Merge pull request #7510 from paolomatarazzo/pm-20221115-whfb-experiment

[WHFB] Experiment for data club
2025-05-13 22:07:22 +00:00 · 2022-11-16 17:01:34 -07:00 · 2022-11-16 17:01:34 -07:00 · eb472dd814
commit eb472dd814
parent 2f8660a51c 2cfea24983
4 changed files with 235 additions and 240 deletions
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
@ -1,207 +1,202 @@
 ---
-title: Deploying Certificates to Key Trust Users to Enable RDP
+title: Deploy certificates for remote desktop sign-in
-description: Learn how to deploy certificates to a Key Trust user to enable remote desktop with supplied credentials
+description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials.
 ms.prod: windows-client
 author: paolomatarazzo
 ms.author: paoloma
 manager: aaroncz
-ms.reviewer: prsriva
+ms.reviewer: erikdau
 ms.collection:
  - M365-identity-device-management
  - ContentEngagementFY23
-ms.topic: article
+ms.topic: how-to
 localizationpriority: medium
-ms.date: 02/22/2021
+ms.date: 11/15/2022
-appliesto: 
+appliesto:
-  - ✅ <b>Windows 10</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
  - ✅ <b>Windows 11</b>
  - ✅ <b>Hybrid deployment</b>
  - ✅ <b>Key trust</b>
  - ✅ <b>Cloud Kerberos trust</b>
 ms.technology: itpro-security
 ---
-# Deploy Certificates to Key Trust and Cloud Kerberos Trust Users to Enable RDP
+# Deploy certificates for remote desktop (RDP) sign-in
-Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. For certificate trust deployments, creation of this certificate occurs at container creation time.
+This document describes Windows Hello for Business functionalities or scenarios that apply to:\
 ✅ **Deployment type:** [hybrid](hello-how-it-works-technology.md#hybrid-deployment)\.
 ✅ **Trust type:** [cloud Kerberos trust](hello-hybrid-cloud-kerberos-trust.md), [key trust](hello-how-it-works-technology.md#key-trust)\.
 ✅ **Device registration type:** [Azure AD join](hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](hello-how-it-works-technology.md#hybrid-azure-ad-join).
-This document discusses an approach for key trust and cloud Kerberos trust deployments where authentication certificates can be deployed to an existing WHFB user.
+<br>
-Three approaches are documented here:
+---
 Windows Hello for Business supports using a certificate as the supplied credential, when establishing a remote desktop connection to another Windows device. This document discusses three approaches for *cloud Kerberos trust* and *key trust* deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user:
-1. Deploying a certificate to hybrid joined devices using an on-premises Active Directory certificate enrollment policy.
+- Deploy certificates to hybrid joined devices using an on-premises Active Directory Certificate Services enrollment policy
 - Deploy certificates to hybrid or Azure AD-joined devices using Intune
 - Work with third-party PKIs
-1. Deploying a certificate to hybrid or Azure AD-joined devices using Simple Certificate Enrollment Protocol (SCEP) and Intune.
+## Deploy certificates via Active Directory Certificate Services (AD CS)
 1. Working with non-Microsoft enterprise certificate authorities.
 ## Deploying a certificate to a hybrid joined device using an on-premises Active Directory Certificate enrollment policy
 ### Create a Windows Hello for Business certificate template
 1. Sign in to your issuing certificate authority (CA).
 1. Open the **Certificate Authority** Console (%windir%\system32\certsrv.msc).
 1. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list.
 1. Right-click **Certificate Templates** and then click **Manage** to open the **Certificate Templates** console.
 1. Right-click the **Smartcard Logon** template and click **Duplicate Template**
    ![Duplicating Smartcard Template.](images/rdpcert/duplicatetemplate.png)
 1. On the **Compatibility** tab:
    1. Clear the **Show resulting changes** check box
    1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Authority list
    1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Recipient list
 1. On the **General** tab:
    1. Specify a Template display name, such as **WHfB Certificate Authentication**
    1. Set the validity period to the desired value
    1. Take note of the Template name for later, which should be the same as the Template display name minus spaces (**WHfBCertificateAuthentication** in this example).
 1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**.
