This commit is contained in:
Paolo Matarazzo 2024-06-23 08:50:25 -04:00
parent be66e0d390
commit 2dbf84843f
11 changed files with 23 additions and 43 deletions


@ -167,6 +167,11 @@
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>", "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>" "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
], ],
"identity-protection/hello-for-business/**/*.md": [
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2025 (preview)</a>"
],
"identity-protection/smart-cards/**/*.md": [ "identity-protection/smart-cards/**/*.md": [
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>", "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>", "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",


@ -1,7 +1,7 @@
--- ---
title: Configure Active Directory Federation Services in a hybrid certificate trust model title: Configure Active Directory Federation Services in a hybrid certificate trust model
description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business hybrid certificate trust model. description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business hybrid certificate trust model.
ms.date: 03/12/2024 ms.date: 06/23/2024
ms.topic: tutorial ms.topic: tutorial
--- ---
@ -52,19 +52,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
1. Restart the AD FS server 1. Restart the AD FS server
> [!NOTE] > [!NOTE]
> For AD FS 2019 in a hybrid certificate trust model, a PRT issue exists. You may encounter this error in the AD FS Admin event logs: *Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'*. To remediate this error: > For AD FS 2019 and later in a certificate trust model, a known PRT issue exists. You may encounter this error in AD FS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. For more information about the isse and its resolution, see [Certificate trust provisioning with AD FS broken on windows server 2019](../hello-deployment-issues.md#certificate-trust-provisioning-with-ad-fs-broken-on-windows-server-2019).
>
> 1. Launch AD FS management console and browse to **Services > Scope Descriptions**
> 1. Right click **Scope Descriptions** and select **Add Scope Description**
> 1. Under name type `ugs` and select **Apply > OK**
> 1. Launch PowerShell as an administrator
> 1. Obtain the *ObjectIdentifier* of the application permission with the `ClientRoleIdentifier` parameter equal to `38aa3b87-a06d-4817-b275-7a316988d93b`:
> ```PowerShell
> (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier
> ```
> 1. Execute the command `Set-AdfsApplicationPermission -TargetIdentifier <ObjectIdentifier from step 5> -AddScope 'ugs'`.
> 1. Restart the AD FS service
> 1. On the client: Restart the client. User should be prompted to provision Windows Hello for Business
## Section review and next steps ## Section review and next steps
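Review bot: The rewritten NOTE line contains the typo `isse`, and the identical sentence is repeated in the on-premises AD FS page's NOTE in this commit, so both should read `For more information about the issue and its resolution, see [...]`. The link text `Certificate trust provisioning with AD FS broken on windows server 2019` also lowercases the product name; `Windows Server 2019` matches the rest of the page. Because the step-by-step remediation (adding the `ugs` scope description and granting it to the self-scope application permission) is deleted here and now exists only behind that link, confirm that `hello-deployment-issues.md` really contains the `#certificate-trust-provisioning-with-ad-fs-broken-on-windows-server-2019` anchor, otherwise a reader who hits the logged error is left without the fix. The NOTE block and the enclosing section continue outside the hunk.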


@ -1,7 +1,7 @@
--- ---
title: Configure and enroll in Windows Hello for Business in hybrid certificate trust model title: Configure and enroll in Windows Hello for Business in hybrid certificate trust model
description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid certificate trust scenario. description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid certificate trust scenario.
ms.date: 03/12/2024 ms.date: 06/23/2024
ms.topic: tutorial ms.topic: tutorial
--- ---


@ -1,7 +1,7 @@
--- ---
title: Configure and validate the PKI in an hybrid certificate trust model title: Configure and validate the PKI in an hybrid certificate trust model
description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a hybrid certificate trust model. description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a hybrid certificate trust model.
ms.date: 03/12/2024 ms.date: 06/23/2024
ms.topic: tutorial ms.topic: tutorial
--- ---


@ -1,7 +1,7 @@
--- ---
title: Windows Hello for Business hybrid certificate trust deployment guide title: Windows Hello for Business hybrid certificate trust deployment guide
description: Learn how to deploy Windows Hello for Business in a hybrid certificate trust scenario. description: Learn how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
ms.date: 03/12/2024 ms.date: 06/23/2024
ms.topic: tutorial ms.topic: tutorial
--- ---


@ -61,4 +61,4 @@ CertUtil: -dsTemplate command completed successfully."
``` ```
>[!NOTE] >[!NOTE]
>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace `WHFBAuthentication` in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the `Get-CATemplate` ADCS Administration Windows PowerShell cmdlet on your certification authority. >If you gave your Windows Hello for Business Authentication certificate template a different name, then replace `WHFBAuthentication` in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc).


@ -3,7 +3,7 @@ ms.date: 01/03/2024
ms.topic: include ms.topic: include
--- ---
### Configure an enrollment agent certificate template ## Configure an enrollment agent certificate template
A certificate registration authority (CRA) is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certification authority (CA) for issuance. The CA issues the certificate, returns it to the CRA, which returns the certificate to the requesting user. Windows Hello for Business certificate trust deployments use AD FS as the CRA. A certificate registration authority (CRA) is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certification authority (CA) for issuance. The CA issues the certificate, returns it to the CRA, which returns the certificate to the requesting user. Windows Hello for Business certificate trust deployments use AD FS as the CRA.


@ -1,7 +1,7 @@
--- ---
title: Configure Active Directory Federation Services in an on-premises certificate trust model title: Configure Active Directory Federation Services in an on-premises certificate trust model
description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business on-premises certificate trust model. description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business on-premises certificate trust model.
ms.date: 03/12/2024 ms.date: 06/23/2024
ms.topic: tutorial ms.topic: tutorial
--- ---
@ -16,20 +16,7 @@ Windows Hello for Business works exclusively with the Active Directory Federatio
[!INCLUDE [adfs-deploy](includes/adfs-deploy.md)] [!INCLUDE [adfs-deploy](includes/adfs-deploy.md)]
> [!NOTE] > [!NOTE]
> For AD FS 2019 and later in a certificate trust model, a known PRT issue exists. You may encounter this error in AD FS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error: > For AD FS 2019 and later in a certificate trust model, a known PRT issue exists. You may encounter this error in AD FS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. For more information about the isse and its resolution, see [Certificate trust provisioning with AD FS broken on windows server 2019](../hello-deployment-issues.md#certificate-trust-provisioning-with-ad-fs-broken-on-windows-server-2019).
>
> 1. Launch AD FS management console. Browse to ***Services > Scope Descriptions**
> 1. Right-click **Scope Descriptions** and select **Add Scope Description**
> 1. Under name type *ugs* and select **Apply > OK**
> 1. Launch PowerShell as an administrator and execute the following commands:
>
> ```PowerShell
> $id = (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier
> Set-AdfsApplicationPermission -TargetIdentifier $id -AddScope 'ugs'
> ```
>
> 1. Restart the AD FS service
> 1. Restart the client. User should be prompted to provision Windows Hello for Business
## Review to validate the AD FS and Active Directory configuration ## Review to validate the AD FS and Active Directory configuration
@ -40,6 +27,8 @@ Windows Hello for Business works exclusively with the Active Directory Federatio
> - Confirm you added the AD FS service account to the KeyAdmins group > - Confirm you added the AD FS service account to the KeyAdmins group
> - Confirm you enabled the Device Registration service > - Confirm you enabled the Device Registration service
[!INCLUDE [enrollment-agent-certificate-template](includes/certificate-template-enrollment-agent.md)]
## Configure the certificate registration authority ## Configure the certificate registration authority
The Windows Hello for Business on-premises certificate-based deployment uses AD FS as the certificate registration authority (CRA). The registration authority is responsible for issuing certificates to users and devices. The registration authority is also responsible for revoking certificates when users or devices are removed from the environment. The Windows Hello for Business on-premises certificate-based deployment uses AD FS as the certificate registration authority (CRA). The registration authority is responsible for issuing certificates to users and devices. The registration authority is also responsible for revoking certificates when users or devices are removed from the environment.


@ -1,5 +1,5 @@
--- ---
ms.date: 03/12/2024 ms.date: 06/23/2024
ms.topic: tutorial ms.topic: tutorial
title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario


@ -1,7 +1,7 @@
--- ---
title: Windows Hello for Business on-premises certificate trust deployment guide title: Windows Hello for Business on-premises certificate trust deployment guide
description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust scenario. description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust scenario.
ms.date: 03/12/2024 ms.date: 06/23/2024
ms.topic: tutorial ms.topic: tutorial
--- ---
@ -48,8 +48,6 @@ Windows Hello for Business must have a Public Key Infrastructure (PKI) when usin
[!INCLUDE [web-server-certificate-template](includes/certificate-template-web-server.md)] [!INCLUDE [web-server-certificate-template](includes/certificate-template-web-server.md)]
[!INCLUDE [enrollment-agent-certificate-template](includes/certificate-template-enrollment-agent.md)]
[!INCLUDE [auth-certificate-template](includes/certificate-template-auth.md)] [!INCLUDE [auth-certificate-template](includes/certificate-template-auth.md)]
[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)] [!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]


@ -8,7 +8,7 @@ items:
- name: Cloud Kerberos trust deployment - name: Cloud Kerberos trust deployment
href: hybrid-cloud-kerberos-trust.md href: hybrid-cloud-kerberos-trust.md
- name: Key trust deployment - name: Key trust deployment
items: items:
- name: Requirements and validation - name: Requirements and validation
href: hybrid-key-trust.md href: hybrid-key-trust.md
displayName: key trust displayName: key trust
@ -19,7 +19,7 @@ items:
href: ../hello-hybrid-aadj-sso.md href: ../hello-hybrid-aadj-sso.md
displayName: key trust displayName: key trust
- name: Certificate trust deployment - name: Certificate trust deployment
items: items:
- name: Requirements and validation - name: Requirements and validation
href: hybrid-cert-trust.md href: hybrid-cert-trust.md
displayName: certificate trust displayName: certificate trust
@ -41,7 +41,7 @@ items:
- name: On-premises deployments - name: On-premises deployments
items: items:
- name: Key trust deployment - name: Key trust deployment
items: items:
- name: Requirements and validation - name: Requirements and validation
href: on-premises-key-trust.md href: on-premises-key-trust.md
- name: Prepare and deploy Active Directory Federation Services (AD FS) - name: Prepare and deploy Active Directory Federation Services (AD FS)
@ -49,10 +49,10 @@ items:
- name: Configure and enroll in Windows Hello for Business - name: Configure and enroll in Windows Hello for Business
href: on-premises-key-trust-enroll.md href: on-premises-key-trust-enroll.md
- name: Certificate trust deployment - name: Certificate trust deployment
items: items:
- name: Requirements and validation - name: Requirements and validation
href: on-premises-cert-trust.md href: on-premises-cert-trust.md
- name: Prepare and Deploy Active Directory Federation Services (AD FS) - name: Prepare and deploy Active Directory Federation Services (AD FS)
href: on-premises-cert-trust-adfs.md href: on-premises-cert-trust-adfs.md
- name: Configure and enroll in Windows Hello for Business - name: Configure and enroll in Windows Hello for Business
href: on-premises-cert-trust-enroll.md href: on-premises-cert-trust-enroll.md