Paolo Matarazzo 2023-01-03 12:17:59 -05:00
parent 093461e07c
commit 275d75f1f7
8 changed files with 115 additions and 138 deletions

View File

@ -20379,6 +20379,11 @@
"source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md", "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md",
"redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust", "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust",
"redirect_document_id": false "redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md",
"redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki",
"redirect_document_id": true
} }
] ]
} }
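Review bot: the new entry for `hello-hybrid-cert-whfb-settings-pki.md` sets `"redirect_document_id": true` while the neighbouring `hello-hybrid-cert-whfb-settings-dir-sync.md` entry uses `false`; only one source may hand its document id to a given target, so check that no other redirect already points at `/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki` with `true`, otherwise the redirect validation step rejects the duplicate. The redirect itself is required because the settings-pki page is deleted later in this commit (the `@ -1,91 +0,0` hunk), and the validate-pki target is the right one since it now carries the enrollment agent content through the new include.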

View File

@ -32,49 +32,12 @@ Expand the following sections to configure the PKI for Windows Hello for Busines
[!INCLUDE [web-server-certificate-template](includes/web-server-certificate-template.md)] [!INCLUDE [web-server-certificate-template](includes/web-server-certificate-template.md)]
<br> <br>
<details>
<summary><b>Configure a certificate registration authority template</b></summary>
A certificate registration authority (CRA) is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certification authority (CA) for issuance. The CA issues the certificate, returns it to the CRA, which returns the certificate to the requesting user. The Windows Hello for Business on-premises certificate-based deployment uses AD FS as the CRA. [!INCLUDE [enrollment-agent-certificate-template](includes/enrollment-agent-certificate-template.md)]
The CRA enrolls for an *enrollment agent* certificate. Once the CRA verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the CA. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The CA only issues a certificate for that template if the registration authority signs the certificate request.
Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.
1. Open the **Certification Authority** management console
1. Right-click **Certificate Templates** and select **Manage**
1. In the **Certificate Template Console**, right-click on the **Exchange Enrollment Agent (Offline request)** template details pane and select **Duplicate Template**
1. On the **Compatibility** tab:
- Clear the **Show resulting changes** check box
- Select **Windows Server 2016** from the **Certification Authority** list.
- Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list
1. On the **General** tab:
- Type *WHFB Enrollment Agent* in **Template display name**
- Adjust the validity and renewal period to meet your enterprise's needs
1. On the **Subject** tab, select the **Supply in the request** button if it is not already selected
> [!NOTE]
> Group Managed Service Accounts (GMSA) do not support the *Build from this Active Directory information* option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with *Supply in the request* to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
1. On the **Cryptography** tab:
- Select **Key Storage Provider** from the **Provider Category** list
- Select **RSA** from the **Algorithm name** list
- Type *2048* in the **Minimum key size** text box
- Select **SHA256** from the **Request hash** list
1. On the **Security** tab, select **Add**
1. Select **Object Types** and select the **Service Accounts** check box. Select **OK**
1. Type *adfssvc* in the **Enter the object names to select** text box and select **OK**
1. Select the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section:
- In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission
- Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared
- Select **OK**
1. Close the console
</details>
<br> <br>
[!INCLUDE [dc-certificate-template](includes/auth-certificate-template.md)] [!INCLUDE [auth-certificate-template](includes/auth-certificate-template.md)]
<br> <br>
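Review bot: in this rendering the `[!INCLUDE [enrollment-agent-certificate-template](includes/enrollment-agent-certificate-template.md)]` that replaces the inline `<details>` block appears on the same line as the deleted prose; make sure it sits on its own line in the source with blank lines around it, or DocFX treats it as inline text rather than an include. The deleted inline block documented only the `Supply in the request` (GMSA) variant, so switching to the shared include also gains the standard-service-account variant. The label fix from `dc-certificate-template` to `auth-certificate-template` on the last include line is right, because the path already pointed at `includes/auth-certificate-template.md`.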

View File

@ -39,6 +39,14 @@ Expand the following sections to configure the PKI for Windows Hello for Busines
<br> <br>
[!INCLUDE [enrollment-agent-certificate-template](includes/enrollment-agent-certificate-template.md)]
<br>
[!INCLUDE [auth-certificate-template](includes/auth-certificate-template.md)]
<br>
[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)] [!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
<br> <br>
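Review bot: keep the insertion order as it is, `enrollment-agent-certificate-template` above `auth-certificate-template`: the authentication template only issues for requests signed with an enrollment agent certificate, so an administrator following the page top to bottom has the signer ready before creating the template that depends on it.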
@ -76,14 +84,16 @@ Before moving to the next section, ensure the following steps are complete:
> [!div class="checklist"] > [!div class="checklist"]
> - Configure domain controller certificates > - Configure domain controller certificates
> -_ Supersede existing domain controller certificates > - Supersede existing domain controller certificates
> - Unpublish superseded certificate templates > - Unpublish superseded certificate templates
> - Publish the certificate template to the CA > - Configure an enrollment agent certificate template
> - Configure an authentication certificate template
> - Publish the certificate templates to the CA
> - Deploy certificates to the domain controllers > - Deploy certificates to the domain controllers
> - Validate the domain controllers configuration > - Validate the domain controllers configuration
> [!div class="nextstepaction"] > [!div class="nextstepaction"]
> [Next: configure and provision Windows Hello for Business >](hello-hybrid-cert-trust-provision.md) > [Next: configure AD FS >](hello-hybrid-cert-whfb-settings-adfs.md)
<!--links--> <!--links-->
[SERV-1]: /troubleshoot/windows-server/windows-security/requirements-domain-controller [SERV-1]: /troubleshoot/windows-server/windows-security/requirements-domain-controller
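Review bot: the next-step link now points to `hello-hybrid-cert-whfb-settings-adfs.md`, the same target the deleted include's `Configure AD FS >` link used; confirm that page is not itself redirected, since the redirection hunk in this commit covers only `...settings-dir-sync.md` and `...settings-pki.md`. The `-_` to `- ` fix is needed for the checklist item to render as a list entry. The two new items (enrollment agent template, authentication template) match the two includes added above, and `Publish the certificate templates to the CA` is correctly pluralised to cover them.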

View File

@ -12,6 +12,8 @@ ms.topic: how-to
[!INCLUDE [hello-hybrid-cert-trust](./includes/hello-hybrid-cert-trust.md)] [!INCLUDE [hello-hybrid-cert-trust](./includes/hello-hybrid-cert-trust.md)]
Hybrid environments are distributed systems that enable organizations to use on-premises and Azure AD-protected resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources.
This deployment guide describes how to deploy Windows Hello for Business in a hybrid certificate trust scenario. This deployment guide describes how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
> [!IMPORTANT] > [!IMPORTANT]
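Review bot: the new paragraph says Windows Hello for Business "uses the existing distributed system as a foundation" without saying which part of it; for the certificate trust model the part that matters is the AD FS federation with Azure AD (the prerequisites below state that PTA and PHS are not supported), so a clause such as "including the AD FS federation with Azure AD" would make the paragraph specific to this guide rather than generic to every hybrid model.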
@ -24,7 +26,7 @@ The following prerequisites must be met for a hybrid certificate trust deploymen
> [!div class="checklist"] > [!div class="checklist"]
> * Directories and directory synchronization > * Directories and directory synchronization
> * Federation > * Federated authentication to Azure AD
> * Device registration > * Device registration
> * Public Key Infrastructure > * Public Key Infrastructure
> * Multi-factor authentication > * Multi-factor authentication
@ -43,10 +45,10 @@ The hybrid-certificate trust deployment needs an *Azure Active Directory Premium
> [!NOTE] > [!NOTE]
> Windows Hello for Business hybrid certificate trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Azure AD. > Windows Hello for Business hybrid certificate trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Azure AD.
> [!NOTE] > [!IMPORTANT]
> Windows Hello for Business is tied between a user and a device. Both the user and device object must be synchronized between Azure Active Directory and Active Directory. > Windows Hello for Business is tied between a user and a device. Both the user and device object must be synchronized between Azure Active Directory and Active Directory.
### Federation ### Federated authentication to Azure AD
Windows Hello for Business hybrid certificate trust doesn't support Azure AD *Pass-through Authentication* (PTA) or *password hash sync* (PHS).\ Windows Hello for Business hybrid certificate trust doesn't support Azure AD *Pass-through Authentication* (PTA) or *password hash sync* (PHS).\
Windows Hello for Business hybrid certificate trust requires Active Directory to be federated with Azure Active Directory using AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices. Windows Hello for Business hybrid certificate trust requires Active Directory to be federated with Azure Active Directory using AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices.
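Review bot: renaming the heading from `Federation` to `Federated authentication to Azure AD` changes its generated anchor (`#federation` becomes `#federated-authentication-to-azure-ad`); search this file and the related hello-hybrid pages for links to the old fragment, as they break silently. Upgrading the user/device synchronisation callout from NOTE to IMPORTANT is appropriate, since the text states a hard requirement rather than advice.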
@ -103,7 +105,7 @@ Once the prerequisites are met, deploying Windows Hello for Business with a hybr
> [!div class="checklist"] > [!div class="checklist"]
> * Configure and validate the PKI > * Configure and validate the PKI
> * Configure and validate AD FS > * Configure AD FS
> * Configure Windows Hello for Business settings > * Configure Windows Hello for Business settings
> * Provision Windows Hello for Business on Windows clients > * Provision Windows Hello for Business on Windows clients
> * Configure single sign-on (SSO) for Azure AD joined devices > * Configure single sign-on (SSO) for Azure AD joined devices

View File

@ -1,91 +0,0 @@
### Enrollment Agent certificate template
Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request, or when the service first starts.
Approximately 60 days prior to the enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew and expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate.
> [!IMPORTANT]
> Follow the procedures below based on the AD FS service account used in your environment.
#### Creating an Enrollment Agent certificate for Group Managed Service Accounts
Sign-in to a certificate authority or management workstation with _Domain Admin_ equivalent credentials.
1. Open the **Certification Authority Management** console.
2. Right-click **Certificate Templates** and click **Manage**.
3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certificate Recipient** list.
5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected.
> [!NOTE]
> The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the _Build from this Active Directory information_ option, which will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with _Supply in the request_ to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
8. On the **Security** tab, click **Add**.
9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**.
10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**.
11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
12. Close the console.
#### Creating an Enrollment Agent certificate for typical Service Accounts
Sign-in to a certificate authority or management workstation with *Domain Admin* equivalent credentials.
1. Open the **Certification Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent (Offline request)** template in the details pane and click **Duplicate Template**.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certificate Recipient** list.
5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**.
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**.
9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
10. Close the console.
### Section Review
> [!div class="checklist"]
> * Domain Controller certificate template
> * Configure superseded domain controller certificate templates
> * Enrollment Agent certificate template
> * Windows Hello for Business Authentication certificate template
> * Mark the certificate template as Windows Hello for Business sign-in template
> * Publish Certificate templates to certificate authorities
> * Unpublish superseded certificate templates
>
> [!div class="step-by-step"]
> [< Configure Azure AD Connect](hello-hybrid-cert-whfb-settings-dir-sync.md)
> [Configure AD FS >](hello-hybrid-cert-whfb-settings-adfs.md)
<br><br>
<hr>
## Follow the Windows Hello for Business hybrid certificate trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
5. Configure Windows Hello for Business settings: PKI (*You are here*)
6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
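Review bot: the deleted procedures set the template compatibility to `Windows Server 2012` / `Windows Server 2012 R2` for both the certification authority and the certificate recipient, while the replacement include sets `Windows Server 2016` and `Windows 10 / Windows Server 2016`; that raises the template version and is a substantive change the commit does not mention, so confirm it is intentional and that the CA version stated elsewhere in the guide agrees. Also, the deleted standard-service-account variant (step 8) did not include the `Object Types` > `Service Accounts` step, which is only needed to find a gMSA in the object picker; the new include copies it into the standard-account variant, which is harmless but unnecessary. The dropped `Section Review` checklist and the numbered "Follow the ... deployment guide" trail are replaced by the `checklist` and `nextstepaction` blocks in the parent pages, so nothing is lost.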

View File

@ -100,7 +100,7 @@ Before moving to the next section, ensure the following steps are complete:
> [!div class="checklist"] > [!div class="checklist"]
> - Configure domain controller certificates > - Configure domain controller certificates
> -_ Supersede existing domain controller certificates > - Supersede existing domain controller certificates
> - Unpublish superseded certificate templates > - Unpublish superseded certificate templates
> - Publish the certificate template to the CA > - Publish the certificate template to the CA
> - Deploy certificates to the domain controllers > - Deploy certificates to the domain controllers

View File

@ -18,6 +18,8 @@ This deployment guide describes how to deploy Windows Hello for Business in a hy
> [!IMPORTANT] > [!IMPORTANT]
> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. For more information, see [cloud Kerberos trust deployment](hello-hybrid-cloud-kerberos-trust.md). > Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. For more information, see [cloud Kerberos trust deployment](hello-hybrid-cloud-kerberos-trust.md).
It is recommended that you review the [Windows Hello for Business planning guide](hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.
## Prerequisites ## Prerequisites
The following prerequisites must be met for a hybrid key trust deployment: The following prerequisites must be met for a hybrid key trust deployment:
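Review bot: the added sentence is passive ("It is recommended that you review"); the rest of this guide is written in the imperative, so "Review the [Windows Hello for Business planning guide](hello-planning-guide.md) before using this deployment guide." reads more consistently. The second sentence also repeats "explains" twice ("helps you make decisions by explaining ... and explains"); tighten to "The planning guide explains the options for each aspect of the deployment and the outcomes of each decision."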

View File

@ -0,0 +1,86 @@
---
ms.date: 01/03/2022
ms.topic: include
---
<details>
<summary><b>Configure an enrollment agent certificate template</b></summary>
A certificate registration authority (CRA) is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certification authority (CA) for issuance. The CA issues the certificate, returns it to the CRA, which returns the certificate to the requesting user. The Windows Hello for Business on-premises certificate-based deployment uses AD FS as the CRA.
The CRA enrolls for an *enrollment agent certificate*. Once the CRA verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the CA. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The CA only issues a certificate for that template if the registration authority signs the certificate request.
> [!IMPORTANT]
> Follow the procedures below based on the AD FS service account used in your environment.
### Create an enrollment agent certificate for Group Managed Service Accounts (GMSA)
Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.
1. Open the **Certification Authority** management console
1. Right-click **Certificate Templates** and select **Manage**
1. In the **Certificate Template Console**, right-click on the **Exchange Enrollment Agent (Offline request)** template details pane and select **Duplicate Template**
1. On the **Compatibility** tab:
- Clear the **Show resulting changes** check box
- Select **Windows Server 2016** from the **Certification Authority** list.
- Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list
1. On the **General** tab:
- Type *WHFB Enrollment Agent* in **Template display name**
- Adjust the validity and renewal period to meet your enterprise's needs
1. On the **Subject** tab, select the **Supply in the request** button if it is not already selected
> [!NOTE]
> Group Managed Service Accounts (GMSA) do not support the *Build from this Active Directory information* option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with *Supply in the request* to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
1. On the **Cryptography** tab:
- Select **Key Storage Provider** from the **Provider Category** list
- Select **RSA** from the **Algorithm name** list
- Type *2048* in the **Minimum key size** text box
- Select **SHA256** from the **Request hash** list
1. On the **Security** tab, select **Add**
1. Select **Object Types** and select the **Service Accounts** check box. Select **OK**
1. Type *adfssvc* in the **Enter the object names to select** text box and select **OK**
1. Select the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section:
- In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission
- Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared
- Select **OK**
1. Close the console
### Create an enrollment agent certificate for a standard service account
Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.
1. Open the **Certification Authority** management console
1. Right-click **Certificate Templates** and select **Manage**
1. In the **Certificate Template Console**, right-click on the **Exchange Enrollment Agent (Offline request)** template details pane and select **Duplicate Template**
1. On the **Compatibility** tab:
- Clear the **Show resulting changes** check box
- Select **Windows Server 2016** from the **Certification Authority** list.
- Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list
1. On the **General** tab:
- Type *WHFB Enrollment Agent* in **Template display name**
- Adjust the validity and renewal period to meet your enterprise's needs
1. On the **Subject** tab:
- Select the **Build from this Active Directory information** button
- Select **Fully distinguished name** from the **Subject name format**
- Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
1. On the **Cryptography** tab:
- Select **Key Storage Provider** from the **Provider Category** list
- Select **RSA** from the **Algorithm name** list
- Type *2048* in the **Minimum key size** text box
- Select **SHA256** from the **Request hash** list
1. On the **Security** tab, select **Add**
1. Select **Object Types** and select the **Service Accounts** check box. Select **OK**
1. Type *adfssvc* in the **Enter the object names to select** text box and select **OK**
1. Select the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section:
- In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission
- Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared
- Select **OK**
1. Close the console
> [!NOTE]
> AD FS used for Windows Hello for Business certificate enrollment performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request, or when the service first starts.
>
> Approximately 60 days prior to the enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew and expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate.
</details>
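Review bot: `ms.date: 01/03/2022` is a year off, the commit is dated 2023-01-03, so use `01/03/2023`. Prose fixes: "validates certificate request" should be "validates certificate requests"; "Sign in to a CA or management workstations" should be "workstation" (both procedures); the bullet "In the **Permissions for adfssvc** section, select the **Allow** check box ..." repeats the line that introduces it, so drop the leading clause; the "Select **Windows Server 2016**" bullet carries a trailing period the other bullets lack. The sentence "The Windows Hello for Business on-premises certificate-based deployment uses AD FS as the CRA" now lives in an include consumed by the hybrid certificate trust page as well (that page's next step is `hello-hybrid-cert-whfb-settings-adfs.md`), so say "certificate trust deployments use AD FS as the CRA". In the standard service account procedure the `Object Types` > `Service Accounts` step is only needed for a gMSA and can be dropped, leaving the Subject tab as the only difference between the two variants, which makes the IMPORTANT callout easier to act on. Keep the step that clears `Enroll` and `Autoenroll` for every principal other than `adfssvc`: the include states that the authentication template issues only for requests signed with this certificate, so restricting who can enroll the enrollment agent certificate is the control that makes that statement hold.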