Commit b09047f

committed
edits
1 parent 8bc78b0 commit b09047f

2 files changed

+18
-18
lines changed

articles/trusted-signing/faq.yml

Lines changed: 12 additions & 12 deletions
@@ -17,21 +17,21 @@ sections:
1717
questions:
1818
- question: What versions of Windows does Trusted Signing support?
1919
answer: |
20-
The Trusted Signing service supports all versions of Windows that run the general user-mode code integrity (UMCI) security policy.
20+
The Trusted Signing service supports all versions of Windows that support the general user-mode code integrity (UMCI) security policy.
2121
2222
Support for signed binaries was added in the July 2021 Certificate Trust List (CTL) update for Windows. In a typical scenario, when an end-entity certificate from a chain is encountered on a computer, the system retrieves the root certificate authority (CA) certificate and adds it to the trust root store.
2323
2424
For more information about Windows support for Trusted Signing, see [Trusted Signing Program Windows Support](https://support.microsoft.com/topic/kb5022661-windows-support-for-the-azure-code-signing-program-4b505a31-fa1e-4ea6-85dd-6630229e8ef4).
25-
- question: How do I grant API access to Trusted Signing in Microsoft Entra ID?
25+
- question: How do I grant API access to Trusted Signing in Microsoft Entra?
2626
answer: |
2727
Ask your Microsoft Entra admin to approve your request for access. For more information about permissions, see these articles:
2828
2929
- [Overview of consent and permissions](https://learn.microsoft.com/entra/identity/enterprise-apps/user-admin-consent-overview)
3030
- [Configure the admin consent workflow](https://learn.microsoft.com/entra/identity/enterprise-apps/configure-admin-consent-workflow)
3131
- [Review permissions granted to applications](https://learn.microsoft.com/entra/identity/enterprise-apps/manage-application-permissions?pivots=portal)
32-
- question: What if I don't see `Microsoft.CodeSigning` as a resource provider?
32+
- question: What if I don't see Microsoft.CodeSigning as a resource provider?
3333
answer: |
34-
To register the `Microsoft.CodeSigning` app, go to the subscription **Resource providers** pane as shown in this example:
34+
To register the Microsoft.CodeSigning app, go to the subscription **Resource providers** pane as shown in this example:
3535
3636
:::image type="content" source="media/trusted-signing-resource-provider.png" alt-text="Screenshot of registering the Microsoft.CodeSigning resource provider." lightbox="media/trusted-signing-resource-provider.png":::
3737
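Review bot: New line 34 calls Microsoft.CodeSigning an "app" ("To register the Microsoft.CodeSigning app"), while the question on line 32 and the screenshot alt text on line 36 both call it a resource provider; suggest "To register the Microsoft.CodeSigning resource provider". The backticks dropped on lines 32 and 34 marked the namespace as a literal value that readers must match exactly, so consider keeping code formatting at least in the answer body. On line 20, the new wording "supports all versions of Windows that support" repeats the verb; a different verb would read more cleanly.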
@@ -42,25 +42,25 @@ sections:
4242
- If identity validation fails, but not because of a missed email verification, the Microsoft validation team wasn't able to make a determination about your request based on the information that you provided. Even if you provide more documentation when we request it, if we can't validate the information, we can't onboard you to Trusted Signing. In this scenario, we recommend that you delete your Trusted Signing account so that you aren't billed for unused resources.
4343
- question: What if I need assistance with identity validation?
4444
answer: |
45-
For questions about identity validation in Trusted Signing, contact us by using [Microsoft Q&A](https://learn.microsoft.com/answers/tags/509/trusted-signing) (use the tag `Azure Trusted Signing`) or [Stack Overflow](https://stackoverflow.com/questions/tagged/trusted-signing) (use the tag `trusted-signing`). Azure support doesn't resolve identity validation issues for Trusted Signing.
45+
For questions about identity validation in Trusted Signing, contact us by using [Microsoft Q&A](https://learn.microsoft.com/answers/tags/509/trusted-signing) (use the tag **Azure Trusted Signing**) or [Stack Overflow](https://stackoverflow.com/questions/tagged/trusted-signing) (use the tag **trusted-signing**). Azure support doesn't resolve identity validation issues for Trusted Signing.
4646
- question: What is the cost of using Trusted Signing?
4747
answer: |
48-
For pricing information, see the [Trusted Signing pricing page](https://azure.microsoft.com/pricing/details/trusted-signing/).
48+
For pricing information, see [Trusted Signing pricing](https://azure.microsoft.com/pricing/details/trusted-signing/).
4949
- question: What are my support options when I set up Trusted Signing?
5050
answer: |
5151
You can create a support ticket in the Azure portal to get Azure support. Also, you can post a question or search for related questions on [Microsoft Q&A](https://learn.microsoft.com/answers/tags/509/trusted-signing) (use the tag `Azure Trusted Signing`) or [Stack Overflow](https://stackoverflow.com/questions/tagged/trusted-signing) (use the tag `trusted-signing`).
5252
- name: Certificate profiles and identity validation
5353
questions:
5454
- question: What if my Trusted Signing subject name is different from the name in my certificate and my MSIX package name is different now?
5555
answer: |
56-
Follow the persistent identity guidance in [MSIX persistent identity](/windows/msix/package/persistent-identity).
56+
For Windows app MSIX packages, follow the guidance in [MSIX persistent identity](/windows/msix/package/persistent-identity).
5757
- question: Does deleting a certificate profile revoke the certificates?
5858
answer: |
5959
No. If you delete a certificate profile, any certificates that were previously issued or used under that profile remain valid. The certificates aren't revoked.
6060
- question: Can I use a custom CN or a custom O with Trusted Signing?
6161
answer: |
6262
No, you can't use use a custom Common Name (CN) or a custom Organization (O) with Trusted Signing. Currently, the Trusted Signing service doesn't support customization. Also, keep in mind that per Code Signing Baseline Requirements (CSBRs) for publicly trusted code signing certificates, CN values must always be the legal entity's validated name (for example, `Microsoft Corporation`).
63-
- question: What if the **New identity validation** button in the Azure portal is inactive?
63+
- question: What if the "New identity validation" button in the Azure portal is inactive?
6464
answer: |
6565
If the **New identity validation** button in the Azure portal is inactive and you can't select it, you don't have the Trusted Signing Identity Verifier role assigned to your account. To assign yourself the role, complete the steps in [Assign roles in Trusted Signing](https://learn.microsoft.com/azure/trusted-signing/tutorial-assign-roles).
6666
- question: What if my identity validation expires?
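Review bot: The tag formatting on new line 45 (bold **Azure Trusted Signing** and **trusted-signing**) now disagrees with unchanged line 51, which still shows the same two tags in code formatting; pick one style and apply it to both answers. The same applies to line 63, where the question now puts "New identity validation" in quotation marks while the answer on line 65 keeps the button name in bold. Unchanged line 62 also contains a doubled word ("can't use use") that could be fixed in the same pass.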
@@ -77,7 +77,7 @@ sections:
7777
FIPS 140-2 Level 3 (mHSMs).
7878
- question: How do I include the appropriate EKU for our certificates in the ELAM driver resources?
7979
answer: |
80-
For information about the Early Launch Antimalware (ELAM) driver configuration for protecting anti-malware user-mode services, see the following guidance: "Beginning in 2022, all user mode anti-malware service binaries must be signed by Microsoft's Trusted Signing signing service. The Trusted Signing issued Authenticode certificate for signing anti-malware binaries is updated every 30 days for security. To prevent the need to update the ELAM driver every time the certificate is updated, we recommend that anti-malware vendors include the Trusted Signing PCA certificate TBS hash in the CertHash portion of the ELAM driver resource file info. Additionally, the anti-malware vendor must include their unique Trusted Signing EKU identity in the EKU field of the resource file info. The EKU identity will begin with the prefix `1.3.6.1.4.1.311.97.*`."
80+
For information about the Early Launch Antimalware (ELAM) driver configuration for protecting anti-malware user-mode services, see the following guidance: "Beginning in 2022, all user mode anti-malware service binaries must be signed by Microsoft's Trusted Signing signing service. The Trusted Signing issued Authenticode certificate for signing anti-malware binaries is updated every 30 days for security. To prevent the need to update the ELAM driver every time the certificate is updated, we recommend that anti-malware vendors include the Trusted Signing PCA certificate TBS hash in the CertHash portion of the ELAM driver resource file info. Additionally, the anti-malware vendor must include their unique Trusted Signing EKU identity in the EKU field of the resource file info. The EKU identity will begin with the prefix `1.3.6.1.4.1.311.97.`."
8181
8282
For the Microsoft ID Verified Code Signing PCA 2021 certificate, see the [Microsoft PKI Services repository](https://www.microsoft.com/pkiops/docs/repository.htm).
8383
- question: What happens if we run binaries that are signed by using Trusted Signing on a computer that doesn't have the Trusted Signing update (especially binaries that are flagged for /INTEGRITYCHECK?
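Review bot: The edit on line 80 changes text inside quotation marks that the sentence introduces as "the following guidance", so if that passage is a verbatim quote the EKU prefix should stay as the source has it. With the new form the sentence ends in `1.3.6.1.4.1.311.97.`." and the trailing dot of the prefix is easy to misread as sentence punctuation; since vendors copy this value into the EKU field of the ELAM resource file, consider rewording so the prefix does not sit at the end of the sentence. Unchanged line 83 is also missing the closing parenthesis after /INTEGRITYCHECK.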
@@ -106,13 +106,13 @@ sections:
106106
- question: I get errors when I do Private Trust signing. What should I do?
107107
answer: |
108108
If you get an internal error, check that the CN name that you used matches the certificate name. Verify the package name, and copy the complete value for the subject from the Azure portal to the manifest file during signing.
109-
- question: I'm see the status **Command succeeded** for SignTool, but the file doesn't appear to be signed when I check the digital signature. What should I do?
109+
- question: I see the status "Command succeeded" for SignTool, but the file doesn't appear to be signed when I check the digital signature. What should I do?
110110
answer: |
111111
If the signature doesn't appear in the digital signature property, run this command: `.\signtool.exe verify /v /debug /pa fileName`. Not all file types have the **Signature** tab in **Properties**.
112-
- question: How do I fix popup credentials in an Azure virtual machine when I run the SignTool + dlib command?
112+
- question: How do I fix pop-up credentials in an Azure virtual machine when I run the SignTool + dlib command?
113113
answer: |
114114
1. Create a [user-assigned managed identity](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview).
115-
1. Add the user-assigned managed identity to the virtual machine (VM):
115+
1. Add the user-assigned managed identity to the VM:
116116
1. Select the VM.
117117
1. On the left menu, select **Identity**, and then select **User assigned**.
118118
1. Select **Add** to add the managed identity.
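Review bot: Line 115 now uses "VM" without the expansion that was removed, and the question on line 112 spells out "Azure virtual machine" without introducing the abbreviation, so the first "VM" in this answer is undefined; either keep "virtual machine (VM)" on line 115 or add "(VM)" to the question. On line 109, the status text moves from bold to quotation marks while line 111 keeps bold for UI labels (**Signature**, **Properties**); confirm that the difference is intended.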

articles/trusted-signing/how-to-change-sku.md

Lines changed: 6 additions & 6 deletions
@@ -9,11 +9,11 @@ ms.date: 05/30/2024
99
---
1010

1111

12-
# Select or change Trusted Signing SKU (pricing tier)
12+
# Change a Trusted Signing account SKU (pricing tier)
1313

1414
Trusted Signing gives you a choice between two pricing tiers: Basic and Premium. Both tiers are tailored to offer the service at an optimal cost and to be suitable for any signing scenario.
1515

16-
For more information about pricing, see the Trusted Signing [Pricing](https://azure.microsoft.com/pricing/details/trusted-signing/) article.
16+
For more information, see [Trusted Signing pricing](https://azure.microsoft.com/pricing/details/trusted-signing/).
1717

1818
## SKU (pricing tier) overview
1919
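Review bot: The H1 on line 12 drops "Select" and now reads "Change a Trusted Signing account SKU (pricing tier)", but the front matter that closes on line 9 is outside this hunk, so please confirm its title and description were updated to match the new heading. The link text on line 16 now matches the "Trusted Signing pricing" wording used in faq.yml line 48, which is a good consistency fix.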

@@ -40,15 +40,15 @@ Things to keep in mind:
4040
- SKU updates are effective beginning in the next billing cycle.
4141
- SKU limitations for an updated SKU are enforced after the update is successful.
4242
- After you change the SKU, you must manually refresh the account overview to see the updated SKU under **SKU (Pricing tier)**. (We are actively working to resolve this known limitation.)
43+
- To upgrade to Premium:
44+
45+
- No limitations are applied when you upgrade from the Basic SKU to the Premium SKU.
4346
- To downgrade to Basic:
4447

45-
- The Basic SKU allows only one certificate profile of each type. For example, if you have two certificate profiles of the Public Trust type, you need to delete any single profile to be eligible to downgrade. The same limitation applies for other certificate profile types.
48+
- The Basic SKU allows only one certificate profile of each type. For example, if you have two certificate profiles of the Public Trust type, you must delete any single profile to be eligible to downgrade. The same limitation applies for other certificate profile types.
4649
- In the Azure portal, on the **Certificate Profiles** pane, make sure that you select **Status: All** to view all certificate profiles. Viewing all certificate profiles can help you delete all relevant certificate profiles to meet the criteria to downgrade.
4750

4851
:::image type="content" source="media/trusted-signing-certificate-profile-deletion-changesku.png" alt-text="Screenshot that shows selecting all certificate profile statuses to view all certificate profiles." lightbox="media/trusted-signing-certificate-profile-deletion-changesku.png":::
49-
- To upgrade to Premium:
50-
51-
- No limitations are applied when you upgrade from the Basic SKU to the Premium SKU.
5252

5353
# [Azure portal](#tab/sku-portal)
5454
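Review bot: On new line 48, "you must delete any single profile to be eligible to downgrade" only holds for the two-profile example given; with more than two profiles of a type, deleting one still leaves the account over the Basic limit of one profile per type. Suggest wording such as "delete profiles until only one of each type remains", which also agrees with the next bullet on line 49 ("delete all relevant certificate profiles"). Moving the upgrade bullet ahead of the downgrade bullet keeps the screenshot on line 51 attached to the downgrade steps, which is correct.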
