updates

windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md

@@ -1,6 +1,6 @@
 ---
-title: Prepare and deploy Active Directory Federation Services in an on-premises certificate trust
+title: Prepare and deploy Active Directory Federation Services in an on-premises certificate trust model
-description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business certificate trust model.
+description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business on-premises certificate trust model.
 ms.date: 12/12/2022
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
@@ -183,7 +183,7 @@ Open a **Windows PowerShell** prompt and type the following command:
 Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication
    ```
 >[!NOTE]
-   > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates.
+> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name.  You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the `Get-CATemplate` PowerShell cmdlet on a CA.
 
 ### Enrollment agent certificate enrollment
 

windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md

@@ -9,11 +9,11 @@ ms.topic: tutorial
 ---
 # Configure and validate the Public Key Infrastructure - hybrid certificate trust
 
-[!INCLUDE [hello-hybrid-key-trust](./includes/hello-on-premises-cert-trust.md)]
+[!INCLUDE [hello-hybrid-cert-trust](./includes/hello-hybrid-cert-trust.md)]
 
-Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *certificate trust* model. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
+Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
 
-Hybrid certificate trust deployments issue users with a sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to the domain controllers. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates.
+Hybrid certificate trust deployments issue users a sign-in certificate, enabling them to authenticate to Active Directory using Windows Hello for Business credentials. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates.
 
 [!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]
 

windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md

@@ -55,12 +55,12 @@ Windows Hello for Business hybrid certificate trust requires Active Directory to
 
 If you're new to AD FS and federation services:
 
-- review [key AD FS concepts][SER-3] prior to deploying the AD FS farm
+- Review [key AD FS concepts][SER-3] prior to deploying the AD FS farm
-- review the [AD FS design guide][SER-4] to design and plan your federation service
+- Review the [AD FS design guide][SER-4] to design and plan your federation service
 
 Once you have your AD FS design ready:
 
-- review [deploying a federation server farm][SER-2] to configure AD FS in your environment
+- Review [deploying a federation server farm][SER-2] to configure AD FS in your environment
 
 The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889).
 

windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md

@@ -1,90 +1,80 @@
 ---
-title: Configuring Hybrid Azure AD joined Windows Hello for Business - Active Directory Federation Services (ADFS)
+title: Configure Active Directory Federation Services in a hybrid certificate trust model
-description: Discussing the configuration of Active Directory Federation Services (ADFS) in a Hybrid deployment of Windows Hello for Business
+description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business hybrid certificate trust model.
-ms.date: 4/30/2021
+ms.date: 01/03/2023
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-ms.topic: article
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
+ms.topic: tutorial
 ---
-# Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory Federation Services
+# Configure Active Directory Federation Services - hybrid certificate trust
 
 [!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-cert-trust.md)]
 
-## Federation Services
+The Windows Hello for Business certificate-based deployments use AD FS as the certificate registration authority (CRA).
-
+The CRA is responsible for issuing and revoking certificates to users. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.\
-The Windows Server 2016 Active Directory Federation Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
+The CRA enrolls for an *enrollment agent certificate*, and the Windows Hello for Business *authentication certificate template* is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate.
-
-The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate.
 
 > [!NOTE]
-> In order for AD FS to verify user certificate requests for Windows Hello for Business, it needs to be able to access the ```https://enterpriseregistration.windows.net``` endpoint.
+> In order for AD FS to verify user certificate requests for Windows Hello for Business, it needs to be able to access the `https://enterpriseregistration.windows.net` endpoint.
 
-### Configure the Registration Authority
+## Configure the certificate registration authority
 
-Sign-in the AD FS server with *Domain Admin* equivalent credentials.
+Sign-in the AD FS server with *domain administrator* equivalent credentials.
 
-1. Open a **Windows PowerShell** prompt.
+Open a **Windows PowerShell** prompt and type the following command:
-2. Enter the following command:
   
 ```PowerShell
 Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication -WindowsHelloCertificateProxyEnabled $true
 ```
 
 >[!NOTE]
-    > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the preceding command with the name of your certificate templates.  It's important that you use the template name rather than the template display name.  You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc).  Or, you can view the template name by using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
+> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name.  You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the `Get-CATemplate` PowerShell cmdlet on a CA.
 