 1. On the **Subject Name** tab:
    1. Select the **Build from this Active Directory** information button if it is not already selected
    1. Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name is not already selected
    1. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
 1. On the **Request Handling** tab:
    1. Select the **Renew with same key** check box
    1. Set the Purpose to **Signature and smartcard logon**
        1. Click **Yes** when prompted to change the certificate purpose
    1. Click **Prompt the user during enrollment**
 1. On the **Cryptography** tab:
    1. Set the Provider Category to **Key Storage Provider**
    1. Set the Algorithm name to **RSA**
    1. Set the minimum key size to **2048**
    1. Select **Requests must use one of the following providers**
    1. Tick **Microsoft Software Key Storage Provider**
    1. Set the Request hash to **SHA256**
 1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them.
 1. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates.
 1. Close the Certificate Templates console.
 1. Open an elevated command prompt and change to a temporary working directory.
 1. Execute the following command:
    `certutil -dstemplate \<TemplateName\> \> \<TemplateName\>.txt`
    Replace \<TemplateName\> with the Template name you took note of earlier in step 7.
 1. Open the text file created by the command above.
    1. Delete the last line of the output from the file that reads **CertUtil: -dsTemplate command completed successfully.**
    1. Modify the line that reads **pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"** to **pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"**
 1. Save the text file.
 1. Update the certificate template by executing the following command:
    certutil -dsaddtemplate \<TemplateName\>.txt
 1. In the Certificate Authority console, right-click **Certificate Templates**, select **New**, and select **Certificate Template to Issue**
    ![Selecting Certificate Template to Issue.](images/rdpcert/certificatetemplatetoissue.png)
 1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and click **OK**. It can take some time for the template to replicate to all servers and become available in this list.
 1. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks** and then click **Stop Service**. Right-click the name of the CA again, click **All Tasks**, and then click **Start Service**.
 ### Requesting a Certificate
 1. Ensure the hybrid Azure AD joined device has network line of sight to Active Directory domain controllers and the issuing certificate authority. 
 1. Start the **Certificates – Current User** console (%windir%\system32\certmgr.msc).
 1. In the left pane of the MMC, right-click **Personal**, click **All Tasks**, and then click **Request New Certificate…**
    ![Request a new certificate.](images/rdpcert/requestnewcertificate.png)
 1. On the Certificate Enrollment screen, click **Next**.
 1. Under Select Certificate Enrollment Policy, ensure **Active Directory Enrollment Policy** is selected and then click **Next**.
 1. Under Request Certificates, click the check-box next to the certificate template you created in the previous section (WHfB Certificate Authentication) and then click **Enroll**.
 1. After a successful certificate request, click Finish on the Certificate Installation Results screen
 ## Deploying a certificate to Hybrid or Azure AD Joined Devices using Simple Certificate Enrollment Protocol (SCEP) via Intune
 Deploying a certificate to Azure AD Joined Devices may be achieved with the Simple Certificate Enrollment Protocol (SCEP) via Intune. For guidance deploying the required infrastructure, refer to [Configure infrastructure to support SCEP certificate profiles with Microsoft Intune](/mem/intune/protect/certificates-scep-configure).
 Next you should deploy the root CA certificate (and any other intermediate certificate authority certificates) to Azure AD Joined Devices using a Trusted root certificate profile with Intune. For guidance, refer to [Create trusted certificate profiles in Microsoft Intune](/mem/intune/protect/certificates-trusted-root).
 Once these requirements have been met, a new device configuration profile may be configured from Intune that provisions a certificate for the user of the device. Proceed as follows:
 1. Sign in to the Microsoft [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Navigate to Devices \> Configuration Profiles \> Create profile.
 1. Enter the following properties:
    1. For Platform, select **Windows 10 and later**.
    1. For Profile, select **SCEP Certificate**.
    1. Click **Create**.
 1. In **Basics**, enter the following parameters:
    1. **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is SCEP profile for entire company.
    1. **Description**: Enter a description for the profile. This setting is optional, but recommended.
    1. Select **Next**.
 1. In the **Configuration settings**, complete the following:
    1. For Certificate Type, choose **User**.
    1. For Subject name format, set it to **CN={{UserPrincipalName}}**.
    1. Under Subject alternative name, select **User principal name (UPN)** from the drop-down menu and set the value to **CN={{UserPrincipalName}}**.
