deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 19:03:46 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Corrected PIN policy settings statement and removed incorrect prerequistes

Browse Source
This commit is contained in:
Mike Stephens
2017-07-24 18:07:19 -07:00
parent 8bf17ed0db
commit 16df974cd4
1 changed files with 1 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
windows/access-protection/hello-for-business/hello-manage-in-organization.md
View File

@ -25,7 +25,7 @@ You can create a Group Policy or mobile device management (MDM) policy that will
>
>Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**.
>
>Use **Windows Hello for Business** policy settings to manage PINs for Windows Hello for Business.
>Use **PIN Complexity** policy settings to manage PINs for Windows Hello for Business.
 
## Group Policy settings for Windows Hello for Business
@ -292,71 +292,6 @@ The following table lists the MDM policy settings that you can configure for Win
>[!NOTE]  
> If policy is not configured to explicitly require letters or special characters, users will be restricted to creating a numeric PIN.
 
## Prerequisites
To deploy Windows Hello for Business, in some modes you must add Windows Server 2016 domain controllers to your Active Directory environment, but you dont have to replace or remove your existing Active Directory servers — the servers required for Windows Hello for Business build on and add capability to your existing infrastructure. You dont have to change the domain or forest functional level, and you can either add on-premises servers or use Azure Active Directory to deploy Windows Hello for Business in your network.
Youll need this software to set Windows Hello for Business policies in your enterprise.
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Windows Hello for Business mode</th>
<th align="left">Azure AD</th>
<th align="left">Active Directory (AD) on-premises (only supported with Windows 10, version 1703 clients)</th>
<th align="left">Azure AD/AD hybrid (available with production release of Windows Server 2016)</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">Key-based authentication</td>
<td align="left">Azure AD subscription</td>
<td align="left"><ul>
<li>Active Directory Federation Service (AD FS) (Windows Server 2016)</li>
<li>A few Windows Server 2016 domain controllers on-site</li>
</ul></td>
<td align="left"><ul>
<li>Azure AD subscription</li>
<li>[Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)</li>
<li>A few Windows Server 2016 domain controllers on-site</li>
<li>A management solution, such as Configuration Manager, Group Policy, or MDM</li>
<li>Active Directory Certificate Services (AD CS) without Network Device Enrollment Service (NDES)</li>
</ul></td>
</tr>
<tr class="even">
<td align="left">Certificate-based authentication</td>
<td align="left"><ul>
<li>Azure AD subscription</li>
<li>Intune or non-Microsoft mobile device management (MDM) solution</li>
<li>PKI infrastructure</li>
</ul></td>
<td align="left"><ul>
<li>ADFS (Windows Server 2016)</li>
<li>Active Directory Domain Services (AD DS) Windows Server 2016 schema</li>
<li>PKI infrastructure</li>
</ul></td>
<td align="left"><ul>
<li>Azure AD subscription</li>
<li>[Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)</li>
<li>AD CS with NDES</li>
<li>Configuration Manager for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Windows Hello for Business</li>
</ul></td>
</tr>
</tbody>
</table>
 
Configuration Manager and MDM provide the ability to manage Windows Hello for Business policy and to deploy and manage certificates protected by Windows Hello for Business.
Azure AD provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts.
>[!IMPORTANT]
>Active Directory on-premises deployment **is not currently available** and will become available with a future update of ADFS on Windows Server 2016. The requirements listed in the above table will apply when this deployment type becomes available.
## How to use Windows Hello for Business with Azure Active Directory