Merge pull request #2944 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to master to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)
This commit is contained in:
Gary Moore
2020-05-29 15:22:14 -07:00
committed by GitHub
8 changed files with 82 additions and 55 deletions

View File

@ -294,6 +294,8 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted
5. In the **Enterprise Root Certificate** blade, click **Assignments**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**.
![Intune Profile assignment](images/aadj/intune-device-config-enterprise-root-assignment.png)
6. Sign out of the Microsoft Azure Portal.
> [!NOTE]
> After the creation, the **supported platform** parameter of the profile will contain the value "Windows 8.1 and later", as the certificate configuration for Windows 8.1 and Windows 10 is the same.
## Configure Windows Hello for Business Device Enrollment
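Review bot: the added note says "After the creation" without naming what was created, and it sits after step 6 (signing out of the portal) although it describes a property of the profile created in the preceding steps. Suggest "After the profile is created, its **Supported platform** value shows "Windows 8.1 and later" because the certificate configuration for Windows 8.1 and Windows 10 is the same." and either placing the note directly after the profile-creation step or keeping it here with that wording; also format the label as a UI element in the same bold style as the other labels in this list rather than lowercase "supported platform".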

View File

@ -19,7 +19,7 @@ ms.reviewer:
# Configure Windows Hello for Business: Active Directory Federation Services
**Applies to**
- Windows10, version 1703 or later
- Windows 10, version 1703 or later
- Hybrid deployment
- Certificate trust
@ -36,15 +36,14 @@ The Windows Hello for Business Authentication certificate template is configured
Sign-in the AD FS server with *Domain Admin* equivalent credentials.
1. Open a **Windows PowerShell** prompt.
2. Type the following command
2. Enter the following command:
```PowerShell
Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication -WindowsHelloCertificateProxyEnabled $true
```
>[!NOTE]
> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
>[!NOTE]
> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the preceding command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
### Group Memberships for the AD FS Service Account
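Review bot: in the rewritten note, **WHFBEnrollmentAgent** is bold while WHFBAuthentication is plain, although both are template names the reader is told to replace; format both the same way (given the PowerShell fence above, inline code `WHFBEnrollmentAgent` and `WHFBAuthentication` is the natural choice). The wording changes themselves ("preceding command", "by using") read fine.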
@ -66,8 +65,8 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
### Section Review
> [!div class="checklist"]
> * Configure the registration authority
> * Update group memberships for the AD FS service account
> * Configure the registration authority.
> * Update group memberships for the AD FS service account.
>
>
> [!div class="step-by-step"]
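Review bot: the checklist items here gain trailing periods, but the checklist in the Directory Synchronization page changed by this same PR ("Configure Permissions for Key Synchronization", "Configure group membership for Azure AD Connect") keeps its items without periods; pick one convention and apply it to both pages in this sync.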

View File

@ -16,6 +16,7 @@ localizationpriority: medium
ms.date: 10/23/2017
ms.reviewer:
---
# Configure Hybrid Windows Hello for Business: Directory Synchronization
**Applies to**
@ -26,7 +27,7 @@ ms.reviewer:
## Directory Synchronization
In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
The key-trust model needs Windows Server 2016 domain controllers, which configure the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually.
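Review bot: the removed and added lines are identical as rendered, so this is a whitespace-only change. If what was removed is a trailing double space (a Markdown hard line break), confirm that a blank line still separates this paragraph from the following sentence "The key-trust model needs Windows Server 2016 domain controllers...", otherwise the two paragraphs merge when rendered.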
@ -45,12 +46,12 @@ Sign-in a domain controller or management workstations with *Domain Admin* equiv
6. In the **Applies to** list box, select **Descendant User objects**.
7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**.
8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCredentialLink**.
9. Click **OK** three times to complete the task.
9. Click **OK** three times to complete the task.
### Group Memberships for the Azure AD Connect Service Account
The KeyAdmins or KeyCredential Admins global group provides the Azure AD Connect service with the permissions needed to read and write the public key to Active Directory.
The KeyAdmins or KeyCredential Admins global group provides the Azure AD Connect service with the permissions needed to read and write the public key to Active Directory.
Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials.
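Review bot: both changes in this hunk (step 9 and the KeyAdmins sentence) are whitespace-only as rendered; if they remove trailing-space hard line breaks, check that the paragraph break before "Sign-in a domain controller or management workstation..." survives. Separately, the group is written "KeyAdmins or KeyCredential Admins" here while the note later in this file refers to "Enterprise Key Admins"; use the groups' actual display names (Key Admins, Enterprise Key Admins) consistently rather than the unspaced KeyAdmins.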
@ -62,14 +63,14 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
6. Click **OK** to return to **Active Directory Users and Computers**.
> [!NOTE]
> If your AD forest has multiple domains. Please make sure you add the ADConnect sync service account (that is, MSOL_12121212) into "Enterprise Key Admins" group to gain permission across the domains in the forest.
> If your AD forest has multiple domains, make sure you add the ADConnect sync service account (ie. MSOL_12121212) into "Enterprise Key Admins" group to gain permission across the domains in the forest.
### Section Review
> [!div class="checklist"]
> * Configure Permissions for Key Synchronization
> * Configure group membership for Azure AD Connect
>
>
> [!div class="step-by-step"]
> [< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md)
> [Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md)
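Review bot: whichever version of the note is kept, "(ie. MSOL_12121212)" should not ship: "ie." is neither the standard abbreviation nor the style used elsewhere on the page, and since MSOL_12121212 is a sample account name rather than the definition of the service account, "for example, MSOL_12121212" is the right connective. Also write "Azure AD Connect" as the rest of this file does instead of "ADConnect", and format "Enterprise Key Admins" the same way the other group names on the page are formatted.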