    1. For Certificate validity period, set a value of your choosing.
    1. For Key storage provider (KSP), choose **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)**.
    1. For Key usage, choose **Digital Signature**.
    1. For Key size (bits), choose **2048**.
    1. For Hash algorithm, choose **SHA-2**.
    1. Under Root Certificate, click **+Root Certificate** and select the trusted certificate profile you created earlier for the Root CA Certificate.
    1. Under Extended key usage, add the following:
        | Name | Object Identifier | Predefined Values |
        |------|-------------------|-------------------|
        | Smart Card Logon | 1.3.6.1.4.1.311.20.2.2 | Smart Card Logon |
        | Client Authentication | 1.3.6.1.5.5.7.3.2 | Client Authentication |
    1. For Renewal threshold (%), set a value of your choosing.
    1. For SCEP Server URLs, provide the public endpoint that you configured during the deployment of your SCEP infrastructure.
    1. Click **Next**
 1. In Assignments, target the devices or users who should receive a certificate and click **Next**
 1. In Applicability Rules, provide additional issuance restrictions if required and click **Next**
 1. In Review + create, click **Create**
 Once the configuration profile has been created, targeted clients will receive the profile from Intune on their next refresh cycle. You should find a new certificate in the user store. To validate the certificate is present, do the following steps:
 1. Open the Certificates - Current User console (%windir%\system32\certmgr.msc)
 1. In the left pane of the MMC, expand **Personal** and select **Certificates**
 1. In the right-hand pane of the MMC, check for the new certificate
 > [!NOTE]
-> This infrastructure may also deploy the same certificates to co-managed or modern-managed Hybrid Azure Active Directory-Joined devices using Intune Policies.
+> This process is applicable to *hybrid Azure AD joined* devices only.
-## Using non-Microsoft Enterprise Certificate Authorities
+To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must first create a *certificate template*, and then deploy certificates based on that template.
-If you are using a Public Key Infrastructure that uses non-Microsoft services, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune](/mem/intune/protect/certificate-authority-add-scep-overview).
+Expand the following sections to learn more about the process.
-As an alternative to using SCEP or if none of the previously covered solutions will work in your environment, you can manually generate Certificate Signing Requests (CSR) for submission to your PKI. To assist with this approach, you can use the [Generate-CertificateRequest](https://www.powershellgallery.com/packages/Generate-CertificateRequest) PowerShell commandlet.
+<br>
-The Generate-CertificateRequest commandlet will generate an .inf file for a pre-existing Windows Hello for Business key. The .inf can be used to generate a certificate request manually using certreq.exe. The commandlet will also generate a .req file, which can be submitted to your PKI for a certificate.
+<details>
 <summary><b>Create a Windows Hello for Business certificate template</b></summary>
-## RDP Sign-in with Windows Hello for Business Certificate Authentication
+Follow these steps to create a certificate template:
-After adding the certificate using an approach from any of the previous sections, you should be able to RDP to any Windows device or server in the same Forest as the user’s on-premises Active Directory account, provided the PKI certificate chain for the issuing certificate authority is deployed to that target server.
+1. Sign in to your issuing certificate authority (CA) and open *Server Manager*.
 1. Select **Tools > Certification Authority**. The Certification Authority Microsoft Management Console (MMC) opens.
 1. In the MMC, expand the CA name and right-click **Certificate Templates > Manage**.
 1. The Certificate Templates console opens. All of the certificate templates are displayed in the details pane.
 1. Right-click the **Smartcard Logon** template and select **Duplicate Template**.
 1. Use the following table to configure the template:
-1. Open the Remote Desktop Client (%windir%\system32\mstsc.exe) on the Hybrid Azure Active Directory-Joined client where the authentication certificate has been deployed.
+    | Tab Name | Configurations |
    | --- | --- |
    | *Compatibility* | <ul><li>Clear the **Show resulting changes** check box.</li><li>Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Authority list*.</li><li>Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Recipient list*.</li></ul>|
    | *General* | <ul><li>Specify a **Template display name**, for example *WHfB Certificate Authentication*.</li><li>Set the validity period to the desired value.</li><li>Take note of the Template name for later, which should be the same as the Template display name minus spaces (*WHfBCertificateAuthentication* in this example).</li></ul>|
    | *Extensions* | Verify the **Application Policies** extension includes **Smart Card Logon**.|
    | *Subject Name* | <ul><li> Select the **Build from this Active Directory** information button if it isn't already selected.</li><li>Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name isn't already selected.</li><li>Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**.</li></ul>|
    |*Request Handling*|<ul><li>Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose.</li><li>Select the **Renew with same key** check box.</li><li>Select **Prompt the user during enrollment**.</li></ul>|
    |*Cryptography*|<ul><li>Set the Provider Category to **Key Storage Provider**.</li><li>Set the Algorithm name to **RSA**.</li><li>Set the minimum key size to **2048**.</li><li>Select **Requests must use one of the following providers**.</li><li>Select **Microsoft Software Key Storage Provider**.</li><li>Set the Request hash to **SHA256**.</li></ul>|
