From 16ad3d32a0372f5ae9798404de1265f970054db7 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Mon, 23 Oct 2017 17:07:33 -0700 Subject: [PATCH] minor edits --- .../hello-for-business/hello-deployment-key-trust.md | 6 +++--- .../hello-hybrid-cert-whfb-settings-ad.md | 7 +------ .../hello-hybrid-cert-whfb-settings-adfs.md | 6 ------ .../hello-hybrid-cert-whfb-settings-dir-sync.md | 7 +------ .../hello-hybrid-cert-whfb-settings-pki.md | 5 ----- .../hello-hybrid-cert-whfb-settings-policy.md | 7 +------ .../hello-for-business/hello-hybrid-cert-whfb-settings.md | 4 ---- .../hello-hybrid-key-whfb-settings-ad.md | 4 ---- .../hello-hybrid-key-whfb-settings-dir-sync.md | 4 ---- .../hello-hybrid-key-whfb-settings-pki.md | 4 ---- .../hello-hybrid-key-whfb-settings-policy.md | 6 +----- .../hello-for-business/hello-hybrid-key-whfb-settings.md | 4 ---- .../hello-key-trust-validate-ad-prereq.md | 4 +--- 13 files changed, 8 insertions(+), 60 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-deployment-key-trust.md b/windows/access-protection/hello-for-business/hello-deployment-key-trust.md index 2d64b3973b..d924194aa8 100644 --- a/windows/access-protection/hello-for-business/hello-deployment-key-trust.md +++ b/windows/access-protection/hello-for-business/hello-deployment-key-trust.md @@ -1,5 +1,5 @@ --- -title: Windows Hello for Business Deployment Guide - On Premises Certificate Key Deployment +title: Windows Hello for Business Deployment Guide - On Premises Key Deployment description: A guide to an On Premises, Certificate trust Windows Hello for Business deployment keywords: identity, PIN, biometric, Hello, passport ms.prod: w10 @@ -11,7 +11,7 @@ ms.author: mstephen localizationpriority: high ms.date: 10/08/2017 --- -# On Premises Certificate Trust Deployment +# On Premises Key Trust Deployment **Applies to** - Windows 10 
@@ -20,7 +20,7 @@ ms.date: 10/08/2017 Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment. -Below, you can find all the infromation you will need to deploy Windows Hello for Business in a Certificate Key Model in your on-premises environment: +Below, you can find all the infromation you need to deploy Windows Hello for Business in a key trust model in your on-premises environment: 1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) 2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) 3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index 27eba8dd44..981d5feaae 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -16,15 +16,10 @@ ms.date: 09/08/2017 **Applies to** - Windows 10 ->[!div class="step-by-step"] -[< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings.md) -[Configure Azure AD Connect >](hello-hybrid-cert-whfb-settings-dir-sync.md) +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. ->[!IMPORTANT] ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. - ### Creating Security Groups Windows Hello for Business uses several security groups to simplify the deployment and managment. 
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index e68276a09e..54223b71a4 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -18,14 +18,8 @@ ms.date: 09/08/2017 ## Federation Services ->[!IMPORTANT] >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. ->[!div class="step-by-step"] -[< Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) -[Configure policy settings >](hello-hybrid-cert-whfb-settings-policy.md) - - The Windows Server 2016 Active Directory Fedeartion Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 36c163ea27..38c71a7599 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md 
@@ -16,15 +16,10 @@ ms.date: 09/08/2017 **Applies to** - Windows 10 ->[!div class="step-by-step"] -[< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md) -[Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. ## Directory Synchronization ->[!IMPORTANT] ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. - In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 27ea8e8a47..d7f825257f 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -17,11 +17,6 @@ ms.date: 09/08/2017 **Applies to** - Windows 10 -> [!div class="step-by-step"] -[< Configure Azure AD Connect](hello-hybrid-cert-whfb-settings-dir-sync.md) -[Configure AD FS >](hello-hybrid-cert-whfb-settings-adfs.md) - ->[!IMPORTANT] >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certifcates to validate the name of the server to which they are connecting and to encyrpt the data that flows them and the client computer. 
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index 2c0b6759f9..ac4c7d3339 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -16,15 +16,10 @@ ms.date: 09/08/2017 **Applies to** - Windows 10 -> [!div class="step-by-step"] -[< Configure AD FS](hello-hybrid-cert-whfb-settings-adfs.md) - +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. ## Policy Configuration ->[!IMPORTANT] ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. - You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index 2dbfc5fda4..cc34481466 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md 
@@ -16,10 +16,6 @@ ms.date: 09/08/2017 **Applies to** - Windows 10 -> [!div class="step-by-step"] -[Configure Active Directory >](hello-hybrid-cert-whfb-settings-ad.md) - ->[!IMPORTANT] >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. You're environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md index 901edef2af..4a4a25924e 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md @@ -16,10 +16,6 @@ ms.date: 10/20/2017 **Applies to** - Windows 10 ->[!div class="step-by-step"] -[< Configure Windows Hello for Business](hello-hybrid-key-whfb-settings.md) -[Configure Azure AD Connect >](hello-hybrid-key-whfb-settings-dir-sync.md) - >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index 69700ebc4b..7518007d20 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md 
@@ -16,10 +16,6 @@ ms.date: 10/20/2017 **Applies to** - Windows 10 ->[!div class="step-by-step"] -[< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md) -[Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) - >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. ## Directory Syncrhonization diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index cb21c9a8f5..3d9691dd88 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md @@ -17,10 +17,6 @@ ms.date: 10/20/2017 **Applies to** - Windows 10 -> [!div class="step-by-step"] -[< Configure Azure AD Connect](hello-hybrid-key-whfb-settings-dir-sync.md) -[Configure policy settings >](hello-hybrid-key-whfb-settings-policy.md) - >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certifcates to validate the name of the server to which they are connecting and to encyrpt the data that flows them and the client computer. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md index bd47b15b29..75e5789a7e 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md 
@@ -16,14 +16,10 @@ ms.date: 10/20/2017 **Applies to** - Windows 10 -> [!div class="step-by-step"] -[< Configure PKI ](hello-hybrid-key-whfb-settings-pki.md) +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. ## Policy Configuration ->[!IMPORTANT] ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. - You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings.md index 38de12b175..591af4f0c8 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings.md @@ -16,10 +16,6 @@ ms.date: 09/08/2017 **Applies to** - Windows 10 -> [!div class="step-by-step"] -[Configure Active Directory >](hello-hybrid-key-whfb-settings-ad.md) - ->[!IMPORTANT] >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. You are ready to configure your hybrid key trust environment for Windows Hello for Business. diff --git a/windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md index 2b2c06183a..540da3aa71 100644 --- a/windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md 
+++ b/windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md @@ -22,13 +22,11 @@ Key trust deployments need an adequate number of 2016 domain controllers to ensu The key registration process for the On-prem deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. -Ensure each site where you plan to deploy key trust Windows Hello for Business has an adequate number of Windows Server 2016 domain controllers/ - ## Create the Windows Hello for Business Users Security Global Group The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy permissions to this group to simplify the deployment by simply adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business. -Sign-in a domain controller or management workstation with Domain Admin equivalent credentials. +Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. 1. Open **Active Directory Users and Computers**. 2. Click **View** and click **Advanced Features**.
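Review bot: In the front-matter hunk of hello-deployment-key-trust.md, the `description:` line still reads "A guide to an On Premises, Certificate trust Windows Hello for Business deployment" although the title and H1 now describe key trust. Update the description in the same change. The new title ("On Premises Key Deployment") and the new H1 ("On Premises Key Trust Deployment") also disagree with each other; use "Key Trust" in both.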
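Review bot: In the second hunk of hello-deployment-key-trust.md, the rewritten sentence keeps the misspelling "infromation". The line is being replaced anyway, so correct it to "information" here.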
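Review bot: In hello-hybrid-cert-whfb-settings-ad.md, removing the `>[!IMPORTANT]` line and keeping only `>This guide only applies to Hybrid deployments ...` turns the version requirement from an Important alert into a plain blockquote. The same marker is dropped in the -adfs, -pki, -policy, -dir-sync and settings hunks. If the Windows 10, version 1703 prerequisite should still stand out, keep the `[!IMPORTANT]` marker above the relocated line. If the downgrade is intended, say so in the commit message, which currently reads only "minor edits". The unchanged context line in this hunk also contains "managment".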
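Review bot: In hello-hybrid-cert-whfb-settings-adfs.md, the applicability note stays below the `## Federation Services` heading, while the -dir-sync and -policy hunks move the same note above their `## Directory Synchronization` and `## Policy Configuration` headings. Pick one placement and apply it to every page in the series. The context paragraph in this hunk also still reads "Active Directory Fedeartion Server"; fix the spelling while the file is open.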
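Review bot: In both PKI hunks (hello-hybrid-cert-whfb-settings-pki.md and hello-hybrid-key-whfb-settings-pki.md), the context sentence directly under the edited lines is left with several errors: "Hybrid deployments uses", "certifcates", "encyrpt", and "the data that flows them and the client computer", which is missing "between". This sentence explains why server authentication certificates are required, so it is worth correcting in both files as part of this cleanup.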
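Review bot: In hello-hybrid-cert-whfb-settings.md, the context line under the edited note still reads "You're environment is federated" and "Windows Hello for business"; change these to "Your environment" and "Windows Hello for Business". This hunk also removes the only "Configure Active Directory >" link on the series landing page, and hello-hybrid-key-whfb-settings.md does the same. Nothing in the patch adds a replacement, so confirm that readers can still reach the first step from these pages.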
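Review bot: In hello-hybrid-key-whfb-settings-dir-sync.md, the heading in the unchanged context is still spelled `## Directory Syncrhonization`; correct it to "Synchronization" to match the certificate-trust page. The navigation links removed here pointed at the hello-hybrid-cert-* pages rather than the hello-hybrid-key-* pages, so if step navigation is reintroduced later it needs the key-trust targets.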
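Review bot: In hello-key-trust-validate-ad-prereq.md, the added line "Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials." is ungrammatical; use "Sign in to a domain controller or management workstation ...". Consider listing the management workstation first, so that interactive sign-in to a domain controller with Domain Admin equivalent credentials is not the default path a reader follows. The italic `_Domain Admin_` also differs from the bold used for names in the numbered steps that follow (**Active Directory Users and Computers**); choose one convention.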