-### Group Memberships for the AD FS Service Account
+## Enrollment agent certificate enrollment
 
-The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user.
+AD FS performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts.
+
+Approximately 60 days prior to enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate.
+
+### Group Memberships for the AD FS service account
+
+The AD FS service account must be member of the security group targeted by the authentication certificate template auto-enrollment (e.g. *Window Hello for Business Users*). The security group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user.
 
 > [!TIP]
 > The adfssvc account is the AD FS service account.
 
 Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials.
 
-1. Open **Active Directory Users and Computers**.
+1. Open **Active Directory Users and Computers**
-2. Click the **Users** container in the navigation pane.
+1. Search for the security group targeted by the authentication certificate template auto-enrollment (e.g. *Window Hello for Business Users*)
-3. Right-click **Windows Hello for Business Users** group.
+1. Select the **Members** tab and select **Add**
-4. Click the **Members** tab and click **Add**.
+1. In the **Enter the object names to select** text box, type **adfssvc** or substitute the name of the AD FS service account in your AD FS deployment > **OK**
-5. In the **Enter the object names to select** text box, type **adfssvc** or substitute the name of the AD FS service account in your AD FS deployment.  Click **OK**.
+1. Select **OK** to return to **Active Directory Users and Computers**
-6. Click **OK** to return to **Active Directory Users and Computers**.
+1. Restart the AD FS server
-7. Restart the AD FS server.
 
 > [!NOTE]
-> For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error:
+> For AD FS 2019 in a hybrid certificate trust model, a PRT issue exists. You may encounter this error in the AD FS Admin event logs: *Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'*. To remediate this error:
 >
-> 1. Launch AD FS management console. Browse to "Services > Scope Descriptions".
+> 1. Launch AD FS management console and browse to **Services > Scope Descriptions**
-> 2. Right click "Scope Descriptions" and select "Add Scope Description".
+> 1. Right click **Scope Descriptions** and select **Add Scope Description**
-> 3. Under name type "ugs" and Click Apply > OK.
+> 1. Under name type `ugs` and select **Apply > OK**
-> 4. Launch PowerShell as an administrator.
+> 1. Launch PowerShell as an administrator
-> 5. Get the ObjectIdentifier of the application permission with the ClientRoleIdentifier parameter equal to "38aa3b87-a06d-4817-b275-7a316988d93b":
+> 1. Obtain the *ObjectIdentifier* of the application permission with the `ClientRoleIdentifier` parameter equal to `38aa3b87-a06d-4817-b275-7a316988d93b`:
 > ```PowerShell
 > (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier
 > ```
-> 6. Execute the command `Set-AdfsApplicationPermission -TargetIdentifier <ObjectIdentifier from step 5> -AddScope 'ugs'`.
+> 1. Execute the command `Set-AdfsApplicationPermission -TargetIdentifier <ObjectIdentifier from step 5> -AddScope 'ugs'`.
-> 7. Restart the AD FS service.
+> 1. Restart the AD FS service
-> 8. On the client: Restart the client. User should be prompted to provision Windows Hello for Business.
+> 1. On the client: Restart the client. User should be prompted to provision Windows Hello for Business
 
-### Section Review
+## Section review and next steps
+
+Before moving to the next section, ensure the following steps are complete:
 
 > [!div class="checklist"]
-> * Configure the registration authority.
+> - Configure the certificate registration authority
-> * Update group memberships for the AD FS service account.
+> - Update group memberships for the AD FS service account
-> 
-> 
-> [!div class="step-by-step"]
-> [< Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md)
-> [Configure policy settings >](hello-hybrid-cert-whfb-settings-policy.md)
-
-<br><br>
-
-<hr>
-
-## Follow the Windows Hello for Business hybrid certificate trust deployment guide
-1. [Overview](hello-hybrid-cert-trust.md)
-2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
-3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
-4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
-5. Configure Windows Hello for Business settings: AD FS (*You are here*)
-6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
 
