diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index 13c1e99b51..f3f064b1d1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -52,7 +52,7 @@ The trust model determines how you want users to authenticate to the on-premises * The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers. > [!NOTE] -> Remote Desktop Protocol (RDP) does not support authentication with Windows Hello for Business key trust deployments. RDP is only supported with certificate trust deployments at this time. See [Remote Desktop](hello-feature-remote-desktop.md) to learn more. +> RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard). Following are the various deployment guides and models included in this topic: - [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md index 390355cb33..e6d36e6967 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.md +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md @@ -28,7 +28,7 @@ Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft is committed to its vision of a world without passwords. We recognize the *convenience* provided by convenience PIN, but it stills uses a password for authentication. Microsoft recommends customers using Windows 10 and convenience PINs should move to Windows Hello for Business. New Windows 10 deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business. ## Can I use Windows Hello for Business key trust and RDP? -RDP currently does not support key based authentication and does not support self signed certificates. RDP with Windows Hello for Business is currently only supported with certificate based deployments. +RDP currently does not support using key based authentication and self signed certificates as supplied credentials. RDP with supplied credentials Windows Hello for Business is currently only supported with certificate based deployments. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard). ## Can I deploy Windows Hello for Business using Microsoft Endpoint Configuration Manager? Windows Hello for Business deployments using Configuration Manager should use the hybrid deployment model that uses Active Directory Federation Services. Starting in Configuration Manager version 1910, certificate-based authentication with Windows Hello for Business settings isn't supported. Key-based authentication is still valid with Configuration Manager. For more information, see [Windows Hello for Business settings in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-hello-for-business-settings). diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index e1cf05225a..0ebcd33ec5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 09/09/2019 +ms.date: 09/16/2020 ms.reviewer: --- @@ -27,9 +27,9 @@ ms.reviewer: - Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices - Certificate trust deployments -Windows Hello for Business supports using a certificate deployed to a WHFB container to a remote desktop to a server or another device. This functionality is not supported for key trust deployments. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. +Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This functionality is not supported for key trust deployments. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard). -Microsoft continues to investigate supporting this feature for key trust deployments in a future release. +Microsoft continues to investigate supporting using keys trust for supplied credentials in a future release. ## Remote Desktop with Biometrics diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 5d10205e13..80d8f81611 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -94,8 +94,7 @@ For details, see [How Windows Hello for Business works](hello-how-it-works.md). Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello. Enterprises that do not use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello but still use certificates on their domain controllers as a root of trust. -Windows Hello for Business with a key does not support RDP. RDP does not support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments. - +Windows Hello for Business with a key does not support supplied credentials for RDP. RDP does not support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard). ## Learn more diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 3fff407e34..1f28723cc9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: conceptual -ms.date: 08/19/2018 +ms.date: 09/16/2020 ms.reviewer: --- # Planning a Windows Hello for Business Deployment @@ -25,6 +25,8 @@ Congratulations! You are taking the first step forward in helping move your orga This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you'll use that information to select the correct deployment guide for your needs. +If you have an Azure tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup). + ## Using this guide There are many options from which you can choose when deploying Windows Hello for Business. Providing multiple options ensures nearly every organization can deploy Windows Hello for Business. Providing many options makes the deployment appear complex, however, most organization will realize they've already implemented most of the infrastructure on which the Windows Hello for Business deployment depends. It is important to understand that Windows Hello for Business is a distributed system and does take proper planning across multiple teams within an organization. @@ -91,7 +93,7 @@ The key trust type does not require issuing authentication certificates to end u The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. > [!NOTE] -> RDP does not support authentication with Windows Hello for Business key trust deployments. RDP is only supported with certificate trust deployments at this time. +> RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard). #### Device registration diff --git a/windows/security/identity-protection/hello-for-business/toc.md b/windows/security/identity-protection/hello-for-business/toc.md index 3fe33458fc..8ec19c126f 100644 --- a/windows/security/identity-protection/hello-for-business/toc.md +++ b/windows/security/identity-protection/hello-for-business/toc.md @@ -16,10 +16,10 @@ ## [How Windows Hello for Business works](hello-how-it-works.md) ### [Technical Deep Dive](hello-how-it-works.md#technical-deep-dive) -#### [Technology and Terminology](hello-how-it-works-technology.md) #### [Device Registration](hello-how-it-works-device-registration.md) #### [Provisioning](hello-how-it-works-provisioning.md) #### [Authentication](hello-how-it-works-authentication.md) +#### [Technology and Terminology](hello-how-it-works-technology.md) ## [Planning a Windows Hello for Business Deployment](hello-planning-guide.md)