    |*Security*|Add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them.|
 1. Select **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates.
 1. Close the Certificate Templates console.
 1. Open an elevated command prompt and change to a temporary working directory.
 1. Execute the following command, replacing `<TemplateName>` with the **Template display name** noted above.
    ```cmd
    certutil.exe -dstemplate <TemplateName> > <TemplateName.txt>
    ```
 1. Open the text file created by the command above.
    - Delete the last line of the output from the file that reads\
      `CertUtil: -dsTemplate command completed successfully.`
    - Modify the line that reads\
      `pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"` to\
      `pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"`.
 1. Save the text file.
 1. Update the certificate template by executing the following command:
    ```cmd
    certutil.exe -dsaddtemplate <TemplateName.txt>
    ```
 1. In the Certificate Authority console, right-click **Certificate Templates**, select **New > Certificate Template to Issue**.
 1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and select **OK**. It can take some time for the template to replicate to all servers and become available in this list.
 1. After the template replicates, in the MMC, right-click in the Certification Authority list, select **All Tasks > Stop Service**. Right-click the name of the CA again, select **All Tasks > Start Service**.
 </details>
 <br>
 <details>
 <summary><b>Request a certificate</b></summary>
 1. Sign in to a client that is hybrid Azure AD joined, ensuring that the client has line of sight to a domain controller and the issuing CA.
 1. Open the **Certificates - Current User** Microsoft Management Console (MMC). To do so, you can execute the command `certmgr.msc`.
 1. In the left pane of the MMC, right-click **Personal > All Tasks > Request New Certificate…**.
 1. On the Certificate Enrollment screen, select **Next**.
 1. Under *Select Certificate Enrollment Policy*, select **Active Directory Enrollment Policy > Next**.
 1. Under *Request Certificates*, select the check-box for the certificate template you created in the previous section (*WHfB Certificate Authentication*) and then select **Enroll**.
 1. After a successful certificate request, select **Finish** on the Certificate Installation Results screen.
 </details>
 ## Deploy certificates via Intune
 > [!NOTE]
 > This process is applicable to both *Azure AD joined* and *hybrid Azure AD joined* devices that are managed via Intune.
 Deploying a certificate to Azure AD joined or hybrid Azure AD joined devices may be achieved using the Simple Certificate Enrollment Protocol (SCEP) or PKCS (PFX) via Intune. For guidance deploying the required infrastructure, refer to:
 - [Configure infrastructure to support SCEP certificate profiles with Microsoft Intune][MEM-1].
 - [Configure and use PKCS certificates with Intune][MEM-2].
 Next, you should deploy the root CA certificate (and any other intermediate certificate authority certificates) to Azure AD joined Devices using a *Trusted root certificate* policy with Intune. For guidance, refer to [Create trusted certificate profiles in Microsoft Intune][MEM-5].
 Once these requirements are met, a policy can be configured in Intune that provisions certificates for the users on the targeted device.
 <br>
 <details>
 <summary><b>Create a policy in Intune</b></summary>
 This section describes how to configure a SCEP policy in Intune. Similar steps can be followed to configure a PKCS policy.
 1. Go to the <a href="https://go.microsoft.com/fwlink/?linkid=2109431" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>.