+> [!div class="nextstepaction"]
+> [Next: configure policy settings >](hello-hybrid-cert-whfb-settings-policy.md)

windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md

@@ -13,33 +13,10 @@ ms.topic: tutorial
 
 Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
 
-## Deploy an enterprise certification authority
+[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]
-
-This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on an enterprise PKI running the Windows Server *Active Directory Certificate Services* role.
-
-### Lab-based PKI
-
-The following instructions may be used to deploy simple public key infrastructure that is suitable **for a lab environment**.
-
-Sign in using *Enterprise Administrator* equivalent credentials on a Windows Server where you want the certification authority (CA) installed.
-
->[!NOTE]
->Never install a certification authority on a domain controller in a production environment.
-
-1. Open an elevated Windows PowerShell prompt
-1. Use the following command to install the Active Directory Certificate Services role.
-    ```PowerShell
-    Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
-    ```
-3. Use the following command to configure the CA using a basic certification authority configuration
-    ```PowerShell
-    Install-AdcsCertificationAuthority
-    ```
 
 ## Configure the enterprise PKI
 
-If you don't have an existing PKI, review [Certification Authority Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)) to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11)) for instructions on how to configure your PKI using the information from your design session.
-
 Expand the following sections to configure the PKI for Windows Hello for Business.
 
 <br>

windows/security/identity-protection/hello-for-business/includes/auth-certificate-template.md

@@ -38,10 +38,10 @@ Sign in to a CA or management workstations with *Domain Administrator* equivalen
    - Select **Fully distinguished name** from the **Subject name format** list
    - Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
 1. On the **Request Handling** tab, select the **Renew with same key** check box
-1. On the **Security** tab, select **Add**. Type *Window Hello for Business Users* in the **Enter the object names to select** text box and select **OK**
+1. On the **Security** tab, select **Add**. Target an Active Directory security group that contains the users that you want to enroll in Windows Hello for Business. For example, if you have a group called *Window Hello for Business Users*, type it in the **Enter the object names to select** text box and select **OK**
 1. Select the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section:
    - Select the **Allow** check box for the **Enroll** permission
-   - Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared
+   - Excluding the group above (e.g. *Window Hello for Business Users*), clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared
    - Select **OK**
 1. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template
 1. Select on the **Apply** to save changes and close the console
@@ -56,9 +56,9 @@ Open an elevated command prompt end execute the following command
 certutil.exe -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY
 ```
 
-If the template was changed successfully, the output of the command will contain old and new values of the template parameters. The new value must contain the **CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY** parameter. Example:
+If the template was changed successfully, the output of the command will contain old and new values of the template parameters. The new value must contain the `CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` parameter. Example:
 
-```console
+```cmd
 CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication
 
 Old Value:
@@ -79,6 +79,6 @@ CertUtil: -dsTemplate command completed successfully."
 ```
 
 >[!NOTE]
->If you gave your Windows Hello for Business Authentication certificate template a different name, then replace *WHFBAuthentication* in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on your certification authority.
+>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace `WHFBAuthentication` in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the `Get-CATemplate` ADCS Administration Windows PowerShell cmdlet on your certification authority.
 
 </details>

windows/security/identity-protection/hello-for-business/includes/enrollment-agent-certificate-template.md

@@ -6,7 +6,7 @@ ms.topic: include
 <details>
 <summary><b>Configure an enrollment agent certificate template</b></summary>
 
-A certificate registration authority (CRA) is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certification authority (CA) for issuance. The CA issues the certificate, returns it to the CRA, which returns the certificate to the requesting user. The Windows Hello for Business on-premises certificate-based deployment uses AD FS as the CRA.
+A certificate registration authority (CRA) is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certification authority (CA) for issuance. The CA issues the certificate, returns it to the CRA, which returns the certificate to the requesting user. Windows Hello for Business certificate trust deployments use AD FS as the CRA.
 
 The CRA enrolls for an *enrollment agent certificate*. Once the CRA verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the CA. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The CA only issues a certificate for that template if the registration authority signs the certificate request.
 
@@ -78,9 +78,4 @@ Sign in to a CA or management workstations with *Domain Administrator* equivalen
    - Select **OK**
 1. Close the console
 
-> [!NOTE]
-> AD FS used for Windows Hello for Business certificate enrollment performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request, or when the service first starts.
->
-> Approximately 60 days prior to the enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew and expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate.
-
 </details>