Merge pull request #2944 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to master to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)
This commit is contained in:
Gary Moore 2020-05-29 15:22:14 -07:00 committed by GitHub
commit 11e1a52263
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 82 additions and 55 deletions

View File

@ -62,7 +62,7 @@ The setup process configures your HoloLens for a specific region and language. Y
If the supported language that you're looking for is not in the menu, follow these steps: If the supported language that you're looking for is not in the menu, follow these steps:
1. Under **Preferred languages**, select **Add a language**. 1. Under **Preferred languages**, select **Add a language**.
2. Locater and add the language. 2. Locate and add the language.
3. Select the **Windows display language** menu again, and then select the language that you added in the previous step. 3. Select the **Windows display language** menu again, and then select the language that you added in the previous step.
### To change the keyboard layout ### To change the keyboard layout

View File

@ -29,7 +29,7 @@ The tools in the folder might vary depending on which edition of Windows you are
![Screenshot of folder of admin tools](images/admin-tools-folder.png) ![Screenshot of folder of admin tools](images/admin-tools-folder.png)
These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list links to documentation for each tool. These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list provides links to documentation for each tool. The tools are located within the folder C:\Windows\System32\ or its subfolders.
@ -43,6 +43,8 @@ These tools were included in previous versions of Windows and the associated doc
- [ODBC Data Sources]( https://go.microsoft.com/fwlink/p/?LinkId=708494) - [ODBC Data Sources]( https://go.microsoft.com/fwlink/p/?LinkId=708494)
- [Performance Monitor](https://go.microsoft.com/fwlink/p/?LinkId=708495) - [Performance Monitor](https://go.microsoft.com/fwlink/p/?LinkId=708495)
- [Print Management](https://go.microsoft.com/fwlink/p/?LinkId=708496) - [Print Management](https://go.microsoft.com/fwlink/p/?LinkId=708496)
- [Recovery Drive](https://support.microsoft.com/help/4026852/windows-create-a-recovery-drive)
- [Registry Editor](https://docs.microsoft.com/windows/win32/sysinfo/registry)
- [Resource Monitor](https://go.microsoft.com/fwlink/p/?LinkId=708497) - [Resource Monitor](https://go.microsoft.com/fwlink/p/?LinkId=708497)
- [Services](https://go.microsoft.com/fwlink/p/?LinkId=708498) - [Services](https://go.microsoft.com/fwlink/p/?LinkId=708498)
- [System Configuration](https://go.microsoft.com/fwlink/p/?LinkId=708499) - [System Configuration](https://go.microsoft.com/fwlink/p/?LinkId=708499)
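Review bot: The Registry Editor entry added here doesn't fit the sentence added in the previous hunk ("The tools are located within the folder C:\Windows\System32\ or its subfolders"): regedit.exe lives directly in C:\Windows, not under System32, so either loosen that sentence to "C:\Windows or its subfolders" or mention the exception. Two smaller points: the Recovery Drive link points to a consumer support article while every other entry links to reference documentation, and the pre-existing ODBC Data Sources entry still has a stray space after the opening parenthesis (`]( https://`) that could be cleaned up while this list is being touched.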
@ -60,7 +62,3 @@ These tools were included in previous versions of Windows and the associated doc

View File

@ -37,7 +37,7 @@ The auto-enrollment relies on the presence of an MDM service and the Azure Activ
When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
In Windows 10, version 1709, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/). In Windows 10, version 1709 or later, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/)
For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices. For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices.
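Review bot: The rewritten sentence drops the period after the link, so "...who wins?](...)" now ends the line with no terminal punctuation; restore it. Also, "In Windows 10, version 1709 or later ... the GP policy wins" followed by "Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner" reads as if GP always wins on later releases; "Starting with Windows 10, version 1709, ... the GP policy wins by default" would make the relationship between the two sentences clearer.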
@ -52,9 +52,10 @@ The following steps demonstrate required settings using the Intune service:
![Auto-enrollment activation verification](images/auto-enrollment-activation-verification.png) ![Auto-enrollment activation verification](images/auto-enrollment-activation-verification.png)
> [!IMPORTANT] > [!IMPORTANT]
> For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled. > For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.
> For corporate devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled. >
> For corporate devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled.
3. Verify that the device OS version is Windows 10, version 1709 or later. 3. Verify that the device OS version is Windows 10, version 1709 or later.
4. Auto-enrollment into Intune via Group Policy is valid only for devices which are hybrid Azure AD joined. This means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line. 4. Auto-enrollment into Intune via Group Policy is valid only for devices which are hybrid Azure AD joined. This means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line.
@ -93,7 +94,7 @@ You may contact your domain administrators to verify if the group policy has bee
This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It is not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices). This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It is not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices).
Requirements: Requirements:
- AD-joined PC running Windows 10, version 1709 - AD-joined PC running Windows 10, version 1709 or later
- Enterprise has MDM service already configured - Enterprise has MDM service already configured
- Enterprise AD must be registered with Azure AD - Enterprise AD must be registered with Azure AD
@ -109,27 +110,27 @@ Requirements:
![MDM policies](images/autoenrollment-mdm-policies.png) ![MDM policies](images/autoenrollment-mdm-policies.png)
4. Double-click **Enable Automatic MDM enrollment using default Azure AD credentials**. 4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** (support for Device Credential is coming) as the Selected Credential Type to use. User Credential enrolls Windows 10, version 1709 and later once an Intune licensed user logs into the device. Device Credential will enroll the device and then assign a user later, once support for this is available.
![MDM autoenrollment policy](images/autoenrollment-policy.png) ![MDM autoenrollment policy](images/autoenrollment-policy.png)
5. Click **Enable**, then click **OK**. 5. Click **Enable**, then click **OK**.
> [!NOTE] > [!NOTE]
> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later.
The default behavior for older releases is to revert to **User Credential**. > The default behavior for older releases is to revert to **User Credential**.
When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD."
To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app). To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot. If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot.
![Two-factor authentication notification](images/autoenrollment-2-factor-auth.png) ![Two-factor authentication notification](images/autoenrollment-2-factor-auth.png)
> [!Tip] > [!Tip]
> You can avoid this behavior by using Conditional Access Policies in Azure AD. > You can avoid this behavior by using Conditional Access Policies in Azure AD.
Learn more by reading [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview). Learn more by reading [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview).
6. To verify successful enrollment to MDM , click **Start > Settings > Accounts > Access work or school**, then select your domain account. 6. To verify successful enrollment to MDM , click **Start > Settings > Accounts > Access work or school**, then select your domain account.
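Review bot: The new step 4 text says "select **User Credential** (support for Device Credential is coming)" and "Device Credential will enroll the device ... once support for this is available", but the unchanged note two lines below states that **Device Credential** "will only have an effect on clients that have installed Windows 10, version 1903 or later", which tells the reader it already works on 1903. Pick one statement and make the note and the step agree. Style nits in the same hunk: "logs into the device" should be "signs in to the device", and the long explanation of credential types would sit better inside the note than inside a numbered click-through step.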
@ -159,27 +160,28 @@ Learn more by reading [What is Conditional Access?](https://docs.microsoft.com/a
## Configure the auto-enrollment for a group of devices ## Configure the auto-enrollment for a group of devices
Requirements: Requirements:
- AD-joined PC running Windows 10, version 1709 - AD-joined PC running Windows 10, version 1709 or later
- Enterprise has MDM service already configured (with Intune or a third party service provider) - Enterprise has MDM service already configured (with Intune or a third party service provider)
- Enterprise AD must be integrated with Azure AD. - Enterprise AD must be integrated with Azure AD.
- Ensure that PCs belong to same computer group. - Ensure that PCs belong to same computer group.
> [!IMPORTANT] [!IMPORTANT]
> If you do not see the policy, it may be because you dont have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, follow these steps (Note: the latest MDM.admx is backwards compatible): If you do not see the policy, it may be because you dont have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, follow these steps (Note: the latest MDM.admx is backwards compatible):
> 1. Download: 1. Download:
> 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or
> 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) or 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) or
> 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all) 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all)
> 2. Install the package on the Domain Controller. 2. Install the package on the Domain Controller.
> 3. Navigate, depending on the version to the folder: 3. Navigate, depending on the version to the folder:
> 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or
> 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**, or 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**, or
> 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3** 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3**
> 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**. 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**.
> 5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**. 5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**.
> (If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain). (If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain).
> 6. Restart the Domain Controller for the policy to be available. 6. Restart the Domain Controller for the policy to be available.
> This procedure will work for any future version as well.
This procedure will work for any future version as well.
1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**. 1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
2. Create a Security Group for the PCs. 2. Create a Security Group for the PCs.
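Review bot: Removing the `>` prefix from every line of the IMPORTANT block breaks the alert: `[!IMPORTANT]` renders as an alert only when it is inside a blockquote, so the new lines will show the literal text "[!IMPORTANT]" followed by a plain paragraph, and the "1. Download:" ... "6. Restart the Domain Controller" list becomes a top-level list that runs into "1. Create a Group Policy Object (GPO)" right below it. Either keep the `>` on all lines (including the moved "This procedure will work for any future version as well." sentence) or convert the block to its own subsection. While here: "dont" should be "don't", and the 1903 download link still carries the `&WT.mc_id=rss_alldownloads_all` tracking parameter that the 1803 and 1809 links don't have.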
@ -187,7 +189,6 @@ Requirements:
4. Filter using Security Groups. 4. Filter using Security Groups.
## Troubleshoot auto-enrollment of devices ## Troubleshoot auto-enrollment of devices
Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device. Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device.
To collect Event Viewer logs: To collect Event Viewer logs:
@ -241,10 +242,10 @@ To collect Event Viewer logs:
- [Link a Group Policy Object](https://technet.microsoft.com/library/cc732979(v=ws.11).aspx) - [Link a Group Policy Object](https://technet.microsoft.com/library/cc732979(v=ws.11).aspx)
- [Filter Using Security Groups](https://technet.microsoft.com/library/cc752992(v=ws.11).aspx) - [Filter Using Security Groups](https://technet.microsoft.com/library/cc752992(v=ws.11).aspx)
- [Enforce a Group Policy Object Link](https://technet.microsoft.com/library/cc753909(v=ws.11).aspx) - [Enforce a Group Policy Object Link](https://technet.microsoft.com/library/cc753909(v=ws.11).aspx)
- [Group Policy Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
### Useful Links ### Useful Links
- [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591) - [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591)
- [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495) - [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495)
- [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576) - [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)
- [Windows 10 Administrative Templates for Windows 10 April 2018 Update 1803](https://www.microsoft.com/download/details.aspx?id=56880)

View File

@ -260,7 +260,7 @@ Note that the data payload of the SyncML needs to be encoded so that it does not
The **LocURI** for the above GP policy is: The **LocURI** for the above GP policy is:
`.\Device\Vendor\MSFT\Policy\Config\AppVirtualization\PublishingAllowServer2` `./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2`
To construct SyncML for your area/policy using the samples below, you need to update the **data id** and the **value** in the `<Data>` section of the SyncML. The items prefixed with an '&' character are the escape characters needed and can be retained as shown. To construct SyncML for your area/policy using the samples below, you need to update the **data id** and the **value** in the `<Data>` section of the SyncML. The items prefixed with an '&' character are the escape characters needed and can be retained as shown.
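Review bot: Correct fix: OMA-DM LocURIs use forward slashes, and `./Device/Vendor/MSFT/Policy/Config/...` is the form the Policy CSP expects, so the old backslash path would never have matched the node. Since only this one line changed, check that the SyncML samples the next sentence refers to ("the samples below") also use the `./Device/...` form rather than backslashes.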

View File

@ -25,6 +25,33 @@ ms.topic: reference
Windows 10 includes the following new policies for management. [Download the complete set of Administrative Template (.admx) files for Windows 10](https://www.microsoft.com/download/100591). Windows 10 includes the following new policies for management. [Download the complete set of Administrative Template (.admx) files for Windows 10](https://www.microsoft.com/download/100591).
## New Group Policy settings in Windows 10, version 1903
The following Group Policy settings were added in Windows 10, version 1903:
**System**
- System\Service Control Manager Settings\Security Settings\Enable svchost.exe mitigation options
- System\Storage Sense\Allow Storage Sense
- System\Storage Sense\Allow Storage Sense Temporary Files cleanup
- System\Storage Sense\Configure Storage Sense
- System\Storage Sense\Configure Storage Sense Cloud content dehydration threshold
- System\Storage Sense\Configure Storage Sense Recycle Bin cleanup threshold
- System\Storage Sense\Configure Storage Sense Downloads cleanup threshold
- System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\Troubleshooting:Allow users to access recommended troubleshooting for known problems
**Windows Components**
- Windows Components\App Privacy\Let Windows apps activate with voice
- Windows Components\App Privacy\Let Windows apps activate with voice while the system is locked
- Windows Components\Data Collection and Preview Builds\Allow commercial data pipeline
- Windows Components\Data Collection and Preview Builds\Configure collection of browsing data for Desktop Analytics
- Windows Components\Data Collection and Preview Builds\Configure diagnostic data upload endpoint for Desktop Analytics
- Windows Components\Delivery Optimization\Delay background download Cache Server fallback (in seconds)
- Windows Components\Delivery Optimization\Delay Foreground download Cache Server fallback (in seconds)
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Use WDDM graphics display driver for Remote Desktop Connections
- Windows Components\Windows Logon Options\Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot
## New Group Policy settings in Windows 10, version 1809 ## New Group Policy settings in Windows 10, version 1809
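Review bot: Two consistency nits in the added 1903 list: "Troubleshooting:Allow users to access recommended troubleshooting for known problems" is missing a space after the colon, and "Delay Foreground download Cache Server fallback" capitalizes Foreground where the entry above uses lowercase "background". The blank line before "## New Group Policy settings in Windows 10, version 1809" keeps the two sections separated, which is fine.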
@ -496,4 +523,3 @@ No new [Exchange ActiveSync policies](https://go.microsoft.com/fwlink/p/?LinkId=

View File

@ -294,6 +294,8 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted
5. In the **Enterprise Root Certificate** blade, click **Assignments**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**. 5. In the **Enterprise Root Certificate** blade, click **Assignments**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**.
![Intune Profile assignment](images/aadj/intune-device-config-enterprise-root-assignment.png) ![Intune Profile assignment](images/aadj/intune-device-config-enterprise-root-assignment.png)
6. Sign out of the Microsoft Azure Portal. 6. Sign out of the Microsoft Azure Portal.
> [!NOTE]
> After the creation, the **supported platform** parameter of the profile will contain the value "Windows 8.1 and later", as the certificate configuration for Windows 8.1 and Windows 10 is the same.
## Configure Windows Hello for Business Device Enrollment ## Configure Windows Hello for Business Device Enrollment
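Review bot: The added note describes the profile's **supported platform** value, but it sits after step 6 ("Sign out of the Microsoft Azure Portal"), so it reads as a consequence of signing out. Move it directly after the step in which the profile is saved, and tighten "After the creation" to "After the profile is created". The reason given (the certificate configuration for Windows 8.1 and Windows 10 is the same) is worth keeping, since it stops readers from "fixing" the platform value.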

View File

@ -19,7 +19,7 @@ ms.reviewer:
# Configure Windows Hello for Business: Active Directory Federation Services # Configure Windows Hello for Business: Active Directory Federation Services
**Applies to** **Applies to**
- Windows10, version 1703 or later - Windows 10, version 1703 or later
- Hybrid deployment - Hybrid deployment
- Certificate trust - Certificate trust
@ -36,15 +36,14 @@ The Windows Hello for Business Authentication certificate template is configured
Sign-in the AD FS server with *Domain Admin* equivalent credentials. Sign-in the AD FS server with *Domain Admin* equivalent credentials.
1. Open a **Windows PowerShell** prompt. 1. Open a **Windows PowerShell** prompt.
2. Type the following command 2. Enter the following command:
```PowerShell ```PowerShell
Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication -WindowsHelloCertificateProxyEnabled $true Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication -WindowsHelloCertificateProxyEnabled $true
``` ```
>[!NOTE]
>[!NOTE] > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the preceding command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
### Group Memberships for the AD FS Service Account ### Group Memberships for the AD FS Service Account
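Review bot: In the restructured note, **WHFBEnrollmentAgent** is bold but WHFBAuthentication is not; format both the same way, preferably as code, since the note's whole point is that the exact template name (not the display name) must be used. Because this hunk already rewords the step ("Enter the following command:"), the context line "Sign-in the AD FS server" could become "Sign in to the AD FS server" at the same time. The `Set-AdfsCertificateAuthority` line itself is unchanged, which is right.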
@ -66,8 +65,8 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
### Section Review ### Section Review
> [!div class="checklist"] > [!div class="checklist"]
> * Configure the registration authority > * Configure the registration authority.
> * Update group memberships for the AD FS service account > * Update group memberships for the AD FS service account.
> >
> >
> [!div class="step-by-step"] > [!div class="step-by-step"]

View File

@ -16,6 +16,7 @@ localizationpriority: medium
ms.date: 10/23/2017 ms.date: 10/23/2017
ms.reviewer: ms.reviewer:
--- ---
# Configure Hybrid Windows Hello for Business: Directory Synchronization # Configure Hybrid Windows Hello for Business: Directory Synchronization
**Applies to** **Applies to**
@ -26,7 +27,7 @@ ms.reviewer:
## Directory Synchronization ## Directory Synchronization
In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
The key-trust model needs Windows Server 2016 domain controllers, which configure the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. The key-trust model needs Windows Server 2016 domain controllers, which configure the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually.
@ -45,12 +46,12 @@ Sign-in a domain controller or management workstations with *Domain Admin* equiv
6. In the **Applies to** list box, select **Descendant User objects**. 6. In the **Applies to** list box, select **Descendant User objects**.
7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**. 7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**.
8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCredentialLink**. 8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCredentialLink**.
9. Click **OK** three times to complete the task. 9. Click **OK** three times to complete the task.
### Group Memberships for the Azure AD Connect Service Account ### Group Memberships for the Azure AD Connect Service Account
The KeyAdmins or KeyCredential Admins global group provides the Azure AD Connect service with the permissions needed to read and write the public key to Active Directory. The KeyAdmins or KeyCredential Admins global group provides the Azure AD Connect service with the permissions needed to read and write the public key to Active Directory.
Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials.
@ -62,14 +63,14 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
6. Click **OK** to return to **Active Directory Users and Computers**. 6. Click **OK** to return to **Active Directory Users and Computers**.
> [!NOTE] > [!NOTE]
> If your AD forest has multiple domains. Please make sure you add the ADConnect sync service account (that is, MSOL_12121212) into "Enterprise Key Admins" group to gain permission across the domains in the forest. > If your AD forest has multiple domains, make sure you add the ADConnect sync service account (ie. MSOL_12121212) into "Enterprise Key Admins" group to gain permission across the domains in the forest.
### Section Review ### Section Review
> [!div class="checklist"] > [!div class="checklist"]
> * Configure Permissions for Key Synchronization > * Configure Permissions for Key Synchronization
> * Configure group membership for Azure AD Connect > * Configure group membership for Azure AD Connect
> >
> [!div class="step-by-step"] > [!div class="step-by-step"]
> [< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md) > [< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md)
> [Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) > [Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md)
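Review bot: In the rewritten note, "ie. MSOL_12121212" should be "for example, MSOL_12121212", since the name is a placeholder for the sync account rather than a definition, and "ADConnect sync service account" should match the "Azure AD Connect service account" wording used in the section heading above. Write "into the **Enterprise Key Admins** group" with the group name formatted like the other group names on the page rather than in quotes. It is also worth saying in the note that this membership grants forest-wide write access to msDS-KeyCredentialLink (the permission the earlier steps delegate per domain), so the sync account's membership in that group is a privileged assignment to track.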