md
+ href: hybrid-key-trust-enroll.md
displayName: key trust
- name: Configure SSO for Microsoft Entra joined devices
href: ../hello-hybrid-aadj-sso.md
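Review bot: The two new cloud Kerberos trust entries point at `hybrid-clud-kerberos-trust.md` and `hybrid-clud-kerberos-trust-enroll.md`, but the files this patch actually creates are `hybrid-cloud-kerberos-trust.md` and `hybrid-cloud-kerberos-trust-enroll.md` (per the diffstat, and per the corrected link in patch 02's hybrid-cert-trust.md hunk), so these TOC nodes resolve to nothing and will fail the docs build's link check. The fix is `href: hybrid-cloud-kerberos-trust.md` and `href: hybrid-cloud-kerberos-trust-enroll.md`. The same misspelled target is carried into the cross-links added to hello-how-it-works-technology.md and hello-planning-guide.md in this patch; patch 02's diffstat touches all three files so it may be corrected there, but as committed the series is not bisectable at patch 01.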
@@ -56,15 +54,15 @@ items:
- name: Key trust deployment
items:
- name: Overview
- href: ../hello-deployment-key-trust.md
+ href: hybrid-clud-kerberos-trust.md
- name: Configure and validate the PKI
- href: ../hello-key-trust-validate-pki.md
+ href: on-premises-key-trust-pki.md
- name: Prepare and deploy Active Directory Federation Services (AD FS)
- href: ../hello-key-trust-adfs.md
+ href: on-premises-key-trust-adfs.md
- name: Validate and deploy multi-factor authentication (MFA) services
- href: ../hello-key-trust-validate-deploy-mfa.md
+ href: on-premises-key-trust-mfa.md
- name: Configure Windows Hello for Business policy settings
- href: ../hello-key-trust-policy-settings.md
+ href: on-premises-key-trust-enroll.md
- name: Certificate trust deployment
items:
- name: Overview
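Review bot: The on-premises key trust `Overview` node is repointed at `hybrid-clud-kerberos-trust.md`, which is both misspelled and the wrong deployment model: this entry replaces the deleted `hello-deployment-key-trust.md` and sits under the on-premises section whose siblings are `on-premises-key-trust-pki.md`, `on-premises-key-trust-adfs.md`, `on-premises-key-trust-mfa.md` and `on-premises-key-trust-enroll.md`. It should reference the new on-premises key trust overview page, presumably `href: on-premises-key-trust.md` given the sibling naming (confirm the exact filename against the full diffstat, which is truncated here). As written, an administrator following the on-premises TOC lands on a hybrid cloud Kerberos guide whose prerequisites (Microsoft Entra Kerberos, identities synchronized to Entra ID) do not apply to a non-synchronized Active Directory environment, which is a misleading starting point for an identity deployment.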
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
deleted file mode 100644
index 56d613052d..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
+++ /dev/null
@@ -1,17 +0,0 @@
----
-title: Windows Hello for Business deployment guide for the on-premises key trust model
-description: Learn how to deploy Windows Hello for Business in an on-premises, key trust model.
-ms.date: 12/12/2022
-ms.topic: tutorial
----
-# Deployment guide overview - on-premises key trust
-
-[!INCLUDE [hello-on-premises-key-trust](./includes/hello-on-premises-key-trust.md)]
-
-Windows Hello for Business replaces username and password authentication to Windows with an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in an on-premises environment::
-
-1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md)
-1. [Validate and configure a PKI](hello-key-trust-validate-pki.md)
-1. [Prepare and deploy AD FS](hello-key-trust-adfs.md)
-1. [Validate and deploy multi-factor authentication (MFA)](hello-key-trust-validate-deploy-mfa.md)
-1. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index be3cce3029..b848b6347e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -131,7 +131,7 @@ Giving the simplicity offered by this model, cloud Kerberos trust is the recomme
### More information about cloud Kerberos trust
-[Cloud Kerberos trust deployment](hello-hybrid-cloud-kerberos-trust.md)
+[Cloud Kerberos trust deployment](hybrid-clud-kerberos-trust.md)
## Deployment type
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index e4c13dae5d..b9a871f8a9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -6,7 +6,7 @@ ms.topic: how-to
---
# Configure single sign-on for Microsoft Entra joined devices
-[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-keycert-trust-aad.md)]
+[!INCLUDE [hello-hybrid-key-trust](includes/hello-hybrid-keycert-trust-aad.md)]
Windows Hello for Business combined with Microsoft Entra joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Microsoft Entra joined devices may need to access these resources. With additional configurations to the hybrid deployment, you can provide single sign-on to on-premises resources for Microsoft Entra joined devices using Windows Hello for Business, using a key or a certificate.
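Review bot: The include path is changed to `includes/hello-hybrid-keycert-trust-aad.md`, but this same patch deletes `includes/hello-hybrid-keycert-trust-aad.md` (the deletion hunk is visible further down), so the include resolves to nothing and the page loses its applies-to banner that tells the reader this guidance is for hybrid key/certificate trust on Entra-joined devices. The diffstat lists a new `deploy/includes/apply-to-hybrid-key-and-cert-trust.md`, which looks like the intended replacement; the line should likely read `[!INCLUDE [apply-to-hybrid-key-and-cert-trust](deploy/includes/apply-to-hybrid-key-and-cert-trust.md)]` — confirm that file's deployment/trust/join tuple matches (hybrid, key + cert trust, Entra join). Patch 02's diffstat also touches this file, so it may be repaired there, but patch 01 on its own leaves a dangling include.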
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
deleted file mode 100644
index 2537513f37..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
+++ /dev/null
@@ -1,35 +0,0 @@
----
-title: Validate Active Directory prerequisites in an on-premises key trust
-description: Validate Active Directory prerequisites when deploying Windows Hello for Business in a key trust model.
-ms.date: 09/07/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
-ms.topic: tutorial
----
-# Validate Active Directory prerequisites - on-premises key trust
-
-[!INCLUDE [hello-on-premises-key-trust](./includes/hello-on-premises-key-trust.md)]
-
-Key trust deployments need an adequate number of domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md) and the [Planning an adequate number of Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section.
-
-The key registration process for the on-premises deployment of Windows Hello for Business requires the Windows Server 2016 Active Directory or later schema.
-
-## Create the Windows Hello for Business Users security group
-
-The *Windows Hello for Business Users* group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy permissions to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business.
-
-Sign-in to a domain controller or to a management workstation with a *Domain Administrator* equivalent credentials.
-
-1. Open **Active Directory Users and Computers**
-1. Select **View > Advanced Features**
-1. Expand the domain node from the navigation pane
-1. Right-click the **Users** container. Select **New > Group**
-1. Type *Windows Hello for Business Users* in the **Group Name**
-1. Select **OK**
-
-> [!div class="nextstepaction"]
-> [Next: validate and configure PKI >](hello-key-trust-validate-pki.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 459d5a8f44..6dfedc9c3e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -82,7 +82,7 @@ It's fundamentally important to understand which deployment model to use for a s
A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust.
> [!NOTE]
-> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](hello-hybrid-cloud-kerberos-trust.md).
+> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](hybrid-clud-kerberos-trust.md).
The key trust type doesn't require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-cloud.md b/windows/security/identity-protection/hello-for-business/includes/hello-cloud.md
deleted file mode 100644
index 59fb36a4d6..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-cloud.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[!INCLUDE [hello-intro](hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-cloud](hello-deployment-cloud.md)]
-- **Join type:** [!INCLUDE [hello-join-aad](hello-join-aad.md)]
----
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md
deleted file mode 100644
index dce66d7d01..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[cloud :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#cloud-deployment "For organizations using Microsoft Entra-only identities. Device management is usually done via Intune/MDM")
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md
deleted file mode 100644
index 1c5a745e8c..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[hybrid :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Microsoft Entra ID. Device management is usually done via Group Policy or Intune/MDM")
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md
deleted file mode 100644
index 1cc478a8b9..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[on-premises :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Microsoft Entra ID. Device management is usually done via Group Policy")
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cloudkerb-trust.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cloudkerb-trust.md
deleted file mode 100644
index d67281a719..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cloudkerb-trust.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[!INCLUDE [hello-intro](hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)]
-- **Trust type:** [!INCLUDE [hello-trust-cloud-kerberos](hello-trust-cloud-kerberos.md)]
-- **Join type:** [!INCLUDE [hello-join-aadj](hello-join-aad.md)], [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)]
----
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust.md
deleted file mode 100644
index 6a011daa04..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[!INCLUDE [hello-intro](hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)]
-- **Trust type:** [!INCLUDE [hello-trust-key](hello-trust-key.md)]
-- **Join type:** [!INCLUDE [hello-join-aadj](hello-join-aad.md)], [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)]
----
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-keycert-trust-aad.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-keycert-trust-aad.md
deleted file mode 100644
index 1ffe6b9343..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-keycert-trust-aad.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[!INCLUDE [hello-intro](hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)]
-- **Trust type:** [!INCLUDE [hello-trust-key](hello-trust-key.md)],[!INCLUDE [tooltip-cert-trust](../deploy/includes/tooltip-cert-trust.md)]
-- **Join type:** [!INCLUDE [hello-join-aadj](hello-join-aad.md)]
----
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md b/windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md
deleted file mode 100644
index e0d8d9d793..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[Microsoft Entra join :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#azure-active-directory-join "Devices that are Microsoft Entra joined do not have any dependencies on Active Directory. Only local users accounts and Microsoft Entra users can sign in to these devices")
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-join-domain.md b/windows/security/identity-protection/hello-for-business/includes/hello-join-domain.md
deleted file mode 100644
index 618568cbb7..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-join-domain.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[domain join :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md)
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md b/windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md
deleted file mode 100644
index 9f10afb700..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-[Microsoft Entra hybrid join :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are Microsoft Entra hybrid joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Microsoft Entra ID will have single-sign on to both Active Directory and Microsoft Entra protected resources")
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-on-premises-key-trust.md b/windows/security/identity-protection/hello-for-business/includes/hello-on-premises-key-trust.md
deleted file mode 100644
index ef66939cb2..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-on-premises-key-trust.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[!INCLUDE [hello-intro](hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-onpremises](hello-deployment-onpremises.md)]
-- **Trust type:** [!INCLUDE [hello-trust-key](hello-trust-key.md)]
-- **Join type:** [!INCLUDE [hello-join-domain](hello-join-domain.md)]
----
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-trust-cloud-kerberos.md b/windows/security/identity-protection/hello-for-business/includes/hello-trust-cloud-kerberos.md
deleted file mode 100644
index fa465e241c..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-trust-cloud-kerberos.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[cloud Kerberos trust :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#cloud-kerberos-trust "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that do not need certificate authentication")
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-trust-key.md b/windows/security/identity-protection/hello-for-business/includes/hello-trust-key.md
deleted file mode 100644
index 3e4bdecccc..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-trust-key.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[key trust :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#key-trust "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers")
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
index 40b101f937..61aa6291c3 100644
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -10,6 +10,8 @@ items:
href: hello-biometrics-in-enterprise.md
- name: How Windows Hello for Business works
href: hello-how-it-works.md
+- name: Plan a Windows Hello for Business deployment
+ href: hello-planning-guide.md
- name: Deployment guides
href: deploy/toc.yml
- name: How-to Guides
From 02b5c136961b45749854fcc6000b678164b0b862 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Fri, 15 Dec 2023 18:16:19 -0500
Subject: [PATCH 02/13] updates
---
.../hello-for-business/deploy/cloud.md | 2 +-
.../deploy/hybrid-cert-trust-enroll.md | 10 ++++----
.../deploy/hybrid-cert-trust.md | 2 +-
.../hybrid-cloud-kerberos-trust-enroll.md | 12 ++++-----
.../deploy/hybrid-cloud-kerberos-trust.md | 2 +-
.../deploy/hybrid-key-trust-enroll.md | 10 ++++----
.../deploy/hybrid-key-trust.md | 4 +--
.../images/adfs-device-registration.png | Bin
.../{ => deploy}/images/adfs-scp.png | Bin
.../images/azuread-kerberos-object.png | Bin
.../images/cloud-trust-prereq-check.png | Bin
.../deploy/images/group-policy.svg | 3 +++
.../images/haadj-whfb-pin-provisioning.gif | Bin
.../images/hello-cloud-trust-intune-large.png | Bin
.../images/hello-cloud-trust-intune.png | Bin
.../images/hello-internal-web-server-cert.png | Bin
.../{includes => images}/information.svg | 0
.../deploy/images/intune.svg | 24 ++++++++++++++++++
...-intune-account-protection-cert-enable.png | Bin
.../whfb-intune-account-protection-enable.png | Bin
.../images/whfb-intune-disable.png | Bin
.../apply-to-hybrid-cert-trust-entra.md | 2 +-
.../apply-to-hybrid-key-and-cert-trust.md | 2 +-
.../apply-to-on-premises-cert-trust-entra.md | 2 +-
.../includes/tooltip-deployment-cloud.md | 2 +-
.../includes/tooltip-deployment-hybrid.md | 2 +-
.../includes/tooltip-deployment-onpremises.md | 2 +-
.../deploy/includes/tooltip-join-domain.md | 2 +-
.../deploy/includes/tooltip-join-entra.md | 2 +-
.../deploy/includes/tooltip-join-hybrid.md | 2 +-
.../deploy/includes/tooltip-trust-cert.md | 2 +-
.../includes/tooltip-trust-cloud-kerberos.md | 2 +-
.../deploy/includes/tooltip-trust-key.md | 2 +-
.../hello-for-business/deploy/index.md | 6 ++---
.../deploy/on-premises-cert-trust-adfs.md | 6 ++---
.../hello-for-business/deploy/toc.yml | 6 ++---
.../hello-biometrics-in-enterprise.md | 2 +-
.../hello-how-it-works-technology.md | 4 +--
.../hello-for-business/hello-how-it-works.md | 2 +-
.../hello-hybrid-aadj-sso.md | 4 +--
.../hello-planning-guide.md | 2 +-
.../hello-prepare-people-to-use.md | 2 +-
.../passwordless-strategy.md | 2 +-
43 files changed, 78 insertions(+), 51 deletions(-)
rename windows/security/identity-protection/hello-for-business/{ => deploy}/images/adfs-device-registration.png (100%)
rename windows/security/identity-protection/hello-for-business/{ => deploy}/images/adfs-scp.png (100%)
rename windows/security/identity-protection/hello-for-business/{ => deploy}/images/azuread-kerberos-object.png (100%)
rename windows/security/identity-protection/hello-for-business/{ => deploy}/images/cloud-trust-prereq-check.png (100%)
create mode 100644 windows/security/identity-protection/hello-for-business/deploy/images/group-policy.svg
rename windows/security/identity-protection/hello-for-business/{ => deploy}/images/haadj-whfb-pin-provisioning.gif (100%)
rename windows/security/identity-protection/hello-for-business/{ => deploy}/images/hello-cloud-trust-intune-large.png (100%)
rename windows/security/identity-protection/hello-for-business/{ => deploy}/images/hello-cloud-trust-intune.png (100%)
rename windows/security/identity-protection/hello-for-business/{ => deploy}/images/hello-internal-web-server-cert.png (100%)
rename windows/security/identity-protection/hello-for-business/deploy/{includes => images}/information.svg (100%)
create mode 100644 windows/security/identity-protection/hello-for-business/deploy/images/intune.svg
rename windows/security/identity-protection/hello-for-business/{ => deploy}/images/whfb-intune-account-protection-cert-enable.png (100%)
rename windows/security/identity-protection/hello-for-business/{ => deploy}/images/whfb-intune-account-protection-enable.png (100%)
rename windows/security/identity-protection/hello-for-business/{ => deploy}/images/whfb-intune-disable.png (100%)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/cloud.md b/windows/security/identity-protection/hello-for-business/deploy/cloud.md
index d2695cb7eb..dfbd20da90 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/cloud.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/cloud.md
@@ -54,7 +54,7 @@ The following method explains how to disable Windows Hello for Business enrollme
When disabled, users can't provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business.
> [!NOTE]
-> This policy is only applied during new device enrollments. For currently enrolled devices, you can [set the same settings in a device configuration policy](hello-manage-in-organization.md).
+> This policy is only applied during new device enrollments. For currently enrolled devices, you can [set the same settings in a device configuration policy](../hello-manage-in-organization.md).
## Disable Windows Hello for Business enrollment without Intune
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
index 1cf3d29281..da2bb39379 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
@@ -19,7 +19,7 @@ ms.topic: tutorial
After the prerequisites are met and the PKI and AD FS configurations are validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
-# [:::image type="icon" source="../../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
+# [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo)
> [!IMPORTANT]
> The information in this section applies to Microsoft Entra hybrid joined devices only.
@@ -96,7 +96,7 @@ The application of Group Policy object uses security group filtering. This solut
Users (or devices) must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business. You can provide users with these settings and permissions by adding members to the *Windows Hello for Business Users* group. Users and groups who aren't members of this group won't attempt to enroll for Windows Hello for Business.
-# [:::image type="icon" source="../../../images/icons/intune.svg"::: **Intune**](#tab/intune)
+# [:::image type="icon" source="images/intune.svg"::: **Intune**](#tab/intune)
## Configure Windows Hello for Business using Microsoft Intune
@@ -129,7 +129,7 @@ To check the Windows Hello for Business policy applied at enrollment time:
1. Select **Windows Hello for Business**
1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured
-:::image type="content" source="../images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="../images/whfb-intune-disable.png":::
+:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="images/whfb-intune-disable.png":::
If the tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to create a policy using an *account protection* policy.
@@ -152,7 +152,7 @@ To configure Windows Hello for Business using an *account protection* policy:
1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
1. Review the policy configuration and select **Create**
-:::image type="content" source="../images/whfb-intune-account-protection-cert-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="../images/whfb-intune-account-protection-cert-enable.png":::
+:::image type="content" source="images/whfb-intune-account-protection-cert-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-cert-enable.png":::
---
@@ -172,7 +172,7 @@ This is the process that occurs after a user signs in, to enroll in Windows Hell
1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Microsoft Entra ID to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and see their desktop. While the user has completed provisioning, Microsoft Entra Connect synchronizes the user's key to Active Directory
-:::image type="content" source="../images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business.":::
+:::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business.":::
> [!IMPORTANT]
> The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889).
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
index 1e1abbb130..36eb5fa683 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
@@ -20,7 +20,7 @@ Hybrid environments are distributed systems that enable organizations to use on-
This deployment guide describes how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
> [!IMPORTANT]
-> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](../hybrid-clud-kerberos-trust.md).
+> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](../hybrid-cloud-kerberos-trust.md).
It's recommended that you review the [Windows Hello for Business planning guide](../hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.
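Review bot: The corrected link on the added line still looks wrong in its directory component: `../hybrid-cloud-kerberos-trust.md` resolves one level above `deploy/`, but this patch places `hybrid-cloud-kerberos-trust.md` inside `deploy/` (see the file header for that document later in the patch), and the equivalent line in `hybrid-key-trust.md` in this same patch uses the bare filename. If that file lives alongside this one, the line should read `[cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md)`. Worth confirming with a link-check build before merge.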
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md
index 918d86d832..da843f036d 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md
@@ -8,7 +8,7 @@ ms.topic: tutorial
---
# Configure and provision Windows Hello for Business - cloud Kerberos trust
-[!INCLUDE [hello-hybrid-key-trust](includes/hello-hybrid-cloudkerb-trust.md)]
+[!INCLUDE [apply-to-hybrid-cloud-kerberos-trust](includes/apply-to-hybrid-cloud-kerberos-trust.md)]
## Deployment steps
@@ -29,7 +29,7 @@ If you haven't deployed Microsoft Entra Kerberos, follow the instructions in the
After setting up the Microsoft Entra Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
-#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
+#### [:::image type="icon" source="images/intune.svg"::: **Intune**](#tab/intune)
For devices managed by Intune, you can use Intune policies to configure Windows Hello for Business.
@@ -68,7 +68,7 @@ To configure Windows Hello for Business using an account protection policy:
1. Specify a **Name** and, optionally, a **Description** > **Next**.
1. Under **Block Windows Hello for Business**, select **Disabled** and multiple policies become available.
- These policies are optional to configure, but it's recommended to configure **Enable to use a Trusted Platform Module (TPM)** to **Yes**.
- - For more information about these policies, see [MDM policy settings for Windows Hello for Business](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business).
+ - For more information about these policies, see [MDM policy settings for Windows Hello for Business](../hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business).
1. Under **Enable to certificate for on-premises resources**, select **Not configured**
1. Select **Next**.
1. Optionally, add **scope tags** and select **Next**.
@@ -107,7 +107,7 @@ To configure the cloud Kerberos trust policy:
1. Assign the policy to a security group that contains as members the devices or users that you want to configure.
-#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
+#### [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo)
Microsoft Entra hybrid joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business.
@@ -118,7 +118,7 @@ You can configure the Enable Windows Hello for Business Group Policy setting for
Cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration.
> [!NOTE]
-> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune][MEM-1] and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources).
+> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune][MEM-1] and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources).
#### Update administrative templates
@@ -199,7 +199,7 @@ If you deployed Windows Hello for Business using the certificate trust model, an
## Frequently Asked Questions
-For a list of frequently asked questions about Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business Frequently Asked Questions](hello-faq.yml#cloud-kerberos-trust).
+For a list of frequently asked questions about Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business Frequently Asked Questions](../hello-faq.yml#cloud-kerberos-trust).
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
index fb61f15acf..f6e7a28d29 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
@@ -84,7 +84,7 @@ Once the prerequisites are met, deploying Windows Hello for Business with a clou
> * Provision Windows Hello for Business on Windows clients
> [!div class="nextstepaction"]
-> [Next: configure and provision Windows Hello for Business >](hybrid-clud-kerberos-trust-enroll.md)
+> [Next: configure and provision Windows Hello for Business >](hybrid-cloud-kerberos-trust-enroll.md)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
index c36e2167e1..f334ccb78a 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
@@ -11,7 +11,7 @@ ms.topic: tutorial
After the prerequisites are met and the PKI configuration is validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
-#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
+#### [:::image type="icon" source="images/intune.svg"::: **Intune**](#tab/intune)
## Configure Windows Hello for Business using Microsoft Intune
@@ -54,7 +54,7 @@ To configure Windows Hello for Business using an *account protection* policy:
1. Specify a **Name** and, optionally, a **Description** > **Next**
1. Under *Block Windows Hello for Business*, select **Disabled** and multiple policies become available
- These policies are optional to configure, but it's recommended to configure *Enable to use a Trusted Platform Module (TPM)* to **Yes**
- - For more information about these policies, see [MDM policy settings for Windows Hello for Business](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business)
+ - For more information about these policies, see [MDM policy settings for Windows Hello for Business](../hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business)
1. Select **Next**
1. Optionally, add *scope tags* > **Next**
1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
@@ -62,7 +62,7 @@ To configure Windows Hello for Business using an *account protection* policy:
:::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-enable.png":::
-#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
+#### [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo)
## Configure Windows Hello for Business using group policies
@@ -72,7 +72,7 @@ It's suggested to create a security group (for example, *Windows Hello for Busin
The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory
> [!NOTE]
-> If you deployed Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources)
+> If you deployed Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources)
### Enable Windows Hello for Business group policy setting
@@ -101,7 +101,7 @@ Sign-in a domain controller or management workstations with *Domain Admin* equiv
> [!NOTE]
> Windows Hello for Business can be configured using different policies. These policies are optional to configure, but it's recommended to enable *Use a hardware security device*.
>
-> For more information about these policies, see [Group Policy settings for Windows Hello for Business](hello-manage-in-organization.md#group-policy-settings-for-windows-hello-for-business).
+> For more information about these policies, see [Group Policy settings for Windows Hello for Business](../hello-manage-in-organization.md#group-policy-settings-for-windows-hello-for-business).
### Configure security for GPO
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
index ac811a8a9d..2b0ec7021d 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
@@ -19,9 +19,9 @@ Hybrid environments are distributed systems that enable organizations to use on-
This deployment guide describes how to deploy Windows Hello for Business in a hybrid key trust scenario.
> [!IMPORTANT]
-> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. For more information, see [cloud Kerberos trust deployment](hybrid-clud-kerberos-trust.md).
+> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. For more information, see [cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md).
-It is recommended that you review the [Windows Hello for Business planning guide](hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.
+It is recommended that you review the [Windows Hello for Business planning guide](../hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.
## Prerequisites
diff --git a/windows/security/identity-protection/hello-for-business/images/adfs-device-registration.png b/windows/security/identity-protection/hello-for-business/deploy/images/adfs-device-registration.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/adfs-device-registration.png
rename to windows/security/identity-protection/hello-for-business/deploy/images/adfs-device-registration.png
diff --git a/windows/security/identity-protection/hello-for-business/images/adfs-scp.png b/windows/security/identity-protection/hello-for-business/deploy/images/adfs-scp.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/adfs-scp.png
rename to windows/security/identity-protection/hello-for-business/deploy/images/adfs-scp.png
diff --git a/windows/security/identity-protection/hello-for-business/images/azuread-kerberos-object.png b/windows/security/identity-protection/hello-for-business/deploy/images/azuread-kerberos-object.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/azuread-kerberos-object.png
rename to windows/security/identity-protection/hello-for-business/deploy/images/azuread-kerberos-object.png
diff --git a/windows/security/identity-protection/hello-for-business/images/cloud-trust-prereq-check.png b/windows/security/identity-protection/hello-for-business/deploy/images/cloud-trust-prereq-check.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/cloud-trust-prereq-check.png
rename to windows/security/identity-protection/hello-for-business/deploy/images/cloud-trust-prereq-check.png
diff --git a/windows/security/identity-protection/hello-for-business/deploy/images/group-policy.svg b/windows/security/identity-protection/hello-for-business/deploy/images/group-policy.svg
new file mode 100644
index 0000000000..ace95add6b
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/images/group-policy.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/images/haadj-whfb-pin-provisioning.gif b/windows/security/identity-protection/hello-for-business/deploy/images/haadj-whfb-pin-provisioning.gif
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/haadj-whfb-pin-provisioning.gif
rename to windows/security/identity-protection/hello-for-business/deploy/images/haadj-whfb-pin-provisioning.gif
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-cloud-trust-intune-large.png b/windows/security/identity-protection/hello-for-business/deploy/images/hello-cloud-trust-intune-large.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/hello-cloud-trust-intune-large.png
rename to windows/security/identity-protection/hello-for-business/deploy/images/hello-cloud-trust-intune-large.png
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-cloud-trust-intune.png b/windows/security/identity-protection/hello-for-business/deploy/images/hello-cloud-trust-intune.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/hello-cloud-trust-intune.png
rename to windows/security/identity-protection/hello-for-business/deploy/images/hello-cloud-trust-intune.png
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-internal-web-server-cert.png b/windows/security/identity-protection/hello-for-business/deploy/images/hello-internal-web-server-cert.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/hello-internal-web-server-cert.png
rename to windows/security/identity-protection/hello-for-business/deploy/images/hello-internal-web-server-cert.png
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/information.svg b/windows/security/identity-protection/hello-for-business/deploy/images/information.svg
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/deploy/includes/information.svg
rename to windows/security/identity-protection/hello-for-business/deploy/images/information.svg
diff --git a/windows/security/identity-protection/hello-for-business/deploy/images/intune.svg b/windows/security/identity-protection/hello-for-business/deploy/images/intune.svg
new file mode 100644
index 0000000000..6e0d938aed
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/images/intune.svg
@@ -0,0 +1,24 @@
+
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-intune-account-protection-cert-enable.png b/windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-cert-enable.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/whfb-intune-account-protection-cert-enable.png
rename to windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-cert-enable.png
diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-intune-account-protection-enable.png b/windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-enable.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/whfb-intune-account-protection-enable.png
rename to windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-enable.png
diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-intune-disable.png b/windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-disable.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/whfb-intune-disable.png
rename to windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-disable.png
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust-entra.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust-entra.md
index ce40bf460b..31073eae23 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust-entra.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust-entra.md
@@ -5,6 +5,6 @@ ms.topic: include
[!INCLUDE [intro](intro.md)]
- **Deployment type:** [!INCLUDE [tooltip-deployment-hybrid](tooltip-deployment-hybrid.md)]
-- **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-cert-trust.md)]
+- **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-trust-cert.md)]
- **Join type:** [!INCLUDE [tooltip-join-entra](tooltip-join-entra.md)]
---
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-and-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-and-cert-trust.md
index 7b367e4025..2ad97beb62 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-and-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-and-cert-trust.md
@@ -5,6 +5,6 @@ ms.topic: include
[!INCLUDE [intro](intro.md)]
- **Deployment type:** [!INCLUDE [tooltip-deployment-hybrid](tooltip-deployment-hybrid.md)]
-- **Trust type:** [!INCLUDE [tooltip-trust-key](tooltip-trust-key.md)],[!INCLUDE [tooltip-cert-trust](../deploy/includes/tooltip-cert-trust.md)]
+- **Trust type:** [!INCLUDE [tooltip-trust-key](tooltip-trust-key.md)],[!INCLUDE [tooltip-cert-trust](../deploy/includes/tooltip-trust-cert.md)]
- **Join type:** [!INCLUDE [tooltip-join-entra](tooltip-join-entra.md)]
---
\ No newline at end of file
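Review bot: The renamed include on the new side keeps the old `../deploy/includes/` prefix, which from `deploy/includes/apply-to-hybrid-key-and-cert-trust.md` resolves to `deploy/deploy/includes/` and does not appear to exist; the sibling `tooltip-trust-key` and `tooltip-join-entra` includes on adjacent lines use the bare filename. Suggested line: `- **Trust type:** [!INCLUDE [tooltip-trust-key](tooltip-trust-key.md)],[!INCLUDE [tooltip-cert-trust](tooltip-trust-cert.md)]`. The include label `tooltip-cert-trust` no longer matches the file name, which is cosmetic but could be aligned at the same time.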
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust-entra.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust-entra.md
index d7a1ab9c2f..e3c6bad7b3 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust-entra.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust-entra.md
@@ -5,6 +5,6 @@ ms.topic: include
[!INCLUDE [intro](intro.md)]
- **Deployment type:** [!INCLUDE [tooltip-deployment-onpremises](tooltip-deployment-onpremises.md)]
-- **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-cert-trust.md)]
+- **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-trust-cert.md)]
- **Join type:** [!INCLUDE [tooltip-join-domain](tooltip-join-domain.md)]
---
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md
index dc0a2c315a..b944355d1a 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md
@@ -3,4 +3,4 @@ ms.date: 12/15/2023
ms.topic: include
---
-[cloud :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-deployment "For organizations using Microsoft Entra-only identities. Device management is usually done via Intune/MDM")
+[cloud :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-deployment "For organizations using Microsoft Entra-only identities. Device management is usually done via Intune/MDM")
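Review bot: The new icon path `source="..images/information.svg"` is missing the separator after the parent-directory token, so it names a sibling directory literally called `..images` rather than `../images`; given that this patch moves `information.svg` from `deploy/includes/` to `deploy/images/`, the include (which stays in `deploy/includes/`) should reference `source="../images/information.svg"`. The same typo is repeated on the new side of every tooltip include in this patch: `tooltip-deployment-hybrid.md`, `tooltip-deployment-onpremises.md`, `tooltip-join-domain.md`, `tooltip-join-entra.md`, `tooltip-join-hybrid.md`, `tooltip-trust-cert.md`, `tooltip-trust-cloud-kerberos.md` and `tooltip-trust-key.md`. Since these includes are pulled into every deployment guide, a broken icon path will surface as a build warning or missing image across all of them rather than in one page.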
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md
index 5df4ec742e..4247fc5667 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md
@@ -3,4 +3,4 @@ ms.date: 12/15/2023
ms.topic: include
---
-[hybrid :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Microsoft Entra ID. Device management is usually done via Group Policy or Intune/MDM")
+[hybrid :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Microsoft Entra ID. Device management is usually done via Group Policy or Intune/MDM")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md
index 12dfec5f8a..620e12c556 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md
@@ -3,4 +3,4 @@ ms.date: 12/15/2023
ms.topic: include
---
-[on-premises :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Microsoft Entra ID. Device management is usually done via Group Policy")
+[on-premises :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Microsoft Entra ID. Device management is usually done via Group Policy")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md
index bb7302821e..ef02364191 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md
@@ -3,4 +3,4 @@ ms.date: 12/15/2023
ms.topic: include
---
-[domain join :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md)
+[domain join :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md
index 8c5916ead4..bcb2249f0a 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md
@@ -3,4 +3,4 @@ ms.date: 12/15/2023
ms.topic: include
---
-[Microsoft Entra join :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#azure-active-directory-join "Devices that are Microsoft Entra joined do not have any dependencies on Active Directory. Only local users accounts and Microsoft Entra users can sign in to these devices")
+[Microsoft Entra join :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#azure-active-directory-join "Devices that are Microsoft Entra joined do not have any dependencies on Active Directory. Only local users accounts and Microsoft Entra users can sign in to these devices")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md
index e825d14f2d..515f955fed 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md
@@ -3,4 +3,4 @@ ms.date: 12/15/2023
ms.topic: include
---
-[Microsoft Entra hybrid join :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are Microsoft Entra hybrid joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Microsoft Entra ID will have single-sign on to both Active Directory and Microsoft Entra protected resources")
+[Microsoft Entra hybrid join :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are Microsoft Entra hybrid joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Microsoft Entra ID will have single-sign on to both Active Directory and Microsoft Entra protected resources")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md
index 191890e588..f4723af8a0 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md
@@ -3,4 +3,4 @@ ms.date: 12/15/2023
ms.topic: include
---
-[certificate trust :::image type="icon" source="../../../../images/icons/information.svg" border="false":::](../../hello-how-it-works-technology.md#certificate-trust "This trust type uses a certificate to authenticate the users to Active Directory. It's required to issue certificates to the users and to the domain controllers")
\ No newline at end of file
+[certificate trust :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#certificate-trust "This trust type uses a certificate to authenticate the users to Active Directory. It's required to issue certificates to the users and to the domain controllers")
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
index 4f19945d64..35ebb35bef 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
@@ -3,4 +3,4 @@ ms.date: 12/08/2022
ms.topic: include
---
-[cloud Kerberos trust :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-kerberos-trust "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that do not need certificate authentication")
\ No newline at end of file
+[cloud Kerberos trust :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-kerberos-trust "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that do not need certificate authentication")
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
index 2f901dc761..da9675a1b8 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
@@ -3,4 +3,4 @@ ms.date: 12/08/2022
ms.topic: include
---
-[key trust :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#key-trust "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers")
\ No newline at end of file
+[key trust :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#key-trust "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers")
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/index.md b/windows/security/identity-protection/hello-for-business/deploy/index.md
index 4f8b485100..1ac0f82f03 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/index.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/index.md
@@ -10,7 +10,7 @@ appliesto:
Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair.
-This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) guide to determine the right deployment model for your organization.
+This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](../hello-planning-guide.md) guide to determine the right deployment model for your organization.
Once you've chosen a deployment model, the deployment guide for that model will provide you with the information needed to successfully deploy Windows Hello for Business in your environment. Read the [Windows Hello for Business Deployment Prerequisite Overview](requirements.md) for a summary of the prerequisites for each different Windows Hello for Business deployment model.
@@ -48,11 +48,11 @@ The trust model determines how you want users to authenticate to the on-premises
Following are the various deployment guides and models included in this topic:
-- [Microsoft Entra hybrid joined cloud Kerberos trust Deployment](hybrid-clud-kerberos-trust.md)
+- [Microsoft Entra hybrid joined cloud Kerberos trust Deployment](hybrid-cloud-kerberos-trust.md)
- [Microsoft Entra hybrid joined Key Trust Deployment](hybrid-key-trust.md)
- [Microsoft Entra hybrid joined Certificate Trust Deployment](hybrid-cert-trust.md)
- [Microsoft Entra join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)
-- [On Premises Key Trust Deployment](hybrid-clud-kerberos-trust.md)
+- [On Premises Key Trust Deployment](hybrid-cloud-kerberos-trust.md)
- [On Premises Certificate Trust Deployment](on-premises-cert-trust.md)
For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you'll need Microsoft Entra Connect to synchronize user accounts in the on-premises Active Directory with Microsoft Entra ID. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials aren't synchronized to Microsoft Entra ID. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](on-premises-key-trust-mfa.md) and [for certificate trust](deploy/on-premises-cert-trust-mfa.md) deployments.
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
index 53fa558172..265478462d 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
@@ -52,7 +52,7 @@ Sign-in the federation server with *domain administrator* equivalent credentials
1. Select **Next** on the **Select Certificate Enrollment Policy** page
1. On the **Request Certificates** page, select the **Internal Web Server** check box
1. Select the **⚠️ More information is required to enroll for this certificate. Click here to configure settings** link
- :::image type="content" source="../images/hello-internal-web-server-cert.png" lightbox="../images/hello-internal-web-server-cert.png" alt-text="Example of Certificate Properties Subject Tab - This is what shows when you select the above link.":::
+ :::image type="content" source="images/hello-internal-web-server-cert.png" lightbox="images/hello-internal-web-server-cert.png" alt-text="Example of Certificate Properties Subject Tab - This is what shows when you select the above link.":::
1. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the AD FS role and then select **Add**
1. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name that you will use for your federation services (*sts.corp.contoso.com*). The name you use here MUST match the name you use when configuring the AD FS server role. Select **Add** and **OK** when finished
1. Select **Enroll**
@@ -161,11 +161,11 @@ Sign-in to the federation server with *Enterprise Administrator* equivalent cred
1. In the details pane, select **Configure device registration**
1. In the **Configure Device Registration** dialog, Select **OK**
-:::image type="content" source="../images/adfs-device-registration.png" lightbox="../images/adfs-device-registration.png" alt-text="AD FS device registration: configuration of the service connection point.":::
+:::image type="content" source="images/adfs-device-registration.png" lightbox="images/adfs-device-registration.png" alt-text="AD FS device registration: configuration of the service connection point.":::
Triggering device registration from AD FS, creates the service connection point (SCP) in the Active Directory configuration partition. The SCP is used to store the device registration information that Windows clients will automatically discover.
-:::image type="content" source="../images/adfs-scp.png" lightbox="../images/adfs-scp.png" alt-text="AD FS device registration: service connection point object created by AD FS.":::
+:::image type="content" source="images/adfs-scp.png" lightbox="images/adfs-scp.png" alt-text="AD FS device registration: service connection point object created by AD FS.":::
## Review to validate the AD FS and Active Directory configuration
diff --git a/windows/security/identity-protection/hello-for-business/deploy/toc.yml b/windows/security/identity-protection/hello-for-business/deploy/toc.yml
index dfeb68e1f8..87ab1eb026 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/deploy/toc.yml
@@ -10,10 +10,10 @@ items:
- name: Cloud Kerberos trust deployment
items:
- name: Overview
- href: hybrid-clud-kerberos-trust.md
+ href: hybrid-cloud-kerberos-trust.md
displayName: cloud Kerberos trust
- name: Configure and provision Windows Hello for Business
- href: hybrid-clud-kerberos-trust-enroll.md
+ href: hybrid-cloud-kerberos-trust-enroll.md
displayName: cloud Kerberos trust
- name: Key trust deployment
items:
@@ -54,7 +54,7 @@ items:
- name: Key trust deployment
items:
- name: Overview
- href: hybrid-clud-kerberos-trust.md
+ href: hybrid-cloud-kerberos-trust.md
- name: Configure and validate the PKI
href: on-premises-key-trust-pki.md
- name: Prepare and deploy Active Directory Federation Services (AD FS)
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
index 9067db991e..0a441f9e0c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -80,7 +80,7 @@ To use Iris authentication, you'll need a [HoloLens 2 device](/hololens/). All H
## Related topics
-- [Windows Hello for Business](hello-identity-verification.md)
+- [Windows Hello for Business](requirements.md)
- [How Windows Hello for Business works](hello-how-it-works.md)
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index b848b6347e..481b9e8a63 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -106,7 +106,7 @@ In Windows 10 and Windows 11, cloud experience host is an application used while
### Related to cloud experience host
-- [Windows Hello for Business](hello-identity-verification.md)
+- [Windows Hello for Business](requirements.md)
- [Managed Windows Hello in organization](hello-manage-in-organization.md)
### More information on cloud experience host
@@ -131,7 +131,7 @@ Giving the simplicity offered by this model, cloud Kerberos trust is the recomme
### More information about cloud Kerberos trust
-[Cloud Kerberos trust deployment](hybrid-clud-kerberos-trust.md)
+[Cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md)
## Deployment type
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
index ee893787c7..629c651006 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
@@ -44,7 +44,7 @@ For more information read [how authentication works](hello-how-it-works-authenti
## Related topics
- [Technology and Terminology](hello-how-it-works-technology.md)
-- [Windows Hello for Business](hello-identity-verification.md)
+- [Windows Hello for Business](requirements.md)
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index b9a871f8a9..4a2846f9e6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -6,7 +6,7 @@ ms.topic: how-to
---
# Configure single sign-on for Microsoft Entra joined devices
-[!INCLUDE [hello-hybrid-key-trust](includes/hello-hybrid-keycert-trust-aad.md)]
+[!INCLUDE [apply-to-hybrid-key-and-cert-trust](deploy/includes/apply-to-hybrid-key-and-cert-trust.md)]
Windows Hello for Business combined with Microsoft Entra joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Microsoft Entra joined devices may need to access these resources. With additional configurations to the hybrid deployment, you can provide single sign-on to on-premises resources for Microsoft Entra joined devices using Windows Hello for Business, using a key or a certificate.
@@ -203,7 +203,7 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
1. Repeat this procedure on all your domain controllers
> [!NOTE]
-> You can configure domain controllers to automatically enroll and renew their certificates. Automatic certificate enrollment helps prevent authentication outages due to expired certificates. Refer to the [Windows Hello Deployment Guides](hello-deployment-guide.md) to learn how to deploy automatic certificate enrollment for domain controllers.
+> You can configure domain controllers to automatically enroll and renew their certificates. Automatic certificate enrollment helps prevent authentication outages due to expired certificates. Refer to the [Windows Hello Deployment Guides](index.md) to learn how to deploy automatic certificate enrollment for domain controllers.
> [!IMPORTANT]
> If you are not using automatic certificate enrollment, create a calendar reminder to alert you two months before the certificate expiration date. Send the reminder to multiple people in the organization to ensure more than one or two people know when these certificates expire.
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 6dfedc9c3e..db7b0b3eff 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -82,7 +82,7 @@ It's fundamentally important to understand which deployment model to use for a s
A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust.
> [!NOTE]
-> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](hybrid-clud-kerberos-trust.md).
+> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](hybrid-cloud-kerberos-trust.md).
The key trust type doesn't require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
index 87cd5f6ea5..094d134856 100644
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
@@ -44,7 +44,7 @@ If your policy allows it, people can use biometrics (fingerprint, iris, and faci
## Related topics
-- [Windows Hello for Business](hello-identity-verification.md)
+- [Windows Hello for Business](requirements.md)
- [How Windows Hello for Business works](hello-how-it-works.md)
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index a66a69f90c..fd387134b6 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -155,7 +155,7 @@ A successful transition relies on user acceptance testing. It's impossible for y
#### Deploy Windows Hello for Business to test users
-Next, you'll want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the journey to becoming password-less. Use the [Windows Hello for Business planning guide](hello-planning-guide.md) to help learning which deployment is best suited for your environment. Next, use the [Windows Hello for Business deployment guides](hello-deployment-guide.md) to deploy Windows Hello for Business.
+Next, you'll want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the journey to becoming password-less. Use the [Windows Hello for Business planning guide](hello-planning-guide.md) to help learning which deployment is best suited for your environment. Next, use the [Windows Hello for Business deployment guides](index.md) to deploy Windows Hello for Business.
With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is that you'll only need to deploy the infrastructure once. When other targeted work personas need to start using Windows Hello for Business, add them to a group. You'll use the first work persona to validate your Windows Hello for Business deployment.
From 5a5924afd39def42cfd3b3d3a89735f5ba88ecfa Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Fri, 15 Dec 2023 18:23:49 -0500
Subject: [PATCH 03/13] Fix typo in file paths and links
---
.../deploy/includes/apply-to-hybrid-key-and-cert-trust.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-and-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-and-cert-trust.md
index 2ad97beb62..1a17ea9d1f 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-and-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-and-cert-trust.md
@@ -5,6 +5,6 @@ ms.topic: include
[!INCLUDE [intro](intro.md)]
- **Deployment type:** [!INCLUDE [tooltip-deployment-hybrid](tooltip-deployment-hybrid.md)]
-- **Trust type:** [!INCLUDE [tooltip-trust-key](tooltip-trust-key.md)],[!INCLUDE [tooltip-cert-trust](../deploy/includes/tooltip-trust-cert.md)]
+- **Trust type:** [!INCLUDE [tooltip-trust-key](tooltip-trust-key.md)],[!INCLUDE [tooltip-cert-trust](tooltip-trust-cert.md)]
- **Join type:** [!INCLUDE [tooltip-join-entra](tooltip-join-entra.md)]
---
\ No newline at end of file
From fe4efd0dc8daf912e4aaa5821f305b0600fe6f71 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Fri, 15 Dec 2023 18:39:38 -0500
Subject: [PATCH 04/13] Update image paths in tooltip files
---
.../deploy/includes/tooltip-deployment-cloud.md | 2 +-
.../deploy/includes/tooltip-deployment-hybrid.md | 2 +-
.../deploy/includes/tooltip-deployment-onpremises.md | 2 +-
.../hello-for-business/deploy/includes/tooltip-join-domain.md | 2 +-
.../hello-for-business/deploy/includes/tooltip-join-entra.md | 2 +-
.../hello-for-business/deploy/includes/tooltip-join-hybrid.md | 2 +-
.../hello-for-business/deploy/includes/tooltip-trust-cert.md | 2 +-
.../deploy/includes/tooltip-trust-cloud-kerberos.md | 2 +-
.../hello-for-business/deploy/includes/tooltip-trust-key.md | 2 +-
9 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md
index b944355d1a..fa5e9a3489 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md
@@ -3,4 +3,4 @@ ms.date: 12/15/2023
ms.topic: include
---
-[cloud :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-deployment "For organizations using Microsoft Entra-only identities. Device management is usually done via Intune/MDM")
+[cloud :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-deployment "For organizations using Microsoft Entra-only identities. Device management is usually done via Intune/MDM")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md
index 4247fc5667..d273002ddd 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md
@@ -3,4 +3,4 @@ ms.date: 12/15/2023
ms.topic: include
---
-[hybrid :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Microsoft Entra ID. Device management is usually done via Group Policy or Intune/MDM")
+[hybrid :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Microsoft Entra ID. Device management is usually done via Group Policy or Intune/MDM")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md
index 620e12c556..5594bf39dd 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md
@@ -3,4 +3,4 @@ ms.date: 12/15/2023
ms.topic: include
---
-[on-premises :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Microsoft Entra ID. Device management is usually done via Group Policy")
+[on-premises :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Microsoft Entra ID. Device management is usually done via Group Policy")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md
index ef02364191..5e4dd851b9 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md
@@ -3,4 +3,4 @@ ms.date: 12/15/2023
ms.topic: include
---
-[domain join :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md)
+[domain join :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md
index bcb2249f0a..dbddf38006 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md
@@ -3,4 +3,4 @@ ms.date: 12/15/2023
ms.topic: include
---
-[Microsoft Entra join :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#azure-active-directory-join "Devices that are Microsoft Entra joined do not have any dependencies on Active Directory. Only local users accounts and Microsoft Entra users can sign in to these devices")
+[Microsoft Entra join :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#azure-active-directory-join "Devices that are Microsoft Entra joined do not have any dependencies on Active Directory. Only local users accounts and Microsoft Entra users can sign in to these devices")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md
index 515f955fed..206857ace8 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md
@@ -3,4 +3,4 @@ ms.date: 12/15/2023
ms.topic: include
---
-[Microsoft Entra hybrid join :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are Microsoft Entra hybrid joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Microsoft Entra ID will have single-sign on to both Active Directory and Microsoft Entra protected resources")
+[Microsoft Entra hybrid join :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are Microsoft Entra hybrid joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Microsoft Entra ID will have single-sign on to both Active Directory and Microsoft Entra protected resources")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md
index f4723af8a0..8719e2a1cc 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md
@@ -3,4 +3,4 @@ ms.date: 12/15/2023
ms.topic: include
---
-[certificate trust :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#certificate-trust "This trust type uses a certificate to authenticate the users to Active Directory. It's required to issue certificates to the users and to the domain controllers")
\ No newline at end of file
+[certificate trust :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#certificate-trust "This trust type uses a certificate to authenticate the users to Active Directory. It's required to issue certificates to the users and to the domain controllers")
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
index 35ebb35bef..cb9d49f23b 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
@@ -3,4 +3,4 @@ ms.date: 12/08/2022
ms.topic: include
---
-[cloud Kerberos trust :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-kerberos-trust "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that do not need certificate authentication")
\ No newline at end of file
+[cloud Kerberos trust :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-kerberos-trust "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that do not need certificate authentication")
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
index da9675a1b8..3bbbe2214f 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
@@ -3,4 +3,4 @@ ms.date: 12/08/2022
ms.topic: include
---
-[key trust :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#key-trust "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers")
\ No newline at end of file
+[key trust :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#key-trust "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers")
\ No newline at end of file
From f6a4b8c0bad73f2d58436e4581a0bbfa70f73f2a Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Sat, 16 Dec 2023 08:54:11 -0500
Subject: [PATCH 05/13] Update Windows Hello for Business links
---
.../hello-for-business/deploy/hybrid-cert-trust.md | 2 +-
.../deploy/hybrid-cloud-kerberos-trust.md | 2 +-
.../deploy/hybrid-key-trust-enroll.md | 2 +-
.../deploy/hybrid-key-trust-pki.md | 4 +++-
.../{ => deploy}/images/event358.png | Bin
.../hello-for-business/deploy/index.md | 4 ++--
.../hello-biometrics-in-enterprise.md | 4 +---
.../hello-how-it-works-technology.md | 4 ++--
.../hello-for-business/hello-how-it-works.md | 2 +-
.../hello-for-business/hello-planning-guide.md | 2 +-
.../hello-prepare-people-to-use.md | 2 +-
11 files changed, 14 insertions(+), 14 deletions(-)
rename windows/security/identity-protection/hello-for-business/{ => deploy}/images/event358.png (100%)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
index 36eb5fa683..da5c1e134a 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
@@ -20,7 +20,7 @@ Hybrid environments are distributed systems that enable organizations to use on-
This deployment guide describes how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
> [!IMPORTANT]
-> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](../hybrid-cloud-kerberos-trust.md).
+> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md).
It's recommended that you review the [Windows Hello for Business planning guide](../hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
index f6e7a28d29..c53e872bb1 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
@@ -45,7 +45,7 @@ When Microsoft Entra Kerberos is enabled in an Active Directory domain, an *Azur
:::image type="content" source="images/azuread-kerberos-object.png" alt-text="Active Directory Users and Computers console, showing the computer object representing the Microsoft Entra Kerberos server ":::
For more information about how Microsoft Entra Kerberos enables access to on-premises resources, see [enabling passwordless security key sign-in to on-premises resources][AZ-1].\
-For more information about how Microsoft Entra Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-cloud-kerberos-trust).
+For more information about how Microsoft Entra Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](../hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-cloud-kerberos-trust).
> [!IMPORTANT]
> When implementing the cloud Kerberos trust deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1].
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
index f334ccb78a..10b8e56a94 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
@@ -100,7 +100,7 @@ Sign-in a domain controller or management workstations with *Domain Admin* equiv
> [!NOTE]
> Windows Hello for Business can be configured using different policies. These policies are optional to configure, but it's recommended to enable *Use a hardware security device*.
->
+>
> For more information about these policies, see [Group Policy settings for Windows Hello for Business](../hello-manage-in-organization.md#group-policy-settings-for-windows-hello-for-business).
### Configure security for GPO
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md
index 299039ae2e..a32c3b4e05 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md
@@ -53,6 +53,7 @@ Sign in using *Enterprise Administrator* equivalent credentials on a Windows Ser
> [!IMPORTANT]
> For Microsoft Entra joined devices to authenticate to on-premises resources, ensure to:
+>
> - Install the root CA certificate in the device's trusted root certificate store. See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune
> - Publish your certificate revocation list to a location that is available to Microsoft Entra joined devices, such as a web-based URL
@@ -74,7 +75,7 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
1. Close the console
> [!IMPORTANT]
-> If you plan to deploy **Microsoft Entra joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](hello-hybrid-aadj-sso.md).
+> If you plan to deploy **Microsoft Entra joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](../hello-hybrid-aadj-sso.md).
## Configure and deploy certificates to domain controllers
@@ -89,6 +90,7 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
Before moving to the next section, ensure the following steps are complete:
> [!div class="checklist"]
+>
> - Configure domain controller certificates
> - Supersede existing domain controller certificates
> - Unpublish superseded certificate templates
diff --git a/windows/security/identity-protection/hello-for-business/images/event358.png b/windows/security/identity-protection/hello-for-business/deploy/images/event358.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/event358.png
rename to windows/security/identity-protection/hello-for-business/deploy/images/event358.png
diff --git a/windows/security/identity-protection/hello-for-business/deploy/index.md b/windows/security/identity-protection/hello-for-business/deploy/index.md
index 1ac0f82f03..46c44a5c62 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/index.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/index.md
@@ -51,11 +51,11 @@ Following are the various deployment guides and models included in this topic:
- [Microsoft Entra hybrid joined cloud Kerberos trust Deployment](hybrid-cloud-kerberos-trust.md)
- [Microsoft Entra hybrid joined Key Trust Deployment](hybrid-key-trust.md)
- [Microsoft Entra hybrid joined Certificate Trust Deployment](hybrid-cert-trust.md)
-- [Microsoft Entra join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)
+- [Microsoft Entra join Single Sign-on Deployment Guides](../hello-hybrid-aadj-sso.md)
- [On Premises Key Trust Deployment](hybrid-cloud-kerberos-trust.md)
- [On Premises Certificate Trust Deployment](on-premises-cert-trust.md)
-For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you'll need Microsoft Entra Connect to synchronize user accounts in the on-premises Active Directory with Microsoft Entra ID. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials aren't synchronized to Microsoft Entra ID. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](on-premises-key-trust-mfa.md) and [for certificate trust](deploy/on-premises-cert-trust-mfa.md) deployments.
+For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you'll need Microsoft Entra Connect to synchronize user accounts in the on-premises Active Directory with Microsoft Entra ID. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials aren't synchronized to Microsoft Entra ID. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](on-premises-key-trust-mfa.md) and [for certificate trust](on-premises-cert-trust-mfa.md) deployments.
## Provisioning
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
index 0a441f9e0c..d80393b040 100644
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -25,9 +25,7 @@ The Windows Hello authenticator works to authenticate and allow employees onto y
Windows Hello provides many benefits, including:
- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it's much more difficult to gain access without the employee's knowledge.
-
- Employees get a simple authentication method (backed up with a PIN) that's always with them, so there's nothing to lose. No more forgetting passwords!
-
- Support for Windows Hello is built into the operating system so you can add additional biometric devices and policies as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies. For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](hello-manage-in-organization.md) topic.
## Where is Windows Hello data stored?
@@ -80,7 +78,7 @@ To use Iris authentication, you'll need a [HoloLens 2 device](/hololens/). All H
## Related topics
-- [Windows Hello for Business](requirements.md)
+- [Windows Hello for Business](deploy/requirements.md)
- [How Windows Hello for Business works](hello-how-it-works.md)
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index 481b9e8a63..3ed49353ea 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -106,7 +106,7 @@ In Windows 10 and Windows 11, cloud experience host is an application used while
### Related to cloud experience host
-- [Windows Hello for Business](requirements.md)
+- [Windows Hello for Business](deploy/requirements.md)
- [Managed Windows Hello in organization](hello-manage-in-organization.md)
### More information on cloud experience host
@@ -131,7 +131,7 @@ Giving the simplicity offered by this model, cloud Kerberos trust is the recomme
### More information about cloud Kerberos trust
-[Cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md)
+[Cloud Kerberos trust deployment](deploy/hybrid-cloud-kerberos-trust.md)
## Deployment type
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
index 629c651006..d8f299c354 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
@@ -44,7 +44,7 @@ For more information read [how authentication works](hello-how-it-works-authenti
## Related topics
- [Technology and Terminology](hello-how-it-works-technology.md)
-- [Windows Hello for Business](requirements.md)
+- [Windows Hello for Business](deploy/requirements.md)
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index db7b0b3eff..55a70b9a89 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -82,7 +82,7 @@ It's fundamentally important to understand which deployment model to use for a s
A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust.
> [!NOTE]
-> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](hybrid-cloud-kerberos-trust.md).
+> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](deploy/hybrid-cloud-kerberos-trust.md).
The key trust type doesn't require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
index 094d134856..52459fe655 100644
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
@@ -44,7 +44,7 @@ If your policy allows it, people can use biometrics (fingerprint, iris, and faci
## Related topics
-- [Windows Hello for Business](requirements.md)
+- [Windows Hello for Business](deploy/requirements.md)
- [How Windows Hello for Business works](hello-how-it-works.md)
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
From c723c0c73d902ddb22d8b1d4b88c87b719868546 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Sat, 16 Dec 2023 12:08:10 -0500
Subject: [PATCH 06/13] updates
---
...blishing.redirection.windows-security.json | 72 ++++++++++++++++++-
.../vpn/vpn-authentication.md | 2 +-
.../wdsc-account-protection.md | 2 +-
3 files changed, 73 insertions(+), 3 deletions(-)
diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json
index 0c3ed90ba7..4d5a16a8af 100644
--- a/.openpublishing.redirection.windows-security.json
+++ b/.openpublishing.redirection.windows-security.json
@@ -8114,6 +8114,76 @@
"source_path": "windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md",
"redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki",
"redirect_document_id": false
- }
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/cloud",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-deployment-guide.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-mfa",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-identity-verification.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/requirements",
+ "redirect_document_id": false
+ }
]
}
\ No newline at end of file
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
index 92d8638c40..60dd8c3517 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
@@ -74,7 +74,7 @@ For a UWP VPN plug-in, the app vendor controls the authentication method to be u
See [EAP configuration](/windows/client-management/mdm/eap-configuration) for EAP XML configuration.
>[!NOTE]
->To configure Windows Hello for Business authentication, follow the steps in [EAP configuration](/windows/client-management/mdm/eap-configuration) to create a smart card certificate. [Learn more about Windows Hello for Business.](../../../identity-protection/hello-for-business/hello-identity-verification.md).
+>To configure Windows Hello for Business authentication, follow the steps in [EAP configuration](/windows/client-management/mdm/eap-configuration) to create a smart card certificate. [Learn more about Windows Hello for Business.](../../../identity-protection/hello-for-business/index.md).
The following image shows the field for EAP XML in a Microsoft Intune VPN profile. The EAP XML field only appears when you select a built-in connection type (automatic, IKEv2, L2TP, PPTP).
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
index 0282a7bcb2..6f077f8f37 100644
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
@@ -11,7 +11,7 @@ ms.topic: article
The **Account protection** section contains information and settings for account protection and sign-in. You can get more information about these capabilities from the following list:
- [Microsoft Account](https://account.microsoft.com/account/faq)
-- [Windows Hello for Business](../../../identity-protection/hello-for-business/hello-identity-verification.md)
+- [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md)
- [Lock your Windows 10 PC automatically when you step away from it](https://support.microsoft.com/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from)
You can also choose to hide the section from users of the device, if you don't want your employees to access or view user-configured options for these features.
From a6ce82a72a8bd65bf12daa2290d06acef0a1cf6d Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Sat, 16 Dec 2023 12:19:59 -0500
Subject: [PATCH 07/13] Fix typos and improve readability in tooltip and
documentation
---
.../deploy/includes/tooltip-trust-cloud-kerberos.md | 2 +-
.../hello-for-business/deploy/on-premises-key-trust.md | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
index cb9d49f23b..57fd74f5c3 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
@@ -3,4 +3,4 @@ ms.date: 12/08/2022
ms.topic: include
---
-[cloud Kerberos trust :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-kerberos-trust "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that do not need certificate authentication")
\ No newline at end of file
+[cloud Kerberos trust :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-kerberos-trust "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that don't need certificate authentication")
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
index 5b0dbd90fa..961219b27e 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
@@ -13,12 +13,12 @@ Windows Hello for Business replaces username and password authentication to Wind
1. [Validate and configure a PKI](on-premises-key-trust-pki.md)
1. [Prepare and deploy AD FS](on-premises-key-trust-adfs.md)
-1. [Validate and deploy multi-factor authentication (MFA)](on-premises-key-trust-mfa.md)
+1. [Validate and deploy multifactor authentication (MFA)](on-premises-key-trust-mfa.md)
1. [Configure Windows Hello for Business Policy settings](on-premises-key-trust-enroll.md)
## Create the Windows Hello for Business Users security group
-While this is not a required step, it is recommended to create a security group to simplify the deployment.
+While this isn't a required step, it's recommended to create a security group to simplify the deployment.
The *Windows Hello for Business Users* group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy permissions to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business.
From a9a6c1c0f50c92ed3faba6244edbbe0716468dc6 Mon Sep 17 00:00:00 2001
From: Aditi Srivastava <133841950+aditisrivastava07@users.noreply.github.com>
Date: Mon, 18 Dec 2023 10:44:05 +0530
Subject: [PATCH 08/13] Pencil edit
---
.../identity-protection/hello-for-business/deploy/cloud.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/cloud.md b/windows/security/identity-protection/hello-for-business/deploy/cloud.md
index dfbd20da90..ca409fc0b7 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/cloud.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/cloud.md
@@ -62,7 +62,7 @@ If you don't use Intune in your organization, then you can disable Windows Hello
Intune uses the following registry keys: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies`**
-To look up your Tenant ID, see [How to find your Microsoft Entra tenant ID](/azure/active-directory/fundamentals/how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account:
+To look up your Tenant ID, see [How to find your Microsoft Entra tenant ID](/azure/active-directory/fundamentals/how-to-find-tenant) or try the following, ensuring to sign in with your organization's account:
```msgraph-interactive
GET https://graph.microsoft.com/v1.0/organization?$select=id
From 24afc8f3995017b6f1a11387a6f7768836d5a412 Mon Sep 17 00:00:00 2001
From: Aditi Srivastava <133841950+aditisrivastava07@users.noreply.github.com>
Date: Mon, 18 Dec 2023 10:48:12 +0530
Subject: [PATCH 09/13] Pencil edit and fixed alt text.
---
.../hello-for-business/deploy/hybrid-cert-trust-enroll.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
index da2bb39379..a9363c8a74 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
@@ -113,7 +113,7 @@ There are different ways to enable and configure Windows Hello for Business in I
- Using a policy applied at the tenant level. The tenant policy:
- Is only applied at enrollment time, and any changes to its configuration won't apply to devices already enrolled in Intune
- It applies to *all devices* getting enrolled in Intune. For this reason, the policy is usually disabled and Windows Hello for Business is enabled using a policy targeted to a security group
-- A device configuration policy that is applied *after* device enrollment. Any changes to the policy will be applied to the devices during regular policy refresh intervals. Chose from the following policy types:
+- A device configuration policy that is applied *after* device enrollment. Any changes to the policy will be applied to the devices during regular policy refresh intervals. Choose from the following policy types:
- [Settings catalog][MEM-1]
- [Security baselines][MEM-2]
- [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4]
@@ -129,7 +129,7 @@ To check the Windows Hello for Business policy applied at enrollment time:
1. Select **Windows Hello for Business**
1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured
-:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="images/whfb-intune-disable.png":::
+:::image type="content" source="images/whfb-intune-disable.png" alt-text="Screenshot that shows disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="images/whfb-intune-disable.png":::
If the tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to create a policy using an *account protection* policy.
@@ -152,7 +152,7 @@ To configure Windows Hello for Business using an *account protection* policy:
1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
1. Review the policy configuration and select **Create**
-:::image type="content" source="images/whfb-intune-account-protection-cert-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-cert-enable.png":::
+:::image type="content" source="images/whfb-intune-account-protection-cert-enable.png" alt-text="Screenshot that shows enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-cert-enable.png":::
---
@@ -172,7 +172,7 @@ This is the process that occurs after a user signs in, to enroll in Windows Hell
1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Microsoft Entra ID to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and see their desktop. While the user has completed provisioning, Microsoft Entra Connect synchronizes the user's key to Active Directory
-:::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business.":::
+:::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Screenshot that shows animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business.":::
> [!IMPORTANT]
> The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889).
From e9dfb62e7e74fce42d489f4cffcfef216f373fe7 Mon Sep 17 00:00:00 2001
From: Aditi Srivastava <133841950+aditisrivastava07@users.noreply.github.com>
Date: Mon, 18 Dec 2023 10:51:51 +0530
Subject: [PATCH 10/13] Pencil edit
---
.../hello-for-business/deploy/hybrid-cert-trust-pki.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
index b20e3a55c4..7ff5c70e48 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
@@ -10,7 +10,7 @@ appliesto:
- ✅ Windows Server 2016
ms.topic: tutorial
---
-# Configure and validate the PKI in an hybrid certificate trust model
+# Configure and validate the PKI in a hybrid certificate trust model
[!INCLUDE [apply-to-hybrid-cert-trust](includes/apply-to-hybrid-cert-trust.md)]
From 63e7af961294db55a89b40adf31d55b99ac70ae8 Mon Sep 17 00:00:00 2001
From: Aditi Srivastava <133841950+aditisrivastava07@users.noreply.github.com>
Date: Mon, 18 Dec 2023 10:56:06 +0530
Subject: [PATCH 11/13] Pencil edit
---
.../hello-for-business/deploy/hybrid-cert-trust.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
index da5c1e134a..a9d49ebfec 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
@@ -44,7 +44,7 @@ Hybrid Windows Hello for Business needs two directories:
- A Microsoft Entra tenant with a Microsoft Entra ID P1 or P2 subscription
The two directories must be synchronized with [Microsoft Entra Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Microsoft Entra ID.
-The hybrid-certificate trust deployment needs an *Microsoft Entra ID P1 or P2* subscription because it uses the device write-back synchronization feature.
+The hybrid-certificate trust deployment needs a *Microsoft Entra ID P1 or P2* subscription because it uses the device write-back synchronization feature.
> [!NOTE]
> Windows Hello for Business hybrid certificate trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Microsoft Entra ID.
From df2d6662b23a6e1f912ac32e923c6f0ac085edee Mon Sep 17 00:00:00 2001
From: Aditi Srivastava <133841950+aditisrivastava07@users.noreply.github.com>
Date: Mon, 18 Dec 2023 11:04:03 +0530
Subject: [PATCH 12/13] Pencil edit
---
.../hello-for-business/deploy/hybrid-key-trust-pki.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md
index a32c3b4e05..2fa08c15c9 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md
@@ -1,6 +1,6 @@
---
-title: Configure and validate the Public Key Infrastructure in an hybrid key trust model
-description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in an hybrid key trust model.
+title: Configure and validate the Public Key Infrastructure in a hybrid key trust model
+description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a hybrid key trust model.
ms.date: 01/03/2023
appliesto:
- ✅ Windows 11
From 2e5cadee3f44c9bdb633e50a71e3e306ce99b33c Mon Sep 17 00:00:00 2001
From: Aditi Srivastava <133841950+aditisrivastava07@users.noreply.github.com>
Date: Mon, 18 Dec 2023 11:27:49 +0530
Subject: [PATCH 13/13] Pencil edit
---
.../deploy/on-premises-cert-trust-adfs.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
index 265478462d..1757f9c6b1 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
@@ -52,7 +52,7 @@ Sign-in the federation server with *domain administrator* equivalent credentials
1. Select **Next** on the **Select Certificate Enrollment Policy** page
1. On the **Request Certificates** page, select the **Internal Web Server** check box
1. Select the **⚠️ More information is required to enroll for this certificate. Click here to configure settings** link
- :::image type="content" source="images/hello-internal-web-server-cert.png" lightbox="images/hello-internal-web-server-cert.png" alt-text="Example of Certificate Properties Subject Tab - This is what shows when you select the above link.":::
+ :::image type="content" source="images/hello-internal-web-server-cert.png" lightbox="images/hello-internal-web-server-cert.png" alt-text="Screenshot that shows example of Certificate Properties Subject Tab - This is what shows when you select the above link.":::
1. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the AD FS role and then select **Add**
1. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name that you will use for your federation services (*sts.corp.contoso.com*). The name you use here MUST match the name you use when configuring the AD FS server role. Select **Add** and **OK** when finished
1. Select **Enroll**
@@ -161,11 +161,11 @@ Sign-in to the federation server with *Enterprise Administrator* equivalent cred
1. In the details pane, select **Configure device registration**
1. In the **Configure Device Registration** dialog, Select **OK**
-:::image type="content" source="images/adfs-device-registration.png" lightbox="images/adfs-device-registration.png" alt-text="AD FS device registration: configuration of the service connection point.":::
+:::image type="content" source="images/adfs-device-registration.png" lightbox="images/adfs-device-registration.png" alt-text="Screenshot that shows AD FS device registration: configuration of the service connection point.":::
Triggering device registration from AD FS, creates the service connection point (SCP) in the Active Directory configuration partition. The SCP is used to store the device registration information that Windows clients will automatically discover.
-:::image type="content" source="images/adfs-scp.png" lightbox="images/adfs-scp.png" alt-text="AD FS device registration: service connection point object created by AD FS.":::
+:::image type="content" source="images/adfs-scp.png" lightbox="images/adfs-scp.png" alt-text="Screenshot that shows AD FS device registration: service connection point object created by AD FS.":::
## Review to validate the AD FS and Active Directory configuration
@@ -320,4 +320,4 @@ Each file in this folder represents a certificate in the service account's Perso
For detailed information about the certificate, use `Certutil -q -v `.
> [!div class="nextstepaction"]
-> [Next: validate and deploy multi-factor authentication (MFA) >](on-premises-cert-trust-mfa.md)
\ No newline at end of file
+> [Next: validate and deploy multi-factor authentication (MFA) >](on-premises-cert-trust-mfa.md)