 1. Select **Devices > Configuration profiles > Create profile**.
 1. Select **Platform > Windows 10 and later** and **Profile type > Templates > SCEP Certificate**.
 1. Select **Create**.
 1. In the *Basics* panel, provide a **Name** and, optionally, a **Description > Next**.
 1. In the *Configuration settings* panel, use the following table to configure the policy:
    | Setting| Configurations |
    | --- | --- |
    |*Certificate Type*| User |
    |*Subject name format* | `CN={{UserPrincipalName}}` |
    |*Subject alternative name* |From the dropdown, select **User principal name (UPN)** with a value of `CN={{UserPrincipalName}}`.|
    |*Certificate validity period* | Configure a value of your choosing|
    |*Key storage provider (KSP)* | **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)**.|
    |*Key usage*| **Digital Signature**|
    |*Key size (bits)* | **2048**|
    |*For Hash algorithm*|**SHA-2**|
    |*Root Certificate*| Select **+Root Certificate** and select the trusted certificate profile created earlier for the Root CA Certificate.|
    |*Extended key usage*| <ul><li>*Name:* **Smart Card Logon**</li><li>*Object Identifier:* `1.3.6.1.4.1.311.20.2.2`</li><li>*Predefined Values:* **Smart Card Logon**</li><br><li>*Name:* **Client Authentication**</li><li>*Object Identifier:* `1.3.6.1.5.5.7.3.2 `</li><li>*Predefined Values:* **Client Authentication**</li></ul>|
    |*Renewal threshold (%)*|Configure a value of your choosing.|
    |*SCEP Server URLs*|Provide the public endpoint(s) that you configured during the deployment of your SCEP infrastructure.|
 1. Select **Next**.
 1. In the *Assignments* panel, assign the policy to a security group that contains as members the devices or users that you want to configure and select **Next**.
 1. In the *Applicability Rules* panel, configure issuance restrictions, if needed, and select **Next**.
 1. In the *Review + create* panel, review the policy configuration and select **Create**.
 For more information how to configure SCEP policies, see [Configure SCEP certificate profiles in Intune][MEM-3].
 To configure PKCS policies, see [Configure and use PKCS certificate with Intune][MEM-4].
 </details>
 <br>
 <details>
 <summary><b>Request a certificate</b></summary>
 Once the Intune policy is created, targeted clients will request a certificate during their next policy refresh cycle. To validate that the certificate is present in the user store, follow these steps:
 1. Sign in to a client targeted by the Intune policy.
 1. Open the **Certificates - Current User** Microsoft Management Console (MMC). To do so, you can execute the command `certmgr.msc`.
 1. In the left pane of the MMC, expand **Personal** and select **Certificates**.
 1. In the right-hand pane of the MMC, check for the new certificate.
 </details>
 ## Use third-party certification authorities
 If you're using a non-Microsoft PKI, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune][MEM-6].
 As an alternative to using SCEP or if none of the previously covered solutions will work in your environment, you can manually generate Certificate Signing Requests (CSR) for submission to your PKI. To assist with this approach, you can use the [Generate-CertificateRequest][HTTP-1] PowerShell commandlet.
 The `Generate-CertificateRequest` commandlet will generate an *.inf* file for a pre-existing Windows Hello for Business key. The *.inf* can be used to generate a certificate request manually using `certreq.exe`. The commandlet will also generate a *.req* file, which can be submitted to your PKI for a certificate.
 ## RDP sign-in with Windows Hello for Business certificate authentication
 After obtaining a certificate, users can RDP to any Windows devices in the same Active Directory forest as the user's Active Directory account.
 > [!NOTE]
 > The certificate chain of the issuing CA must be trusted by the target server.
 1. Open the Remote Desktop Client (`mstsc.exe`) on the client where the authentication certificate has been deployed.
 1. Attempt an RDP session to a target server.
-1. Use the certificate credential protected by your Windows Hello for Business gesture.
+1. Use the certificate credential protected by your Windows Hello for Business gesture to authenticate.
 [MEM-1]: /mem/intune/protect/certificates-scep-configure
 [MEM-2]: /mem/intune/protect/certificates-pfx-configure
 [MEM-3]: /mem/intune/protect/certificates-profile-scep
 [MEM-4]: /mem/intune/protect/certificates-pfx-configure
 [MEM-5]: /mem/intune/protect/certificates-trusted-root
 [MEM-6]: /mem/intune/protect/certificate-authority-add-scep-overview
 [HTTP-1]: https://www.powershellgallery.com/packages/Generate-CertificateRequest
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@ -194,7 +194,7 @@ If your environment has an on-premises AD footprint and you also want benefit fr
 ## Hybrid deployment
-The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust.
+The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports three trust types for on-premises authentication: cloud Kerberos trust, key trust and certificate trust.
