From 35652b7eeb133a747a7361f6e3eb5be5ff4a3269 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 17 Nov 2022 17:28:32 -0500
Subject: [PATCH] key trust updates
---
.../hello-deployment-rdp-certs.md | 6 -
.../hello-how-it-works-technology.md | 2 +-
.../hello-key-trust-adfs.md | 4 +-
.../hello-key-trust-policy-settings.md | 9 +-
.../hello-key-trust-validate-ad-prereq.md | 6 +-
.../hello-key-trust-validate-deploy-mfa.md | 4 +-
.../hello-key-trust-validate-pki.md | 4 +-
.../hello-for-business/toc.yml | 118 +++++++++---------
8 files changed, 73 insertions(+), 80 deletions(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
index 282264de1e..93e2a47b86 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
@@ -1,13 +1,7 @@
---
title: Deploy certificates for remote desktop sign-in
description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: erikdau
ms.collection:
- - M365-identity-device-management
- ContentEngagementFY23
ms.topic: how-to
localizationpriority: medium
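Review bot: removing ms.prod, author, ms.author, manager and ms.reviewer from this page's front matter leaves it without a product value or an owner unless those keys are now supplied by a directory-level default in the folder's docfx.json metadata; confirm that default exists (and say so in the commit message), otherwise keep the keys. The ms.collection edit (M365-identity-device-management dropped, ContentEngagementFY23 kept) is fine on its own.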
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index ac9ba6f543..b8609c2ae3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -184,7 +184,7 @@ If your environment has an on-premises AD footprint and you also want benefit fr
## Hybrid deployment
-The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust.
+The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports three trust types for on-premises authentication: cloud Kerberos trust, key trust and certificate trust.
### Related to hybrid deployment
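Review bot: the rewritten sentence lists three trust types but drops the serial comma ("cloud Kerberos trust, key trust and certificate trust"); for consistency with the rest of the docs set, use `cloud Kerberos trust, key trust, and certificate trust`. The substance of the change (two trust types corrected to three, with cloud Kerberos trust named first) is right and matches the "Hybrid cloud Kerberos trust deployment" entry this patch adds to toc.yml.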
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index 675b94f610..c32b9f41df 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -4,11 +4,11 @@ description: How to Prepare and Deploy Windows Server 2016 Active Directory Fede
ms.date: 08/19/2018
appliesto:
- ✅ Windows 10 and later
-- ✅ On-premises deployment
-- ✅ Key trust
---
# Prepare and Deploy Windows Server 2016 Active Directory Federation Services with Key Trust
+[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
+
Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises key trust deployment uses Active Directory Federation Services roles for key registration and device registration.
The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts.
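Review bot: the new `[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]` references a file that is not part of this patch (the stat lists eight files, none under includes/); confirm it already exists in the repository, otherwise every page in this patch that carries the include will fail to build. Since the include replaces the two removed appliesto entries (On-premises deployment, Key trust), also confirm it renders equivalent scoping text so that information is not lost from the page.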
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
index 3366c3c6fe..7507f0ee07 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
@@ -4,15 +4,14 @@ description: Configure Windows Hello for Business Policy settings for Windows He
ms.date: 08/19/2018
appliesto:
- ✅ Windows 10 and later
-- ✅ On-premises deployment
-- ✅ Key trust
---
# Configure Windows Hello for Business Policy settings - Key Trust
-You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
-Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
+[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
-Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows 10, version 1703 installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for more information.
+To run the Group Policy Management Console from a Windows client, you need to install the Remote Server Administration Tools for Windows. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
+
+Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows client installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for more information.
On-premises certificate-based deployments of Windows Hello for Business needs one Group Policy setting: Enable Windows Hello for Business
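Review bot: the rewritten line "or you can create a Group Policy Central Store and copy them their respective language folder" carries over a pre-existing typo; since the line is being touched anyway, fix it to `copy them to their respective language folder`. Separately, the unchanged context line that follows ("On-premises certificate-based deployments of Windows Hello for Business needs one Group Policy setting") reads oddly on a key trust page and has a subject-verb agreement error (deployments needs); worth a follow-up edit even if it is out of scope for this patch.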
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
index ff36b79944..9be31d0bba 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
@@ -4,12 +4,12 @@ description: How to Validate Active Directory prerequisites for Windows Hello fo
ms.date: 08/19/2018
appliesto:
- ✅ Windows 10 and later
-- ✅ On-premises deployment
-- ✅ Key trust
---
# Validate Active Directory prerequisites - Key Trust
-Key trust deployments need an adequate number of 2016 or later domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section.
+[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
+
+Key trust deployments need an adequate number of 2016 or later domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section.
> [!NOTE]
>There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue.
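Review bot: the paragraph beginning "Key trust deployments need an adequate number of 2016 or later domain controllers" is removed and re-added with identical visible content, which makes the diff noisier than the actual change (the include plus a blank line); if this is a trailing-whitespace or line-ending fix, note that in the commit message, otherwise drop the re-add. While here, the note block is inconsistently formatted: `> [!NOTE]` is followed by `>There was an issue` with no space after the `>`; use `> There was an issue` like the other callouts in this patch.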
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
index cdeaa17371..59886f6036 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
@@ -4,11 +4,11 @@ description: How to Validate and Deploy Multifactor Authentication (MFA) Service
ms.date: 08/19/2018
appliesto:
- ✅ Windows 10 and later
-- ✅ On-premises deployment
-- ✅ Key trust
---
# Validate and Deploy Multifactor Authentication (MFA)
+[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
+
> [!IMPORTANT]
> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
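Review bot: ms.date stays at 08/19/2018 although the page content changes in this hunk (appliesto entries removed, include added); the same applies to the other four key trust pages in this patch, which all show the same unchanged ms.date in context. Update the date wherever the body is modified so the published page reflects the revision.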
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
index 3c7e014781..017b606e61 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
@@ -4,11 +4,11 @@ description: How to Validate Public Key Infrastructure for Windows Hello for Bus
ms.date: 08/19/2018
appliesto:
- ✅ Windows 10 and later
-- ✅ On-premises deployment
-- ✅ Key trust
---
# Validate and Configure Public Key Infrastructure - Key Trust
+[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
+
Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller.
## Deploy an enterprise certificate authority
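Review bot: after this change the appliesto front matter lists only "Windows 10 and later", so the deployment model and trust type for this page are now expressed solely by the include placed after the H1. That is fine if the include is the new convention, but it means the metadata no longer states that the page is on-premises key trust only; if any tooling or the docs index relies on appliesto for filtering, that scoping is lost.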
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
index 2c22050ab0..4d8b648f78 100644
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -2,12 +2,12 @@
href: index.yml
- name: Overview
items:
- - name: Windows Hello for Business Overview
+ - name: Windows Hello for Business overview
href: hello-overview.md
- name: Concepts
expanded: true
items:
- - name: Passwordless Strategy
+ - name: Passwordless strategy
href: passwordless-strategy.md
- name: Why a PIN is better than a password
href: hello-why-pin-is-better-than-password.md
@@ -15,7 +15,7 @@
href: hello-biometrics-in-enterprise.md
- name: How Windows Hello for Business works
href: hello-how-it-works.md
- - name: Technical Deep Dive
+ - name: Technical deep dive
items:
- name: Provisioning
href: hello-how-it-works-provisioning.md
@@ -25,93 +25,93 @@
href: webauthn-apis.md
- name: How-to Guides
items:
- - name: Windows Hello for Business Deployment Overview
+ - name: Windows Hello for Business deployment overview
href: hello-deployment-guide.md
- - name: Planning a Windows Hello for Business Deployment
+ - name: Planning a Windows Hello for Business deployment
href: hello-planning-guide.md
- - name: Deployment Prerequisite Overview
+ - name: Deployment prerequisite overview
href: hello-identity-verification.md
- name: Prepare people to use Windows Hello
href: hello-prepare-people-to-use.md
- - name: Deployment Guides
+ - name: Deployment guides
items:
- - name: Hybrid Cloud Kerberos Trust Deployment
+ - name: Hybrid cloud Kerberos trust deployment
href: hello-hybrid-cloud-kerberos-trust.md
- - name: Hybrid Azure AD Joined Key Trust
+ - name: Azure AD join
items:
- - name: Hybrid Azure AD Joined Key Trust Deployment
+ - name: Cloud-only deployment
+ href: hello-aad-join-cloud-only-deploy.md
+ - name: On-premises SSO for Azure AD joined devices
+ href: hello-hybrid-aadj-sso.md
+ - name: Configure Azure AD joined devices for on-premises SSO
+ href: hello-hybrid-aadj-sso-base.md
+ - name: Using certificates for on-premises SSO
+ href: hello-hybrid-aadj-sso-cert.md
+ - name: Hybrid Azure AD join with key trust
+ items:
+ - name: Key trust deployment
href: hello-hybrid-key-trust.md
- name: Prerequisites
href: hello-hybrid-key-trust-prereqs.md
- - name: New Installation Baseline
+ - name: New installation baseline
href: hello-hybrid-key-new-install.md
- - name: Configure Directory Synchronization
+ - name: Configure directory synchronization
href: hello-hybrid-key-trust-dirsync.md
- - name: Configure Azure Device Registration
+ - name: Configure Azure AD device registration
href: hello-hybrid-key-trust-devreg.md
- name: Configure Windows Hello for Business settings
href: hello-hybrid-key-whfb-settings.md
- - name: Sign-in and Provisioning
+ - name: Sign-in and provisioning
href: hello-hybrid-key-whfb-provision.md
- - name: Hybrid Azure AD Joined Certificate Trust
+ - name: Hybrid Azure AD join with certificate trust
items:
- - name: Hybrid Azure AD Joined Certificate Trust Deployment
+ - name: Certificate trust deployment
href: hello-hybrid-cert-trust.md
- name: Prerequisites
href: hello-hybrid-cert-trust-prereqs.md
- - name: New Installation Baseline
+ - name: New installation baseline
href: hello-hybrid-cert-new-install.md
- - name: Configure Azure Device Registration
+ - name: Configure Azure AD device registration
href: hello-hybrid-cert-trust-devreg.md
- name: Configure Windows Hello for Business settings
href: hello-hybrid-cert-whfb-settings.md
- - name: Sign-in and Provisioning
+ - name: Sign-in and provisioning
href: hello-hybrid-cert-whfb-provision.md
- - name: On-premises SSO for Azure AD Joined Devices
+ - name: Active Directory domain join with key trust
items:
- - name: On-premises SSO for Azure AD Joined Devices Deployment
- href: hello-hybrid-aadj-sso.md
- - name: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business
- href: hello-hybrid-aadj-sso-base.md
- - name: Using Certificates for AADJ On-premises Single-sign On
- href: hello-hybrid-aadj-sso-cert.md
- - name: On-premises Key Trust
- items:
- - name: On-premises Key Trust Deployment
+ - name: Key trust deployment
href: hello-deployment-key-trust.md
- - name: Validate Active Directory Prerequisites
+ - name: Validate Active Directory prerequisites
href: hello-key-trust-validate-ad-prereq.md
- - name: Validate and Configure Public Key Infrastructure
+ - name: Validate and configure Public Key Infrastructure (PKI)
href: hello-key-trust-validate-pki.md
- - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services
+ - name: Prepare and deploy Active Directory Federation Services (AD FS)
href: hello-key-trust-adfs.md
- - name: Validate and Deploy Multi-factor Authentication (MFA) Services
+ - name: Validate and deploy multi-factor authentication (MFA) services
href: hello-key-trust-validate-deploy-mfa.md
- name: Configure Windows Hello for Business policy settings
href: hello-key-trust-policy-settings.md
- - name: On-premises Certificate Trust
+ - name: Active Directory domain join with certificate trust
items:
- - name: On-premises Certificate Trust Deployment
+ - name: Certificate trust deployment
href: hello-deployment-cert-trust.md
- - name: Validate Active Directory Prerequisites
+ - name: Validate Active Directory prerequisites
href: hello-cert-trust-validate-ad-prereq.md
- - name: Validate and Configure Public Key Infrastructure
+ - name: Validate and configure Public Key Infrastructure (PKI)
href: hello-cert-trust-validate-pki.md
- - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services
+ - name: Prepare and Deploy Active Directory Federation Services (AD FS)
href: hello-cert-trust-adfs.md
- - name: Validate and Deploy Multi-factor Authentication (MFA) Services
+ - name: Validate and deploy multi-factor authentication (MFA) services
href: hello-cert-trust-validate-deploy-mfa.md
- name: Configure Windows Hello for Business policy settings
href: hello-cert-trust-policy-settings.md
- - name: Azure AD join cloud only deployment
- href: hello-aad-join-cloud-only-deploy.md
- - name: Managing Windows Hello for Business in your organization
- href: hello-manage-in-organization.md
- - name: Deploying Certificates to Key Trust Users to Enable RDP
+ - name: Deploy certificates for RDP sign-in
href: hello-deployment-rdp-certs.md
- - name: Windows Hello for Business Features
+ - name: Manage Windows Hello for Business in your organization
+ href: hello-manage-in-organization.md
+ - name: Windows Hello for Business features
items:
- - name: Conditional Access
+ - name: Conditional access
href: hello-feature-conditional-access.md
- name: PIN Reset
href: hello-feature-pin-reset.md
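Review bot: the sentence-case pass is not applied consistently: `- name: Prepare and Deploy Active Directory Federation Services (AD FS)` under "Active Directory domain join with certificate trust" keeps a capital "Deploy", while the sibling entry under the key trust node uses `Prepare and deploy Active Directory Federation Services (AD FS)`; make them match. Several unchanged context entries in the same region also remain in title case (How-to Guides, PIN Reset, and in the next hunk Multi-factor Unlock, Frequently Asked Questions (FAQ)), so either finish the pass or call out in the commit message that it is partial. The restructuring itself (cloud-only and Azure AD joined SSO pages grouped under a new "Azure AD join" node, on-premises nodes renamed to "Active Directory domain join with ...", the manage-in-organization entry moved after the RDP certificates page) goes well beyond "key trust updates" and deserves a line in the commit message.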
@@ -121,23 +121,23 @@
href: hello-feature-dynamic-lock.md
- name: Multi-factor Unlock
href: feature-multifactor-unlock.md
- - name: Remote Desktop
+ - name: Remote desktop (RDP) sign-in
href: hello-feature-remote-desktop.md
- - name: Troubleshooting
- items:
- - name: Known Deployment Issues
- href: hello-deployment-issues.md
- - name: Errors During PIN Creation
- href: hello-errors-during-pin-creation.md
- - name: Event ID 300 - Windows Hello successfully created
- href: hello-event-300.md
- - name: Windows Hello and password changes
- href: hello-and-password-changes.md
+- name: Troubleshooting
+ items:
+ - name: Known deployment issues
+ href: hello-deployment-issues.md
+ - name: Errors during PIN creation
+ href: hello-errors-during-pin-creation.md
+ - name: Event ID 300 - Windows Hello successfully created
+ href: hello-event-300.md
+ - name: Windows Hello and password changes
+ href: hello-and-password-changes.md
- name: Reference
items:
- - name: Technology and Terminology
+ - name: Technology and terminology
href: hello-how-it-works-technology.md
- name: Frequently Asked Questions (FAQ)
href: hello-faq.yml
- name: Windows Hello for Business videos
- href: hello-videos.md
+ href: hello-videos.md
\ No newline at end of file
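Review bot: the final change (`-    href: hello-videos.md` replaced by `+    href: hello-videos.md` followed by "\ No newline at end of file") is a whitespace-only edit that removes the file's trailing newline; restore the newline at end of file so the next edit to toc.yml does not produce the same spurious diff. Also, the Troubleshooting node is hoisted from under How-to Guides to the top level in this hunk (indentation reduced on `- name: Troubleshooting` and its four items), which is a navigation change unrelated to key trust and should be mentioned in the commit message.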