updates

2025-05-12 13:27:23 +00:00 · 2022-11-21 11:18:34 -05:00 · 2022-11-21 11:18:34 -05:00 · 2a74e340ca
commit 2a74e340ca
parent cab8a87ac6
21 changed files with 65 additions and 0 deletions
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@ -110,6 +110,8 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
 ## Review & validate
 [!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
 Before you continue with the deployment, validate your deployment progress by reviewing the following items:
 - Confirm the AD FS farm uses the correct database configuration.
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
@ -12,6 +12,8 @@ ms.topic: article
 ---
 # Configure Windows Hello for Business Policy settings - Certificate Trust
 [!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
 To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
 Install the Remote Server Administration Tools for Windows on a computer running Windows 10 or later.
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@ -9,6 +9,8 @@ ms.topic: article
 ---
 # Validate Active Directory prerequisites for cert-trust deployment
 [!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
 The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema.
 > [!NOTE]
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
@ -9,6 +9,8 @@ ms.topic: article
 ---
 # Validate and Deploy Multi-Factor Authentication feature
 [!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
 Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option.
 For information on available third-party authentication methods, see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method, see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method)
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
@ -9,6 +9,8 @@ ms.topic: article
 ---
 # Validate and Configure Public Key Infrastructure - Certificate Trust Model
 [!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
 Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model.  All trust models depend on the domain controllers having a certificate.  The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller.  The certificate trust model extends certificate issuance to client computers.  During Windows Hello for Business provisioning, the user receives a sign-in certificate.
 ## Deploy an enterprise certificate authority
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
@ -9,6 +9,8 @@ ms.topic: article
 ---
 # On Premises Certificate Trust Deployment
 [!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
 Windows Hello for Business replaces username and password sign-in to Windows with authentication using an asymmetric key pair. This deployment guide provides the information you'll need to successfully deploy Windows Hello for Business in an existing environment.  
 Below, you can find all the information needed to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment:
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
@ -8,6 +8,8 @@ ms.topic: article
 ---
 # Hybrid Azure AD joined Windows Hello for Business Certificate Trust New Installation
 [!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
 Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure.  Hybrid certificate trust deployments of Windows Hello for Business rely on these technologies
 - [Active Directory](#active-directory)
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@ -8,6 +8,8 @@ ms.topic: article
 ---
 # Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business
 [!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-ad.md)]
 Your environment is federated and you're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication.  
 > [!IMPORTANT]
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
@ -8,6 +8,8 @@ ms.topic: article
 ---
 # Hybrid Azure AD joined Windows Hello for Business Prerequisites
 [!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
 Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources.
 The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure.  High-level pieces of the infrastructure include:
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
@ -8,6 +8,8 @@ ms.topic: article
 ---
 # Hybrid Azure AD joined Certificate Trust Deployment
 [!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
 Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario.
 It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide.  The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.  You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514).
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@ -8,6 +8,8 @@ ms.topic: article
 ---
 # Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning
 [!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
 ## Provisioning
 The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop.  Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
@ -8,6 +8,8 @@ ms.topic: article
 ---
 # Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory
 [!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
 The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. 
 ### Creating Security Groups
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@ -8,6 +8,8 @@ ms.topic: article
 ---
 # Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory Federation Services
 [!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
 ## Federation Services
 The Windows Server 2016 Active Directory Federation Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
@ -9,6 +9,8 @@ ms.topic: article
 # Configure Hybrid Azure AD joined Windows Hello for Business- Directory Synchronization
 [!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
 ## Directory Synchronization
 In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure.  Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@ -9,6 +9,8 @@ ms.topic: article
 # Configure Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure
 [!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
 Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly-issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows between them and the client computer.
 All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users with a sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates.
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
@ -8,6 +8,7 @@ ms.topic: article
 ---
 # Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy
 [!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-ad.md)]
 ## Policy Configuration
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
@ -8,6 +8,8 @@ ms.topic: article
 ---
 # Configure Hybrid Azure AD joined Windows Hello for Business
 [!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
 Your environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model.  
 > [!IMPORTANT]
 > If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment.  
--- a/windows/security/includes/hello-hybrid-cert-trust-aad.md
+++ b/windows/security/includes/hello-hybrid-cert-trust-aad.md
@ -0,0 +1,8 @@
 This document describes Windows Hello for Business functionalities or scenarios that apply to:\
 ✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\
 ✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\
 ✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join)
 <br>
 ---
--- a/windows/security/includes/hello-hybrid-cert-trust-ad.md
+++ b/windows/security/includes/hello-hybrid-cert-trust-ad.md
@ -0,0 +1,8 @@
 This document describes Windows Hello for Business functionalities or scenarios that apply to:\
 ✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\
 ✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\
 ✅ **Device registration type:** [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join)
 <br>
 ---
--- a/windows/security/includes/hello-hybrid-cert-trust.md
+++ b/windows/security/includes/hello-hybrid-cert-trust.md
@ -0,0 +1,8 @@
 This document describes Windows Hello for Business functionalities or scenarios that apply to:\
 ✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\
 ✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\
 ✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join)
 <br>
 ---
--- a/windows/security/includes/hello-on-premises-cert-trust.md
+++ b/windows/security/includes/hello-on-premises-cert-trust.md
@ -0,0 +1,8 @@
 This document describes Windows Hello for Business functionalities or scenarios that apply to:\
 ✅ **Deployment type:** [on-premises](../identity-protection/hello-for-business/hello-how-it-works-technology.md#on-premises-deployment)\
 ✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\
 ✅ **Device registration type:** Active Directory domain join
 <br>
 ---