 ### Related to hybrid deployment
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
@ -5,7 +5,7 @@ ms.prod: windows-client
 author: paolomatarazzo
 ms.author: paoloma
 manager: aaroncz
-ms.reviewer: prsriva
+ms.reviewer: erikdau
 ms.collection: M365-identity-device-management
 ms.topic: article
 localizationpriority: medium
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@ -2,12 +2,12 @@
  href: index.yml
 - name: Overview
  items:
-  - name: Windows Hello for Business Overview
+  - name: Windows Hello for Business overview
    href: hello-overview.md
 - name: Concepts
  expanded: true
  items:
-  - name: Passwordless Strategy
+  - name: Passwordless strategy
    href: passwordless-strategy.md
  - name: Why a PIN is better than a password
    href: hello-why-pin-is-better-than-password.md
@ -15,7 +15,7 @@
    href: hello-biometrics-in-enterprise.md
  - name: How Windows Hello for Business works
    href: hello-how-it-works.md
-  - name: Technical Deep Dive
+  - name: Technical deep dive
    items:
    - name: Provisioning
      href: hello-how-it-works-provisioning.md
@ -25,93 +25,93 @@
      href: webauthn-apis.md
 - name: How-to Guides
  items:
-  - name: Windows Hello for Business Deployment Overview
+  - name: Windows Hello for Business deployment overview
    href: hello-deployment-guide.md
-  - name: Planning a Windows Hello for Business Deployment
+  - name: Planning a Windows Hello for Business deployment
    href: hello-planning-guide.md
-  - name: Deployment Prerequisite Overview
+  - name: Deployment prerequisite overview
    href: hello-identity-verification.md
  - name: Prepare people to use Windows Hello
    href: hello-prepare-people-to-use.md
-  - name: Deployment Guides
+  - name: Deployment guides
    items:
-    - name: Hybrid Cloud Kerberos Trust Deployment
+    - name: Hybrid cloud Kerberos trust deployment
      href: hello-hybrid-cloud-kerberos-trust.md
-    - name: Hybrid Azure AD Joined Key Trust
+    - name: Azure AD join
      items: 
-      - name: Hybrid Azure AD Joined Key Trust Deployment
+      - name: Cloud-only deployment
        href: hello-aad-join-cloud-only-deploy.md
      - name: On-premises SSO for Azure AD joined devices
        href: hello-hybrid-aadj-sso.md
      - name: Configure Azure AD joined devices for on-premises SSO
        href: hello-hybrid-aadj-sso-base.md
      - name: Using certificates for on-premises SSO
        href: hello-hybrid-aadj-sso-cert.md
    - name: Hybrid Azure AD join with key trust
      items: 
      - name: Key trust deployment
        href: hello-hybrid-key-trust.md
      - name: Prerequisites
        href: hello-hybrid-key-trust-prereqs.md
-      - name: New Installation Baseline
+      - name: New installation baseline
        href: hello-hybrid-key-new-install.md
-      - name: Configure Directory Synchronization
+      - name: Configure directory synchronization
        href: hello-hybrid-key-trust-dirsync.md
-      - name: Configure Azure Device Registration
+      - name: Configure Azure AD device registration
        href: hello-hybrid-key-trust-devreg.md
      - name: Configure Windows Hello for Business settings
        href: hello-hybrid-key-whfb-settings.md
-      - name: Sign-in and Provisioning
+      - name: Sign-in and provisioning
        href: hello-hybrid-key-whfb-provision.md
-    - name: Hybrid Azure AD Joined Certificate Trust
+    - name: Hybrid Azure AD join with certificate trust
      items: 
-      - name: Hybrid Azure AD Joined Certificate Trust Deployment
+      - name: Certificate trust deployment
        href: hello-hybrid-cert-trust.md
      - name: Prerequisites
        href: hello-hybrid-cert-trust-prereqs.md
-      - name: New Installation Baseline
+      - name: New installation baseline
        href: hello-hybrid-cert-new-install.md
-      - name: Configure Azure Device Registration
+      - name: Configure Azure AD device registration
        href: hello-hybrid-cert-trust-devreg.md
      - name: Configure Windows Hello for Business settings
        href: hello-hybrid-cert-whfb-settings.md
-      - name: Sign-in and Provisioning
+      - name: Sign-in and provisioning
        href: hello-hybrid-cert-whfb-provision.md
-    - name: On-premises SSO for Azure AD Joined Devices
+    - name: Active Directory domain join with key trust
      items: 
-      - name: On-premises SSO for Azure AD Joined Devices Deployment 
