Delete unused images and update Windows Hello for Business enrollment steps

2025-07-02 18:53:41 +00:00 · 2023-12-28 15:55:35 -05:00
parent 3f196928bc
commit 05f9b9c423
4 changed files with 28 additions and 18 deletions
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
@ -107,7 +107,7 @@ Alternatively, you can configure devices using a [custom policy][MEM-3] with the
 |--------|
 | - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseCloudTrustForOnPremAuth`<br>- **Data type:** `bool`<br>- **Value:** `True`|

-For more information about the cloud Kerberos trust policy, see [Windows Hello for Business policy settings](../policy-settings.md#use-cloud-trust-for-on-prem-auth).
+For more information about the cloud Kerberos trust policy, see [Windows Hello for Business policy settings](../policy-settings.md#use-cloud-trust-for-on-premises-authentication).

 # [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo)

@ -138,6 +138,8 @@ You can configure Windows Hello for Business cloud Kerberos trust using a Group

 ---

+Additional policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md).
+
 > [!IMPORTANT]
 > If the **Use certificate for on-premises authentication** policy is enabled, certificate trust takes precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy **not configured**.

@ -148,26 +150,23 @@ The Windows Hello for Business provisioning process begins immediately after a u
 You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs** > **Microsoft** > **Windows**.\
 This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4].

-:::image type="content" alt-text="Cloud Kerberos trust prerequisite check in the user device registration log" source="images/cloud-trust-prereq-check.png" lightbox="images/cloud-trust-prereq-check.png":::
-
 The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Microsoft Entra Kerberos is set up for the user's domain and tenant. If Microsoft Entra Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust isn't being enforced by policy or if the device is Microsoft Entra joined.

 > [!NOTE]
 > The cloud Kerberos trust prerequisite check isn't done on Microsoft Entra joined devices. If Microsoft Entra Kerberos isn't provisioned, a user on a Microsoft Entra joined device will still be able to sign in, but won't have SSO to on-premises resources secured by Active Directory.

-### PIN Setup
+### User experience

-After a user signs in, this is the process that occurs to enroll in Windows Hello for Business:
+After a user signs in, the Windows Hello for Business enrollment process begins:

-1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK**.
-1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry.
-1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device.
+1. If the device supports biometric authentication, the user is prompted to set up a biometric gesture. This gesture can be used to unlock the device and authenticate to resources that require Windows Hello for Business. The user can skip this step if they don't want to set up a biometric gesture
+1. The user is prompted to use Windows Hello with the organization account. The user selects **OK**
+1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry
+1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device

-:::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business.":::
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]

-### Sign-in
-
-Once a user has set up a PIN with cloud Kerberos trust, it can be used **immediately** for sign-in. On a Microsoft Entra hybrid joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity.
+Once a user completes enrollment with cloud Kerberos trust, the Windows Hello gesture can be used **immediately** for sign-in. On a Microsoft Entra hybrid joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity.

 ## Migrate from key trust deployment model to cloud Kerberos trust

--- a/windows/security/identity-protection/hello-for-business/deploy/images/cloud-trust-prereq-check.png
+++ b/windows/security/identity-protection/hello-for-business/deploy/images/cloud-trust-prereq-check.png
--- a/windows/security/identity-protection/hello-for-business/deploy/images/haadj-whfb-pin-provisioning.gif
+++ b/windows/security/identity-protection/hello-for-business/deploy/images/haadj-whfb-pin-provisioning.gif
--- a/windows/security/identity-protection/hello-for-business/deploy/index.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/index.md
@ -243,16 +243,27 @@ Ensure you have a strategy in place to ensure the users have an MFA option that

 Depending on the hardware, users might be prompted to register their fingerprint or face.

-> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7]
+The next video shows the Windows Hello for Business enrollment experience after a user signs in with a password:

-After enrollment in Windows Hello, users should use their gesture (such as a PIN or fingerprint) for access to their devices and corporate resources.
+1. Since the device supports biometric authentication, the user is prompted to set up a biometric gesture. This gesture can be used to unlock the device and authenticate to resources that require Windows Hello for Business. The user can skip this step if they don't want to set up a biometric gesture
+1. The user is prompted to use Windows Hello with the organization account. The user selects **OK**
+1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry
+1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device

-> [!NOTE]
-> The gesture is only valid on the enrolled device.
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]

-Although the organization might require users to change their Active Directory or Microsoft Entra account password at regular intervals, changes to their passwords have no effect on Hello.
+After enrollment in Windows Hello, users should use their gesture (such as a PIN or fingerprint) for access to their devices and corporate resources. The unlock gesture is valid only on the enrolled device.

-> [!VIDEO https://learn-video.azurefd.net/vod/player?id=44c16430-756f-490a-9fc1-80e2724fef8d]
+> [!IMPORTANT]
+> Although the organization might require users to change their Active Directory or Microsoft Entra account password at regular intervals, changes to their passwords have no effect on Hello.
+
+The next video shows the Windows Hello for Business enrollment experience as part of the out-of-box-experience (OOBE) process:
+
+1. The user joins the device to Microsoft Entra ID and is prompted for MFA during the join process
+1. The device is Managed by Microsoft Intune and applies Windows Hello for Business policy settings
+1. After the user profile is loaded, but before the access to the Desktop is granted, the user must enroll in Windows Hello
+
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=44c16430-756f-490a-9fc1-80e2724fef8d alt-text="Video showing the Windows Hello for Business enrollment steps after the out-of-box-experience process."]

 ## Next steps