Commit 79fa95c

edits
1 parent b09047f commit 79fa95c

1 file changed

+4
-4
lines changed

articles/trusted-signing/faq.yml

Lines changed: 4 additions & 4 deletions
@@ -48,7 +48,7 @@ sections:
4848
For pricing information, see [Trusted Signing pricing](https://azure.microsoft.com/pricing/details/trusted-signing/).
4949
- question: What are my support options when I set up Trusted Signing?
5050
answer: |
51-
You can create a support ticket in the Azure portal to get Azure support. Also, you can post a question or search for related questions on [Microsoft Q&A](https://learn.microsoft.com/answers/tags/509/trusted-signing) (use the tag `Azure Trusted Signing`) or [Stack Overflow](https://stackoverflow.com/questions/tagged/trusted-signing) (use the tag `trusted-signing`).
51+
You can create a support ticket in the Azure portal to get Azure support. Also, you can post a question or search for related questions on [Microsoft Q&A](https://learn.microsoft.com/answers/tags/509/trusted-signing) (use the tag **Azure Trusted Signing**) or [Stack Overflow](https://stackoverflow.com/questions/tagged/trusted-signing) (use the tag **trusted-signing**).
5252
- name: Certificate profiles and identity validation
5353
questions:
5454
- question: What if my Trusted Signing subject name is different from the name in my certificate and my MSIX package name is different now?
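Review bot: On new line 51, moving the two tag names from code formatting to bold makes them read as UI labels instead of literal values the reader types into a tag search. `trusted-signing` is an exact tag string (it matches the Stack Overflow URL path in the same sentence), so code formatting fits it better. Please also confirm that the Microsoft Q&A tag is really displayed as "Azure Trusted Signing", because the link path on this line ends in `trusted-signing`.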
@@ -59,7 +59,7 @@ sections:
5959
No. If you delete a certificate profile, any certificates that were previously issued or used under that profile remain valid. The certificates aren't revoked.
6060
- question: Can I use a custom CN or a custom O with Trusted Signing?
6161
answer: |
62-
No, you can't use use a custom Common Name (CN) or a custom Organization (O) with Trusted Signing. Currently, the Trusted Signing service doesn't support customization. Also, keep in mind that per Code Signing Baseline Requirements (CSBRs) for publicly trusted code signing certificates, CN values must always be the legal entity's validated name (for example, `Microsoft Corporation`).
62+
No, you can't use use a custom Common Name (CN) or a custom Organization (O) with Trusted Signing. Currently, the Trusted Signing service doesn't support customization. Also, keep in mind that per the Certification Authority Browser Forum (CA/Browser Forum) in the Code Signing Baseline Requirements (CSBRs) for publicly trusted code signing certificates, CN values must always be the legal entity's validated name (for example, `Microsoft Corporation`).
6363
- question: What if the "New identity validation" button in the Azure portal is inactive?
6464
answer: |
6565
If the **New identity validation** button in the Azure portal is inactive and you can't select it, you don't have the Trusted Signing Identity Verifier role assigned to your account. To assign yourself the role, complete the steps in [Assign roles in Trusted Signing](https://learn.microsoft.com/azure/trusted-signing/tutorial-assign-roles).
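Review bot: New line 62 still carries the duplicated word in "you can't use use a custom Common Name", and the added wording "per the Certification Authority Browser Forum (CA/Browser Forum) in the Code Signing Baseline Requirements (CSBRs)" is hard to parse, since the requirement comes from the document and not from "in" it. Suggest "you can't use a custom Common Name (CN)" and "per the CA/Browser Forum Code Signing Baseline Requirements (CSBRs)", with the forum name expanded once if the style guide requires it.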
@@ -77,7 +77,7 @@ sections:
7777
FIPS 140-2 Level 3 (mHSMs).
7878
- question: How do I include the appropriate EKU for our certificates in the ELAM driver resources?
7979
answer: |
80-
For information about the Early Launch Antimalware (ELAM) driver configuration for protecting anti-malware user-mode services, see the following guidance: "Beginning in 2022, all user mode anti-malware service binaries must be signed by Microsoft's Trusted Signing signing service. The Trusted Signing issued Authenticode certificate for signing anti-malware binaries is updated every 30 days for security. To prevent the need to update the ELAM driver every time the certificate is updated, we recommend that anti-malware vendors include the Trusted Signing PCA certificate TBS hash in the CertHash portion of the ELAM driver resource file info. Additionally, the anti-malware vendor must include their unique Trusted Signing EKU identity in the EKU field of the resource file info. The EKU identity will begin with the prefix `1.3.6.1.4.1.311.97.`."
80+
For information about the Early Launch Antimalware (ELAM) driver configuration for protecting anti-malware user-mode services, see the following guidance: "Beginning in 2022, all user mode anti-malware service binaries must be signed by Microsoft's Trusted Signing signing service. The Trusted Signing issued Authenticode certificate for signing anti-malware binaries is updated every 30 days for security. To prevent the need to update the ELAM driver every time the certificate is updated, we recommend that anti-malware vendors include the Trusted Signing PCA certificate TBS hash in the CertHash portion of the ELAM driver resource file info. Additionally, the anti-malware vendor must include their unique Trusted Signing EKU identity in the EKU field of the resource file info. The EKU identity will begin with the prefix `1.3.6.1.4.1.311.97.*`."
8181
8282
For the Microsoft ID Verified Code Signing PCA 2021 certificate, see the [Microsoft PKI Services repository](https://www.microsoft.com/pkiops/docs/repository.htm).
8383
- question: What happens if we run binaries that are signed by using Trusted Signing on a computer that doesn't have the Trusted Signing update (especially binaries that are flagged for /INTEGRITYCHECK?
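Review bot: On new line 80, the EKU value changes to `1.3.6.1.4.1.311.97.*` while the sentence still calls it a prefix, and the edit sits inside quoted guidance. A vendor copying this into the EKU field of the ELAM resource file info could take the `.*` literally, so either keep the bare prefix `1.3.6.1.4.1.311.97.` or reword to say the vendor's EKU is a longer OID that starts with that prefix. If the quotation is meant to be verbatim, it should match its source. The context question on line 83 is also missing a closing parenthesis after `/INTEGRITYCHECK`.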
@@ -108,7 +108,7 @@ sections:
108108
If you get an internal error, check that the CN name that you used matches the certificate name. Verify the package name, and copy the complete value for the subject from the Azure portal to the manifest file during signing.
109109
- question: I see the status "Command succeeded" for SignTool, but the file doesn't appear to be signed when I check the digital signature. What should I do?
110110
answer: |
111-
If the signature doesn't appear in the digital signature property, run this command: `.\signtool.exe verify /v /debug /pa fileName`. Not all file types have the **Signature** tab in **Properties**.
111+
If the signature doesn't appear in the digital signature property, run this command: `.\signtool.exe verify /v /debug /pa fileName`. Not all file types include the **Signature** tab in **Properties**.
112112
- question: How do I fix pop-up credentials in an Azure virtual machine when I run the SignTool + dlib command?
113113
answer: |
114114
1. Create a [user-assigned managed identity](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview).
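Review bot: New line 111 refers to the same UI element as "the digital signature property" in the first sentence and "the **Signature** tab in **Properties**" in the last; the "have" to "include" change doesn't address that. Use one name that matches the label shown in the file Properties dialog. In the command, `fileName` is a placeholder but is formatted as literal input, so mark it as one (for example `<fileName>`) so readers don't paste it as is.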