+      - name: Key trust deployment
        href: hello-hybrid-aadj-sso.md
      - name: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business
        href: hello-hybrid-aadj-sso-base.md
      - name: Using Certificates for AADJ On-premises Single-sign On
        href: hello-hybrid-aadj-sso-cert.md
    - name: On-premises Key Trust
      items: 
      - name: On-premises Key Trust Deployment
        href: hello-deployment-key-trust.md
-      - name: Validate Active Directory Prerequisites
+      - name: Validate Active Directory prerequisites
        href: hello-key-trust-validate-ad-prereq.md
-      - name: Validate and Configure Public Key Infrastructure
+      - name: Validate and configure Public Key Infrastructure (PKI)
        href: hello-key-trust-validate-pki.md
-      - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services
+      - name: Prepare and deploy Active Directory Federation Services (AD FS)
        href: hello-key-trust-adfs.md
-      - name: Validate and Deploy Multi-factor Authentication (MFA) Services
+      - name: Validate and deploy multi-factor authentication (MFA) services
        href: hello-key-trust-validate-deploy-mfa.md
      - name: Configure Windows Hello for Business policy settings
        href: hello-key-trust-policy-settings.md
-    - name: On-premises Certificate Trust
+    - name: Active Directory domain join with certificate trust
      items: 
-      - name: On-premises Certificate Trust Deployment
+      - name: Certificate trust deployment
        href: hello-deployment-cert-trust.md
-      - name: Validate Active Directory Prerequisites
+      - name: Validate Active Directory prerequisites
        href: hello-cert-trust-validate-ad-prereq.md
-      - name: Validate and Configure Public Key Infrastructure
+      - name: Validate and configure Public Key Infrastructure (PKI)
        href: hello-cert-trust-validate-pki.md
-      - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services
+      - name: Prepare and Deploy Active Directory Federation Services (AD FS)
        href: hello-cert-trust-adfs.md
-      - name: Validate and Deploy Multi-factor Authentication (MFA) Services
+      - name: Validate and deploy multi-factor authentication (MFA) services
        href: hello-cert-trust-validate-deploy-mfa.md
      - name: Configure Windows Hello for Business policy settings
        href: hello-cert-trust-policy-settings.md
-    - name: Azure AD join cloud only deployment
+    - name: Deploy certificates for RDP sign-in
      href: hello-aad-join-cloud-only-deploy.md
    - name: Managing Windows Hello for Business in your organization
      href: hello-manage-in-organization.md
    - name: Deploying Certificates to Key Trust Users to Enable RDP
      href: hello-deployment-rdp-certs.md
-  - name: Windows Hello for Business Features
+  - name: Manage Windows Hello for Business in your organization
    href: hello-manage-in-organization.md
  - name: Windows Hello for Business features
    items:
-    - name: Conditional Access 
+    - name: Conditional access 
      href: hello-feature-conditional-access.md
    - name: PIN Reset
      href: hello-feature-pin-reset.md
@ -121,21 +121,21 @@
      href: hello-feature-dynamic-lock.md
    - name: Multi-factor Unlock
      href: feature-multifactor-unlock.md
-    - name: Remote Desktop
+    - name: Remote desktop (RDP) sign-in
      href: hello-feature-remote-desktop.md
-  - name: Troubleshooting
+- name: Troubleshooting
-    items:
+  items:
-    - name: Known Deployment Issues
+  - name: Known deployment issues
-      href: hello-deployment-issues.md
+    href: hello-deployment-issues.md
-    - name: Errors During PIN Creation
+  - name: Errors during PIN creation
-      href: hello-errors-during-pin-creation.md
+    href: hello-errors-during-pin-creation.md
-    - name: Event ID 300 - Windows Hello successfully created
+  - name: Event ID 300 - Windows Hello successfully created
-      href: hello-event-300.md
+    href: hello-event-300.md
-    - name: Windows Hello and password changes
+  - name: Windows Hello and password changes
-      href: hello-and-password-changes.md
+    href: hello-and-password-changes.md
 - name: Reference
  items:
-  - name: Technology and Terminology
+  - name: Technology and terminology
    href: hello-how-it-works-technology.md
  - name: Frequently Asked Questions (FAQ)
    href: hello-faq.yml