From 23f720c6092040683191a911b4cd4536cd09dc66 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Mon, 20 Aug 2018 07:29:04 -0700 Subject: [PATCH] - minor fixes - Updated headers of pages to reflect deployment and trust type --- .../hello-for-business/hello-cert-trust-adfs.md | 5 +++-- .../hello-for-business/hello-cert-trust-deploy-mfa.md | 5 +++-- .../hello-cert-trust-policy-settings.md | 11 ++++++----- .../hello-cert-trust-validate-ad-prereq.md | 9 +++++---- .../hello-cert-trust-validate-deploy-mfa.md | 6 +++--- .../hello-cert-trust-validate-pki.md | 5 +++-- .../hello-for-business/hello-deployment-cert-trust.md | 11 ++++++----- .../hello-for-business/hello-deployment-key-trust.md | 7 ++++--- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 4 +++- .../hello-for-business/hello-key-trust-adfs.md | 5 +++-- .../hello-for-business/hello-key-trust-deploy-mfa.md | 5 +++-- .../hello-key-trust-policy-settings.md | 5 +++-- .../hello-key-trust-validate-ad-prereq.md | 5 +++-- .../hello-key-trust-validate-deploy-mfa.md | 5 +++-- .../hello-key-trust-validate-pki.md | 5 +++-- 15 files changed, 54 insertions(+), 39 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 81e21395d6..570b69dde7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md 
@@ -14,9 +14,10 @@ ms.date: 08/19/2018 # Prepare and Deploy Windows Server 2016 Active Directory Federation Services **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Certificate trust -> This guide only applies to Windows 10, version 1703 or higher. Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md index 058ca43ce1..e8ac53a3f2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md @@ -14,9 +14,10 @@ ms.date: 08/19/2018 # Configure or Deploy Multifactor Authentication Services **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Certificate trust -> This guide only applies to Windows 10, version 1703 or higher. On-premises deployments must use the On-premises Azure MFA Server using the AD FS adapter model Optionally, you can use a third-party MFA server that provides an AD FS Multifactor authentication adapter. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index bb2c1c1317..97f8ceee36 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md 
@@ -6,17 +6,18 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin ms.localizationpriority: medium -ms.author: daniha -ms.date: 07/27/2017 +author: mikestephens-MS +ms.author: mstephen +ms.date: 08/20/2018 --- # Configure Windows Hello for Business Policy settings **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Certificate trust -> This guide only applies to Windows 10, version 1703 or higher. You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 8f3b9c0a2c..9c64a37ec4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md 
@@ -6,17 +6,18 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin ms.localizationpriority: medium -ms.author: daniha +author: mikestephens-MS +ms.author: mstephen ms.date: 08/19/2018 --- # Validate Active Directory prerequisites **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Certificate trust -> This guide only applies to Windows 10, version 1703 or higher. The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 schema. If you already have a Windows Server 2016 domain controller in your forest, you can skip the next step. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md index 156c35ce69..63ea357adc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md 
@@ -9,15 +9,15 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.author: daniha ms.date: 08/19/2018 --- # Validate and Deploy Multifactor Authentication Services (MFA) **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Certificate trust -> This guide only applies to Windows 10, version 1703 or higher. Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. Windows Hello for Business deployments use Azure Multi-Factor Authentication (Azure MFA) services for the secondary authentication. On-Premises deployments use Azure MFA server, an on-premises implementation that do not require synchronizing Active Directory credentials to Azure Active Directory. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md index a91d8d52c9..294064bd90 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md 
@@ -14,9 +14,10 @@ ms.date: 08/19/2018 # Validate and Configure Public Key Infrastructure **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Certificate trust -> This guide only applies to Windows 10, version 1703 or higher. Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md index cdda9c2ea9..0945e7436d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md @@ -6,17 +6,18 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin ms.localizationpriority: medium -ms.author: daniha -ms.date: 07/27/2017 +author: mikestephens-MS +ms.author: mstephen +ms.date: 08/19/2018 --- # On Premises Certificate Trust Deployment **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Certificate trust -> This guide only applies to Windows 10, version 1703 or higher. Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment. 
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md index bccca366a7..1c7fd1f995 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md @@ -9,14 +9,15 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 10/23/2017 +ms.date: 08/20/2018 --- # On Premises Key Trust Deployment **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Key trust -> This guide only applies to Windows 10, version 1703 or higher. Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index e48da6508a..2b6475cc54 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md 
@@ -292,7 +292,9 @@ Sign-in a workstation with access equivalent to a _domain user_. 8. Select **Enabled** from the **Configure Windows Hello for Business** list. 9. Select **Required** next to **Use a Trusted Platform Module (TPM). By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software based keys. 10. Type the desired **Minimum PIN length** and **Maximum PIN length**. -> [!IMPORTANT]> The default minimum PIN length for Windows Hello for Business on Windows 10 is 6. Microsoft Intune defaults the minimum PIN length to 4, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to 6. +> [!IMPORTANT] +> The default minimum PIN length for Windows Hello for Business on Windows 10 is 6. Microsoft Intune defaults the minimum PIN length to 4, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to 6. + ![Intune Windows Hello for Business policy settings](images/aadj/IntuneWHFBPolicy-01.png) 11. Select the appropriate configuration for the following settings. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index de527182d4..125313997c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md 
@@ -14,9 +14,10 @@ ms.date: 08/19/2018 # Prepare and Deploy Windows Server 2016 Active Directory Federation Services **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Key trust -> This guide only applies to Windows 10, version 1703 or higher. Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises key trust deployment uses Active Directory Federation Services roles for key registration and device registration. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md index adca684cc9..67a8061c4d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md @@ -14,9 +14,10 @@ ms.date: 08/19/2018 # Configure or Deploy Multifactor Authentication Services **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Key trust -> This guide only applies to Windows 10, version 1703 or higher. On-premises deployments must use the On-premises Azure MFA Server using the AD FS adapter model Optionally, you can use a third-party MFA server that provides an AD FS Multifactor authentication adapter. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md index 5b622bf503..bbc808feae 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md 
@@ -14,9 +14,10 @@ ms.date: 08/19/2018 # Configure Windows Hello for Business Policy settings **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Key trust -> This guide only applies to Windows 10, version 1703 or higher. You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md index 383590e40d..9c5067319d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md @@ -15,9 +15,10 @@ ms.date: 08/19/2018 # Validate Active Directory prerequisites **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Key trust -> This guide only applies to Windows 10, version 1703 or higher. Key trust deployments need an adequate number of 2016 domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section. 
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md index 7e189412aa..f657b6ca14 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md @@ -14,9 +14,10 @@ ms.date: 08/19/2018 # Validate and Deploy Multifactor Authentication Services (MFA) **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Key trust -> This guide only applies to Windows 10, version 1703 or higher. Windows Hello for Business requires all users perform an additional factor of authentication prior to creating and registering a Windows Hello for Business credential. Windows Hello for Business deployments use Azure Multi-Factor Authentication (Azure MFA) services for the secondary authentication. On-Premises deployments use Azure MFA server, an on-premises implementation that do not require synchronizing Active Directory credentials to Azure Active Directory. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md index 5f3bd34161..764dacd461 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md 
@@ -14,9 +14,10 @@ ms.date: 08/19/2018 # Validate and Configure Public Key Infrastructure **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Key trust -> This guide only applies to Windows 10, version 1703 or higher. Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller.
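Review bot: The `ms.date` values in the front-matter hunks are inconsistent for a single commit dated 20 Aug 2018. hello-cert-trust-policy-settings.md and hello-deployment-key-trust.md are set to `ms.date: 08/20/2018`, hello-deployment-cert-trust.md is set to `ms.date: 08/19/2018`, and hello-cert-trust-validate-ad-prereq.md changes `author` and `ms.author` but keeps `ms.date: 08/19/2018`. The files whose hunk headers show `ms.date: 08/19/2018` are edited without a date change as well. Pick one date for every page touched here so the published "last updated" value matches the change. In the same three cert-trust hunks the new `author` and `ms.author` lines are added after `ms.localizationpriority`, while hello-cert-trust-validate-deploy-mfa.md and hello-deployment-key-trust.md list `author`, `ms.author`, then `ms.localizationpriority`; keeping one key order across the set makes later metadata diffs easier to read.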
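Review bot: In hello-hybrid-aadj-sso-base.md, step 9 in the context directly above the repaired callout still has an unclosed bold span, `**Use a Trusted Platform Module (TPM).` with no closing `**`, and reads "falls backs to software". Since this hunk already fixes the rendering of the adjacent `> [!IMPORTANT]` note about the minimum PIN length, close the bold and change the wording to "falls back" in the same change. Step 9 is the line that tells administrators that **Required** prevents fallback to software-based keys, so it should render cleanly. After splitting the callout onto its own lines and adding the blank line before the image, confirm in a preview that the callout and image still sit inside the numbered list and that step 11 keeps its number.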