From 27ef2374349bea488bfaf85f01d46172686282d1 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 21 Dec 2022 16:43:14 -0500 Subject: [PATCH] updates --- .../hello-for-business/hello-hybrid-key-trust.md | 13 +++++++------ .../identity-protection/hello-for-business/toc.yml | 10 ++++++---- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md index 1712a5710f..a1a6b93b28 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md @@ -16,7 +16,7 @@ Windows Hello for Business replaces password sign-in with strong authentication, Hybrid environments are distributed systems that enable organizations to use on-premises and Azure AD-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources. > [!IMPORTANT] -> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the preferred deployment model if you do not need to support certificate authentication scenarios. For more information see [cloud Kerberos trust deployment](hello-hybrid-cloud-kerberos-trust.md). +> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. For more information see [cloud Kerberos trust deployment](hello-hybrid-cloud-kerberos-trust.md). ## Prerequisites @@ -29,11 +29,11 @@ Hybrid Windows Hello for Business needs two directories: - an on-premises Active Directory - an Azure Active Directory tenant -The two directories must be synchronized. You need [Azure AD Connect Sync][AZ-1] to synchronize user accounts from the on-premises Active Directory to Azure AD.\ +The two directories must be synchronized with [Azure AD Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Azure AD.\ During the Window Hello for Business provisioning process, users register the public portion of their Windows Hello for Business credential with Azure AD. *Azure AD Connect Sync* synchronizes the Windows Hello for Business public key to Active Directory. > [!NOTE] -> Windows Hello for Business Hybrid key trust is not supported if the users' on-premises domain cannot be added as a verified domain in Azure AD. +> Windows Hello for Business Hybrid key trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Azure AD. Ensure that you have [adequate Domain Controllers](/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers) in each Active Directory site where users will be authenticating with Windows Hello for Business. @@ -41,12 +41,13 @@ Ensure that you have [adequate Domain Controllers](/windows/security/identity-pr Authentication to Azure AD can be configured with or without federation: -- for non-federated environments, you must deploy [password hash synchronization](/azure/active-directory/hybrid/whatis-phs) or [Azure Active Directory Pass-through-Authentication](/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication)
  • -- for federated environments, you use Active Directory Federation Services (AD FS) or third-party federation services +- for non-federated environments, you must deploy [password hash synchronization](/azure/active-directory/hybrid/whatis-phs) or [Azure Active Directory Pass-through-Authentication](/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication) +- for federated environments, you can use Active Directory Federation Services (AD FS) or third-party federation services ### Device registration -The Windows client devices where Windows Hello for Business will be provisioned, must be registered in Azure AD. This ensures that only approved computers are used with that Azure AD tenant. You can *Azure AD join* or *hybrid Azure AD join* to register devices to Azure AD. For *hybrid Azure AD join* devices, review the guidance on the [Plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) page. +The Windows client devices where Windows Hello for Business will be provisioned, must be registered in Azure AD. This ensures that only approved computers are used with that Azure AD tenant. You can *Azure AD join* or *hybrid Azure AD join* to register devices to Azure AD.\ +For *hybrid Azure AD joined* devices, review the guidance on the [Plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) page. ### Public Key Infrastructure diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 99f20b0f21..16e5fbceaf 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -28,9 +28,11 @@ - name: Cloud Kerberos trust deployment href: hello-hybrid-cloud-kerberos-trust.md - name: Key trust deployment - href: hello-hybrid-key-trust.md - - name: New installation baseline - href: hello-hybrid-key-new-install.md + items: + - name: Overview + href: hello-hybrid-key-trust.md + - name: Configure and validate the PKI + href: hello-hybrid-key-trust-validate-pki.md - name: Certificate trust deployment items: - name: Overview @@ -73,7 +75,7 @@ href: hello-deployment-key-trust.md - name: Validate Active Directory prerequisites href: hello-key-trust-validate-ad-prereq.md - - name: Configure and validate Public Key Infrastructure (PKI) + - name: Configure and validate the PKI href: hello-key-trust-validate-pki.md - name: Prepare and deploy Active Directory Federation Services (AD FS) href: hello-key-trust-adfs.md