From ea8b66f522c7a4c0ef2ec7858e183af0b2ddc7b9 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 15 Nov 2022 12:14:50 -0500 Subject: [PATCH] updates --- .../hello-deployment-rdp-certs.md | 31 ++++++++++--------- .../hello-for-business/toc.yml | 18 +++++------ 2 files changed, 25 insertions(+), 24 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 3c3763245b..7fd201a853 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -13,11 +13,11 @@ ms.topic: how-to localizationpriority: medium ms.date: 11/15/2022 appliesto: - - ✅ Windows 10, version 21H2 and later + - ✅ Windows 10 and later ms.technology: itpro-security --- -# Deploy certificates to cloud Kerberos trust and key trust users to enable RDP +# Deploy certificates to cloud Kerberos trust and key trust users for RDP authentication This document describes Windows Hello for Business functionalities or scenarios that apply to:\ ✅ **Deployment type:** [hybrid](hello-how-it-works-technology.md#hybrid-deployment)\ 
@@ -28,9 +28,7 @@ This document describes Windows Hello for Business functionalities or scenarios --- -Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. For *cloud Kerberos trust* and *certificate trust* deployments, the creation of this certificate occurs at container creation time. - -This document discusses three approaches for cloud Kerberos trust and key trust deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user: +Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. This document discusses three approaches for *cloud Kerberos trust* and *key trust* deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user: - Deploy certificates to hybrid joined devices using an on-premises Active Directory certificate enrollment policy - Deploy certificates to hybrid or Azure AD-joined devices using Simple Certificate Enrollment Protocol (SCEP) and Intune @@ -38,12 +36,13 @@ This document discusses three approaches for cloud Kerberos trust and key trust ## Deploy certificates to a hybrid joined devices using an on-premises Active Directory Certificate enrollment policy -To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must: +To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must first create a certificate template and then deploy certificates based on the template. -1. Create a suitable certificate template -1. Deploy certificates to your users based on the template +Expand the following sections to learn more about the process. -### Create a Windows Hello for Business certificate template +
+
+Create a Windows Hello for Business certificate template Follow these steps to create a certificate template: @@ -99,24 +98,26 @@ Follow these steps to create a certificate template: 1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and select **OK**. It can take some time for the template to replicate to all servers and become available in this list. 1. After the template replicates, in the MMC, right-click in the Certification Authority list, select **All Tasks > Stop Service**. Right-click the name of the CA again, select **All Tasks > Start Service** -### Requesting a Certificate +
+ + +
+
+Request a Certificate 1. Ensure the hybrid Azure AD joined device has network line of sight to Active Directory domain controllers and the issuing certificate authority. - 1. Start the **Certificates – Current User** console (%windir%\system32\certmgr.msc). - 1. In the left pane of the MMC, right-click **Personal**, click **All Tasks**, and then click **Request New Certificate…** ![Request a new certificate.](images/rdpcert/requestnewcertificate.png) 1. On the Certificate Enrollment screen, click **Next**. - 1. Under Select Certificate Enrollment Policy, ensure **Active Directory Enrollment Policy** is selected and then click **Next**. - 1. Under Request Certificates, click the check-box next to the certificate template you created in the previous section (WHfB Certificate Authentication) and then click **Enroll**. - 1. After a successful certificate request, click Finish on the Certificate Installation Results screen +
+ ## Deploying a certificate to Hybrid or Azure AD Joined Devices using Simple Certificate Enrollment Protocol (SCEP) via Intune Deploying a certificate to Azure AD Joined Devices may be achieved with the Simple Certificate Enrollment Protocol (SCEP) via Intune. For guidance deploying the required infrastructure, refer to [Configure infrastructure to support SCEP certificate profiles with Microsoft Intune](/mem/intune/protect/certificates-scep-configure). diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 55cadf5a94..e0319abca3 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -35,6 +35,8 @@ href: hello-prepare-people-to-use.md - name: Deployment guides items: + - name: Cloud-only deployment + href: hello-aad-join-cloud-only-deploy.md - name: Hybrid cloud Kerberos trust deployment href: hello-hybrid-cloud-kerberos-trust.md - name: Hybrid Azure AD Join key trust @@ -75,7 +77,7 @@ href: hello-hybrid-aadj-sso-base.md - name: Using certificates for on-premises SSO href: hello-hybrid-aadj-sso-cert.md - - name: On-premises Key Trust + - name: On-premises key trust items: - name: Key trust deployment href: hello-deployment-key-trust.md 
@@ -103,15 +105,13 @@ href: hello-cert-trust-validate-deploy-mfa.md - name: Configure Windows Hello for Business policy settings href: hello-cert-trust-policy-settings.md - - name: Azure AD join cloud only deployment - href: hello-aad-join-cloud-only-deploy.md - - name: Manage Windows Hello for Business in your organization - href: hello-manage-in-organization.md - - name: Deploy certificates for remote desktop (RDP) connections + - name: Deploy certificates for remote desktop (RDP) authentication href: hello-deployment-rdp-certs.md + - name: Manage Windows Hello for Business in your organization + href: hello-manage-in-organization.md - name: Windows Hello for Business features items: - - name: Conditional Access + - name: Conditional access href: hello-feature-conditional-access.md - name: PIN Reset href: hello-feature-pin-reset.md @@ -125,9 +125,9 @@ href: hello-feature-remote-desktop.md - name: Troubleshooting items: - - name: Known Deployment Issues + - name: Known deployment issues href: hello-deployment-issues.md - - name: Errors During PIN Creation + - name: Errors during PIN creation href: hello-errors-during-pin-creation.md - name: Event ID 300 - Windows Hello successfully created href: hello-event-300.md
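Review bot: In the first hello-deployment-rdp-certs.md hunk (@@ -13,11 +13,11 @@), changing the appliesto entry from "Windows 10, version 21H2 and later" to "Windows 10 and later" drops the only stated minimum build for this scenario. If cloud Kerberos trust or key trust RDP certificate deployment still depends on a particular Windows 10 build, keep the version qualifier or state the requirement in the body; otherwise readers on older builds will follow the steps with no documented reason for failure. The new H1 "Deploy certificates to cloud Kerberos trust and key trust users for RDP authentication" does match the renamed toc.yml entry in the later hunk, which is good.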
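Review bot: The second hunk (@@ -28,9 +28,7 @@) removes the sentence "For *cloud Kerberos trust* and *certificate trust* deployments, the creation of this certificate occurs at container creation time" and with it the only explanation of why certificate trust deployments are out of scope for this page. The removed sentence was inconsistent with the new intro (it claimed cloud Kerberos trust already has the certificate, while the new paragraph says cloud Kerberos trust users need one deployed), so deleting it is right, but consider keeping a one-line version restricted to certificate trust so readers know which deployment type does not need this procedure.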
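Review bot: In the third hunk (@@ -38,12 +36,13 @@), replacing the "### Create a Windows Hello for Business certificate template" heading with an expandable section removes the heading anchor, so existing deep links to that section and the page's in-page navigation lose it; keep a heading inside the expandable block or make sure the old anchor is redirected. The unchanged context line "## Deploy certificates to a hybrid joined devices using an on-premises Active Directory Certificate enrollment policy" also has an article/number mismatch ("a ... devices") and capitalizes "Certificate enrollment policy" differently from the intro's "Active Directory certificate enrollment policy"; since this section is being reworked, fix both here.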
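Review bot: In the fourth hunk (@@ -99,24 +98,26 @@), the same anchor loss applies to "### Requesting a Certificate", and the new summary text "Request a Certificate" uses title case while the other new summary ("Create a Windows Hello for Business certificate template") and the toc.yml renames in this patch use sentence case. Removing the leading indentation from the "1." steps also changes them from a nested list to a top-level list, so confirm that is intended rather than an editor artifact. The final step "After a successful certificate request, click Finish on the Certificate Installation Results screen" lacks bold on the button name and a period, unlike the preceding steps, and the unchanged "select **All Tasks > Start Service**" context line is also missing its terminating period.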
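Review bot: In the toc.yml hunks, the casing normalization is incomplete: @@ -75,7 +77,7 @@ lowercases "On-premises Key Trust" to "On-premises key trust" while the context line "- name: Hybrid Azure AD Join key trust" in @@ -35,6 +35,8 @@ keeps "Join" capitalized, and @@ -103,15 +105,13 @@ lowercases "Conditional Access" to "Conditional access" but leaves the adjacent context entry "- name: PIN Reset" in title case. Apply the same sentence-case rule to those entries in this patch so the toc is consistent. The removal of "Azure AD join cloud only deployment" here together with the added "Cloud-only deployment" entry under Deployment guides in @@ -35,6 +35,8 @@ reads as a move; stating that in the commit message ("updates" says nothing) would help reviewers confirm no entry was dropped.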