diff --git a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md index 9551e30cb2..0e2b829e79 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md +++ b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md @@ -13,10 +13,10 @@ ms.topic: how-to > [!div class="checklist"] > -> - [Authentication](index.md#authentication) -> - [Device configuration](index.md#device-configuration) -> - [Licensing for cloud services](index.md#licensing-for-cloud-services) -> - [Prepare users to use Windows Hello](index.md#prepare-users-to-use-windows-hello) +> - [Authentication](index.md#authentication-to-microsoft-entra-id) +> - [Device configuration](index.md#device-configuration-options) +> - [Licensing for cloud services](index.md#licensing-for-cloud-services-requirements) +> - [Prepare users to use Windows Hello](prepare-users.md) ## Deployment steps diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md index e4d03d96dd..b418bbd569 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md 
@@ -108,7 +108,7 @@ This information is also available using the `dsregcmd.exe /status` command from > [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."] -After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment. +After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows sends the certificate request to the AD FS server for certificate enrollment. The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md index 00e2397357..5b1211c41a 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md 
@@ -16,11 +16,11 @@ ms.topic: tutorial > [!div class="checklist"] > -> - [Public Key Infrastructure](index.md#public-key-infrastructure-pki) -> - [Authentication](index.md#authentication) -> - [Device configuration](index.md#device-configuration) -> - [Licensing for cloud services](index.md#licensing-for-cloud-services) -> - [Prepare users to use Windows Hello](index.md#prepare-users-to-use-windows-hello) +> - [Public Key Infrastructure](index.md#pki-requirements) +> - [Authentication](index.md#authentication-to-microsoft-entra-id) +> - [Device configuration](index.md#device-configuration-options) +> - [Licensing for cloud services](index.md#licensing-for-cloud-services-requirements) +> - [Prepare users to use Windows Hello](prepare-users.md) ## Deployment steps diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md index d8b48b96a6..584fff10d0 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md 
@@ -13,11 +13,11 @@ ms.topic: tutorial > [!div class="checklist"] > -> - [Authentication](index.md#authentication) -> - [Device configuration](index.md#device-configuration) +> - [Authentication](index.md#authentication-to-microsoft-entra-id) +> - [Device configuration](index.md#device-configuration-options) > - [Windows requirements](index.md#windows-requirements) > - [Windows Server requirements](index.md#windows-server-requirements) -> - [Prepare users to use Windows Hello](index.md#prepare-users-to-use-windows-hello) +> - [Prepare users to use Windows Hello](prepare-users.md) > [!IMPORTANT] > When implementing the cloud Kerberos trust deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1]. diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md index 345cdb581d..e5a08f2117 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md @@ -16,10 +16,10 @@ ms.topic: tutorial > [!div class="checklist"] > -> - [Public Key Infrastructure](index.md#public-key-infrastructure-pki) -> - [Authentication](index.md#authentication) -> - [Device configuration](index.md#device-configuration) -> - [Prepare users to use Windows Hello](index.md#prepare-users-to-use-windows-hello) +> - [Public Key Infrastructure](index.md#pki-requirements) +> - [Authentication](index.md#authentication-to-microsoft-entra-id) +> - [Device configuration](index.md#device-configuration-options) +> - [Prepare users to use Windows Hello](prepare-users.md) ## Deployment steps 
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md index 510988a482..6bd1a94800 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md @@ -14,13 +14,13 @@ ms.topic: tutorial > [!div class="checklist"] > -> - [Public Key Infrastructure](index.md#public-key-infrastructure-pki) -> - [Authentication](index.md#authentication) -> - [Device configuration](index.md#device-configuration) -> - [Licensing for cloud services](index.md#licensing-for-cloud-services) +> - [Public Key Infrastructure](index.md#pki-requirements) +> - [Authentication](index.md#authentication-to-microsoft-entra-id) +> - [Device configuration](index.md#device-configuration-options) +> - [Licensing for cloud services](index.md#licensing-for-cloud-services-requirements) > - [Windows requirements](index.md#windows-requirements) > - [Windows Server requirements](index.md#windows-server-requirements) -> - [Prepare users to use Windows Hello](index.md#prepare-users-to-use-windows-hello) +> - [Prepare users to use Windows Hello](prepare-users.md) ## Deployment steps diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md index 8d7ea6b21a..a5a2281196 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md 
@@ -13,13 +13,13 @@ ms.topic: tutorial > [!div class="checklist"] > -> - [Public Key Infrastructure](index.md#public-key-infrastructure-pki) -> - [Authentication](index.md#authentication) -> - [Device configuration](index.md#device-configuration) -> - [Licensing for cloud services](index.md#licensing-for-cloud-services) +> - [Public Key Infrastructure](index.md#pki-requirements) +> - [Authentication](index.md#authentication-to-microsoft-entra-id) +> - [Device configuration](index.md#device-configuration-options) +> - [Licensing for cloud services](index.md#licensing-for-cloud-services-requirements) > - [Windows requirements](index.md#windows-requirements) > - [Windows Server requirements](index.md#windows-server-requirements) -> - [Prepare users to use Windows Hello](index.md#prepare-users-to-use-windows-hello) +> - [Prepare users to use Windows Hello](prepare-users.md) ## Deployment steps diff --git a/windows/security/identity-protection/hello-for-business/how-it-works.md b/windows/security/identity-protection/hello-for-business/how-it-works.md index 390d0f7041..2cae34b3ec 100644 --- a/windows/security/identity-protection/hello-for-business/how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/how-it-works.md @@ -1,8 +1,8 @@ --- title: How Windows Hello for Business works -description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services. +description: Learn how Windows Hello for Business works, and how it can help you protect your organization. ms.date: 01/03/2024 -ms.topic: overview +ms.topic: concept-article --- # How Windows Hello for Business works 
@@ -12,7 +12,6 @@ ms.topic: overview ## How Windows Hello for Business works: key points - Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device. -- - Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. To guarantee that keys are generated in hardware, you must set policy. - Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (biometrics). The Windows Hello gesture doesn't roam between devices and isn't shared with the server. Biometrics templates are stored locally on a device. The PIN is never stored or shared. - The private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process. 
@@ -48,15 +47,15 @@ Windows Hello for Business is a distributed system that requires multiple techno :::column span="3"::: During this phase, the user authenticates using one form of authentication (typically, username/password) to request a new Windows Hello for Business credential. The provisioning flow requires a second factor of authentication before it can create a strong, two-factor Windows Hello for Business credential. - After multi-factor authentication (MFA), the provisioning process generates a key pair bound to the Trusted Platform Module (TPM), if available, or in software: - - the private key is protected by the TPM and can't be exported - - the public key is registered with the IdP and the private key is stored in the TPM + After multi-factor authentication (MFA), the provisioning process: + 1. **Generates a key pair** bound to the Trusted Platform Module (TPM), if available, or in software. The private key is stored and protected by the TPM, and can't be exported + 2. **Registers the public key** with the IdP :::column-end::: :::row-end::: :::row::: :::column span=""::: - **Key Registration** + **Key synchronization** :::column-end::: :::row-end::: :::row::: @@ -64,7 +63,7 @@ Windows Hello for Business is a distributed system that requires multiple techno :::image type="content" source="images/howitworks/synchronization.png" alt-text="Icon representing the synchronization phase." border="false"::: :::column-end::: :::column span="3"::: - In this phase, applicable only to hybrid deploments, the user's public key is synchronized from Microsoft Entra ID to Active Directory. + In this phase, applicable only to hybrid deploments, the user's public key is synchronized from Microsoft Entra ID to Active Directory. :::column-end::: :::row-end::: :::row::: 
@@ -77,7 +76,7 @@ Windows Hello for Business is a distributed system that requires multiple techno :::image type="content" source="images/howitworks/certificate-enrollment.png" alt-text="Icon representing the certificate enrollment phase." border="false"::: :::column-end::: :::column span="3"::: - This phase occurs only in certificate trust deployments. A user certificate is issued by an internal PKI and the public key stored in the Windows Hello container + In this phase, applicable only to deploments using certificates, a certificate is issued to the user using the organization's public key infrastructure (PKI). :::column-end::: :::row-end::: :::row::: @@ -229,6 +228,8 @@ Changes to a user account password doesn't affect sign-in or unlock, since Windo ## Next steps > [!div class="nextstepaction"] -> Whether you have have a cloud-only deployment, hybrid, or on-premises, Windows Hello for Business has a deployment option for you. To learn more, see [Plan a Windows Hello for Business Deployment](deploy/index.md). +> Whether you have have a cloud-only deployment, hybrid, or on-premises, Windows Hello for Business has a deployment option for you. +> +> To learn more, see: > > [Plan a Windows Hello for Business Deploymen](deploy/index.md) diff --git a/windows/security/identity-protection/hello-for-business/images/hello-container.png b/windows/security/identity-protection/hello-for-business/images/hello-container.png index 7bc87c0776..09ba0e89b7 100644 Binary files a/windows/security/identity-protection/hello-for-business/images/hello-container.png and b/windows/security/identity-protection/hello-for-business/images/hello-container.png differ
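Review bot: none of the new link targets in the six checklist hunks (cloud-only.md, hybrid-cert-trust.md, hybrid-cloud-kerberos-trust.md, hybrid-key-trust.md, on-premises-cert-trust.md, on-premises-key-trust.md) can be verified from this patch, because index.md and prepare-users.md are not part of it. The anchors `index.md#authentication-to-microsoft-entra-id`, `index.md#device-configuration-options`, `index.md#licensing-for-cloud-services-requirements` and `index.md#pki-requirements` only resolve if index.md's headings were renamed to match, and `prepare-users.md` only if that file exists. Please confirm both (or include those files in the same change); otherwise every deployment checklist ships with dead links, and the unchanged `index.md#windows-requirements` and `index.md#windows-server-requirements` anchors suggest the heading rename in index.md was partial, so those two are worth re-checking too.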
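Review bot: in the hybrid-cert-trust-enroll.md hunk the `send` to `sends` fix is correct; while touching this paragraph, the trailing context line "The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered" reads more cleanly as "verifies that the key used in the certificate request matches the key that was previously registered", and it is the security-relevant step of the flow (the RA binding the CSR to the already-registered key before countersigning it), so it is worth making unambiguous.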
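Review bot: the how-it-works.md key-points hunk rightly drops the stray empty `-` bullet, but the unchanged first bullet above it has a grammar problem worth fixing in the same pass: "Windows Hello credentials are based on certificate or asymmetrical key pair" should read "are based on a certificate or an asymmetric key pair" ("asymmetric" is the standard term).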
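Review bot: in the how-it-works.md provisioning hunk (`@@ -48,15 +47,15 @@`), the re-emitted line "+ In this phase, applicable only to hybrid deploments, the user's public key is synchronized from Microsoft Entra ID to Active Directory." changes only whitespace and carries the typo "deploments" forward; since the line is already being touched, fix it to "deployments". Two smaller points: the new numbered items "1. **Generates a key pair** ... and can't be exported" and "2. **Registers the public key** with the IdP" lack terminal periods, unlike the surrounding sentences; and renaming the row label from "Key Registration" to "Key synchronization" is the right call given the `synchronization.png` icon and the synchronization description that follow it.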
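Review bot: the `@@ -77,7 +76,7 @@` hunk in how-it-works.md introduces "applicable only to deploments using certificates" with the same "deploments" typo, and replaces the term "certificate trust deployments" with the looser "deployments using certificates"; the deploy pages in this same patch are named hybrid-cert-trust.md and on-premises-cert-trust.md, so keeping "certificate trust deployments" preserves the term readers will search for. The removed line also stated that the issued certificate corresponds to the key pair held in the Windows Hello container; the new sentence only says a certificate "is issued to the user", so consider "a certificate for the Windows Hello key pair is issued to the user using the organization's public key infrastructure (PKI)" to keep that binding explicit.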
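Review bot: the Next steps hunk (`@@ -229,6 +228,8 @@`) rewrites the sentence but keeps the duplicated word in "+> Whether you have have a cloud-only deployment"; drop one "have". The unchanged link text in the following context line, "> [Plan a Windows Hello for Business Deploymen](deploy/index.md)", is missing the final "t" of "Deployment" and is now the only link in the block, so it should be fixed here as well. The hunk-header context "Changes to a user account password doesn't affect sign-in or unlock" also has a subject-verb mismatch ("Changes ... don't affect").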