updates
@ -54,7 +54,7 @@ The following method explains how to disable Windows Hello for Business enrollme
|
||||
When disabled, users can't provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business.
|
||||
|
||||
> [!NOTE]
|
||||
> This policy is only applied during new device enrollments. For currently enrolled devices, you can [set the same settings in a device configuration policy](hello-manage-in-organization.md).
|
||||
> This policy is only applied during new device enrollments. For currently enrolled devices, you can [set the same settings in a device configuration policy](../hello-manage-in-organization.md).
|
||||
|
||||
## Disable Windows Hello for Business enrollment without Intune
|
||||
|
||||
|
@ -19,7 +19,7 @@ ms.topic: tutorial
|
||||
|
||||
After the prerequisites are met and the PKI and AD FS configurations are validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
|
||||
|
||||
# [:::image type="icon" source="../../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
|
||||
# [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo)
|
||||
|
||||
> [!IMPORTANT]
|
||||
> The information in this section applies to Microsoft Entra hybrid joined devices only.
|
||||
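Review bot: the icon reference on the changed line switches from the shared `../../../images/icons/group-policy.svg` to a page-local `images/group-policy.svg`, which relies on the copy of the SVG added elsewhere in this change; keeping a second copy of the icon under `images/` means two files to keep in sync, so consider pointing at the shared `images/icons/` location with a corrected `../` depth instead, unless a local copy is deliberately intended.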
@ -96,7 +96,7 @@ The application of Group Policy object uses security group filtering. This solut
|
||||
|
||||
Users (or devices) must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business. You can provide users with these settings and permissions by adding members to the *Windows Hello for Business Users* group. Users and groups who aren't members of this group won't attempt to enroll for Windows Hello for Business.
|
||||
|
||||
# [:::image type="icon" source="../../../images/icons/intune.svg"::: **Intune**](#tab/intune)
|
||||
# [:::image type="icon" source="images/intune.svg"::: **Intune**](#tab/intune)
|
||||
|
||||
## Configure Windows Hello for Business using Microsoft Intune
|
||||
|
||||
@ -129,7 +129,7 @@ To check the Windows Hello for Business policy applied at enrollment time:
|
||||
1. Select **Windows Hello for Business**
|
||||
1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured
|
||||
|
||||
:::image type="content" source="../images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="../images/whfb-intune-disable.png":::
|
||||
:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="images/whfb-intune-disable.png":::
|
||||
|
||||
If the tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to create a policy using an *account protection* policy.
|
||||
|
||||
@ -152,7 +152,7 @@ To configure Windows Hello for Business using an *account protection* policy:
|
||||
1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
|
||||
1. Review the policy configuration and select **Create**
|
||||
|
||||
:::image type="content" source="../images/whfb-intune-account-protection-cert-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="../images/whfb-intune-account-protection-cert-enable.png":::
|
||||
:::image type="content" source="images/whfb-intune-account-protection-cert-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-cert-enable.png":::
|
||||
|
||||
---
|
||||
|
||||
@ -172,7 +172,7 @@ This is the process that occurs after a user signs in, to enroll in Windows Hell
|
||||
1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
|
||||
1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Microsoft Entra ID to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and see their desktop. While the user has completed provisioning, Microsoft Entra Connect synchronizes the user's key to Active Directory
|
||||
|
||||
:::image type="content" source="../images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business.":::
|
||||
:::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business.":::
|
||||
|
||||
> [!IMPORTANT]
|
||||
> The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889).
|
||||
|
@ -20,7 +20,7 @@ Hybrid environments are distributed systems that enable organizations to use on-
|
||||
This deployment guide describes how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](../hybrid-clud-kerberos-trust.md).
|
||||
> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](../hybrid-cloud-kerberos-trust.md).
|
||||
|
||||
It's recommended that you review the [Windows Hello for Business planning guide](../hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.
|
||||
|
||||
|
@ -8,7 +8,7 @@ ms.topic: tutorial
|
||||
---
|
||||
# Configure and provision Windows Hello for Business - cloud Kerberos trust
|
||||
|
||||
[!INCLUDE [hello-hybrid-key-trust](includes/hello-hybrid-cloudkerb-trust.md)]
|
||||
[!INCLUDE [apply-to-hybrid-cloud-kerberos-trust](includes/apply-to-hybrid-cloud-kerberos-trust.md)]
|
||||
|
||||
## Deployment steps
|
||||
|
||||
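Review bot: on the unchanged context line `[!INCLUDE [hello-hybrid-key-trust](includes/hello-hybrid-cloudkerb-trust.md)]` the include label still says key trust while the file it pulls in is the cloud Kerberos trust include; since this page is already being edited, rename the label to match the file, as the next line already does for `apply-to-hybrid-cloud-kerberos-trust`.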
@ -29,7 +29,7 @@ If you haven't deployed Microsoft Entra Kerberos, follow the instructions in the
|
||||
|
||||
After setting up the Microsoft Entra Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
|
||||
|
||||
#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
|
||||
#### [:::image type="icon" source="images/intune.svg"::: **Intune**](#tab/intune)
|
||||
|
||||
For devices managed by Intune, you can use Intune policies to configure Windows Hello for Business.
|
||||
|
||||
@ -68,7 +68,7 @@ To configure Windows Hello for Business using an account protection policy:
|
||||
1. Specify a **Name** and, optionally, a **Description** > **Next**.
|
||||
1. Under **Block Windows Hello for Business**, select **Disabled** and multiple policies become available.
|
||||
- These policies are optional to configure, but it's recommended to configure **Enable to use a Trusted Platform Module (TPM)** to **Yes**.
|
||||
- For more information about these policies, see [MDM policy settings for Windows Hello for Business](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business).
|
||||
- For more information about these policies, see [MDM policy settings for Windows Hello for Business](../hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business).
|
||||
1. Under **Enable to certificate for on-premises resources**, select **Not configured**
|
||||
1. Select **Next**.
|
||||
1. Optionally, add **scope tags** and select **Next**.
|
||||
@ -107,7 +107,7 @@ To configure the cloud Kerberos trust policy:
|
||||
|
||||
1. Assign the policy to a security group that contains as members the devices or users that you want to configure.
|
||||
|
||||
#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
|
||||
#### [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo)
|
||||
|
||||
Microsoft Entra hybrid joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business.
|
||||
|
||||
@ -118,7 +118,7 @@ You can configure the Enable Windows Hello for Business Group Policy setting for
|
||||
Cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration.
|
||||
|
||||
> [!NOTE]
|
||||
> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune][MEM-1] and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources).
|
||||
> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune][MEM-1] and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources).
|
||||
|
||||
#### Update administrative templates
|
||||
|
||||
@ -199,7 +199,7 @@ If you deployed Windows Hello for Business using the certificate trust model, an
|
||||
|
||||
## Frequently Asked Questions
|
||||
|
||||
For a list of frequently asked questions about Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business Frequently Asked Questions](hello-faq.yml#cloud-kerberos-trust).
|
||||
For a list of frequently asked questions about Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business Frequently Asked Questions](../hello-faq.yml#cloud-kerberos-trust).
|
||||
|
||||
<!--Links-->
|
||||
|
||||
|
@ -84,7 +84,7 @@ Once the prerequisites are met, deploying Windows Hello for Business with a clou
|
||||
> * Provision Windows Hello for Business on Windows clients
|
||||
|
||||
> [!div class="nextstepaction"]
|
||||
> [Next: configure and provision Windows Hello for Business >](hybrid-clud-kerberos-trust-enroll.md)
|
||||
> [Next: configure and provision Windows Hello for Business >](hybrid-cloud-kerberos-trust-enroll.md)
|
||||
|
||||
<!--Links-->
|
||||
|
||||
|
@ -11,7 +11,7 @@ ms.topic: tutorial
|
||||
|
||||
After the prerequisites are met and the PKI configuration is validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
|
||||
|
||||
#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
|
||||
#### [:::image type="icon" source="images/intune.svg"::: **Intune**](#tab/intune)
|
||||
|
||||
## Configure Windows Hello for Business using Microsoft Intune
|
||||
|
||||
@ -54,7 +54,7 @@ To configure Windows Hello for Business using an *account protection* policy:
|
||||
1. Specify a **Name** and, optionally, a **Description** > **Next**
|
||||
1. Under *Block Windows Hello for Business*, select **Disabled** and multiple policies become available
|
||||
- These policies are optional to configure, but it's recommended to configure *Enable to use a Trusted Platform Module (TPM)* to **Yes**
|
||||
- For more information about these policies, see [MDM policy settings for Windows Hello for Business](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business)
|
||||
- For more information about these policies, see [MDM policy settings for Windows Hello for Business](../hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business)
|
||||
1. Select **Next**
|
||||
1. Optionally, add *scope tags* > **Next**
|
||||
1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
|
||||
@ -62,7 +62,7 @@ To configure Windows Hello for Business using an *account protection* policy:
|
||||
|
||||
:::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-enable.png":::
|
||||
|
||||
#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
|
||||
#### [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo)
|
||||
|
||||
## Configure Windows Hello for Business using group policies
|
||||
|
||||
@ -72,7 +72,7 @@ It's suggested to create a security group (for example, *Windows Hello for Busin
|
||||
The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory
|
||||
|
||||
> [!NOTE]
|
||||
> If you deployed Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources)
|
||||
> If you deployed Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources)
|
||||
|
||||
### Enable Windows Hello for Business group policy setting
|
||||
|
||||
@ -101,7 +101,7 @@ Sign-in a domain controller or management workstations with *Domain Admin* equiv
|
||||
> [!NOTE]
|
||||
> Windows Hello for Business can be configured using different policies. These policies are optional to configure, but it's recommended to enable *Use a hardware security device*.
|
||||
>
|
||||
> For more information about these policies, see [Group Policy settings for Windows Hello for Business](hello-manage-in-organization.md#group-policy-settings-for-windows-hello-for-business).
|
||||
> For more information about these policies, see [Group Policy settings for Windows Hello for Business](../hello-manage-in-organization.md#group-policy-settings-for-windows-hello-for-business).
|
||||
|
||||
### Configure security for GPO
|
||||
|
||||
|
@ -19,9 +19,9 @@ Hybrid environments are distributed systems that enable organizations to use on-
|
||||
This deployment guide describes how to deploy Windows Hello for Business in a hybrid key trust scenario.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. For more information, see [cloud Kerberos trust deployment](hybrid-clud-kerberos-trust.md).
|
||||
> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. For more information, see [cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md).
|
||||
|
||||
It is recommended that you review the [Windows Hello for Business planning guide](hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.
|
||||
It is recommended that you review the [Windows Hello for Business planning guide](../hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
|
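Review bot: the cloud Kerberos trust link in this hunk stays a same-folder path (`hybrid-cloud-kerberos-trust.md`) while the planning guide link right below it gains a `../` prefix, whereas the corresponding hunk in the hybrid certificate trust guide earlier in this change links `../hybrid-cloud-kerberos-trust.md`; the two hybrid guides can only both be right if they live in different folders, so verify the relative path from each file before merging.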
@ -0,0 +1,3 @@
|
||||
<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 2048 2048">
|
||||
<path d="M1792 0q53 0 99 20t82 55 55 81 20 100q0 53-20 99t-55 82-81 55-100 20h-128v1280q0 53-20 99t-55 82-81 55-100 20H256q-53 0-99-20t-82-55-55-81-20-100q0-53 20-99t55-82 81-55 100-20V256q0-53 20-99t55-82 81-55T512 0h1280zM128 1792q0 27 10 50t27 40 41 28 50 10h930q-34-60-34-128t34-128H256q-27 0-50 10t-40 27-28 41-10 50zm1280 128q27 0 50-10t40-27 28-41 10-50V256q0-68 34-128H512q-27 0-50 10t-40 27-28 41-10 50v1280h1024q26 0 45 19t19 45q0 26-19 45t-45 19q-25 0-49 9t-42 28q-18 18-27 42t-10 49q0 27 10 50t27 40 41 28 50 10zm384-1536q27 0 50-10t40-27 28-41 10-50q0-27-10-50t-27-40-41-28-50-10q-27 0-50 10t-40 27-28 41-10 50v128h128zm-1280 0h896v128H512V384zm0 256h256v128H512V640zm0 256h256v128H512V896zm0 256h256v128H512v-128zm640-512q53 0 99 20t82 55 55 81 20 100q0 17-4 33t-4 31v539l-248-124-248 124V960q0-14-4-30t-4-34q0-53 20-99t55-82 81-55 100-20zm0 128q-27 0-50 10t-40 27-28 41-10 50q0 27 10 50t27 40 41 28 50 10q27 0 50-10t40-27 28-41 10-50q0-27-10-50t-27-40-41-28-50-10zm136 549v-204q-30 20-65 29t-71 10q-36 0-71-9t-65-30v204l136-68 136 68z" fill="#0078D4" />
|
||||
</svg>
|
@ -0,0 +1,24 @@
|
||||
<svg id="a9ed4d43-c916-4b9a-b9ca-be76fbdc694c" xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18">
|
||||
<defs>
|
||||
<linearGradient id="aaede26b-698f-4a65-b6db-859d207e2da6" x1="8.05" y1="11.32" x2="8.05" y2="1.26" gradientUnits="userSpaceOnUse">
|
||||
<stop offset="0" stop-color="#0078d4" />
|
||||
<stop offset="0.82" stop-color="#5ea0ef" />
|
||||
</linearGradient>
|
||||
<linearGradient id="bc54987f-34ba-4701-8ce4-6eca10aff9e9" x1="8.05" y1="15.21" x2="8.05" y2="11.32" gradientUnits="userSpaceOnUse">
|
||||
<stop offset="0" stop-color="#1490df" />
|
||||
<stop offset="0.98" stop-color="#1f56a3" />
|
||||
</linearGradient>
|
||||
<linearGradient id="a5434fd8-c18c-472c-be91-f2aa070858b7" x1="8.05" y1="7.87" x2="8.05" y2="4.94" gradientUnits="userSpaceOnUse">
|
||||
<stop offset="0" stop-color="#d2ebff" />
|
||||
<stop offset="1" stop-color="#f0fffd" />
|
||||
</linearGradient>
|
||||
</defs>
|
||||
<title>Icon-intune-329</title>
|
||||
<rect x="0.5" y="1.26" width="15.1" height="10.06" rx="0.5" fill="url(#aaede26b-698f-4a65-b6db-859d207e2da6)" />
|
||||
<rect x="1.34" y="2.1" width="13.42" height="8.39" rx="0.28" fill="#fff" />
|
||||
<path d="M11.08,14.37c-1.5-.23-1.56-1.31-1.55-3h-3c0,1.74-.06,2.82-1.55,3a.87.87,0,0,0-.74.84h7.54A.88.88,0,0,0,11.08,14.37Z" fill="url(#bc54987f-34ba-4701-8ce4-6eca10aff9e9)" />
|
||||
<path d="M17.17,5.91H10.29a2.31,2.31,0,1,0,0,.92H11v9.58a.33.33,0,0,0,.33.33h5.83a.33.33,0,0,0,.33-.33V6.24A.33.33,0,0,0,17.17,5.91Z" fill="#32bedd" />
|
||||
<rect x="11.62" y="6.82" width="5.27" height="8.7" rx="0.12" fill="#fff" />
|
||||
<circle cx="8.05" cy="6.41" r="1.46" opacity="0.9" fill="url(#a5434fd8-c18c-472c-be91-f2aa070858b7)" />
|
||||
<path d="M14.88,10.82,13.76,9.7a.06.06,0,0,0-.1.05v.68a.06.06,0,0,1-.06.06H11v.83H13.6a.06.06,0,0,1,.06.06v.69a.06.06,0,0,0,.1,0L14.88,11A.12.12,0,0,0,14.88,10.82Z" fill="#0078d4" />
|
||||
</svg>
|
@ -5,6 +5,6 @@ ms.topic: include
|
||||
|
||||
[!INCLUDE [intro](intro.md)]
|
||||
- **Deployment type:** [!INCLUDE [tooltip-deployment-hybrid](tooltip-deployment-hybrid.md)]
|
||||
- **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-cert-trust.md)]
|
||||
- **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-trust-cert.md)]
|
||||
- **Join type:** [!INCLUDE [tooltip-join-entra](tooltip-join-entra.md)]
|
||||
---
|
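Review bot: the include file is renamed to `tooltip-trust-cert.md` but the label in `[!INCLUDE [tooltip-cert-trust](tooltip-trust-cert.md)]` keeps the old `tooltip-cert-trust` name; rename the label too so it matches the file and the `tooltip-trust-key` naming used by the sibling include.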
@ -5,6 +5,6 @@ ms.topic: include
|
||||
|
||||
[!INCLUDE [intro](intro.md)]
|
||||
- **Deployment type:** [!INCLUDE [tooltip-deployment-hybrid](tooltip-deployment-hybrid.md)]
|
||||
- **Trust type:** [!INCLUDE [tooltip-trust-key](tooltip-trust-key.md)],[!INCLUDE [tooltip-cert-trust](../deploy/includes/tooltip-cert-trust.md)]
|
||||
- **Trust type:** [!INCLUDE [tooltip-trust-key](tooltip-trust-key.md)],[!INCLUDE [tooltip-cert-trust](../deploy/includes/tooltip-trust-cert.md)]
|
||||
- **Join type:** [!INCLUDE [tooltip-join-entra](tooltip-join-entra.md)]
|
||||
---
|
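Review bot: the certificate trust include on the changed line is referenced as `../deploy/includes/tooltip-trust-cert.md` while the key trust include next to it (`tooltip-trust-key.md`) is a sibling path, which implies this include file lives outside `deploy/includes/` and the two tooltips sit in different folders; confirm that is intended. The two includes are also joined with `],[` and no space after the comma, so the rendered text will read `key trust,certificate trust`.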
@ -5,6 +5,6 @@ ms.topic: include
|
||||
|
||||
[!INCLUDE [intro](intro.md)]
|
||||
- **Deployment type:** [!INCLUDE [tooltip-deployment-onpremises](tooltip-deployment-onpremises.md)]
|
||||
- **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-cert-trust.md)]
|
||||
- **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-trust-cert.md)]
|
||||
- **Join type:** [!INCLUDE [tooltip-join-domain](tooltip-join-domain.md)]
|
||||
---
|
@ -3,4 +3,4 @@ ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
[cloud :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-deployment "For organizations using Microsoft Entra-only identities. Device management is usually done via Intune/MDM")
|
||||
[cloud :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-deployment "For organizations using Microsoft Entra-only identities. Device management is usually done via Intune/MDM")
|
||||
|
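Review bot: the new icon path `..images/information.svg` is missing the slash after `..`, so it refers to a directory literally named `..images` rather than to the parent directory; `../images/information.svg` is presumably what was intended. The same typo is repeated in every tooltip include touched by this change (deployment-cloud, deployment-hybrid, deployment-onpremises, join-domain, join-entra, join-hybrid, trust-cert, trust-cloud-kerberos, trust-key), so fix it in all of them.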
@ -3,4 +3,4 @@ ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
[hybrid :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Microsoft Entra ID. Device management is usually done via Group Policy or Intune/MDM")
|
||||
[hybrid :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Microsoft Entra ID. Device management is usually done via Group Policy or Intune/MDM")
|
||||
|
@ -3,4 +3,4 @@ ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
[on-premises :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Microsoft Entra ID. Device management is usually done via Group Policy")
|
||||
[on-premises :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Microsoft Entra ID. Device management is usually done via Group Policy")
|
||||
|
@ -3,4 +3,4 @@ ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
[domain join :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md)
|
||||
[domain join :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md)
|
||||
|
@ -3,4 +3,4 @@ ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
[Microsoft Entra join :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#azure-active-directory-join "Devices that are Microsoft Entra joined do not have any dependencies on Active Directory. Only local users accounts and Microsoft Entra users can sign in to these devices")
|
||||
[Microsoft Entra join :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#azure-active-directory-join "Devices that are Microsoft Entra joined do not have any dependencies on Active Directory. Only local users accounts and Microsoft Entra users can sign in to these devices")
|
||||
|
@ -3,4 +3,4 @@ ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
[Microsoft Entra hybrid join :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are Microsoft Entra hybrid joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Microsoft Entra ID will have single-sign on to both Active Directory and Microsoft Entra protected resources")
|
||||
[Microsoft Entra hybrid join :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are Microsoft Entra hybrid joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Microsoft Entra ID will have single-sign on to both Active Directory and Microsoft Entra protected resources")
|
||||
|
@ -3,4 +3,4 @@ ms.date: 12/15/2023
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
[certificate trust :::image type="icon" source="../../../../images/icons/information.svg" border="false":::](../../hello-how-it-works-technology.md#certificate-trust "This trust type uses a certificate to authenticate the users to Active Directory. It's required to issue certificates to the users and to the domain controllers")
|
||||
[certificate trust :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#certificate-trust "This trust type uses a certificate to authenticate the users to Active Directory. It's required to issue certificates to the users and to the domain controllers")
|
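Review bot: this include's old path was `../../../../images/icons/information.svg` while the sibling tooltips used a bare `information.svg`, so this file may sit at a different depth than the others; the new `..images/information.svg` carries the same missing slash as the other tooltip hunks, and the correct depth should be checked separately for this file rather than assumed from its siblings.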
@ -3,4 +3,4 @@ ms.date: 12/08/2022
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
[cloud Kerberos trust :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-kerberos-trust "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that do not need certificate authentication")
|
||||
[cloud Kerberos trust :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-kerberos-trust "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that do not need certificate authentication")
|
@ -3,4 +3,4 @@ ms.date: 12/08/2022
|
||||
ms.topic: include
|
||||
---
|
||||
|
||||
[key trust :::image type="icon" source="information.svg" border="false":::](../../hello-how-it-works-technology.md#key-trust "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers")
|
||||
[key trust :::image type="icon" source="..images/information.svg" border="false":::](../../hello-how-it-works-technology.md#key-trust "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers")
|
@ -10,7 +10,7 @@ appliesto:
|
||||
|
||||
Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair.
|
||||
|
||||
This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) guide to determine the right deployment model for your organization.
|
||||
This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](../hello-planning-guide.md) guide to determine the right deployment model for your organization.
|
||||
|
||||
Once you've chosen a deployment model, the deployment guide for that model will provide you with the information needed to successfully deploy Windows Hello for Business in your environment. Read the [Windows Hello for Business Deployment Prerequisite Overview](requirements.md) for a summary of the prerequisites for each different Windows Hello for Business deployment model.
|
||||
|
||||
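Review bot: the planning guide link on the changed line gains a `../` prefix while the `requirements.md` link on the trailing context line keeps a same-folder path; if this overview moved together with the other deployment pages, that link needs the same treatment, and if it did not, the new prefix on the planning guide link is the inconsistent one.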
@ -48,11 +48,11 @@ The trust model determines how you want users to authenticate to the on-premises
|
||||
|
||||
Following are the various deployment guides and models included in this topic:
|
||||
|
||||
- [Microsoft Entra hybrid joined cloud Kerberos trust Deployment](hybrid-clud-kerberos-trust.md)
|
||||
- [Microsoft Entra hybrid joined cloud Kerberos trust Deployment](hybrid-cloud-kerberos-trust.md)
|
||||
- [Microsoft Entra hybrid joined Key Trust Deployment](hybrid-key-trust.md)
|
||||
- [Microsoft Entra hybrid joined Certificate Trust Deployment](hybrid-cert-trust.md)
|
||||
- [Microsoft Entra join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)
|
||||
- [On Premises Key Trust Deployment](hybrid-clud-kerberos-trust.md)
|
||||
- [On Premises Key Trust Deployment](hybrid-cloud-kerberos-trust.md)
|
||||
- [On Premises Certificate Trust Deployment](on-premises-cert-trust.md)
|
||||
|
||||
For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you'll need Microsoft Entra Connect to synchronize user accounts in the on-premises Active Directory with Microsoft Entra ID. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials aren't synchronized to Microsoft Entra ID. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](on-premises-key-trust-mfa.md) and [for certificate trust](deploy/on-premises-cert-trust-mfa.md) deployments.
|
||||
|
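Review bot: the "On Premises Key Trust Deployment" bullet is retargeted from `hybrid-clud-kerberos-trust.md` to `hybrid-cloud-kerberos-trust.md`, which fixes the typo but leaves the link pointing at the hybrid cloud Kerberos trust page rather than an on-premises key trust page; the sibling bullet links `on-premises-cert-trust.md`, so this one should link the on-premises key trust overview instead. In the closing paragraph the two prerequisite links are inconsistent as well: one uses `/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust` and the other `/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust` (no `deploy/`, and a file name that does not match the `hybrid-key-trust.md` used in the list above), and the MFA links mix `on-premises-key-trust-mfa.md` with `deploy/on-premises-cert-trust-mfa.md`, which from inside the deploy folder would resolve to `deploy/deploy/...`.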
@ -52,7 +52,7 @@ Sign-in the federation server with *domain administrator* equivalent credentials
|
||||
1. Select **Next** on the **Select Certificate Enrollment Policy** page
|
||||
1. On the **Request Certificates** page, select the **Internal Web Server** check box
|
||||
1. Select the **⚠️ More information is required to enroll for this certificate. Click here to configure settings** link
|
||||
:::image type="content" source="../images/hello-internal-web-server-cert.png" lightbox="../images/hello-internal-web-server-cert.png" alt-text="Example of Certificate Properties Subject Tab - This is what shows when you select the above link.":::
|
||||
:::image type="content" source="images/hello-internal-web-server-cert.png" lightbox="images/hello-internal-web-server-cert.png" alt-text="Example of Certificate Properties Subject Tab - This is what shows when you select the above link.":::
|
||||
1. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the AD FS role and then select **Add**
|
||||
1. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name that you will use for your federation services (*sts.corp.contoso.com*). The name you use here MUST match the name you use when configuring the AD FS server role. Select **Add** and **OK** when finished
|
||||
1. Select **Enroll**
|
||||
@ -161,11 +161,11 @@ Sign-in to the federation server with *Enterprise Administrator* equivalent cred
|
||||
1. In the details pane, select **Configure device registration**
|
||||
1. In the **Configure Device Registration** dialog, Select **OK**
|
||||
|
||||
:::image type="content" source="../images/adfs-device-registration.png" lightbox="../images/adfs-device-registration.png" alt-text="AD FS device registration: configuration of the service connection point.":::
|
||||
:::image type="content" source="images/adfs-device-registration.png" lightbox="images/adfs-device-registration.png" alt-text="AD FS device registration: configuration of the service connection point.":::
|
||||
|
||||
Triggering device registration from AD FS, creates the service connection point (SCP) in the Active Directory configuration partition. The SCP is used to store the device registration information that Windows clients will automatically discover.
|
||||
|
||||
:::image type="content" source="../images/adfs-scp.png" lightbox="../images/adfs-scp.png" alt-text="AD FS device registration: service connection point object created by AD FS.":::
|
||||
:::image type="content" source="images/adfs-scp.png" lightbox="images/adfs-scp.png" alt-text="AD FS device registration: service connection point object created by AD FS.":::
|
||||
|
||||
## Review to validate the AD FS and Active Directory configuration
|
||||
|
||||
|
@ -10,10 +10,10 @@ items:
|
||||
- name: Cloud Kerberos trust deployment
|
||||
items:
|
||||
- name: Overview
|
||||
href: hybrid-clud-kerberos-trust.md
|
||||
href: hybrid-cloud-kerberos-trust.md
|
||||
displayName: cloud Kerberos trust
|
||||
- name: Configure and provision Windows Hello for Business
|
||||
href: hybrid-clud-kerberos-trust-enroll.md
|
||||
href: hybrid-cloud-kerberos-trust-enroll.md
|
||||
displayName: cloud Kerberos trust
|
||||
- name: Key trust deployment
|
||||
items:
|
||||
@ -54,7 +54,7 @@ items:
|
||||
- name: Key trust deployment
|
||||
items:
|
||||
- name: Overview
|
||||
href: hybrid-clud-kerberos-trust.md
|
||||
href: hybrid-cloud-kerberos-trust.md
|
||||
- name: Configure and validate the PKI
|
||||
href: on-premises-key-trust-pki.md
|
||||
- name: Prepare and deploy Active Directory Federation Services (AD FS)
|
||||
|
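Review bot: under the "Key trust deployment" TOC node the Overview href is changed to `hybrid-cloud-kerberos-trust.md`, but the items that follow (`on-premises-key-trust-pki.md`, "Prepare and deploy Active Directory Federation Services (AD FS)") belong to the on-premises key trust walkthrough, so the overview should point at the on-premises key trust page rather than the cloud Kerberos trust one; the cloud Kerberos trust node earlier in the same file already owns that href. Fixing the typo here preserves a wrong target.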
@ -80,7 +80,7 @@ To use Iris authentication, you'll need a [HoloLens 2 device](/hololens/). All H
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Windows Hello for Business](hello-identity-verification.md)
|
||||
- [Windows Hello for Business](requirements.md)
|
||||
- [How Windows Hello for Business works](hello-how-it-works.md)
|
||||
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
|
||||
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
|
||||
|
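Review bot: the first related-topics entry keeps the link text "Windows Hello for Business" while its target changes from `hello-identity-verification.md` to `requirements.md`, so readers expecting the overview land on the requirements page. Either rename the link text to match the new target (for example "Windows Hello for Business requirements") or point it at the overview page that replaces `hello-identity-verification.md`.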
@ -106,7 +106,7 @@ In Windows 10 and Windows 11, cloud experience host is an application used while
|
||||
|
||||
### Related to cloud experience host
|
||||
|
||||
- [Windows Hello for Business](hello-identity-verification.md)
|
||||
- [Windows Hello for Business](requirements.md)
|
||||
- [Managed Windows Hello in organization](hello-manage-in-organization.md)
|
||||
|
||||
### More information on cloud experience host
|
||||
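Review bot: same mismatch as the other related-topics lists in this commit: the link text "Windows Hello for Business" now resolves to `requirements.md`, so the label no longer describes the target. Rename the label to reflect the requirements page, or link the overview instead.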
@ -131,7 +131,7 @@ Giving the simplicity offered by this model, cloud Kerberos trust is the recomme
|
||||
|
||||
### More information about cloud Kerberos trust
|
||||
|
||||
[Cloud Kerberos trust deployment](hybrid-clud-kerberos-trust.md)
|
||||
[Cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md)
|
||||
|
||||
## Deployment type
|
||||
|
||||
|
@ -44,7 +44,7 @@ For more information read [how authentication works](hello-how-it-works-authenti
|
||||
## Related topics
|
||||
|
||||
- [Technology and Terminology](hello-how-it-works-technology.md)
|
||||
- [Windows Hello for Business](hello-identity-verification.md)
|
||||
- [Windows Hello for Business](requirements.md)
|
||||
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
|
||||
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
|
||||
- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
|
||||
|
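Review bot: the "Windows Hello for Business" entry is retargeted to `requirements.md` without changing its text; with "Technology and Terminology" and "How Windows Hello for Business works" listed alongside it, a reader will assume this is the product overview. Update the link text to name the requirements page, or point it at the overview.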
@ -6,7 +6,7 @@ ms.topic: how-to
|
||||
---
|
||||
# Configure single sign-on for Microsoft Entra joined devices
|
||||
|
||||
[!INCLUDE [hello-hybrid-key-trust](includes/hello-hybrid-keycert-trust-aad.md)]
|
||||
[!INCLUDE [apply-to-hybrid-key-and-cert-trust](deploy/includes/apply-to-hybrid-key-and-cert-trust.md)]
|
||||
|
||||
Windows Hello for Business combined with Microsoft Entra joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Microsoft Entra joined devices may need to access these resources. With additional configurations to the hybrid deployment, you can provide single sign-on to on-premises resources for Microsoft Entra joined devices using Windows Hello for Business, using a key or a certificate.
|
||||
|
||||
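Review bot: the include path is changed to `deploy/includes/apply-to-hybrid-key-and-cert-trust.md`, but the deployment index in this same commit links this page as `hello-hybrid-aadj-sso.md` with no folder prefix, which places it inside `deploy/`; from there the include should be `includes/apply-to-hybrid-key-and-cert-trust.md`, otherwise it resolves to `deploy/deploy/includes/...`. If the page actually stays in the parent folder, the index link needs a `deploy/` prefix removed the other way round; either way the two cannot both be right.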
@ -203,7 +203,7 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
|
||||
1. Repeat this procedure on all your domain controllers
|
||||
|
||||
> [!NOTE]
|
||||
> You can configure domain controllers to automatically enroll and renew their certificates. Automatic certificate enrollment helps prevent authentication outages due to expired certificates. Refer to the [Windows Hello Deployment Guides](hello-deployment-guide.md) to learn how to deploy automatic certificate enrollment for domain controllers.
|
||||
> You can configure domain controllers to automatically enroll and renew their certificates. Automatic certificate enrollment helps prevent authentication outages due to expired certificates. Refer to the [Windows Hello Deployment Guides](index.md) to learn how to deploy automatic certificate enrollment for domain controllers.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> If you are not using automatic certificate enrollment, create a calendar reminder to alert you two months before the certificate expiration date. Send the reminder to multiple people in the organization to ensure more than one or two people know when these certificates expire.
|
||||
|
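Review bot: the note now sends readers to `index.md` for "how to deploy automatic certificate enrollment for domain controllers". Confirm that `index.md` resolves to the deployment guides index from this file's folder (it only does if this file sits in `deploy/`) and that the index actually covers domain controller auto-enrollment; otherwise link the specific PKI page, for example the `on-premises-key-trust-pki.md` entry that the TOC changes in this commit reference, so the reader is not dropped on a landing page.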
@ -82,7 +82,7 @@ It's fundamentally important to understand which deployment model to use for a s
|
||||
A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust.
|
||||
|
||||
> [!NOTE]
|
||||
> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](hybrid-clud-kerberos-trust.md).
|
||||
> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](hybrid-cloud-kerberos-trust.md).
|
||||
|
||||
The key trust type doesn't require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
|
||||
|
||||
|
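Review bot: the lead sentence still says "There are two trust types: key trust and certificate trust" while the note immediately below introduces cloud Kerberos trust as a third model; since this hunk already touches the note, update the count and list in the lead sentence so the paragraph is consistent. The retargeted link `hybrid-cloud-kerberos-trust.md` has no folder prefix, so double-check it resolves from this file's location given the `deploy/` moves elsewhere in the commit.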
@ -44,7 +44,7 @@ If your policy allows it, people can use biometrics (fingerprint, iris, and faci
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Windows Hello for Business](hello-identity-verification.md)
|
||||
- [Windows Hello for Business](requirements.md)
|
||||
- [How Windows Hello for Business works](hello-how-it-works.md)
|
||||
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
|
||||
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
|
||||
|
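Review bot: as in the other related-topics lists, the label "Windows Hello for Business" now links `requirements.md`, so the text no longer describes the destination; rename it or restore a link to the overview page.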
@ -155,7 +155,7 @@ A successful transition relies on user acceptance testing. It's impossible for y
|
||||
|
||||
#### Deploy Windows Hello for Business to test users
|
||||
|
||||
Next, you'll want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the journey to becoming password-less. Use the [Windows Hello for Business planning guide](hello-planning-guide.md) to help learning which deployment is best suited for your environment. Next, use the [Windows Hello for Business deployment guides](hello-deployment-guide.md) to deploy Windows Hello for Business.
|
||||
Next, you'll want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the journey to becoming password-less. Use the [Windows Hello for Business planning guide](hello-planning-guide.md) to help learning which deployment is best suited for your environment. Next, use the [Windows Hello for Business deployment guides](index.md) to deploy Windows Hello for Business.
|
||||
|
||||
With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is that you'll only need to deploy the infrastructure once. When other targeted work personas need to start using Windows Hello for Business, add them to a group. You'll use the first work persona to validate your Windows Hello for Business deployment.
|
||||
|
||||
|
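Review bot: in the same sentence the planning guide is linked as `hello-planning-guide.md` (same folder) while the deployment guides are now linked as `index.md` (also same folder). The deployment index elsewhere in this commit reaches the planning guide via `../hello-planning-guide.md`, so the planning guide and the deployment index are in different folders; if this password-less page sits beside the planning guide, `index.md` here points at the parent landing page rather than the deployment guides and should be `deploy/index.md`. Also worth fixing while touching the line: "to help learning which deployment" reads better as "to help determine which deployment".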